commit: a08e969a19e21838d80d19de94cb1e1108bd6122 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Thu Feb 15 13:02:50 2024 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Thu Feb 15 15:24:32 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a08e969a
dev-qt/qtgui: Fix CVE-2024-25580 See also: https://www.qt.io/blog/security-advisory-potential-buffer-overflow-when-reading-ktx-images https://lists.qt-project.org/pipermail/announce/2024-February/000472.html Bug: https://bugs.gentoo.org/924647 Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> .../qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch | 228 +++++++++++++++++++++ dev-qt/qtgui/qtgui-5.15.12-r2.ebuild | 182 ++++++++++++++++ 2 files changed, 410 insertions(+) diff --git a/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch b/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch new file mode 100644 index 000000000000..41a500c82578 --- /dev/null +++ b/dev-qt/qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch @@ -0,0 +1,228 @@ +From c8061284095abebebbcd6fea7167477aef44a00c Mon Sep 17 00:00:00 2001 +From: Jonas Karlsson <jonas.karls...@qt.io> +Date: Thu, 8 Feb 2024 17:01:05 +0100 +Subject: [PATCH] Improve KTX file reading memory safety + +* Use qAddOverflow/qSubOverflow methods for catching additions and + subtractions with overflow and handle these scenarios when reading the + file. +* Add 'safeView' method that checks that the byte array view constructed + is not out of bounds. +* Return error if number of levels is higher than what is reasonable. +* Return error if number of faces is incorrect. +* Add unit test with invalid KTX file previously causing a segmentation + fault. + +This fixes CVE-2024-25580. + +Fixes: QTBUG-121918 +Pick-to: 6.7 6.6 6.5 6.2 5.15 +Change-Id: Ie0824c32a5921de30cf07c1fc1b49a084e6d07b2 +Reviewed-by: Eirik Aavitsland <eirik.aavitsl...@qt.io> +Reviewed-by: Qt CI Bot <qt_ci_...@qt-project.org> +(cherry picked from commit 28ecb523ce8490bff38b251b3df703c72e057519) +--- + src/gui/util/qktxhandler.cpp | 138 +++++++++++++++++++++++++++-------- + src/gui/util/qktxhandler_p.h | 2 +- + 2 files changed, 110 insertions(+), 30 deletions(-) + +diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp +index 7eda4c46fb..2853e46c3d 100644 +--- a/src/gui/util/qktxhandler.cpp ++++ b/src/gui/util/qktxhandler.cpp +@@ -73,7 +73,7 @@ struct KTXHeader { + quint32 bytesOfKeyValueData; + }; + +-static const quint32 headerSize = sizeof(KTXHeader); ++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader); + + // Currently unused, declared for future reference + struct KTXKeyValuePairItem { +@@ -103,11 +103,36 @@ struct KTXMipmapLevel { + */ + }; + +-bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block) ++static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) { ++ // unsigned additions are well-defined ++ *r = v1 + v2; ++ return v1 > quint32(v1 + v2); ++} ++ ++// Returns the nearest multiple of 4 greater than or equal to 'value' ++static bool nearestMultipleOf4(quint32 value, quint32 *result) ++{ ++ constexpr quint32 rounding = 4; ++ *result = 0; ++ if (qAddOverflow(value, rounding - 1, result)) ++ return true; ++ *result &= ~(rounding - 1); ++ return false; ++} ++ ++// Returns a slice with prechecked bounds ++static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32 length) + { +- Q_UNUSED(suffix) ++ quint32 end = 0; ++ if (qAddOverflow(start, length, &end) || end > quint32(array.length())) ++ return {}; ++ return QByteArray(array.data() + start, length); ++} + +- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0); ++bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block) ++{ ++ Q_UNUSED(suffix); ++ return block.startsWith(QByteArray::fromRawData(ktxIdentifier, KTX_IDENTIFIER_LENGTH)); + } + + QTextureFileData QKtxHandler::read() +@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read() + if (!device()) + return QTextureFileData(); + +- QByteArray buf = device()->readAll(); +- const quint32 dataSize = quint32(buf.size()); +- if (dataSize < headerSize || !canRead(QByteArray(), buf)) { +- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); ++ const QByteArray buf = device()->readAll(); ++ if (size_t(buf.size()) > std::numeric_limits<quint32>::max()) { ++ qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ if (!canRead(QByteArray(), buf)) { ++ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ if (buf.size() < qsizetype(qktxh_headerSize)) { ++ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData()); + return QTextureFileData(); + } + +- const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.constData()); +- if (!checkHeader(*header)) { +- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); ++ KTXHeader header; ++ memcpy(&header, buf.data(), qktxh_headerSize); ++ if (!checkHeader(header)) { ++ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData()); + return QTextureFileData(); + } + + QTextureFileData texData; + texData.setData(buf); + +- texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight))); +- texData.setGLFormat(decode(header->glFormat)); +- texData.setGLInternalFormat(decode(header->glInternalFormat)); +- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat)); +- +- texData.setNumLevels(decode(header->numberOfMipmapLevels)); +- quint32 offset = headerSize + decode(header->bytesOfKeyValueData); +- const int maxLevels = qMin(texData.numLevels(), 32); // Cap iterations in case of corrupt file. +- for (int i = 0; i < maxLevels; i++) { +- if (offset + sizeof(KTXMipmapLevel) > dataSize) // Corrupt file; avoid oob read +- break; +- const KTXMipmapLevel *level = reinterpret_cast<const KTXMipmapLevel *>(buf.constData() + offset); +- quint32 levelLen = decode(level->imageSize); +- texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i); +- texData.setDataLength(levelLen, i); +- offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 - ((levelLen + 3) % 4)); ++ texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight))); ++ texData.setGLFormat(decode(header.glFormat)); ++ texData.setGLInternalFormat(decode(header.glInternalFormat)); ++ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat)); ++ ++ texData.setNumLevels(decode(header.numberOfMipmapLevels)); ++ ++ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData); ++ quint32 headerKeyValueSize; ++ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s", ++ logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ if (headerKeyValueSize >= quint32(buf.size())) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ // Technically, any number of levels is allowed but if the value is bigger than ++ // what is possible in KTX V2 (and what makes sense) we return an error. ++ // maxLevels = log2(max(width, height, depth)) ++ const int maxLevels = (sizeof(quint32) * 8) ++ - qCountLeadingZeroBits(std::max( ++ { header.pixelWidth, header.pixelHeight, header.pixelDepth })); ++ ++ if (texData.numLevels() > maxLevels) { ++ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ quint32 offset = headerKeyValueSize; ++ for (int level = 0; level < texData.numLevels(); level++) { ++ const auto imageSizeSlice = safeSlice(buf, offset, sizeof(quint32)); ++ if (imageSizeSlice.isEmpty()) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ const quint32 imageSize = decode(qFromUnaligned<quint32>(imageSizeSlice.data())); ++ offset += sizeof(quint32); // overflow checked indirectly above ++ ++ texData.setDataOffset(offset, level); ++ texData.setDataLength(imageSize, level); ++ ++ // Add image data and padding to offset ++ quint32 padded = 0; ++ if (nearestMultipleOf4(imageSize, &padded)) { ++ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ quint32 offsetNext; ++ if (qAddOverflow(offset, padded, &offsetNext)) { ++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData()); ++ return QTextureFileData(); ++ } ++ ++ offset = offsetNext; + } + + if (!texData.isValid()) { +- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData()); ++ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", ++ logName().constData()); + return QTextureFileData(); + } + +@@ -191,7 +271,7 @@ bool QKtxHandler::checkHeader(const KTXHeader &header) + (decode(header.numberOfFaces) == 1)); + } + +-quint32 QKtxHandler::decode(quint32 val) ++quint32 QKtxHandler::decode(quint32 val) const + { + return inverseEndian ? qbswap<quint32>(val) : val; + } +diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h +index 19f7b0e79a..8da990aaac 100644 +--- a/src/gui/util/qktxhandler_p.h ++++ b/src/gui/util/qktxhandler_p.h +@@ -68,7 +68,7 @@ public: + + private: + bool checkHeader(const KTXHeader &header); +- quint32 decode(quint32 val); ++ quint32 decode(quint32 val) const; + + bool inverseEndian = false; + }; +-- +2.43.0 + diff --git a/dev-qt/qtgui/qtgui-5.15.12-r2.ebuild b/dev-qt/qtgui/qtgui-5.15.12-r2.ebuild new file mode 100644 index 000000000000..3ee7968082e2 --- /dev/null +++ b/dev-qt/qtgui/qtgui-5.15.12-r2.ebuild @@ -0,0 +1,182 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +if [[ ${PV} != *9999* ]]; then + QT5_KDEPATCHSET_REV=3 + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +QT5_MODULE="qtbase" +inherit qt5-build + +DESCRIPTION="The GUI module and platform plugins for the Qt5 framework" + +SLOT=5/${QT5_PV} # bug 707658 +IUSE="accessibility dbus egl eglfs evdev gles2-only ibus jpeg +libinput + linuxfb +png tslib tuio +udev vnc vulkan wayland +X" +REQUIRED_USE=" + || ( eglfs linuxfb vnc wayland X ) + accessibility? ( dbus X ) + eglfs? ( egl ) + ibus? ( dbus ) + libinput? ( udev ) + X? ( gles2-only? ( egl ) ) +" + +RDEPEND=" + dev-libs/glib:2 + =dev-qt/qtcore-${QT5_PV}*:5= + dev-util/gtk-update-icon-cache + media-libs/fontconfig + media-libs/freetype:2 + media-libs/harfbuzz:= + sys-libs/zlib:= + accessibility? ( app-accessibility/at-spi2-core:2 ) + dbus? ( =dev-qt/qtdbus-${QT5_PV}* ) + eglfs? ( + media-libs/mesa[gbm(+)] + x11-libs/libdrm + ) + evdev? ( sys-libs/mtdev ) + jpeg? ( media-libs/libjpeg-turbo:= ) + gles2-only? ( media-libs/libglvnd ) + !gles2-only? ( media-libs/libglvnd[X] ) + libinput? ( + dev-libs/libinput:= + x11-libs/libxkbcommon + ) + png? ( media-libs/libpng:= ) + tslib? ( >=x11-libs/tslib-1.21 ) + tuio? ( =dev-qt/qtnetwork-${QT5_PV}* ) + udev? ( virtual/libudev:= ) + vnc? ( =dev-qt/qtnetwork-${QT5_PV}* ) + vulkan? ( dev-util/vulkan-headers ) + X? ( + x11-libs/libICE + x11-libs/libSM + x11-libs/libX11 + x11-libs/libxcb:= + x11-libs/libxkbcommon[X] + x11-libs/xcb-util-image + x11-libs/xcb-util-keysyms + x11-libs/xcb-util-renderutil + x11-libs/xcb-util-wm + ) +" +DEPEND="${RDEPEND} + evdev? ( sys-kernel/linux-headers ) + linuxfb? ( sys-kernel/linux-headers ) + udev? ( sys-kernel/linux-headers ) + X? ( x11-base/xorg-proto ) +" +PDEPEND=" + ibus? ( app-i18n/ibus ) + wayland? ( =dev-qt/qtwayland-${QT5_PV}* ) +" + +QT5_TARGET_SUBDIRS=( + src/tools/qvkgen + src/gui + src/openglextensions + src/platformheaders + src/platformsupport + src/plugins/generic + src/plugins/imageformats + src/plugins/platforms + src/plugins/platforminputcontexts +) + +QT5_GENTOO_CONFIG=( + accessibility:accessibility-atspi-bridge + egl:egl: + eglfs:eglfs: + eglfs:eglfs_egldevice: + eglfs:eglfs_gbm: + evdev:evdev: + evdev:mtdev: + :fontconfig: + :system-freetype:FREETYPE + !:no-freetype: + gles2-only::OPENGL_ES + gles2-only:opengles2:OPENGL_ES_2 + !:no-gui: + :system-harfbuzz: + !:no-harfbuzz: + jpeg:system-jpeg:IMAGEFORMAT_JPEG + !jpeg:no-jpeg: + libinput + libinput:xkbcommon: + :opengl + png:png: + png:system-png:IMAGEFORMAT_PNG + !png:no-png: + tslib:tslib: + udev:libudev: + vulkan:vulkan: + X:xcb: + X:xcb-glx: + X:xcb-plugin: + X:xcb-render: + X:xcb-sm: + X:xcb-xlib: + X:xcb-xinput: +) + +QT5_GENTOO_PRIVATE_CONFIG=( + :gui +) + +PATCHES=( "${FILESDIR}/${P}-CVE-2024-25580.patch" ) # bug 924647 + +src_prepare() { + # don't add -O3 to CXXFLAGS, bug 549140 + sed -i -e '/CONFIG\s*+=/s/optimize_full//' src/gui/gui.pro || die + + # egl_x11 is activated when both egl and X are enabled + use egl && QT5_GENTOO_CONFIG+=(X:egl_x11:) || QT5_GENTOO_CONFIG+=(egl:egl_x11:) + + qt_use_disable_config dbus dbus \ + src/platformsupport/themes/genericunix/genericunix.pri + + qt_use_disable_config tuio tuiotouch src/plugins/generic/generic.pro + + qt_use_disable_mod ibus dbus \ + src/plugins/platforminputcontexts/platforminputcontexts.pro + + use vnc || sed -i -e '/SUBDIRS += vnc/d' \ + src/plugins/platforms/platforms.pro || die + + qt5-build_src_prepare +} + +src_configure() { + local myconf=( + $(qt_use accessibility feature-accessibility-atspi-bridge) + $(usev dbus -dbus-linked) + $(qt_use egl) + $(qt_use eglfs) + $(usev eglfs '-gbm -kms') + $(qt_use evdev) + $(qt_use evdev mtdev) + -fontconfig + -system-freetype + -gui + -system-harfbuzz + $(qt_use jpeg libjpeg system) + $(qt_use libinput) + $(qt_use linuxfb) + -opengl $(usex gles2-only es2 desktop) + $(qt_use png libpng system) + $(qt_use tslib) + $(qt_use udev libudev) + $(qt_use vulkan) + $(qt_use X xcb) + $(usev X '-xcb-xlib') + ) + if use libinput || use X; then + myconf+=( -xkbcommon ) + fi + qt5-build_src_configure +}
