Fix integer overflow leading to heap corruption (CVE-2022-24795)

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2023-07-10 14:17:15 +01:00
parent b9e95f3366
commit 9c33a12015
2 changed files with 62 additions and 0 deletions


@ -0,0 +1,60 @@
From 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 7 Apr 2022 17:29:54 +0200
Subject: [PATCH 6/8] Fix CVE-2022-24795
There was an integer overflow in yajl_buf_ensure_available() leading
to allocating less memory than requested. Then data were written past
the allocated heap buffer in yajl_buf_append(), the only caller of
yajl_buf_ensure_available(). Another result of the overflow was an
infinite loop without a return from yajl_buf_ensure_available().
yajl-ruby project, which bundles yajl, fixed it
<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the
integer overflow, fortifying buffer allocations, and reporting the
failures to a caller. But then the caller yajl_buf_append() skips
a memory write if yajl_buf_ensure_available() failed, leading to data
corruption.
A yajl fork maintainer recommended calling memory allocation callbacks with
the large memory request and letting them handle it. But that has the
problem that it's not possible to pass the overly large size to the
callbacks.
This patch catches the integer overflow and terminates the process
with abort().
https://github.com/lloyd/yajl/issues/239
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
(cherry picked from commit 23cea2d7677e396efed78bbf1bf153961fab6bad
in https://github.com/ppisar/yajl)
---
src/yajl_buf.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/yajl_buf.c b/src/yajl_buf.c
index 1aeafde..55c11ad 100644
--- a/src/yajl_buf.c
+++ b/src/yajl_buf.c
@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)
need = buf->len;
- while (want >= (need - buf->used)) need <<= 1;
+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) {
+ /* We cannot allocate more memory than SIZE_MAX. */
+ abort();
+ }
+ while (want >= (need - buf->used)) {
+ if (need >= (size_t)((size_t)(-1)<<1)>>1) {
+ /* need would overflow. */
+ abort();
+ }
+ need <<= 1;
+ }
if (need != buf->len) {
buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);
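Review bot: the loop guard `need >= (size_t)((size_t)(-1)<<1)>>1` is an obscure spelling of `SIZE_MAX / 2`; include <stdint.h> and write `if (need >= SIZE_MAX / 2)` so the intent is readable (`need <<= 1` wraps exactly when `need > SIZE_MAX / 2`, so `>=` aborts one value early, which is harmless), and drop the `(size_t)` cast on `buf->used + want` in the first check, since both operands are already size_t. Two things the hunk leaves undocumented: `need - buf->used` still relies on the struct invariant `buf->len >= buf->used`, which nothing in this function checks, and any request where `buf->used + want` lands above `SIZE_MAX / 2` now abort()s even though it does not overflow, the cost of growing by doubling. Since abort() is now reachable from an attacker-controlled size, a comment next to it pointing at the rationale in the commit message (the allocator callbacks cannot be handed the oversized request) would help the next reader.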
--
2.41.0
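To make the two failure modes the commit message describes concrete, here is an added example, written for this page and not code from yajl or the patch author. It models only the capacity computation of `yajl_buf_ensure_available()`: `grow_vulnerable()` reproduces the pre-fix doubling loop and `grow_fixed()` the loop with the patch's two checks. The names `grow_vulnerable`, `grow_fixed` and `struct grow_outcome` are hypothetical, the patch's `abort()` is replaced by a returned `GROW_OVERFLOW` so the result can be observed, the unbounded original loop is emulated with an iteration cap that is provably sufficient, and the inputs (a 2 KiB buffer holding 16 bytes, appends of 100, 3000, `SIZE_MAX - 19` and `SIZE_MAX - 1` bytes) are constructed. Nothing is allocated, so it is safe to run.

```c
/* Added example, not yajl's code: a model of the capacity computation in
 * yajl_buf_ensure_available() before and after the CVE-2022-24795 patch.
 * grow_vulnerable(), grow_fixed() and struct grow_outcome are hypothetical
 * names; the functions only compute the new capacity and never allocate. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum grow_result {
    GROW_OK,             /* loop terminated, `need` is the new capacity */
    GROW_INFINITE_LOOP,  /* old loop never terminates (detected by a cap) */
    GROW_OVERFLOW        /* new checks fire; the real patch calls abort() */
};

struct grow_outcome {
    enum grow_result result;
    size_t need;
};

/* Pre-fix logic: `while (want >= (need - used)) need <<= 1;`.
 * The real loop is unbounded. After CHAR_BIT * sizeof(size_t) doublings
 * `need` has necessarily wrapped to 0 and can never change again, so the
 * loop condition becomes constant: one more iteration means it would spin
 * forever, which is what the cap below detects. */
struct grow_outcome grow_vulnerable(size_t len, size_t used, size_t want)
{
    struct grow_outcome out = { GROW_OK, len };
    unsigned iterations = 0;
    const unsigned cap = CHAR_BIT * sizeof(size_t) + 1;

    while (want >= (out.need - used)) {   /* wraps once need < used */
        if (++iterations > cap) {
            out.result = GROW_INFINITE_LOOP;
            return out;
        }
        out.need <<= 1;                    /* silently wraps past SIZE_MAX */
    }
    return out;
}

/* Post-fix logic: the same loop with the patch's two checks. The patch
 * calls abort(); here GROW_OVERFLOW is returned so a test can observe it. */
struct grow_outcome grow_fixed(size_t len, size_t used, size_t want)
{
    struct grow_outcome out = { GROW_OK, len };

    /* Unsigned a + b wrapped iff the sum is smaller than max(a, b); this
     * is the patch's first `if`, minus its redundant (size_t) cast. */
    if ((used > want ? used : want) > used + want) {
        out.result = GROW_OVERFLOW;
        return out;
    }
    while (want >= (out.need - used)) {
        /* `need <<= 1` wraps once need > SIZE_MAX / 2. The patch spells
         * SIZE_MAX / 2 as (size_t)((size_t)(-1) << 1) >> 1 and uses >=,
         * which bails out one value early. */
        if (out.need >= SIZE_MAX / 2) {
            out.result = GROW_OVERFLOW;
            return out;
        }
        out.need <<= 1;
    }
    return out;
}

static const char *describe(struct grow_outcome o)
{
    return o.result == GROW_OK ? "ok" :
           o.result == GROW_INFINITE_LOOP ? "infinite loop" : "overflow caught";
}

int main(void)
{
    /* Constructed inputs: a 2 KiB buffer with 16 bytes in use. */
    const size_t len = 2048, used = 16;
    const size_t wants[] = { 100, 3000, SIZE_MAX - 19, SIZE_MAX - 1 };
    for (size_t i = 0; i < sizeof wants / sizeof wants[0]; i++) {
        struct grow_outcome v = grow_vulnerable(len, used, wants[i]);
        struct grow_outcome f = grow_fixed(len, used, wants[i]);
        printf("want=%zu: old -> %s (need=%zu), new -> %s (need=%zu)\n",
               wants[i], describe(v), v.need, describe(f), f.need);
    }
    return 0;
}
```

The two large requests show the two bugs from the commit message: for `SIZE_MAX - 19` the old loop doubles `need` until it wraps to 0, then `need - used` wraps to a value just above `want`, so the loop exits with `need == 0` and the caller's `realloc` is handed a size far smaller than the write that follows; for `SIZE_MAX - 1` the wrapped `need - used` never exceeds `want`, so the old loop never terminates. The fixed version rejects the first inside the loop and the second at the `used + want` check before the loop is entered.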


@ -26,6 +26,7 @@ Patch: 0002-pkg-config-include-dir-should-not-have-the-yajl-suff.patch
Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch Patch: 0003-fix-patch-to-test-files-to-take-account-of-vpath.patch
Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch Patch: 0004-drop-bogus-_s-suffix-from-yajl-dynamic-library.patch
Patch: 0005-Fix-for-CVE-2017-16516.patch Patch: 0005-Fix-for-CVE-2017-16516.patch
Patch: 0006-Fix-CVE-2022-24795.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake BuildRequires: cmake
@ -97,6 +98,7 @@ cd test
* Mon Jul 10 2023 Daniel P. Berrangé <berrange@redhat.com> - 2.1.0-21 * Mon Jul 10 2023 Daniel P. Berrangé <berrange@redhat.com> - 2.1.0-21
- Switch to using git for managing patches - Switch to using git for managing patches
- Fix potential buffer overread (CVE-2017-16516) - Fix potential buffer overread (CVE-2017-16516)
- Fix integer overflow leading to heap corruption (CVE-2022-24795)
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-20 * Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
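Review bot: the new changelog bullet is appended to the existing `2.1.0-21` entry (same date, same author) rather than starting a new one, so the `Release` tag, which is outside this hunk, must still be `21` when the package is rebuilt; if `-21` was already built with only the first two bullets, bump to `-22` and open a new entry so the build carrying the CVE-2022-24795 fix is distinguishable from the earlier one.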