mirror of
git://git.yoctoproject.org/poky.git
synced 2025-07-05 05:04:44 +02:00
coreutils: fix CVE-2025-5278
Backport patch to fix CVE-2025-5278. (From OE-Core rev: 1bada55b3e76d9e5e7989f7229d5f25c8fd5ea89) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Chen Qi
Richard Purdie
parent
33fd6f6e82
commit
412c6ed99f
|
|
@ -0,0 +1,112 @@
|
|||
From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
|
||||
Date: Tue, 20 May 2025 16:03:44 +0100
|
||||
Subject: [PATCH] sort: fix buffer under-read (CWE-127)
|
||||
|
||||
* src/sort.c (begfield): Check pointer adjustment
|
||||
to avoid Out-of-range pointer offset (CWE-823).
|
||||
(limfield): Likewise.
|
||||
* tests/sort/sort-field-limit.sh: Add a new test,
|
||||
which triggers with ASAN or Valgrind.
|
||||
* tests/local.mk: Reference the new test.
|
||||
* NEWS: Mention bug fix introduced in v7.2 (2009).
|
||||
Fixes https://bugs.gnu.org/78507
|
||||
|
||||
CVE: CVE-2025-5278
|
||||
|
||||
Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
|
||||
|
||||
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
||||
---
|
||||
src/sort.c | 12 ++++++++++--
|
||||
tests/local.mk | 1 +
|
||||
tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 46 insertions(+), 2 deletions(-)
|
||||
create mode 100755 tests/sort/sort-field-limit.sh
|
||||
|
||||
diff --git a/src/sort.c b/src/sort.c
|
||||
index b10183b6f..7af1a2512 100644
|
||||
--- a/src/sort.c
|
||||
+++ b/src/sort.c
|
||||
@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
|
||||
++ptr;
|
||||
|
||||
/* Advance PTR by SCHAR (if possible), but no further than LIM. */
|
||||
- ptr = MIN (lim, ptr + schar);
|
||||
+ size_t remaining_bytes = lim - ptr;
|
||||
+ if (schar < remaining_bytes)
|
||||
+ ptr += schar;
|
||||
+ else
|
||||
+ ptr = lim;
|
||||
|
||||
return ptr;
|
||||
}
|
||||
@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
|
||||
++ptr;
|
||||
|
||||
/* Advance PTR by ECHAR (if possible), but no further than LIM. */
|
||||
- ptr = MIN (lim, ptr + echar);
|
||||
+ size_t remaining_bytes = lim - ptr;
|
||||
+ if (echar < remaining_bytes)
|
||||
+ ptr += echar;
|
||||
+ else
|
||||
+ ptr = lim;
|
||||
}
|
||||
|
||||
return ptr;
|
||||
diff --git a/tests/local.mk b/tests/local.mk
|
||||
index 4da6756ac..642d225fa 100644
|
||||
--- a/tests/local.mk
|
||||
+++ b/tests/local.mk
|
||||
@@ -388,6 +388,7 @@ all_tests = \
|
||||
tests/sort/sort-debug-keys.sh \
|
||||
tests/sort/sort-debug-warn.sh \
|
||||
tests/sort/sort-discrim.sh \
|
||||
+ tests/sort/sort-field-limit.sh \
|
||||
tests/sort/sort-files0-from.pl \
|
||||
tests/sort/sort-float.sh \
|
||||
tests/sort/sort-h-thousands-sep.sh \
|
||||
diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
|
||||
new file mode 100755
|
||||
index 000000000..52d8e1d17
|
||||
--- /dev/null
|
||||
+++ b/tests/sort/sort-field-limit.sh
|
||||
@@ -0,0 +1,35 @@
|
||||
+#!/bin/sh
|
||||
+# From 7.2-9.7, this would trigger an out of bounds mem read
|
||||
+
|
||||
+# Copyright (C) 2025 Free Software Foundation, Inc.
|
||||
+
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
+
|
||||
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
||||
+print_ver_ sort
|
||||
+getlimits_
|
||||
+
|
||||
+# This issue triggers with valgrind or ASAN
|
||||
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
|
||||
+ VALGRIND='valgrind --error-exitcode=1'
|
||||
+
|
||||
+{ printf '%s\n' aa bb; } > in || framework_failure_
|
||||
+
|
||||
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
|
||||
+compare in out || fail=1
|
||||
+
|
||||
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
|
||||
+compare in out || fail=1
|
||||
+
|
||||
+Exit $fail
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
|
@ -15,6 +15,7 @@ inherit autotools gettext texinfo
|
|||
|
||||
SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
|
||||
file://remove-usr-local-lib-from-m4.patch \
|
||||
file://0001-sort-fix-buffer-under-read-CWE-127.patch \
|
||||
file://run-ptest \
|
||||
"
|
||||
SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf"
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user