From 866e482bc67499d343a84f5c83ac9ac3c3a872101378ab3393bba17a41af5206 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Schr=C3=B6der?=
Date: Tue, 5 Jan 2021 15:40:08 +0000
Subject: [PATCH] - fix potential access of freed mem in ndb's glue code [bnc#1179416]

OBS-URL: https://build.opensuse.org/package/show/Base:System/rpm?expand=0&rev=565
---
 ndbglue.diff | 142 +++++++----------------------------------------
 python-rpm.spec | 2 +-
 rpm.changes | 2 +-
 rpm.spec | 2 +-
 4 files changed, 22 insertions(+), 126 deletions(-)

diff --git a/ndbglue.diff b/ndbglue.diff
index 2907c53..6413dcc 100644
--- a/ndbglue.diff
+++ b/ndbglue.diff
@@ -1,135 +1,31 @@ ---- ./lib/backend/ndb/glue.c.orig -+++ ./lib/backend/ndb/glue.c -@@ -19,6 +19,8 @@ struct dbiCursor_s { - const void *key; - unsigned int keylen; - unsigned int hdrNum; -+ void *data; -+ unsigned int datalen; - int flags; +--- ./lib/backend/ndb/glue.c.orig 2021-01-05 15:36:03.097744355 +0000 ++++ ./lib/backend/ndb/glue.c 2021-01-05 15:36:35.353659287 +0000 +@@ -316,7 +316,7 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, - unsigned int *list; -@@ -33,7 +35,7 @@ struct ndbEnv_s { - int refs; - int dofsync; - -- unsigned int hdrNum; -+ unsigned int hdrNum; /* free for adoption */ - void *data; - unsigned int datalen; - }; -@@ -278,6 +280,40 @@ static int ndb_Ctrl(rpmdb rdb, dbCtrlOp ctrl) - return 0; - } - -+static void setenvdata(struct ndbEnv_s *ndbenv, unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen) -+{ -+ if (ndbenv->data) -+ free(ndbenv->data); -+ ndbenv->hdrNum = hdrNum; -+ ndbenv->data = hdrBlob; -+ ndbenv->datalen = hdrLen; -+} -+ -+static void setdata(dbiCursor dbc, unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen) -+{ -+ struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv; -+ if (ndbenv->data) -+ setenvdata(ndbenv, 0, 0, 0); /* clear dbenv cache */ -+ if (dbc->data) -+ free(dbc->data); -+ dbc->hdrNum = hdrNum; -+ dbc->data = hdrBlob; -+ dbc->datalen = hdrLen; -+} -+ -+static void adoptdata(dbiCursor dbc) -+{ -+ struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv; -+ if (dbc->data) -+ free(dbc->data); -+ dbc->hdrNum = ndbenv->hdrNum; -+ dbc->data = ndbenv->data; -+ dbc->datalen = ndbenv->datalen; -+ ndbenv->hdrNum = 0; -+ ndbenv->data = 0; -+ ndbenv->datalen = 0; -+} -+ - static dbiCursor ndb_CursorInit(dbiIndex dbi, unsigned int flags) - { - dbiCursor dbc = xcalloc(1, sizeof(*dbc)); -@@ -293,21 +329,17 @@ static dbiCursor ndb_CursorFree(dbiIndex dbi, dbiCursor dbc) - free(dbc->list); - if (dbc->listdata) - free(dbc->listdata); -+ if (dbc->data) { -+ /* release data into dbenv so that the next cursor 
can adopt it */ -+ struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv; -+ setenvdata(ndbenv, dbc->hdrNum, dbc->data, dbc->datalen); -+ } - free(dbc); + if (hnum == 0) { + rc = rpmpkgNextPkgIdx(dbc->dbi->dbi_db, &hnum); +- if (!rc) ++ if (!rc && ndbenv->hdrNum == hnum) + setdata(dbc, hnum, 0, 0); } - return NULL; - } - --static void setdata(dbiCursor dbc, unsigned int hdrNum, unsigned char *hdrBlob, unsigned int hdrLen) --{ -- struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv; -- if (ndbenv->data) -- free(ndbenv->data); -- ndbenv->hdrNum = hdrNum; -- ndbenv->data = hdrBlob; -- ndbenv->datalen = hdrLen; --} - - static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc, unsigned int *hdrNum, unsigned char *hdrBlob, unsigned int hdrLen) - { -@@ -324,7 +356,6 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc, unsigned int *hdrNum, un - rc = rpmpkgPut(dbc->dbi->dbi_db, hnum, hdrBlob, hdrLen); +@@ -325,7 +325,8 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, if (!rc) { -- dbc->hdrNum = hnum; - setdata(dbc, hnum, 0, 0); + dbc->hdrNum = hnum; +- setdata(dbc, hnum, 0, 0); ++ if (ndbenv->hdrNum == hnum) ++ setdata(dbc, hnum, 0, 0); *hdrNum = hnum; } -@@ -333,7 +364,6 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, dbiCursor dbc, unsigned int *hdrNum, un - + return rc; +@@ -334,7 +335,8 @@ static rpmRC ndb_pkgdbPut(dbiIndex dbi, static rpmRC ndb_pkgdbDel(dbiIndex dbi, dbiCursor dbc, unsigned int hdrNum) { -- dbc->hdrNum = 0; - setdata(dbc, 0, 0, 0); + dbc->hdrNum = 0; +- setdata(dbc, 0, 0, 0); ++ if (ndbenv->hdrNum == hnum) ++ setdata(dbc, 0, 0, 0); return rpmpkgDel(dbc->dbi->dbi_db, hdrNum); } -@@ -362,7 +392,6 @@ static rpmRC ndb_pkgdbIter(dbiIndex dbi, dbiCursor dbc, unsigned char **hdrBlob, - break; - dbc->ilist++; - if (!rc) { -- dbc->hdrNum = hdrNum; - setdata(dbc, hdrNum, *hdrBlob, *hdrLen); - break; - } -@@ -377,16 +406,16 @@ static rpmRC ndb_pkgdbGet(dbiIndex dbi, dbiCursor dbc, unsigned int hdrNum, unsi - - if (!hdrNum) - return ndb_pkgdbIter(dbi, dbc, hdrBlob, 
hdrLen); -- if (hdrNum == ndbenv->hdrNum && ndbenv->data) { -- *hdrBlob = ndbenv->data; -- *hdrLen = ndbenv->datalen; -+ if (!dbc->data && ndbenv->data) -+ adoptdata(dbc); -+ if (dbc->data && hdrNum == dbc->hdrNum) { -+ *hdrBlob = dbc->data; -+ *hdrLen = dbc->datalen; - return RPMRC_OK; - } - rc = rpmpkgGet(dbc->dbi->dbi_db, hdrNum, hdrBlob, hdrLen); -- if (!rc) { -- dbc->hdrNum = hdrNum; -+ if (!rc) - setdata(dbc, hdrNum, *hdrBlob, *hdrLen); -- } - return rc; - } diff --git a/python-rpm.spec b/python-rpm.spec index 3c2e5c0..95709e4 100644 --- a/python-rpm.spec +++ b/python-rpm.spec @@ -1,7 +1,7 @@ # # spec file for package python-rpm # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # Copyright (c) 2017 Neal Gompa . # # All modifications and additions to the file contributed by third parties diff --git a/rpm.changes b/rpm.changes index aa56cea..f5abc5b 100644 --- a/rpm.changes +++ b/rpm.changes @@ -1,7 +1,7 @@ ------------------------------------------------------------------- Mon Dec 21 16:29:40 CET 2020 - mls@suse.de -- rework header data handling in ndb's glue code [bnc#1179416] +- fix potential access of freed mem in ndb's glue code [bnc#1179416] * new patch: ndbglue.diff ------------------------------------------------------------------- diff --git a/rpm.spec b/rpm.spec index 389f1a2..a758c1f 100644 --- a/rpm.spec +++ b/rpm.spec @@ -1,7 +1,7 @@ # # spec file for package rpm # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed
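Review bot: In the new ndb_pkgdbDel hunk (`@@ -334,7 +335,8 @@`) the added guard `if (ndbenv->hdrNum == hnum)` compares against `hnum`, but that function's header-number parameter is `hdrNum` (its signature is in the hunk) and its body, which the hunk shows in full, declares neither `hnum` nor `ndbenv`; `hnum` is the local of ndb_pkgdbPut, and ndb_pkgdbPut's `ndbenv` is presumably declared above its own hunk. Unless both names happen to exist at file scope, this does not compile, and if `hnum` did resolve to something else the cursor's cached blob for the deleted header would be left in place, which is exactly the stale-data case the commit is trying to close. The guard should read `if (ndbenv->hdrNum == hdrNum)` with `struct ndbEnv_s *ndbenv = dbc->dbi->dbi_rpmdb->db_dbenv;` declared at the top of ndb_pkgdbDel, the same way the removed helpers in the old ndbglue.diff obtained it. The two ndb_pkgdbPut hunks above it compare against the correct `hnum` and need no change.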