Accepting request 1168904 from Base:System

- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992) (forwarded request 1168903 from Andreas_Schwab) OBS-URL: https://build.opensuse.org/request/show/1168904 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=289
2024-04-21 18:25:17 +00:00 · 2024-04-21 18:25:17 +00:00 · d3adb6ac11
commit d3adb6ac11
parent 69b88c814f b54ec08c8c
3 changed files with 226 additions and 2 deletions
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Thu Apr 18 07:55:49 UTC 2024 - Andreas Schwab <schwab@suse.de>
 - iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
  writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
 -------------------------------------------------------------------
 Wed Mar 13 08:31:20 UTC 2024 - Andreas Schwab <schwab@suse.de>
--- a/glibc.spec
+++ b/glibc.spec
@ -1,5 +1,5 @@
 #
-# spec file
+# spec file for package glibc
 #
 # Copyright (c) 2024 SUSE LLC
 #
@ -312,6 +312,8 @@ Patch1002:      duplocale-global-locale.patch
 Patch1003:      sigisemptyset.patch
 # PATCH-FIX-UPSTREAM Use gcc __builtin_stdc_* builtins in stdbit.h if possible
 Patch1004:      stdbit-builtins.patch
 # PATCH-FIX-UPSTREAM iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
 Patch1005:      iconv-iso-2022-cn-ext.patch
 %endif
 ###
--- a/iconv-iso-2022-cn-ext.patch
+++ b/iconv-iso-2022-cn-ext.patch
@ -0,0 +1,216 @@
 From 31da30f23cddd36db29d5b6a1c7619361b271fb4 Mon Sep 17 00:00:00 2001
 From: Charles Fol <folcharles@gmail.com>
 Date: Thu, 28 Mar 2024 12:25:38 -0300
 Subject: [PATCH] iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing
 escape sequence (CVE-2024-2961)
 ISO-2022-CN-EXT uses escape sequences to indicate character set changes
 (as specified by RFC 1922).  While the SOdesignation has the expected
 bounds checks, neither SS2designation nor SS3designation have its;
 allowing a write overflow of 1, 2, or 3 bytes with fixed values:
 '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
 Checked on aarch64-linux-gnu.
 Co-authored-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 Tested-by: Carlos O'Donell <carlos@redhat.com>
 (cherry picked from commit f9dc609e06b1136bb0408be9605ce7973a767ada)
 ---
 iconvdata/Makefile                    |   5 +-
 iconvdata/iso-2022-cn-ext.c           |  12 +++
 iconvdata/tst-iconv-iso-2022-cn-ext.c | 128 ++++++++++++++++++++++++++
 3 files changed, 144 insertions(+), 1 deletion(-)
 create mode 100644 iconvdata/tst-iconv-iso-2022-cn-ext.c
 diff --git a/iconvdata/Makefile b/iconvdata/Makefile
 index ea019ce5c0..7196a8744b 100644
 --- a/iconvdata/Makefile
 +++ b/iconvdata/Makefile
@@ -75,7 +75,8 @@ ifeq (yes,$(build-shared))
 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
 	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
 -	bug-iconv13 bug-iconv14 bug-iconv15
 +	bug-iconv13 bug-iconv14 bug-iconv15 \
 +	tst-iconv-iso-2022-cn-ext
 ifeq ($(have-thread-library),yes)
 tests += bug-iconv3
 endif
@@ -330,6 +331,8 @@ $(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \
 			  $(addprefix $(objpfx),$(modules.so))
 $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
 			  $(addprefix $(objpfx),$(modules.so))
 +$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
 +					$(addprefix $(objpfx),$(modules.so))
 $(objpfx)iconv-test.out: run-iconv-test.sh \
 			 $(addprefix $(objpfx), $(gconv-modules)) \
 diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
 index b34c8a36f4..cce29b1969 100644
 --- a/iconvdata/iso-2022-cn-ext.c
 +++ b/iconvdata/iso-2022-cn-ext.c
@@ -574,6 +574,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
 	      {								      \
 		const char *escseq;					      \
 									      \
 +		if (outptr + 4 > outend)				      \
 +		  {							      \
 +		    result = __GCONV_FULL_OUTPUT;			      \
 +		    break;						      \
 +		  }							      \
 +									      \
 		assert (used == CNS11643_2_set); /* XXX */		      \
 		escseq = "*H";						      \
 		*outptr++ = ESC;					      \
@@ -587,6 +593,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
 	      {								      \
 		const char *escseq;					      \
 									      \
 +		if (outptr + 4 > outend)				      \
 +		  {							      \
 +		    result = __GCONV_FULL_OUTPUT;			      \
 +		    break;						      \
 +		  }							      \
 +									      \
 		assert ((used >> 5) >= 3 && (used >> 5) <= 7);		      \
 		escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2;		      \
 		*outptr++ = ESC;					      \
 diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
 new file mode 100644
 index 0000000000..96a8765fd5
 --- /dev/null
 +++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
@@ -0,0 +1,128 @@
 +/* Verify ISO-2022-CN-EXT does not write out of the bounds.
 +   Copyright (C) 2024 Free Software Foundation, Inc.
 +   This file is part of the GNU C Library.
 +
 +   The GNU C Library is free software; you can redistribute it and/or
 +   modify it under the terms of the GNU Lesser General Public
 +   License as published by the Free Software Foundation; either
 +   version 2.1 of the License, or (at your option) any later version.
 +
 +   The GNU C Library is distributed in the hope that it will be useful,
 +   but WITHOUT ANY WARRANTY; without even the implied warranty of
 +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +   Lesser General Public License for more details.
 +
 +   You should have received a copy of the GNU Lesser General Public
 +   License along with the GNU C Library; if not, see
 +   <https://www.gnu.org/licenses/>.  */
 +
 +#include <stdio.h>
 +#include <string.h>
 +
 +#include <errno.h>
 +#include <iconv.h>
 +#include <sys/mman.h>
 +
 +#include <support/xunistd.h>
 +#include <support/check.h>
 +#include <support/support.h>
 +
 +/* The test sets up a two memory page buffer with the second page marked
 +   PROT_NONE to trigger a fault if the conversion writes beyond the exact
 +   expected amount.  Then we carry out various conversions and precisely
 +   place the start of the output buffer in order to trigger a SIGSEGV if the
 +   process writes anywhere between 1 and page sized bytes more (only one
 +   PROT_NONE page is setup as a canary) than expected.  These tests exercise
 +   all three of the cases in ISO-2022-CN-EXT where the converter must switch
 +   character sets and may run out of buffer space while doing the
 +   operation.  */
 +
 +static int
 +do_test (void)
 +{
 +  iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
 +  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
 +
 +  char *ntf;
 +  size_t ntfsize;
 +  char *outbufbase;
 +  {
 +    int pgz = getpagesize ();
 +    TEST_VERIFY_EXIT (pgz > 0);
 +    ntfsize = 2 * pgz;
 +
 +    ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
 +		 | MAP_ANONYMOUS, -1);
 +    xmprotect (ntf + pgz, pgz, PROT_NONE);
 +
 +    outbufbase = ntf + pgz;
 +  }
 +
 +  /* Check if SOdesignation escape sequence does not trigger an OOB write.  */
 +  {
 +    char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
 +
 +    for (int i = 0; i < 9; i++)
 +      {
 +	char *inp = inbuf;
 +	size_t inleft = sizeof (inbuf) - 1;
 +
 +	char *outp = outbufbase - i;
 +	size_t outleft = i;
 +
 +	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
 +			  == (size_t) -1);
 +	TEST_COMPARE (errno, E2BIG);
 +
 +	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
 +      }
 +  }
 +
 +  /* Same as before for SS2designation.  */
 +  {
 +    char inbuf[] = "㴽 \xe3\xb4\xbd";
 +
 +    for (int i = 0; i < 14; i++)
 +      {
 +	char *inp = inbuf;
 +	size_t inleft = sizeof (inbuf) - 1;
 +
 +	char *outp = outbufbase - i;
 +	size_t outleft = i;
 +
 +	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
 +			  == (size_t) -1);
 +	TEST_COMPARE (errno, E2BIG);
 +
 +	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
 +      }
 +  }
 +
 +  /* Same as before for SS3designation.  */
 +  {
 +    char inbuf[] = "劄 \xe5\x8a\x84";
 +
 +    for (int i = 0; i < 14; i++)
 +      {
 +	char *inp = inbuf;
 +	size_t inleft = sizeof (inbuf) - 1;
 +
 +	char *outp = outbufbase - i;
 +	size_t outleft = i;
 +
 +	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
 +			  == (size_t) -1);
 +	TEST_COMPARE (errno, E2BIG);
 +
 +	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
 +      }
 +  }
 +
 +  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
 +
 +  xmunmap (ntf, ntfsize);
 +
 +  return 0;
 +}
 +
 +#include <support/test-driver.c>
 -- 
 2.44.0