Backport a fix from upstream to resolve CVE-2024-0911 https://git.savannah.gnu.org/git/indent.git feb2b646e6c3a05018e132515c5eda98ca13d50d
Signed-off-by: Hongxu Jia <[email protected]> --- ...ap-buffer-underread-in-set_buf_break.patch | 123 ++++++++++++++++++ .../recipes-extended/indent/indent_2.2.12.bb | 1 + 2 files changed, 124 insertions(+) create mode 100644 meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch diff --git a/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch new file mode 100644 index 0000000000..9938b6ebed --- /dev/null +++ b/meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch @@ -0,0 +1,123 @@ +From ec3ce4dce7f0bc6f15e8a29eeb3776359e0750fb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]> +Date: Fri, 22 Nov 2024 17:27:21 +0800 +Subject: [PATCH] Fix a heap buffer underread in set_buf_break() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If an opening parenthesis follows a comment with a text, a read from +an invalid address happens in set_buf_break(): + + $ printf '/*a*/()' | valgrind -- ./src/indent - -o /dev/null + ==28887== Memcheck, a memory error detector + ==28887== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. + ==28887== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info + ==28887== Command: ./src/indent - -o /dev/null + ==28887== + ==28887== Invalid read of size 2 + ==28887== at 0x409989: set_buf_break (output.c:319) + ==28887== by 0x401FE7: indent_main_loop (indent.c:640) + ==28887== by 0x4022A7: indent (indent.c:759) + ==28887== by 0x40294E: indent_single_file (indent.c:1004) + ==28887== by 0x402A1C: indent_all (indent.c:1042) + ==28887== by 0x402BD0: main (indent.c:1123) + ==28887== Address 0x4a5facc is 4 bytes before a block of size 16 alloc'd + ==28887== at 0x4849E60: calloc (vg_replace_malloc.c:1595) + ==28887== by 0x408B61: xmalloc (globs.c:42) + ==28887== by 0x40765E: init_parser (parse.c:73) + ==28887== by 0x402B1F: main (indent.c:1101) + +It happens when checking an indentation level of the outer scope by indexing +parser_state_tos->paren_indents[]: + + level = parser_state_tos->p_l_follow; + [...] + /* Did we just parse a bracket that will be put on the next line + * by this line break? */ + if ((*token == '(') || (*token == '[')) + --level; /* then don't take it into account */ + [...] + if (level == 0) { + } else { +→ if (parser_state_tos->paren_indents[level - 1] < 0) {...} + } + +The cause is a special case for moving opening parentheses and +brackets to a next line. If parser_state_tos->p_l_follow is zero +(like in the reproducer), the index evaluates to -2 and goes out of +range of the paren_indents array. + +This patch simply prevents from decreasing the index under zero when +formating the code. Maybe it leaves some piece of code unformated, but +it's safe. + +I checked all places where p_l_follow is set (it is only in +handletoken.c) and they corretly prevent from decrasing it under +zero. That keeps set_buf_break() in output.c as the culprit. + +<https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00000.html> + +Signed-off-by: Petr Písař <[email protected]> + +CVE: CVE-2024-0911 +Upstream-Status: Backport [feb2b646e6c3a05018e132515c5eda98ca13d50d +Signed-off-by: Hongxu Jia <[email protected]> +--- + regression/TEST | 2 +- + regression/input/comment-parent-heap-underread.c | 3 +++ + regression/standard/comment-parent-heap-underread.c | 5 +++++ + src/output.c | 2 +- + 4 files changed, 10 insertions(+), 2 deletions(-) + create mode 100644 regression/input/comment-parent-heap-underread.c + create mode 100644 regression/standard/comment-parent-heap-underread.c + +diff --git a/regression/TEST b/regression/TEST +index a76c112..0888a18 100755 +--- a/regression/TEST ++++ b/regression/TEST +@@ -38,7 +38,7 @@ BUGS="case-label.c one-line-1.c one-line-2.c one-line-3.c \ + macro.c enum.c elif.c nested.c wrapped-string.c minus_predecrement.c \ + bug-gnu-33364.c float-constant-suffix.c block-comments.c \ + no-forced-nl-in-block-init.c hexadecimal_float.c \ +- comment-heap-overread.c" ++ comment-heap-overread.c comment-parent-heap-underread.c" + + INDENTSRC="args.c backup.h backup.c dirent_def.h globs.c indent.h \ + indent.c indent_globs.h io.c lexi.c memcpy.c parse.c pr_comment.c \ +diff --git a/regression/input/comment-parent-heap-underread.c b/regression/input/comment-parent-heap-underread.c +new file mode 100644 +index 0000000..68e13cf +--- /dev/null ++++ b/regression/input/comment-parent-heap-underread.c +@@ -0,0 +1,3 @@ ++void foo(void) { ++/*a*/(1); ++} +diff --git a/regression/standard/comment-parent-heap-underread.c b/regression/standard/comment-parent-heap-underread.c +new file mode 100644 +index 0000000..9a1c6e3 +--- /dev/null ++++ b/regression/standard/comment-parent-heap-underread.c +@@ -0,0 +1,5 @@ ++void ++foo (void) ++{ ++/*a*/ (1); ++} +diff --git a/src/output.c b/src/output.c +index 5b92167..b8a4961 100644 +--- a/src/output.c ++++ b/src/output.c +@@ -290,7 +290,7 @@ void set_buf_break ( + /* Did we just parse a bracket that will be put on the next line + * by this line break? */ + +- if ((*token == '(') || (*token == '[')) ++ if (level > 0 && ((*token == '(') || (*token == '['))) + { + --level; /* then don't take it into account */ + } +-- +2.34.1 + diff --git a/meta-oe/recipes-extended/indent/indent_2.2.12.bb b/meta-oe/recipes-extended/indent/indent_2.2.12.bb index a846682c13..7bf8e406fb 100644 --- a/meta-oe/recipes-extended/indent/indent_2.2.12.bb +++ b/meta-oe/recipes-extended/indent/indent_2.2.12.bb @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ file://0001-Remove-dead-paren_level-code.patch \ file://CVE-2023-40305_0001.patch \ file://CVE-2023-40305_0002.patch \ + file://0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch \ " SRC_URI[md5sum] = "4764b6ac98f6654a35da117b8e5e8e14" SRC_URI[sha256sum] = "e77d68c0211515459b8812118d606812e300097cfac0b4e9fb3472664263bb8b" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#113993): https://lists.openembedded.org/g/openembedded-devel/message/113993 Mute This Topic: https://lists.openembedded.org/mt/109719828/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
