Accepting request 282841 from Base:System

- grep-F-heap-overrun.patch: fix heap overrun with grep -F (CVE-2015-1345, bsc#914695) (forwarded request 282840 from Andreas_Schwab) OBS-URL: https://build.opensuse.org/request/show/282841 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grep?expand=0&rev=54
2015-02-08 10:41:14 +00:00 · 2015-02-08 10:41:14 +00:00 · 7e4f519036
commit 7e4f519036
parent 66105b9b52 0bfdea05de
3 changed files with 151 additions and 1 deletions
--- a/grep-F-heap-overrun.patch
+++ b/grep-F-heap-overrun.patch
@ -0,0 +1,141 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 1 Jan 2015 15:36:55 -0800
+Subject: [PATCH] grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file.  In that case, the number of
+bytes read may be far less than the size of the buffer.  However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match.  With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether.  This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* THANKS.in: Update.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+  printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+  Use of uninitialised value of size 8
+     at 0x4142BE: bmexec_trans (kwset.c:657)
+     by 0x4143CA: bmexec (kwset.c:678)
+     by 0x414973: kwsexec (kwset.c:848)
+     by 0x414DC4: Fexecute (kwsearch.c:128)
+     by 0x404E2E: grepbuf (grep.c:1238)
+     by 0x4054BF: grep (grep.c:1417)
+     by 0x405CEB: grepdesc (grep.c:1645)
+     by 0x405EC1: grep_command_line_arg (grep.c:1692)
+     by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+---
+ NEWS              |  5 +++++
+ THANKS.in         |  1 +
+ src/kwset.c       |  2 ++
+ tests/Makefile.am |  1 +
+ tests/kwset-abuse | 32 ++++++++++++++++++++++++++++++++
+ 5 files changed, 41 insertions(+)
+ create mode 100755 tests/kwset-abuse
+
+Index: grep-2.21/src/kwset.c
+===================================================================
+--- grep-2.21.orig/src/kwset.c
+++ grep-2.21/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const
+                     if (! tp)
+                       return -1;
+                     tp++;
+                    if (ep <= tp)
+                      break;
+                   }
+               }
+           }
+Index: grep-2.21/tests/Makefile.am
+===================================================================
+--- grep-2.21.orig/tests/Makefile.am
+++ grep-2.21/tests/Makefile.am
+@@ -72,6 +72,7 @@ TESTS =						\
+   inconsistent-range				\
+   invalid-multibyte-infloop			\
+   khadafy					\
+  kwset-abuse					\
+   long-line-vs-2GiB-read			\
+   match-lines					\
+   max-count-overread				\
+Index: grep-2.21/tests/Makefile.in
+===================================================================
+--- grep-2.21.orig/tests/Makefile.in
+++ grep-2.21/tests/Makefile.in
+@@ -1376,6 +1376,7 @@ TESTS = \
+   inconsistent-range				\
+   invalid-multibyte-infloop			\
+   khadafy					\
+  kwset-abuse					\
+   long-line-vs-2GiB-read			\
+   match-lines					\
+   max-count-overread				\
+@@ -2030,6 +2031,13 @@ khadafy.log: khadafy
+ 	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+ 	--log-file $$b.log --trs-file $$b.trs \
+ 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+	"$$tst" $(AM_TESTS_FD_REDIRECT)
+kwset-abuse.log: kwset-abuse
+	@p='kwset-abuse'; \
+	b='kwset-abuse'; \
+	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+	--log-file $$b.log --trs-file $$b.trs \
+	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ 	"$$tst" $(AM_TESTS_FD_REDIRECT)
+ long-line-vs-2GiB-read.log: long-line-vs-2GiB-read
+ 	@p='long-line-vs-2GiB-read'; \
+Index: grep-2.21/tests/kwset-abuse
+===================================================================
+--- /dev/null
+++ grep-2.21/tests/kwset-abuse
+@@ -0,0 +1,32 @@
+#! /bin/sh
+# Evoke a segfault in a hard-to-reach code path of kwset.c.
+# This bug affected grep versions 2.19 through 2.21.
+#
+# Copyright (C) 2015 Free Software Foundation, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ../src
+
+fail=0
+
+# This test case chooses a haystack of size 260,000, since prodding
+# with gdb showed a reallocation slightly larger than that in fillbuf.
+# To reach the buggy code, the needle must have length < 1/11 that of
+# the haystack, and 10,000 is a nice round number that fits the bill.
+printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
+
+test $? = 1 || fail=1
+
+Exit $fail
--- a/grep.changes
+++ b/grep.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jan 26 10:46:13 UTC 2015 - schwab@suse.de
+
+- grep-F-heap-overrun.patch: fix heap overrun with grep -F (CVE-2015-1345,
+  bsc#914695)
+
 -------------------------------------------------------------------
 Mon Jan 12 08:59:43 UTC 2015 - schwab@suse.de

--- a/grep.spec
+++ b/grep.spec
@ -1,7 +1,7 @@
 #
 # spec file for package grep
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,6 +26,7 @@ Url:            http://www.gnu.org/software/grep/
 Source0:        http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
 Source2:        http://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
 Source3:        http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=grep&download=1#/%{name}.keyring
+Patch0:         grep-F-heap-overrun.patch
 BuildRequires:  makeinfo
 BuildRequires:  pcre-devel
 BuildRequires:  xz
@ -43,6 +44,8 @@ the matching lines.

 %prep
 %setup -q
+%patch0 -p1
+chmod +x tests/kwset-abuse
 %if 0%{?suse_version} < 1120
 echo "ac_cv_search_pcre_compile=\${ac_cv_search_pcre_compile=%{_libdir}/libpcre.a}" >config.cache
 %endif