gnugrep: fix CVE-2015-1345 by upstream patch
This commit is contained in:
Vladimír Čunát
parent
2fd5f06ace
commit
a00f771551
|
|
@ -0,0 +1,60 @@
|
||||||
|
From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yuliy Pisetsky <ypisetsky@fb.com>
|
||||||
|
Date: Thu, 01 Jan 2015 23:36:55 +0000
|
||||||
|
Subject: grep -F: fix a heap buffer (read) overrun
|
||||||
|
|
||||||
|
grep's read buffer is often filled to its full size, except when
|
||||||
|
reading the final buffer of a file. In that case, the number of
|
||||||
|
bytes read may be far less than the size of the buffer. However, for
|
||||||
|
certain unusual pattern/text combinations, grep -F would mistakenly
|
||||||
|
examine bytes in that uninitialized region of memory when searching
|
||||||
|
for a match. With carefully chosen inputs, one can cause grep -F to
|
||||||
|
read beyond the end of that buffer altogether. This problem arose via
|
||||||
|
commit v2.18-90-g73893ff with the introduction of a more efficient
|
||||||
|
heuristic using what is now the memchr_kwset function. The use of
|
||||||
|
that function in bmexec_trans could leave TP much larger than EP,
|
||||||
|
and the subsequent call to bm_delta2_search would mistakenly access
|
||||||
|
beyond end of the main input read buffer.
|
||||||
|
|
||||||
|
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
|
||||||
|
do not call bm_delta2_search.
|
||||||
|
* tests/kwset-abuse: New file.
|
||||||
|
* tests/Makefile.am (TESTS): Add it.
|
||||||
|
* THANKS.in: Update.
|
||||||
|
* NEWS (Bug fixes): Mention it.
|
||||||
|
|
||||||
|
Prior to this patch, this command would trigger a UMR:
|
||||||
|
|
||||||
|
printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
|
||||||
|
|
||||||
|
Use of uninitialised value of size 8
|
||||||
|
at 0x4142BE: bmexec_trans (kwset.c:657)
|
||||||
|
by 0x4143CA: bmexec (kwset.c:678)
|
||||||
|
by 0x414973: kwsexec (kwset.c:848)
|
||||||
|
by 0x414DC4: Fexecute (kwsearch.c:128)
|
||||||
|
by 0x404E2E: grepbuf (grep.c:1238)
|
||||||
|
by 0x4054BF: grep (grep.c:1417)
|
||||||
|
by 0x405CEB: grepdesc (grep.c:1645)
|
||||||
|
by 0x405EC1: grep_command_line_arg (grep.c:1692)
|
||||||
|
by 0x4077D4: main (grep.c:2570)
|
||||||
|
|
||||||
|
See the accompanying test for how to trigger the heap buffer overrun.
|
||||||
|
|
||||||
|
Thanks to Nima Aghdaii for testing and finding numerous
|
||||||
|
ways to break early iterations of this patch.
|
||||||
|
|
||||||
|
Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration.
|
||||||
|
---
|
||||||
|
diff --git a/src/kwset.c b/src/kwset.c
|
||||||
|
index 4003c8d..376f7c3 100644
|
||||||
|
--- a/src/kwset.c
|
||||||
|
+++ b/src/kwset.c
|
||||||
|
@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
|
||||||
|
if (! tp)
|
||||||
|
return -1;
|
||||||
|
tp++;
|
||||||
|
+ if (ep <= tp)
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -10,6 +10,8 @@ stdenv.mkDerivation {
|
||||||
sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
|
sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
patches = [ ./cve-2015-1345.patch ];
|
||||||
|
|
||||||
buildInputs = [ pcre libiconv ];
|
buildInputs = [ pcre libiconv ];
|
||||||
|
|
||||||
doCheck = !stdenv.isDarwin;
|
doCheck = !stdenv.isDarwin;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue