From f9d53db9a4ba3c5f26160256a727a7defefd1e1216fe44082ae65b100023e606 Mon Sep 17 00:00:00 2001
From: Christophe Giboudeaux
Date: Mon, 27 Apr 2020 12:57:20 +0000
Subject: [PATCH] Accepting request 798249 from home:Vogtinator:qt5.14

- Add patch to fix use-after-free (boo#1170582, CVE-2020-12267):
  * 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch

OBS-URL: https://build.opensuse.org/request/show/798249
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.14/libqt5-qtbase?expand=0&rev=10
---
 ...orter-fix-use-after-free-add-fuzz-ge.patch | 142 ++++++++++++++++++
 libqt5-qtbase.changes | 6 +
 libqt5-qtbase.spec | 1 +
 3 files changed, 149 insertions(+)
 create mode 100644 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch

diff --git a/0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch b/0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch
new file mode 100644
index 0000000..5a0a82e
--- /dev/null
+++ b/0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch
@@ -0,0 +1,142 @@ +From 9dcf75766469dbe61c19389bae0413767360c234 Mon Sep 17 00:00:00 2001 +From: Shawn Rutledge +Date: Mon, 24 Feb 2020 16:23:27 +0100 +Subject: [PATCH] QTextMarkdownImporter: fix use after free; add fuzz-generated + tests + +It was possible to end up with a dangling pointer in m_listStack. +This is now avoided by using QPointer and doing nullptr checks before +accessing any QTextList pointer stored there. + +We have 2 specimens of garbage that caused crashes before; now they don't. +But only fuzz20450 triggered the dangling pointer in the list stack. +The crash caused by fuzz20580 was fixed by updating md4c from upstream: +4b0fc030777cd541604f5ebaaad47a2b76d61ff9 + +Change-Id: I8e1eca23b281256a03aea0f55e9ae20f1bdd2a38 +Reviewed-by: Robert Loehning +--- + src/gui/text/qtextmarkdownimporter.cpp | 7 ++++-- + src/gui/text/qtextmarkdownimporter_p.h | 2 +- + .../qtextmarkdownimporter/data/fuzz20450.md | 5 ++++ + .../qtextmarkdownimporter/data/fuzz20580.md | 1 + + .../qtextmarkdownimporter.pro | 2 ++ + .../tst_qtextmarkdownimporter.cpp | 24 +++++++++++++++++++ + 6 files changed, 38 insertions(+), 3 deletions(-) + create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md + create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md + +diff --git a/src/gui/text/qtextmarkdownimporter.cpp b/src/gui/text/qtextmarkdownimporter.cpp +index 88965046ce..ea62d5c2e5 100644 +--- a/src/gui/text/qtextmarkdownimporter.cpp ++++ b/src/gui/text/qtextmarkdownimporter.cpp +@@ -575,7 +575,10 @@ void QTextMarkdownImporter::insertBlock() + QTextBlockFormat blockFormat; + if (!m_listStack.isEmpty() && !m_needsInsertList && m_listItem) { + QTextList *list = m_listStack.top(); +- blockFormat = list->item(list->count() - 1).blockFormat(); ++ if (list) ++ blockFormat = list->item(list->count() - 1).blockFormat(); ++ else ++ qWarning() << "attempted to insert into a list that no longer exists"; + } + if (m_blockQuoteDepth) { + 
blockFormat.setProperty(QTextFormat::BlockQuoteLevel, m_blockQuoteDepth); +@@ -605,7 +608,7 @@ void QTextMarkdownImporter::insertBlock() + } + if (m_needsInsertList) { + m_listStack.push(m_cursor->createList(m_listFormat)); +- } else if (!m_listStack.isEmpty() && m_listItem) { ++ } else if (!m_listStack.isEmpty() && m_listItem && m_listStack.top()) { + m_listStack.top()->add(m_cursor->block()); + } + m_needsInsertList = false; +diff --git a/src/gui/text/qtextmarkdownimporter_p.h b/src/gui/text/qtextmarkdownimporter_p.h +index f450da5eb3..e3b4bcd0f2 100644 +--- a/src/gui/text/qtextmarkdownimporter_p.h ++++ b/src/gui/text/qtextmarkdownimporter_p.h +@@ -113,7 +113,7 @@ private: + #endif + QString m_blockCodeLanguage; + QVector m_nonEmptyTableCells; // in the current row +- QStack m_listStack; ++ QStack> m_listStack; + QStack m_spanFormatStack; + QFont m_monoFont; + QPalette m_palette; +diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md +new file mode 100644 +index 0000000000..d7005cb01e +--- /dev/null ++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20450.md +@@ -0,0 +1,5 @@ ++ÿ ++* ÿ ++ ++ ÿ ++* ÿ +\ No newline at end of file +diff --git a/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md +new file mode 100644 +index 0000000000..22006f5876 +--- /dev/null ++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/fuzz20580.md +@@ -0,0 +1 @@ ++| --:| ("warning"); ++ QTest::newRow("fuzz20450") << "attempted to insert into a list that no longer exists"; ++ QTest::newRow("fuzz20580") << ""; ++} ++ ++void tst_QTextMarkdownImporter::pathological() // avoid crashing on crazy input ++{ ++ QFETCH(QString, warning); ++ QString filename = QLatin1String("data/") + QTest::currentDataTag() + QLatin1String(".md"); ++ QFile f(QFINDTESTDATA(filename)); ++ QVERIFY(f.open(QFile::ReadOnly)); ++#ifdef QT_NO_DEBUG ++ 
Q_UNUSED(warning) ++#else ++ if (!warning.isEmpty()) ++ QTest::ignoreMessage(QtWarningMsg, warning.toLatin1()); ++#endif ++ QTextDocument().setMarkdown(f.readAll()); ++} ++ + QTEST_MAIN(tst_QTextMarkdownImporter) + #include "tst_qtextmarkdownimporter.moc" +-- +2.25.1 + diff --git a/libqt5-qtbase.changes b/libqt5-qtbase.changes index d4afe4d..3d405d0 100644 --- a/libqt5-qtbase.changes +++ b/libqt5-qtbase.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Apr 27 12:45:07 UTC 2020 - Fabian Vogt + +- Add patch to fix use-after-free (boo#1170582, CVE-2020-12267): + * 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch + ------------------------------------------------------------------- Mon Jan 27 13:13:57 UTC 2020 - Fabian Vogt diff --git a/libqt5-qtbase.spec b/libqt5-qtbase.spec index e2d7ce7..57f800a 100644 --- a/libqt5-qtbase.spec +++ b/libqt5-qtbase.spec @@ -66,6 +66,7 @@ Patch22: 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch Patch23: 0003-Revert-White-list-more-recent-Mesa-version-for-multi.patch Patch24: fix-fixqt4headers.patch # patches 1000-2000 and above from upstream 5.14 branch # +Patch1000: 0001-QTextMarkdownImporter-fix-use-after-free-add-fuzz-ge.patch # patches 2000-3000 and above from upstream 5.15/dev branch # # Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384 Patch2001: 0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch
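Review bot: The null-list branch added at `@@ -575,7 +575,10 @@` in qtextmarkdownimporter.cpp only warns and leaves the dead entry on `m_listStack`, and the `&& m_listStack.top()` guard in the second hunk likewise only skips `add()`, so every later item at that nesting depth repeats the warning and its block is attached to no list. Guarding the dereference through QPointer does remove the use-after-free this backport targets, but the importer is left with stale state it never repairs; popping dead entries where they are detected, e.g. `while (!m_listStack.isEmpty() && m_listStack.top().isNull()) m_listStack.pop();` ahead of the `if (!m_listStack.isEmpty() && !m_needsInsertList && m_listItem)` test, would keep the stack consistent. Whether something else pops the stack is not visible: the rest of insertBlock() and the list-end handling lie outside the hunk, so this is inferred from the two hunks alone. The header change would also benefit from a comment on the member explaining why it holds guarded pointers, `// QPointer: the QTextList can be deleted by the document while still referenced here`. Note that in this rendering the template arguments on the `m_listStack` declaration and a span covering the fuzz20580.md, .pro and start of the test-file hunks were lost, so those parts cannot be reviewed from the page.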
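Review bot: `Patch1000:` is declared in the `@@ -66,6 +66,7 @@` hunk of libqt5-qtbase.spec, but the hunk shows no matching application step, and whether `%prep` uses `%autosetup`/`%autopatch` or explicit `%patchN` lines is outside the hunk. If patches are applied individually, a `%patch1000 -p1` line is needed in `%prep`, otherwise the CVE-2020-12267 fix is declared but never built in. The number follows the `# patches 1000-2000 and above from upstream 5.14 branch` comment, which matches the patch's origin.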