Accepting request 566471 from home:kbabioch:branches:devel:libraries:c_c++

- CVE-2016-8859.patch: Fix multiple integer overflows which allowed
  attackers to cause memory corruption via a large number of (1) states or
  (2) tags, which triggered an out-of-bounds write (bnc#1005483)

OBS-URL: https://build.opensuse.org/request/show/566471
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/tre?expand=0&rev=17
This commit is contained in:
Adam Majer 2018-01-18 09:50:39 +00:00 committed by Git OBS Bridge
parent 16ce85f704
commit 5918c9cc94
3 changed files with 83 additions and 1 deletions

73
CVE-2016-8859.patch Normal file
View File

@ -0,0 +1,73 @@
From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Thu, 6 Oct 2016 18:34:58 -0400
Subject: fix missing integer overflow checks in regexec buffer size
computations
most of the possible overflows were already ruled out in practice by
regcomp having already succeeded performing larger allocations.
however at least the num_states*num_tags multiplication can clearly
overflow in practice. for safety, check them all, and use the proper
type, size_t, rather than int.
also improve comments, use calloc in place of malloc+memset, and
remove bogus casts.
---
src/regex/regexec.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
Note: patch was modified to apply to tre, parts were taken from
https://github.com/laurikari/tre/issues/37
--- a/lib/tre-match-parallel.c
+++ b/lib/tre-match-parallel.c
@@ -59,6 +59,7 @@ char *alloca ();
#ifdef HAVE_MALLOC_H
#include <malloc.h>
#endif /* HAVE_MALLOC_H */
+#include <stdint.h>
#include "tre-internal.h"
#include "tre-match-utils.h"
@@ -150,11 +151,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *
/* Allocate memory for temporary data required for matching. This needs to
be done for every matching operation to be thread safe. This allocates
- everything in a single large block from the stack frame using alloca()
- or with malloc() if alloca is unavailable. */
+ everything in a single large block with calloc(). */
{
- int tbytes, rbytes, pbytes, xbytes, total_bytes;
+ size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
char *tmp_buf;
+
+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
+ if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
+ return REG_BADPAT;
+
+ /* Likewise check rbytes. */
+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
+ return REG_BADPAT;
+
+ /* Likewise check pbytes. */
+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
+ return REG_BADPAT;
+
/* Compute the length of the block we need. */
tbytes = sizeof(*tmp_tags) * num_tags;
rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
@@ -168,11 +182,11 @@ tre_tnfa_run_parallel(const tre_tnfa_t *
#ifdef TRE_USE_ALLOCA
buf = alloca(total_bytes);
#else /* !TRE_USE_ALLOCA */
- buf = xmalloc((unsigned)total_bytes);
+ buf = xmalloc(total_bytes);
#endif /* !TRE_USE_ALLOCA */
if (buf == NULL)
return REG_ESPACE;
- memset(buf, 0, (size_t)total_bytes);
+ memset(buf, 0, total_bytes);
/* Get the various pointers within tmp_buf (properly aligned). */
tmp_tags = (void *)buf;

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jan 16 16:08:41 UTC 2018 - kbabioch@suse.com
- CVE-2016-8859.patch: Fix multiple integer overflows which allowed
attackers to cause memory corruption via a large number of (1) states or
(2) tags, which triggered an out-of-bounds write (bnc#1005483)
-------------------------------------------------------------------
Thu Apr 24 09:06:44 UTC 2014 - pgajdos@suse.com

View File

@ -1,7 +1,7 @@
#
# spec file for package tre
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -32,6 +32,7 @@ Patch0: %{name}.diff
# Update the python build to fix wrong include and lib paths.
# See https://github.com/laurikari/tre/pull/19.
Patch1: %{name}-chicken.patch
Patch2: CVE-2016-8859.patch
BuildRequires: gettext-devel
BuildRequires: libtool
BuildRequires: pkgconfig
@ -94,6 +95,7 @@ This package contains the python bindings for the TRE library.
%setup -q
%patch0 -p1
%patch1 -p1 -b .chicken
%patch2 -p1
./utils/autogen.sh
%build