- fix multiple lzma segmentation faults - patch includes multiple fixing commits - test-cases have been removed due to binary data
Signed-off-by: Andrej Valek <andrej.va...@siemens.com> --- .../busybox/busybox-fix-unlzma-segfaults.patch | 106 +++++++++++++++++++++ meta/recipes-core/busybox/busybox_1.27.2.bb | 1 + 2 files changed, 107 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch new file mode 100644 index 0000000000..5215da74a5 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch @@ -0,0 +1,106 @@ +busybox-1.27.2: Fix zlma segfaults + +[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871 + +libarchive: check buffer index in lzma_decompress + +With specific defconfig busybox fails to check zip fileheader magic +(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c) +for decompression which leads to segmentation fault. It prevents accessing into +buffer, which is smaller than pos index. Patch includes multiple segmentation +fault fixes. + +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b] +bug: 10436 10871 +Signed-off-by: Andrej Valek <andrej.va...@siemens.com> + +diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c +index a904087..29eee2a 100644 +--- a/archival/libarchive/decompress_unlzma.c ++++ b/archival/libarchive/decompress_unlzma.c +@@ -11,6 +11,14 @@ + #include "libbb.h" + #include "bb_archive.h" + ++ ++#if 0 ++# define dbg(...) bb_error_msg(__VA_ARGS__) ++#else ++# define dbg(...) ((void)0) ++#endif ++ ++ + #if ENABLE_FEATURE_LZMA_FAST + # define speed_inline ALWAYS_INLINE + # define size_inline +@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate) + rc_t *rc; + int i; + uint8_t *buffer; ++ uint32_t buffer_size; + uint8_t previous_byte = 0; + size_t buffer_pos = 0, global_pos = 0; + int len = 0; +@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate) + if (header.dict_size == 0) + header.dict_size++; + +- buffer = xmalloc(MIN(header.dst_size, header.dict_size)); ++ buffer_size = MIN(header.dst_size, header.dict_size); ++ buffer = xmalloc(buffer_size); + + { + int num_probs; +@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate) + state = state < LZMA_NUM_LIT_STATES ? 9 : 11; + + pos = buffer_pos - rep0; +- if ((int32_t)pos < 0) ++ if ((int32_t)pos < 0) { + pos += header.dict_size; ++ /* see unzip_bad_lzma_2.zip: */ ++ if (pos >= buffer_size) ++ goto bad; ++ } + previous_byte = buffer[pos]; + goto one_byte1; + #else +@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate) + for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--) + rep0 = (rep0 << 1) | rc_direct_bit(rc); + rep0 <<= LZMA_NUM_ALIGN_BITS; ++ if ((int32_t)rep0 < 0) { ++ dbg("%d rep0:%d", __LINE__, rep0); ++ goto bad; ++ } + prob3 = p + LZMA_ALIGN; + } + i2 = 1; +@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate) + IF_NOT_FEATURE_LZMA_FAST(string:) + do { + uint32_t pos = buffer_pos - rep0; +- if ((int32_t)pos < 0) ++ if ((int32_t)pos < 0) { + pos += header.dict_size; ++ /* more stringent test (see unzip_bad_lzma_1.zip): */ ++ if (pos >= buffer_size) ++ goto bad; ++ } + previous_byte = buffer[pos]; + IF_NOT_FEATURE_LZMA_FAST(one_byte2:) + buffer[buffer_pos++] = previous_byte; +@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate) + IF_DESKTOP(total_written += buffer_pos;) + if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) { + bad: ++ /* One of our users, bbunpack(), expects _us_ to emit ++ * the error message (since it's the best place to give ++ * potentially more detailed information). ++ * Do not fail silently. ++ */ ++ bb_error_msg("corrupted data"); + total_written = -1; /* failure */ + } + rc_free(rc); + diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-core/busybox/busybox_1.27.2.bb index 36a6342aaf..9f0393505a 100644 --- a/meta/recipes-core/busybox/busybox_1.27.2.bb +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb @@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2011-5325.patch \ file://CVE-2017-15873.patch \ file://busybox-CVE-2017-16544.patch \ + file://busybox-fix-unlzma-segfaults.patch \ " SRC_URI_append_libc-musl = " file://musl.cfg " -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
