tag -1 patch thanks Attached is the proposed patch onto debian repo for this bug. Note that because the patch order is important (one patch depends on another).
Some tests on the original PRs did not apply because there were no such files in 1.48 Please review before apply since I don't know whether any of these CVEs are introduced by changes not in 1.48. Thanks, Yao Wei
From 3fdae0f56ce61fcbb9fe617f8d084f81655f0270 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yao=20Wei=20=28=E9=AD=8F=E9=8A=98=E5=BB=B7=29?= <m...@debian.org> Date: Sun, 25 Apr 2021 06:52:42 +0800 Subject: [PATCH] CVE fixups (Closes #986803) --- debian/patches/series | 9 +++ debian/patches/u-CVE-2021-28875.patch | 49 ++++++++++++++ debian/patches/u-CVE-2021-28876.patch | 37 +++++++++++ debian/patches/u-CVE-2021-28877.patch | 71 ++++++++++++++++++++ debian/patches/u-CVE-2021-28878.patch | 70 ++++++++++++++++++++ debian/patches/u-CVE-2021-28879.patch | 30 +++++++++ debian/patches/u-CVE-2021-36317.patch | 66 +++++++++++++++++++ debian/patches/u-CVE-2021-36318.patch | 93 +++++++++++++++++++++++++++ 8 files changed, 425 insertions(+) create mode 100644 debian/patches/u-CVE-2021-28875.patch create mode 100644 debian/patches/u-CVE-2021-28876.patch create mode 100644 debian/patches/u-CVE-2021-28877.patch create mode 100644 debian/patches/u-CVE-2021-28878.patch create mode 100644 debian/patches/u-CVE-2021-28879.patch create mode 100644 debian/patches/u-CVE-2021-36317.patch create mode 100644 debian/patches/u-CVE-2021-36318.patch diff --git a/debian/patches/series b/debian/patches/series index 89fdfba4a..2207db5af 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -45,3 +45,12 @@ d-fix-mips64el-bootstrap.patch # Work around for some porterboxes, keep this commented #d-host-duplicates.patch + +# Upstream CVE fixes, no upstream needed +u-CVE-2021-28875.patch +u-CVE-2021-28876.patch +u-CVE-2021-28877.patch +u-CVE-2021-28879.patch +u-CVE-2021-28878.patch +u-CVE-2021-36317.patch +u-CVE-2021-36318.patch diff --git a/debian/patches/u-CVE-2021-28875.patch b/debian/patches/u-CVE-2021-28875.patch new file mode 100644 index 000000000..e0ed5cabc --- /dev/null +++ b/debian/patches/u-CVE-2021-28875.patch @@ -0,0 +1,49 @@ +Bug: https://github.com/rust-lang/rust/pull/80895 +Bug-Debian: https://bugs.debian.org/986803 +From ebe402dc9e708a8ed5e5860a7b30ea7826ab52a1 Mon Sep 17 00:00:00 2001 +From: Steven Fackler <sfack...@gmail.com> +Date: Mon, 11 Jan 2021 07:27:03 -0500 +Subject: [PATCH 1/4] Fix handling of malicious Readers in read_to_end + +--- a/library/std/src/io/mod.rs ++++ b/library/std/src/io/mod.rs +@@ -364,7 +364,6 @@ + { + let start_len = buf.len(); + let mut g = Guard { len: buf.len(), buf }; +- let ret; + loop { + if g.len == g.buf.len() { + unsafe { +@@ -383,21 +382,20 @@ + } + } + +- match r.read(&mut g.buf[g.len..]) { +- Ok(0) => { +- ret = Ok(g.len - start_len); +- break; ++ let buf = &mut g.buf[g.len..]; ++ match r.read(buf) { ++ Ok(0) => return Ok(g.len - start_len), ++ Ok(n) => { ++ // We can't allow bogus values from read. If it is too large, the returned vec could have its length ++ // set past its capacity, or if it overflows the vec could be shortened which could create an invalid ++ // string if this is called via read_to_string. ++ assert!(n <= buf.len()); ++ g.len += n; + } +- Ok(n) => g.len += n, + Err(ref e) if e.kind() == ErrorKind::Interrupted => {} +- Err(e) => { +- ret = Err(e); +- break; +- } ++ Err(e) => return Err(e), + } + } +- +- ret + } + + pub(crate) fn default_read_vectored<F>(read: F, bufs: &mut [IoSliceMut<'_>]) -> Result<usize> diff --git a/debian/patches/u-CVE-2021-28876.patch b/debian/patches/u-CVE-2021-28876.patch new file mode 100644 index 000000000..8462d2830 --- /dev/null +++ b/debian/patches/u-CVE-2021-28876.patch @@ -0,0 +1,37 @@ +Bug: https://github.com/rust-lang/rust/pull/81741 +Bug-Debian: https://bugs.debian.org/986803 + +From 86a4b27475aab52b998c15f5758540697cc9cff0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebast...@centricular.com> +Date: Thu, 4 Feb 2021 10:23:01 +0200 +Subject: [PATCH] Increment `self.index` before calling + `Iterator::self.a.__iterator_get_unchecked` in `Zip` `TrustedRandomAccess` + specialization + +Otherwise if `Iterator::self.a.__iterator_get_unchecked` panics the +index would not have been incremented yet and another call to +`Iterator::next` would read from the same index again, which is not +allowed according to the API contract of `TrustedRandomAccess` for +`!Clone`. + +Fixes https://github.com/rust-lang/rust/issues/81740 + +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -201,12 +201,13 @@ + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } + } else if A::may_have_side_effect() && self.index < self.a.size() { ++ let i = self.index; ++ self.index += 1; + // match the base implementation's potential side effects +- // SAFETY: we just checked that `self.index` < `self.a.len()` ++ // SAFETY: we just checked that `i` < `self.a.len()` + unsafe { +- self.a.__iterator_get_unchecked(self.index); ++ self.a.__iterator_get_unchecked(i); + } +- self.index += 1; + None + } else { + None diff --git a/debian/patches/u-CVE-2021-28877.patch b/debian/patches/u-CVE-2021-28877.patch new file mode 100644 index 000000000..3fcf7e028 --- /dev/null +++ b/debian/patches/u-CVE-2021-28877.patch @@ -0,0 +1,71 @@ +Bug: https://github.com/rust-lang/rust/pull/80670 +Bug-Debian: https://bugs.debian.org/986803 + +From af2983a9122138cb9055b79fda54e72f71599a6f Mon Sep 17 00:00:00 2001 +From: The8472 <g...@infinite-source.de> +Date: Mon, 4 Jan 2021 01:08:13 +0100 +Subject: [PATCH] TrustedRandomAaccess spec composes incorrectly for nested + iter::Zips + +After partially consuming a Zip adapter and then wrapping it into +another Zip where the adapters use their TrustedRandomAccess specializations +leads to the outer adapter returning elements which should have already been +consumed. + +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -290,6 +290,7 @@ + + #[inline] + unsafe fn get_unchecked(&mut self, idx: usize) -> <Self as Iterator>::Item { ++ let idx = self.index + idx; + // SAFETY: the caller must uphold the contract for + // `Iterator::__iterator_get_unchecked`. + unsafe { (self.a.__iterator_get_unchecked(idx), self.b.__iterator_get_unchecked(idx)) } +--- a/library/core/tests/iter.rs ++++ b/library/core/tests/iter.rs +@@ -2,6 +2,7 @@ + + use core::cell::Cell; + use core::convert::TryFrom; ++use core::iter::TrustedRandomAccess; + use core::iter::*; + + #[test] +@@ -499,6 +500,26 @@ + } + + #[test] ++fn test_zip_trusted_random_access_composition() { ++ let a = [0, 1, 2, 3, 4]; ++ let b = a; ++ let c = a; ++ ++ let a = a.iter().copied(); ++ let b = b.iter().copied(); ++ let mut c = c.iter().copied(); ++ c.next(); ++ ++ let mut z1 = a.zip(b); ++ assert_eq!(z1.next().unwrap(), (0, 0)); ++ ++ let mut z2 = z1.zip(c); ++ fn assert_trusted_random_access<T: TrustedRandomAccess>(_a: &T) {} ++ assert_trusted_random_access(&z2); ++ assert_eq!(z2.next().unwrap(), ((1, 1), 1)); ++} ++ ++#[test] + fn test_iterator_step_by() { + // Identity + let mut it = (0..).step_by(1).take(3); +--- a/library/core/tests/lib.rs ++++ b/library/core/tests/lib.rs +@@ -59,6 +59,7 @@ + #![feature(once_cell)] + #![feature(unsafe_block_in_unsafe_fn)] + #![feature(int_bits_const)] ++#![feature(trusted_random_access)] + #![deny(unsafe_op_in_unsafe_fn)] + + extern crate test; diff --git a/debian/patches/u-CVE-2021-28878.patch b/debian/patches/u-CVE-2021-28878.patch new file mode 100644 index 000000000..d7ceaf804 --- /dev/null +++ b/debian/patches/u-CVE-2021-28878.patch @@ -0,0 +1,70 @@ +Bug: https://github.com/rust-lang/rust/pull/82292 +Bug-Debian: https://bugs.debian.org/986803 +Comment: Note that test has been dropped since rustc 1.48 does not have test + for responding mod yet. + +From 2371914a05f8f2763dffe6e2511d0870bcd6b461 Mon Sep 17 00:00:00 2001 +From: Giacomo Stevanato <giaco.stevan...@gmail.com> +Date: Wed, 3 Mar 2021 21:09:01 +0100 +Subject: [PATCH 1/2] Prevent Zip specialization from calling + __iterator_get_unchecked twice with the same index after calling next_back + +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -16,9 +16,10 @@ + pub struct Zip<A, B> { + a: A, + b: B, +- // index and len are only used by the specialized version of zip ++ // index, len and a_len are only used by the specialized version of zip + index: usize, + len: usize, ++ a_len: usize, + } + impl<A: Iterator, B: Iterator> Zip<A, B> { + pub(in super::super) fn new(a: A, b: B) -> Zip<A, B> { +@@ -113,6 +114,7 @@ + b, + index: 0, // unused + len: 0, // unused ++ a_len: 0, // unused + } + } + +@@ -187,8 +189,9 @@ + B: TrustedRandomAccess + Iterator, + { + fn new(a: A, b: B) -> Self { +- let len = cmp::min(a.size(), b.size()); +- Zip { a, b, index: 0, len } ++ let a_len = a.size(); ++ let len = cmp::min(a_len, b.size()); ++ Zip { a, b, index: 0, len, a_len } + } + + #[inline] +@@ -200,7 +203,7 @@ + unsafe { + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } +- } else if A::may_have_side_effect() && self.index < self.a.size() { ++ } else if A::may_have_side_effect() && self.index < self.a_len { + let i = self.index; + self.index += 1; + self.len += 1; +@@ -267,6 +270,7 @@ + for _ in 0..sz_a - self.len { + self.a.next_back(); + } ++ self.a_len = self.len; + } + let sz_b = self.b.size(); + if b_side_effect && sz_b > self.len { +@@ -278,6 +282,7 @@ + } + if self.index < self.len { + self.len -= 1; ++ self.a_len -= 1; + let i = self.len; + // SAFETY: `i` is smaller than the previous value of `self.len`, + // which is also smaller than or equal to `self.a.len()` and `self.b.len()` diff --git a/debian/patches/u-CVE-2021-28879.patch b/debian/patches/u-CVE-2021-28879.patch new file mode 100644 index 000000000..f090caaed --- /dev/null +++ b/debian/patches/u-CVE-2021-28879.patch @@ -0,0 +1,30 @@ +Bug: https://github.com/rust-lang/rust/pull/82289 +Bug-Debian: https://bugs.debian.org/986803 +Comment: Note that test has been dropped since rustc 1.48 does not have test + for responding mod yet. + +From 66a260617a88ed1ad55a46f03c5a90d5ad3004d3 Mon Sep 17 00:00:00 2001 +From: Giacomo Stevanato <giaco.stevan...@gmail.com> +Date: Fri, 19 Feb 2021 12:15:37 +0100 +Subject: Increment self.len in specialized ZipImpl to avoid underflow in + size_hint + +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -203,6 +203,7 @@ + } else if A::may_have_side_effect() && self.index < self.a.size() { + let i = self.index; + self.index += 1; ++ self.len += 1; + // match the base implementation's potential side effects + // SAFETY: we just checked that `i` < `self.a.len()` + unsafe { +@@ -263,7 +264,7 @@ + if sz_a != sz_b { + let sz_a = self.a.size(); + if a_side_effect && sz_a > self.len { +- for _ in 0..sz_a - cmp::max(self.len, self.index) { ++ for _ in 0..sz_a - self.len { + self.a.next_back(); + } + } diff --git a/debian/patches/u-CVE-2021-36317.patch b/debian/patches/u-CVE-2021-36317.patch new file mode 100644 index 000000000..6984363c4 --- /dev/null +++ b/debian/patches/u-CVE-2021-36317.patch @@ -0,0 +1,66 @@ +Bug: https://github.com/rust-lang/rust/pull/78499 +Bug-Debian: https://bugs.debian.org/986803 + +From e83666f45e3d93439775daefda7800b2ab193d30 Mon Sep 17 00:00:00 2001 +From: Giacomo Stevanato <giaco.stevan...@gmail.com> +Date: Wed, 28 Oct 2020 18:52:45 +0100 +Subject: [PATCH 1/2] Prevent String::retain from creating non-utf8 strings + when abusing panic + +--- a/library/alloc/src/string.rs ++++ b/library/alloc/src/string.rs +@@ -1236,6 +1236,10 @@ + let mut del_bytes = 0; + let mut idx = 0; + ++ unsafe { ++ self.vec.set_len(0); ++ } ++ + while idx < len { + let ch = unsafe { self.get_unchecked(idx..len).chars().next().unwrap() }; + let ch_len = ch.len_utf8(); +@@ -1256,10 +1260,8 @@ + idx += ch_len; + } + +- if del_bytes > 0 { +- unsafe { +- self.vec.set_len(len - del_bytes); +- } ++ unsafe { ++ self.vec.set_len(len - del_bytes); + } + } + +--- a/library/alloc/tests/string.rs ++++ b/library/alloc/tests/string.rs +@@ -1,6 +1,7 @@ + use std::borrow::Cow; + use std::collections::TryReserveError::*; + use std::ops::Bound::*; ++use std::panic; + + pub trait IntoCow<'a, B: ?Sized> + where +@@ -378,6 +379,20 @@ + + s.retain(|_| false); + assert_eq!(s, ""); ++ ++ let mut s = String::from("0è0"); ++ let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| { ++ let mut count = 0; ++ s.retain(|_| { ++ count += 1; ++ match count { ++ 1 => false, ++ 2 => true, ++ _ => panic!(), ++ } ++ }); ++ })); ++ assert!(std::str::from_utf8(s.as_bytes()).is_ok()); + } + + #[test] diff --git a/debian/patches/u-CVE-2021-36318.patch b/debian/patches/u-CVE-2021-36318.patch new file mode 100644 index 000000000..cd49e4d4e --- /dev/null +++ b/debian/patches/u-CVE-2021-36318.patch @@ -0,0 +1,93 @@ +Bug: https://github.com/rust-lang/rust/pull/79814 +Bug-Debian: https://bugs.debian.org/986803 + +From 4fb9f1d7846f64beeec749db5933a24c05456ff2 Mon Sep 17 00:00:00 2001 +From: Bastian Kauschke <bastian_kausc...@hotmail.de> +Date: Tue, 8 Dec 2020 10:34:31 +0100 +Subject: [PATCH] fix unsoundness in `make_contiguous` + +--- a/library/alloc/src/collections/vec_deque.rs ++++ b/library/alloc/src/collections/vec_deque.rs +@@ -1495,6 +1495,8 @@ + + #[inline] + fn is_contiguous(&self) -> bool { ++ // FIXME: Should we consider `head == 0` to mean ++ // that `self` is contiguous? + self.tail <= self.head + } + +@@ -2224,7 +2226,7 @@ + if self.is_contiguous() { + let tail = self.tail; + let head = self.head; +- return unsafe { &mut self.buffer_as_mut_slice()[tail..head] }; ++ return unsafe { RingSlices::ring_slices(self.buffer_as_mut_slice(), head, tail).0 }; + } + + let buf = self.buf.ptr(); +@@ -2250,7 +2252,13 @@ + self.tail = 0; + self.head = len; + } +- } else if free >= self.head { ++ } else if free > self.head { ++ // FIXME: We currently do not consider ....ABCDEFGH ++ // to be contiguous because `head` would be `0` in this ++ // case. While we probably want to change this it ++ // isn't trivial as a few places expect `is_contiguous` ++ // to mean that we can just slice using `buf[tail..head]`. ++ + // there is enough free space to copy the head in one go, + // this means that we first shift the tail forwards, and then + // copy the head to the correct position. +@@ -2264,7 +2272,7 @@ + // ...ABCDEFGH. + + self.tail = self.head; +- self.head = self.tail + len; ++ self.head = self.wrap_add(self.tail, len); + } + } else { + // free is smaller than both head and tail, +@@ -2304,7 +2312,7 @@ + + let tail = self.tail; + let head = self.head; +- unsafe { &mut self.buffer_as_mut_slice()[tail..head] } ++ unsafe { RingSlices::ring_slices(self.buffer_as_mut_slice(), head, tail).0 } + } + + /// Rotates the double-ended queue `mid` places to the left. +@@ -3096,7 +3104,7 @@ + let len = other.len(); + let cap = other.cap(); + +- if other.head != 0 { ++ if other.tail != 0 { + ptr::copy(buf.add(other.tail), buf, len); + } + Vec::from_raw_parts(buf, len, cap) +--- a/library/alloc/src/collections/vec_deque/tests.rs ++++ b/library/alloc/src/collections/vec_deque/tests.rs +@@ -211,6 +211,20 @@ + } + + #[test] ++fn make_contiguous_head_to_end() { ++ let mut dq = VecDeque::with_capacity(3); ++ dq.push_front('B'); ++ dq.push_front('A'); ++ dq.push_back('C'); ++ dq.make_contiguous(); ++ let expected_tail = 0; ++ let expected_head = 3; ++ assert_eq!(expected_tail, dq.tail); ++ assert_eq!(expected_head, dq.head); ++ assert_eq!((&['A', 'B', 'C'] as &[_], &[] as &[_]), dq.as_slices()); ++} ++ ++#[test] + fn test_remove() { + // This test checks that every single combination of tail position, length, and + // removal position is tested. Capacity 15 should be large enough to cover every case. -- 2.31.1
signature.asc
Description: PGP signature
