Fix integer overflow leading to heap corruption (CVE-2022-24795)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent b9e95f3366
commit 9c33a12015

0006-Fix-CVE-2022-24795.patch (new file, 60 lines)
@ -0,0 +1,60 @@
From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 7 Apr 2022 17:29:54 +0200
Subject: [PATCH 6/8] Fix CVE-2022-24795

There was an integer overflow in yajl_buf_ensure_available() leading
to allocating less memory than requested. Then data were written past
the allocated heap buffer in yajl_buf_append(), the only caller of
yajl_buf_ensure_available(). Another result of the overflow was an
infinite loop without a return from yajl_buf_ensure_available().

yajl-ruby project, which bundles yajl, fixed it
<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
integer overflow, fortifying buffer allocations, and reporting the
failures to a caller. But then the caller yajl_buf_append() skips
a memory write if yajl_buf_ensure_available() failed, leading to data
corruption.

A yajl fork maintainer recommended calling memory allocation callbacks with
the large memory request and letting them handle it. But that has the
problem that it's not possible to pass the overly large size to the
callbacks.

This patch catches the integer overflow and terminates the process
with abort().

https://github.com/lloyd/yajl/issues/239
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
(cherry picked from commit 23cea2d7677e396efed78bbf1bf153961fab6bad
in https://github.com/ppisar/yajl)
---
src/yajl_buf.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde..55c11ad 100644
--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)

need = buf->len;

- while (want >= (need - buf->used)) need <<= 1;
+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+ /* We cannot allocate more memory than SIZE_MAX. */
+ abort();
+ }
+ while (want >= (need - buf->used)) {
+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+ /* need would overflow. */
+ abort();
+ }
+ need <<= 1;
+ }

if (need != buf->len) {
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
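Review bot: the bound in the loop guard, `(size_t)((size_t)(-1)<<1)>>1`, is correct (the cast binds before the shifts, so it evaluates to SIZE_MAX >> 1 and `need <<= 1` can no longer wrap) but it takes a moment to verify; `if (need > SIZE_MAX / 2)` with <stdint.h> states the same bound directly, and the strict `>` would also stop one doubling later, since `need == SIZE_MAX / 2` doubles to SIZE_MAX - 1 without wrapping, so the `>=` form aborts one step early. In the first guard, the comment "We cannot allocate more memory than SIZE_MAX" does not say why the comparison works: it relies on unsigned addition wrapping, so that a wrapped `buf->used + want` is always smaller than the larger of the two operands; a comment naming that would help the next reader. Both guards call abort() instead of reporting failure; the commit message justifies this (yajl_buf_ensure_available() returns void, and a skipped write in yajl_buf_append() would itself corrupt data), so the hunk is consistent with its description.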
--
2.41.0
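The two wrap-around checks the patch adds, as an added stand-alone C example (this is not yajl's code; the `growbuf` type, `grow_size()`, `growbuf_append()`, `append_demo()` and the 16-byte initial size are assumptions). It names each check as a predicate, and it returns failure from the size computation instead of calling abort(), so the caller refuses the append rather than skipping the write, which is the alternative the commit message weighs against terminating the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer with the fields yajl_buf_ensure_available()
 * touches: len = bytes allocated, used = bytes in use. Not yajl's code. */
typedef struct {
    size_t len;
    size_t used;
    unsigned char *data;
} growbuf;

#define GROWBUF_INIT_SIZE 16   /* assumed initial allocation; must be non-zero */

/* 1 if a + b wraps past SIZE_MAX. Unsigned addition wraps modulo SIZE_MAX + 1,
 * so a wrapped sum is always smaller than the larger operand. This is the
 * comparison the patch's first guard makes. */
int add_would_overflow(size_t a, size_t b)
{
    size_t sum = a + b;
    return (a > b ? a : b) > sum;
}

/* 1 if need << 1 wraps. The patch writes the bound as
 * (size_t)((size_t)(-1)<<1)>>1, which is SIZE_MAX >> 1; the strict '>' here
 * still admits need == SIZE_MAX / 2, whose double (SIZE_MAX - 1) does not wrap. */
int double_would_overflow(size_t need)
{
    return need > SIZE_MAX / 2;
}

/* Allocation size needed so that `want` more bytes fit after `used` bytes in a
 * buffer of `len` bytes. Returns 0 when either wrap check fires, instead of
 * abort(), so the caller can refuse the write. */
size_t grow_size(size_t len, size_t used, size_t want)
{
    size_t need = len ? len : GROWBUF_INIT_SIZE;   /* never double from 0 */
    if (add_would_overflow(used, want))
        return 0;
    while (want >= need - used) {
        if (double_would_overflow(need))
            return 0;
        need <<= 1;
    }
    return need;
}

/* Append n bytes, growing the buffer first. Returns 1 on success, 0 if the size
 * computation overflowed or realloc failed; the buffer is untouched on 0. */
int growbuf_append(growbuf *buf, const void *src, size_t n)
{
    size_t need = grow_size(buf->len, buf->used, n);
    if (need == 0)
        return 0;
    if (need != buf->len) {
        unsigned char *p = realloc(buf->data, need);
        if (p == NULL)
            return 0;
        buf->data = p;
        buf->len = need;
    }
    memcpy(buf->data + buf->used, src, n);
    buf->used += n;
    return 1;
}

/* Constructed input: 5 bytes, then 20 more, which forces one doubling from
 * 16 to 32. Returns 1 if the resulting buffer state is what that implies. */
int append_demo(void)
{
    growbuf b = { GROWBUF_INIT_SIZE, 0, malloc(GROWBUF_INIT_SIZE) };
    static const unsigned char twenty[20] = "0123456789abcdefghi";
    int ok = b.data != NULL
          && growbuf_append(&b, "hello", 5)
          && growbuf_append(&b, twenty, sizeof twenty)
          && b.len == 32 && b.used == 25
          && memcmp(b.data, "hello0123456789abcdefghi", 24) == 0;
    free(b.data);
    return ok;
}

int main(void)
{
    printf("SIZE_MAX + 1 wraps: %d\n", add_would_overflow(SIZE_MAX, 1));
    printf("grow_size(2048, 2000, 48) = %zu\n", grow_size(2048, 2000, 48));
    printf("oversized request refused: %d\n", grow_size(2048, 10, SIZE_MAX - 5) == 0);
    printf("append demo ok: %d\n", append_demo());
    return 0;
}
```

The `grow_size(2048, 10, SIZE_MAX - 5)` call is the input class the CVE describes: the unpatched loop would either double `need` until it wrapped and then reallocate to a size smaller than `want`, or never terminate, whereas here the first predicate rejects it before any allocation is attempted.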
@ -26,6 +26,7 @@ Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
Patch: 0005-Fix-for-CVE-2017-16516.patch
Patch: 0006-Fix-CVE-2022-24795.patch

BuildRequires: gcc
BuildRequires: cmake
@ -97,6 +98,7 @@ cd test
* Mon Jul 10 2023 Daniel P. Berrangé <berrange@redhat.com> - 2.1.0-21
- Switch to using git for managing patches
- Fix potential buffer overread (CVE-2017-16516)
- Fix integer overflow leading to heap corruption (CVE-2022-24795)

* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
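Review bot: the new changelog line is appended under the existing `2.1.0-21` entry (that header line is unchanged context in this hunk) rather than under a new entry; if 2.1.0-21 has already been built, the Release tag needs a bump so that the package carrying the new Patch: line is actually rebuilt and distinguishable from the earlier build.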