| Message ID | 20250701041625.1956085-1-Qi.Chen@windriver.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Steve Sakoman |
| Series | [kirkstone,V2] coreutils: fix CVE-2025-5278 | expand |
Unfortunately this patch results in a failed ptest:
AssertionError: Failed ptests:
{'coreutils': ['tests/misc/sort-field-limit.sh']}
Steve
On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org
<Qi.Chen=windriver.com@lists.openembedded.org> wrote:
>
> From: Chen Qi <Qi.Chen@windriver.com>
>
> Backport a patch to fix CVE-2025-5278.
> The patch is adjusted to fit version 9.0.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> .../coreutils/coreutils/CVE-2025-5278.patch | 113 ++++++++++++++++++
> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 +
> 2 files changed, 114 insertions(+)
> create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
>
> diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
> new file mode 100644
> index 0000000000..34434a65fa
> --- /dev/null
> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
> @@ -0,0 +1,113 @@
> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
> +Date: Tue, 20 May 2025 16:03:44 +0100
> +Subject: [PATCH] sort: fix buffer under-read (CWE-127)
> +
> +* src/sort.c (begfield): Check pointer adjustment
> +to avoid Out-of-range pointer offset (CWE-823).
> +(limfield): Likewise.
> +* tests/sort/sort-field-limit.sh: Add a new test,
> +which triggers with ASAN or Valgrind.
> +* tests/local.mk: Reference the new test.
> +* NEWS: Mention bug fix introduced in v7.2 (2009).
> +Fixes https://bugs.gnu.org/78507
> +
> +CVE: CVE-2025-5278
> +
> +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
> +[Adjusted for 9.0 version]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + src/sort.c | 12 ++++++++++--
> + tests/local.mk | 1 +
> + tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
> + 3 files changed, 46 insertions(+), 2 deletions(-)
> + create mode 100755 tests/misc/sort-field-limit.sh
> +
> +diff --git a/src/sort.c b/src/sort.c
> +index 5f4c817de..07b96d34b 100644
> +--- a/src/sort.c
> ++++ b/src/sort.c
> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key)
> + ++ptr;
> +
> + /* Advance PTR by SCHAR (if possible), but no further than LIM. */
> +- ptr = MIN (lim, ptr + schar);
> ++ size_t remaining_bytes = lim - ptr;
> ++ if (schar < remaining_bytes)
> ++ ptr += schar;
> ++ else
> ++ ptr = lim;
> +
> + return ptr;
> + }
> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key)
> + ++ptr;
> +
> + /* Advance PTR by ECHAR (if possible), but no further than LIM. */
> +- ptr = MIN (lim, ptr + echar);
> ++ size_t remaining_bytes = lim - ptr;
> ++ if (echar < remaining_bytes)
> ++ ptr += echar;
> ++ else
> ++ ptr = lim;
> + }
> +
> + return ptr;
> +diff --git a/tests/local.mk b/tests/local.mk
> +index 228d0e368..ced85c44c 100644
> +--- a/tests/local.mk
> ++++ b/tests/local.mk
> +@@ -373,6 +373,7 @@ all_tests = \
> + tests/misc/sort-debug-keys.sh \
> + tests/misc/sort-debug-warn.sh \
> + tests/misc/sort-discrim.sh \
> ++ tests/misc/sort-field-limit.sh \
> + tests/misc/sort-files0-from.pl \
> + tests/misc/sort-float.sh \
> + tests/misc/sort-h-thousands-sep.sh \
> +diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh
> +new file mode 100755
> +index 000000000..52d8e1d17
> +--- /dev/null
> ++++ b/tests/misc/sort-field-limit.sh
> +@@ -0,0 +1,35 @@
> ++#!/bin/sh
> ++# From 7.2-9.7, this would trigger an out of bounds mem read
> ++
> ++# Copyright (C) 2025 Free Software Foundation, Inc.
> ++
> ++# This program is free software: you can redistribute it and/or modify
> ++# it under the terms of the GNU General Public License as published by
> ++# the Free Software Foundation, either version 3 of the License, or
> ++# (at your option) any later version.
> ++
> ++# This program is distributed in the hope that it will be useful,
> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of
> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> ++# GNU General Public License for more details.
> ++
> ++# You should have received a copy of the GNU General Public License
> ++# along with this program. If not, see <https://www.gnu.org/licenses/>.
> ++
> ++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
> ++print_ver_ sort
> ++getlimits_
> ++
> ++# This issue triggers with valgrind or ASAN
> ++valgrind --error-exitcode=1 sort --version 2>/dev/null &&
> ++ VALGRIND='valgrind --error-exitcode=1'
> ++
> ++{ printf '%s\n' aa bb; } > in || framework_failure_
> ++
> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
> ++compare in out || fail=1
> ++
> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
> ++compare in out || fail=1
> ++
> ++Exit $fail
> +--
> +2.34.1
> +
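Review bot: The bounded advance added to begfield and limfield in src/sort.c is only correct while ptr <= lim, because `size_t remaining_bytes = lim - ptr;` turns a pointer difference into an unsigned count. The loops that would establish that ordering start above both hunks, so it cannot be confirmed from the lines shown here. The retained comment also does not say why the old `MIN (lim, ptr + schar)` was unsafe, so I would extend it in both places, e.g. `/* Compare byte counts, not pointers: PTR + SCHAR can overflow for a huge SCHAR and then compare below LIM. */` (with ECHAR in limfield). Separately, the backported log still names `tests/sort/sort-field-limit.sh` and a NEWS entry, while this patch adds `tests/misc/sort-field-limit.sh` and carries no NEWS hunk; the `[Adjusted for 9.0 version]` line could list those two adjustments so the difference from the upstream commit is auditable.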
> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb
> index 1cce9192ec..7c975708f4 100644
> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb
> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb
> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
> file://0001-uname-report-processor-and-hardware-correctly.patch \
> file://0001-local.mk-fix-cross-compiling-problem.patch \
> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
> + file://CVE-2025-5278.patch \
> file://run-ptest \
> file://0001-split-do-not-shrink-hold-buffer.patch \
> "
> --
> 2.34.1
>
>
>
On 7/4/25 04:13, Steve Sakoman wrote: > Unfortunately this patch results in a failed ptest: > > AssertionError: Failed ptests: > {'coreutils': ['tests/misc/sort-field-limit.sh']} > > Steve Interesting. I did run ptest before I sent out patch. Let me check what's going on here. Regards, Qi > > On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org > <Qi.Chen=windriver.com@lists.openembedded.org> wrote: >> From: Chen Qi <Qi.Chen@windriver.com> >> >> Backport patch to fix CVE-2025-5278. >> The patch is adjusted to fit 9.0 version. >> >> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >> --- >> .../coreutils/coreutils/CVE-2025-5278.patch | 113 ++++++++++++++++++ >> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + >> 2 files changed, 114 insertions(+) >> create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >> >> diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >> new file mode 100644 >> index 0000000000..34434a65fa >> --- /dev/null >> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
>> @@ -0,0 +1,113 @@ >> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> >> +Date: Tue, 20 May 2025 16:03:44 +0100 >> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) >> + >> +* src/sort.c (begfield): Check pointer adjustment >> +to avoid Out-of-range pointer offset (CWE-823). >> +(limfield): Likewise. >> +* tests/sort/sort-field-limit.sh: Add a new test, >> +which triggers with ASAN or Valgrind. >> +* tests/local.mk: Reference the new test. >> +* NEWS: Mention bug fix introduced in v7.2 (2009). >> +Fixes https://bugs.gnu.org/78507 >> + >> +CVE: CVE-2025-5278 >> + >> +Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] >> +[Adjusted for 9.0 version] >> + >> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >> +--- >> + src/sort.c | 12 ++++++++++-- >> + tests/local.mk | 1 + >> + tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++ >> + 3 files changed, 46 insertions(+), 2 deletions(-) >> + create mode 100755 tests/misc/sort-field-limit.sh >> + >> +diff --git a/src/sort.c b/src/sort.c >> +index 5f4c817de..07b96d34b 100644 >> +--- a/src/sort.c >> ++++ b/src/sort.c >> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key) >> + ++ptr; >> + >> + /* Advance PTR by SCHAR (if possible), but no further than LIM. */ >> +- ptr = MIN (lim, ptr + schar); >> ++ size_t remaining_bytes = lim - ptr; >> ++ if (schar < remaining_bytes) >> ++ ptr += schar; >> ++ else >> ++ ptr = lim; >> + >> + return ptr; >> + } >> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key) >> + ++ptr; >> + >> + /* Advance PTR by ECHAR (if possible), but no further than LIM. 
*/ >> +- ptr = MIN (lim, ptr + echar); >> ++ size_t remaining_bytes = lim - ptr; >> ++ if (echar < remaining_bytes) >> ++ ptr += echar; >> ++ else >> ++ ptr = lim; >> + } >> + >> + return ptr; >> +diff --git a/tests/local.mk b/tests/local.mk >> +index 228d0e368..ced85c44c 100644 >> +--- a/tests/local.mk >> ++++ b/tests/local.mk >> +@@ -373,6 +373,7 @@ all_tests = \ >> + tests/misc/sort-debug-keys.sh \ >> + tests/misc/sort-debug-warn.sh \ >> + tests/misc/sort-discrim.sh \ >> ++ tests/misc/sort-field-limit.sh \ >> + tests/misc/sort-files0-from.pl \ >> + tests/misc/sort-float.sh \ >> + tests/misc/sort-h-thousands-sep.sh \ >> +diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh >> +new file mode 100755 >> +index 000000000..52d8e1d17 >> +--- /dev/null >> ++++ b/tests/misc/sort-field-limit.sh >> +@@ -0,0 +1,35 @@ >> ++#!/bin/sh >> ++# From 7.2-9.7, this would trigger an out of bounds mem read >> ++ >> ++# Copyright (C) 2025 Free Software Foundation, Inc. >> ++ >> ++# This program is free software: you can redistribute it and/or modify >> ++# it under the terms of the GNU General Public License as published by >> ++# the Free Software Foundation, either version 3 of the License, or >> ++# (at your option) any later version. >> ++ >> ++# This program is distributed in the hope that it will be useful, >> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of >> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >> ++# GNU General Public License for more details. >> ++ >> ++# You should have received a copy of the GNU General Public License >> ++# along with this program. If not, see <https://www.gnu.org/licenses/>. >> ++ >> ++. 
"${srcdir=.}/tests/init.sh"; path_prepend_ ./src >> ++print_ver_ sort >> ++getlimits_ >> ++ >> ++# This issue triggers with valgrind or ASAN >> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && >> ++ VALGRIND='valgrind --error-exitcode=1' >> ++ >> ++{ printf '%s\n' aa bb; } > in || framework_failure_ >> ++ >> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1 >> ++compare in out || fail=1 >> ++ >> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1 >> ++compare in out || fail=1 >> ++ >> ++Exit $fail >> +-- >> +2.34.1 >> + >> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb >> index 1cce9192ec..7c975708f4 100644 >> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb >> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb >> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ >> file://0001-uname-report-processor-and-hardware-correctly.patch \ >> file://0001-local.mk-fix-cross-compiling-problem.patch \ >> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ >> + file://CVE-2025-5278.patch \ >> file://run-ptest \ >> file://0001-split-do-not-shrink-hold-buffer.patch \ >> " >> -- >> 2.34.1 >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#219544): https://lists.openembedded.org/g/openembedded-core/message/219544 >> Mute This Topic: https://lists.openembedded.org/mt/113922209/3620601 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
Hi Steve, I could not reproduce this issue. I tried qemux86-64, qemuarm and qemuarm64. Could you please help check how to reproduce this issue? Regards, Qi On 7/4/25 11:12, Chen Qi via lists.openembedded.org wrote: > On 7/4/25 04:13, Steve Sakoman wrote: >> Unfortunately this patch results in a failed ptest: >> >> AssertionError: Failed ptests: >> {'coreutils': ['tests/misc/sort-field-limit.sh']} >> >> Steve > > Interesting. I did run ptest before I sent out patch. > > Let me check what's going on here. > > Regards, > Qi > >> >> On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org >> <Qi.Chen=windriver.com@lists.openembedded.org> wrote: >>> From: Chen Qi <Qi.Chen@windriver.com> >>> >>> Backport patch to fix CVE-2025-5278. >>> The patch is adjusted to fit 9.0 version. >>> >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>> --- >>> .../coreutils/coreutils/CVE-2025-5278.patch | 113 >>> ++++++++++++++++++ >>> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + >>> 2 files changed, 114 insertions(+) >>> create mode 100644 >>> meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>> >>> diff --git >>> a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>> b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>> new file mode 100644 >>> index 0000000000..34434a65fa >>> --- /dev/null >>> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
>>> @@ -0,0 +1,113 @@ >>> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 >>> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> >>> +Date: Tue, 20 May 2025 16:03:44 +0100 >>> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) >>> + >>> +* src/sort.c (begfield): Check pointer adjustment >>> +to avoid Out-of-range pointer offset (CWE-823). >>> +(limfield): Likewise. >>> +* tests/sort/sort-field-limit.sh: Add a new test, >>> +which triggers with ASAN or Valgrind. >>> +* tests/local.mk: Reference the new test. >>> +* NEWS: Mention bug fix introduced in v7.2 (2009). >>> +Fixes https://bugs.gnu.org/78507 >>> + >>> +CVE: CVE-2025-5278 >>> + >>> +Upstream-Status: Backport >>> [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] >>> +[Adjusted for 9.0 version] >>> + >>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>> +--- >>> + src/sort.c | 12 ++++++++++-- >>> + tests/local.mk | 1 + >>> + tests/misc/sort-field-limit.sh | 35 >>> ++++++++++++++++++++++++++++++++++ >>> + 3 files changed, 46 insertions(+), 2 deletions(-) >>> + create mode 100755 tests/misc/sort-field-limit.sh >>> + >>> +diff --git a/src/sort.c b/src/sort.c >>> +index 5f4c817de..07b96d34b 100644 >>> +--- a/src/sort.c >>> ++++ b/src/sort.c >>> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct >>> keyfield const *key) >>> + ++ptr; >>> + >>> + /* Advance PTR by SCHAR (if possible), but no further than LIM. */ >>> +- ptr = MIN (lim, ptr + schar); >>> ++ size_t remaining_bytes = lim - ptr; >>> ++ if (schar < remaining_bytes) >>> ++ ptr += schar; >>> ++ else >>> ++ ptr = lim; >>> + >>> + return ptr; >>> + } >>> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct >>> keyfield const *key) >>> + ++ptr; >>> + >>> + /* Advance PTR by ECHAR (if possible), but no further than >>> LIM. 
*/ >>> +- ptr = MIN (lim, ptr + echar); >>> ++ size_t remaining_bytes = lim - ptr; >>> ++ if (echar < remaining_bytes) >>> ++ ptr += echar; >>> ++ else >>> ++ ptr = lim; >>> + } >>> + >>> + return ptr; >>> +diff --git a/tests/local.mk b/tests/local.mk >>> +index 228d0e368..ced85c44c 100644 >>> +--- a/tests/local.mk >>> ++++ b/tests/local.mk >>> +@@ -373,6 +373,7 @@ all_tests >>> = \ >>> + tests/misc/sort-debug-keys.sh \ >>> + tests/misc/sort-debug-warn.sh \ >>> + tests/misc/sort-discrim.sh \ >>> ++ tests/misc/sort-field-limit.sh \ >>> + tests/misc/sort-files0-from.pl \ >>> + tests/misc/sort-float.sh \ >>> + tests/misc/sort-h-thousands-sep.sh \ >>> +diff --git a/tests/misc/sort-field-limit.sh >>> b/tests/misc/sort-field-limit.sh >>> +new file mode 100755 >>> +index 000000000..52d8e1d17 >>> +--- /dev/null >>> ++++ b/tests/misc/sort-field-limit.sh >>> +@@ -0,0 +1,35 @@ >>> ++#!/bin/sh >>> ++# From 7.2-9.7, this would trigger an out of bounds mem read >>> ++ >>> ++# Copyright (C) 2025 Free Software Foundation, Inc. >>> ++ >>> ++# This program is free software: you can redistribute it and/or >>> modify >>> ++# it under the terms of the GNU General Public License as >>> published by >>> ++# the Free Software Foundation, either version 3 of the License, or >>> ++# (at your option) any later version. >>> ++ >>> ++# This program is distributed in the hope that it will be useful, >>> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of >>> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >>> ++# GNU General Public License for more details. >>> ++ >>> ++# You should have received a copy of the GNU General Public License >>> ++# along with this program. If not, see >>> <https://www.gnu.org/licenses/>. >>> ++ >>> ++. 
"${srcdir=.}/tests/init.sh"; path_prepend_ ./src >>> ++print_ver_ sort >>> ++getlimits_ >>> ++ >>> ++# This issue triggers with valgrind or ASAN >>> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && >>> ++ VALGRIND='valgrind --error-exitcode=1' >>> ++ >>> ++{ printf '%s\n' aa bb; } > in || framework_failure_ >>> ++ >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || >>> fail=1 >>> ++compare in out || fail=1 >>> ++ >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out >>> || fail=1 >>> ++compare in out || fail=1 >>> ++ >>> ++Exit $fail >>> +-- >>> +2.34.1 >>> + >>> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb >>> b/meta/recipes-core/coreutils/coreutils_9.0.bb >>> index 1cce9192ec..7c975708f4 100644 >>> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb >>> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb >>> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ >>> file://0001-uname-report-processor-and-hardware-correctly.patch \ >>> file://0001-local.mk-fix-cross-compiling-problem.patch \ >>> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ >>> + file://CVE-2025-5278.patch \ >>> file://run-ptest \ >>> file://0001-split-do-not-shrink-hold-buffer.patch \ >>> " >>> -- >>> 2.34.1 >>> >>> >>> >>> > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#219896): https://lists.openembedded.org/g/openembedded-core/message/219896 > Mute This Topic: https://lists.openembedded.org/mt/113922209/7304865 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Sun, Jul 6, 2025 at 7:03 PM ChenQi <Qi.Chen@windriver.com> wrote: > > I could not reproduce this issue. I tried qemux86-64, qemuarm and qemuarm64. > Could you please help check how to reproduce this issue? I put the patch back into my test queue, let's see what happens: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1969 Steve > On 7/4/25 11:12, Chen Qi via lists.openembedded.org wrote: > > On 7/4/25 04:13, Steve Sakoman wrote: > >> Unfortunately this patch results in a failed ptest: > >> > >> AssertionError: Failed ptests: > >> {'coreutils': ['tests/misc/sort-field-limit.sh']} > >> > >> Steve > > > > Interesting. I did run ptest before I sent out patch. > > > > Let me check what's going on here. > > > > Regards, > > Qi > > > >> > >> On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org > >> <Qi.Chen=windriver.com@lists.openembedded.org> wrote: > >>> From: Chen Qi <Qi.Chen@windriver.com> > >>> > >>> Backport patch to fix CVE-2025-5278. > >>> The patch is adjusted to fit 9.0 version. > >>> > >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > >>> --- > >>> .../coreutils/coreutils/CVE-2025-5278.patch | 113 > >>> ++++++++++++++++++ > >>> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + > >>> 2 files changed, 114 insertions(+) > >>> create mode 100644 > >>> meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > >>> > >>> diff --git > >>> a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > >>> b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > >>> new file mode 100644 > >>> index 0000000000..34434a65fa > >>> --- /dev/null > >>> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
> >>> @@ -0,0 +1,113 @@ > >>> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 > >>> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> > >>> +Date: Tue, 20 May 2025 16:03:44 +0100 > >>> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) > >>> + > >>> +* src/sort.c (begfield): Check pointer adjustment > >>> +to avoid Out-of-range pointer offset (CWE-823). > >>> +(limfield): Likewise. > >>> +* tests/sort/sort-field-limit.sh: Add a new test, > >>> +which triggers with ASAN or Valgrind. > >>> +* tests/local.mk: Reference the new test. > >>> +* NEWS: Mention bug fix introduced in v7.2 (2009). > >>> +Fixes https://bugs.gnu.org/78507 > >>> + > >>> +CVE: CVE-2025-5278 > >>> + > >>> +Upstream-Status: Backport > >>> [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] > >>> +[Adjusted for 9.0 version] > >>> + > >>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > >>> +--- > >>> + src/sort.c | 12 ++++++++++-- > >>> + tests/local.mk | 1 + > >>> + tests/misc/sort-field-limit.sh | 35 > >>> ++++++++++++++++++++++++++++++++++ > >>> + 3 files changed, 46 insertions(+), 2 deletions(-) > >>> + create mode 100755 tests/misc/sort-field-limit.sh > >>> + > >>> +diff --git a/src/sort.c b/src/sort.c > >>> +index 5f4c817de..07b96d34b 100644 > >>> +--- a/src/sort.c > >>> ++++ b/src/sort.c > >>> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct > >>> keyfield const *key) > >>> + ++ptr; > >>> + > >>> + /* Advance PTR by SCHAR (if possible), but no further than LIM. */ > >>> +- ptr = MIN (lim, ptr + schar); > >>> ++ size_t remaining_bytes = lim - ptr; > >>> ++ if (schar < remaining_bytes) > >>> ++ ptr += schar; > >>> ++ else > >>> ++ ptr = lim; > >>> + > >>> + return ptr; > >>> + } > >>> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct > >>> keyfield const *key) > >>> + ++ptr; > >>> + > >>> + /* Advance PTR by ECHAR (if possible), but no further than > >>> LIM. 
*/ > >>> +- ptr = MIN (lim, ptr + echar); > >>> ++ size_t remaining_bytes = lim - ptr; > >>> ++ if (echar < remaining_bytes) > >>> ++ ptr += echar; > >>> ++ else > >>> ++ ptr = lim; > >>> + } > >>> + > >>> + return ptr; > >>> +diff --git a/tests/local.mk b/tests/local.mk > >>> +index 228d0e368..ced85c44c 100644 > >>> +--- a/tests/local.mk > >>> ++++ b/tests/local.mk > >>> +@@ -373,6 +373,7 @@ all_tests > >>> = \ > >>> + tests/misc/sort-debug-keys.sh \ > >>> + tests/misc/sort-debug-warn.sh \ > >>> + tests/misc/sort-discrim.sh \ > >>> ++ tests/misc/sort-field-limit.sh \ > >>> + tests/misc/sort-files0-from.pl \ > >>> + tests/misc/sort-float.sh \ > >>> + tests/misc/sort-h-thousands-sep.sh \ > >>> +diff --git a/tests/misc/sort-field-limit.sh > >>> b/tests/misc/sort-field-limit.sh > >>> +new file mode 100755 > >>> +index 000000000..52d8e1d17 > >>> +--- /dev/null > >>> ++++ b/tests/misc/sort-field-limit.sh > >>> +@@ -0,0 +1,35 @@ > >>> ++#!/bin/sh > >>> ++# From 7.2-9.7, this would trigger an out of bounds mem read > >>> ++ > >>> ++# Copyright (C) 2025 Free Software Foundation, Inc. > >>> ++ > >>> ++# This program is free software: you can redistribute it and/or > >>> modify > >>> ++# it under the terms of the GNU General Public License as > >>> published by > >>> ++# the Free Software Foundation, either version 3 of the License, or > >>> ++# (at your option) any later version. > >>> ++ > >>> ++# This program is distributed in the hope that it will be useful, > >>> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of > >>> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > >>> ++# GNU General Public License for more details. > >>> ++ > >>> ++# You should have received a copy of the GNU General Public License > >>> ++# along with this program. If not, see > >>> <https://www.gnu.org/licenses/>. > >>> ++ > >>> ++. 
"${srcdir=.}/tests/init.sh"; path_prepend_ ./src > >>> ++print_ver_ sort > >>> ++getlimits_ > >>> ++ > >>> ++# This issue triggers with valgrind or ASAN > >>> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && > >>> ++ VALGRIND='valgrind --error-exitcode=1' > >>> ++ > >>> ++{ printf '%s\n' aa bb; } > in || framework_failure_ > >>> ++ > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || > >>> fail=1 > >>> ++compare in out || fail=1 > >>> ++ > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out > >>> || fail=1 > >>> ++compare in out || fail=1 > >>> ++ > >>> ++Exit $fail > >>> +-- > >>> +2.34.1 > >>> + > >>> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb > >>> b/meta/recipes-core/coreutils/coreutils_9.0.bb > >>> index 1cce9192ec..7c975708f4 100644 > >>> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb > >>> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb > >>> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ > >>> file://0001-uname-report-processor-and-hardware-correctly.patch \ > >>> file://0001-local.mk-fix-cross-compiling-problem.patch \ > >>> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ > >>> + file://CVE-2025-5278.patch \ > >>> file://run-ptest \ > >>> file://0001-split-do-not-shrink-hold-buffer.patch \ > >>> " > >>> -- > >>> 2.34.1 > >>> > >>> > >>> > >>> > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#219896): https://lists.openembedded.org/g/openembedded-core/message/219896 > > Mute This Topic: https://lists.openembedded.org/mt/113922209/7304865 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [Qi.Chen@eng.windriver.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
On Mon, Jul 7, 2025 at 1:27 PM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > On Sun, Jul 6, 2025 at 7:03 PM ChenQi <Qi.Chen@windriver.com> wrote: > > > > I could not reproduce this issue. I tried qemux86-64, qemuarm and qemuarm64. > > Could you please help check how to reproduce this issue? > > I put the patch back into my test queue, let's see what happens: > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1969 Unfortunately the ptest is still failing :-( Steve > > On 7/4/25 11:12, Chen Qi via lists.openembedded.org wrote: > > > On 7/4/25 04:13, Steve Sakoman wrote: > > >> Unfortunately this patch results in a failed ptest: > > >> > > >> AssertionError: Failed ptests: > > >> {'coreutils': ['tests/misc/sort-field-limit.sh']} > > >> > > >> Steve > > > > > > Interesting. I did run ptest before I sent out patch. > > > > > > Let me check what's going on here. > > > > > > Regards, > > > Qi > > > > > >> > > >> On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org > > >> <Qi.Chen=windriver.com@lists.openembedded.org> wrote: > > >>> From: Chen Qi <Qi.Chen@windriver.com> > > >>> > > >>> Backport patch to fix CVE-2025-5278. > > >>> The patch is adjusted to fit 9.0 version. > > >>> > > >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > >>> --- > > >>> .../coreutils/coreutils/CVE-2025-5278.patch | 113 > > >>> ++++++++++++++++++ > > >>> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + > > >>> 2 files changed, 114 insertions(+) > > >>> create mode 100644 > > >>> meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > >>> > > >>> diff --git > > >>> a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > >>> b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > >>> new file mode 100644 > > >>> index 0000000000..34434a65fa > > >>> --- /dev/null > > >>> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
> > >>> @@ -0,0 +1,113 @@ > > >>> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 > > >>> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> > > >>> +Date: Tue, 20 May 2025 16:03:44 +0100 > > >>> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) > > >>> + > > >>> +* src/sort.c (begfield): Check pointer adjustment > > >>> +to avoid Out-of-range pointer offset (CWE-823). > > >>> +(limfield): Likewise. > > >>> +* tests/sort/sort-field-limit.sh: Add a new test, > > >>> +which triggers with ASAN or Valgrind. > > >>> +* tests/local.mk: Reference the new test. > > >>> +* NEWS: Mention bug fix introduced in v7.2 (2009). > > >>> +Fixes https://bugs.gnu.org/78507 > > >>> + > > >>> +CVE: CVE-2025-5278 > > >>> + > > >>> +Upstream-Status: Backport > > >>> [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] > > >>> +[Adjusted for 9.0 version] > > >>> + > > >>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > >>> +--- > > >>> + src/sort.c | 12 ++++++++++-- > > >>> + tests/local.mk | 1 + > > >>> + tests/misc/sort-field-limit.sh | 35 > > >>> ++++++++++++++++++++++++++++++++++ > > >>> + 3 files changed, 46 insertions(+), 2 deletions(-) > > >>> + create mode 100755 tests/misc/sort-field-limit.sh > > >>> + > > >>> +diff --git a/src/sort.c b/src/sort.c > > >>> +index 5f4c817de..07b96d34b 100644 > > >>> +--- a/src/sort.c > > >>> ++++ b/src/sort.c > > >>> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct > > >>> keyfield const *key) > > >>> + ++ptr; > > >>> + > > >>> + /* Advance PTR by SCHAR (if possible), but no further than LIM. 
*/ > > >>> +- ptr = MIN (lim, ptr + schar); > > >>> ++ size_t remaining_bytes = lim - ptr; > > >>> ++ if (schar < remaining_bytes) > > >>> ++ ptr += schar; > > >>> ++ else > > >>> ++ ptr = lim; > > >>> + > > >>> + return ptr; > > >>> + } > > >>> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct > > >>> keyfield const *key) > > >>> + ++ptr; > > >>> + > > >>> + /* Advance PTR by ECHAR (if possible), but no further than > > >>> LIM. */ > > >>> +- ptr = MIN (lim, ptr + echar); > > >>> ++ size_t remaining_bytes = lim - ptr; > > >>> ++ if (echar < remaining_bytes) > > >>> ++ ptr += echar; > > >>> ++ else > > >>> ++ ptr = lim; > > >>> + } > > >>> + > > >>> + return ptr; > > >>> +diff --git a/tests/local.mk b/tests/local.mk > > >>> +index 228d0e368..ced85c44c 100644 > > >>> +--- a/tests/local.mk > > >>> ++++ b/tests/local.mk > > >>> +@@ -373,6 +373,7 @@ all_tests > > >>> = \ > > >>> + tests/misc/sort-debug-keys.sh \ > > >>> + tests/misc/sort-debug-warn.sh \ > > >>> + tests/misc/sort-discrim.sh \ > > >>> ++ tests/misc/sort-field-limit.sh \ > > >>> + tests/misc/sort-files0-from.pl \ > > >>> + tests/misc/sort-float.sh \ > > >>> + tests/misc/sort-h-thousands-sep.sh \ > > >>> +diff --git a/tests/misc/sort-field-limit.sh > > >>> b/tests/misc/sort-field-limit.sh > > >>> +new file mode 100755 > > >>> +index 000000000..52d8e1d17 > > >>> +--- /dev/null > > >>> ++++ b/tests/misc/sort-field-limit.sh > > >>> +@@ -0,0 +1,35 @@ > > >>> ++#!/bin/sh > > >>> ++# From 7.2-9.7, this would trigger an out of bounds mem read > > >>> ++ > > >>> ++# Copyright (C) 2025 Free Software Foundation, Inc. > > >>> ++ > > >>> ++# This program is free software: you can redistribute it and/or > > >>> modify > > >>> ++# it under the terms of the GNU General Public License as > > >>> published by > > >>> ++# the Free Software Foundation, either version 3 of the License, or > > >>> ++# (at your option) any later version. 
> > >>> ++ > > >>> ++# This program is distributed in the hope that it will be useful, > > >>> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of > > >>> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > >>> ++# GNU General Public License for more details. > > >>> ++ > > >>> ++# You should have received a copy of the GNU General Public License > > >>> ++# along with this program. If not, see > > >>> <https://www.gnu.org/licenses/>. > > >>> ++ > > >>> ++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src > > >>> ++print_ver_ sort > > >>> ++getlimits_ > > >>> ++ > > >>> ++# This issue triggers with valgrind or ASAN > > >>> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && > > >>> ++ VALGRIND='valgrind --error-exitcode=1' > > >>> ++ > > >>> ++{ printf '%s\n' aa bb; } > in || framework_failure_ > > >>> ++ > > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || > > >>> fail=1 > > >>> ++compare in out || fail=1 > > >>> ++ > > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out > > >>> || fail=1 > > >>> ++compare in out || fail=1 > > >>> ++ > > >>> ++Exit $fail > > >>> +-- > > >>> +2.34.1 > > >>> + > > >>> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb > > >>> b/meta/recipes-core/coreutils/coreutils_9.0.bb > > >>> index 1cce9192ec..7c975708f4 100644 > > >>> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb > > >>> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb 
> > >>> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ > > >>> file://0001-uname-report-processor-and-hardware-correctly.patch \ > > >>> file://0001-local.mk-fix-cross-compiling-problem.patch \ > > >>> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ > > >>> + file://CVE-2025-5278.patch \ > > >>> file://run-ptest \ > > >>> file://0001-split-do-not-shrink-hold-buffer.patch \ > > >>> " > > >>> -- > > >>> 2.34.1 > > >>> > > >>> > > >>> > > >>> > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#219997): https://lists.openembedded.org/g/openembedded-core/message/219997 > Mute This Topic: https://lists.openembedded.org/mt/113922209/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Here are the logs for the arm64 and x86-64 ptest runs with the failure: https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/1852/steps/12/logs/stdio https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/1855/steps/12/logs/stdio There should be enough info there to allow you to try to reproduce the issue. Steve On Mon, Jul 7, 2025 at 7:31 PM Steve Sakoman <steve@sakoman.com> wrote: > > On Mon, Jul 7, 2025 at 1:27 PM Steve Sakoman via > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> > wrote: > > > > On Sun, Jul 6, 2025 at 7:03 PM ChenQi <Qi.Chen@windriver.com> wrote: > > > > > > I could not reproduce this issue. I tried qemux86-64, qemuarm and qemuarm64. > > > Could you please help check how to reproduce this issue? > > > > I put the patch back into my test queue, let's see what happens: > > > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1969 > > Unfortunately the ptest is still failing :-( > > Steve > > > > On 7/4/25 11:12, Chen Qi via lists.openembedded.org wrote: > > > > On 7/4/25 04:13, Steve Sakoman wrote: > > > >> Unfortunately this patch results in a failed ptest: > > > >> > > > >> AssertionError: Failed ptests: > > > >> {'coreutils': ['tests/misc/sort-field-limit.sh']} > > > >> > > > >> Steve > > > > > > > > Interesting. I did run ptest before I sent out patch. > > > > > > > > Let me check what's going on here. > > > > > > > > Regards, > > > > Qi > > > > > > > >> > > > >> On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org > > > >> <Qi.Chen=windriver.com@lists.openembedded.org> wrote: > > > >>> From: Chen Qi <Qi.Chen@windriver.com> > > > >>> > > > >>> Backport patch to fix CVE-2025-5278. > > > >>> The patch is adjusted to fit 9.0 version. > > 
> >>> > > > >>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > > >>> --- > > > >>> .../coreutils/coreutils/CVE-2025-5278.patch | 113 > > > >>> ++++++++++++++++++ > > > >>> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + > > > >>> 2 files changed, 114 insertions(+) > > > >>> create mode 100644 > > > >>> meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > > >>> > > > >>> diff --git > > > >>> a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > > >>> b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch > > > >>> new file mode 100644 > > > >>> index 0000000000..34434a65fa > > > >>> --- /dev/null > > > >>> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
> > > >>> @@ -0,0 +1,113 @@ > > > >>> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 > > > >>> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> > > > >>> +Date: Tue, 20 May 2025 16:03:44 +0100 > > > >>> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) > > > >>> + > > > >>> +* src/sort.c (begfield): Check pointer adjustment > > > >>> +to avoid Out-of-range pointer offset (CWE-823). > > > >>> +(limfield): Likewise. > > > >>> +* tests/sort/sort-field-limit.sh: Add a new test, > > > >>> +which triggers with ASAN or Valgrind. > > > >>> +* tests/local.mk: Reference the new test. > > > >>> +* NEWS: Mention bug fix introduced in v7.2 (2009). > > > >>> +Fixes https://bugs.gnu.org/78507 > > > >>> + > > > >>> +CVE: CVE-2025-5278 > > > >>> + > > > >>> +Upstream-Status: Backport > > > >>> [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] > > > >>> +[Adjusted for 9.0 version] > > > >>> + > > > >>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > > > >>> +--- > > > >>> + src/sort.c | 12 ++++++++++-- > > > >>> + tests/local.mk | 1 + > > > >>> + tests/misc/sort-field-limit.sh | 35 > > > >>> ++++++++++++++++++++++++++++++++++ > > > >>> + 3 files changed, 46 insertions(+), 2 deletions(-) > > > >>> + create mode 100755 tests/misc/sort-field-limit.sh > > > >>> + > > > >>> +diff --git a/src/sort.c b/src/sort.c > > > >>> +index 5f4c817de..07b96d34b 100644 > > > >>> +--- a/src/sort.c > > > >>> ++++ b/src/sort.c > > > >>> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct > > > >>> keyfield const *key) > > > >>> + ++ptr; > > > >>> + > > > >>> + /* Advance PTR by SCHAR (if possible), but no further than LIM. 
*/ > > > >>> +- ptr = MIN (lim, ptr + schar); > > > >>> ++ size_t remaining_bytes = lim - ptr; > > > >>> ++ if (schar < remaining_bytes) > > > >>> ++ ptr += schar; > > > >>> ++ else > > > >>> ++ ptr = lim; > > > >>> + > > > >>> + return ptr; > > > >>> + } > > > >>> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct > > > >>> keyfield const *key) > > > >>> + ++ptr; > > > >>> + > > > >>> + /* Advance PTR by ECHAR (if possible), but no further than > > > >>> LIM. */ > > > >>> +- ptr = MIN (lim, ptr + echar); > > > >>> ++ size_t remaining_bytes = lim - ptr; > > > >>> ++ if (echar < remaining_bytes) > > > >>> ++ ptr += echar; > > > >>> ++ else > > > >>> ++ ptr = lim; > > > >>> + } > > > >>> + > > > >>> + return ptr; > > > >>> +diff --git a/tests/local.mk b/tests/local.mk > > > >>> +index 228d0e368..ced85c44c 100644 > > > >>> +--- a/tests/local.mk > > > >>> ++++ b/tests/local.mk > > > >>> +@@ -373,6 +373,7 @@ all_tests > > > >>> = \ > > > >>> + tests/misc/sort-debug-keys.sh \ > > > >>> + tests/misc/sort-debug-warn.sh \ > > > >>> + tests/misc/sort-discrim.sh \ > > > >>> ++ tests/misc/sort-field-limit.sh \ > > > >>> + tests/misc/sort-files0-from.pl \ > > > >>> + tests/misc/sort-float.sh \ > > > >>> + tests/misc/sort-h-thousands-sep.sh \ > > > >>> +diff --git a/tests/misc/sort-field-limit.sh > > > >>> b/tests/misc/sort-field-limit.sh > > > >>> +new file mode 100755 > > > >>> +index 000000000..52d8e1d17 > > > >>> +--- /dev/null > > > >>> ++++ b/tests/misc/sort-field-limit.sh > > > >>> +@@ -0,0 +1,35 @@ > > > >>> ++#!/bin/sh > > > >>> ++# From 7.2-9.7, this would trigger an out of bounds mem read > > > >>> ++ > > > >>> ++# Copyright (C) 2025 Free Software Foundation, Inc. 
> > > >>> ++ > > > >>> ++# This program is free software: you can redistribute it and/or > > > >>> modify > > > >>> ++# it under the terms of the GNU General Public License as > > > >>> published by > > > >>> ++# the Free Software Foundation, either version 3 of the License, or > > > >>> ++# (at your option) any later version. > > > >>> ++ > > > >>> ++# This program is distributed in the hope that it will be useful, > > > >>> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of > > > >>> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > > >>> ++# GNU General Public License for more details. > > > >>> ++ > > > >>> ++# You should have received a copy of the GNU General Public License > > > >>> ++# along with this program. If not, see > > > >>> <https://www.gnu.org/licenses/>. > > > >>> ++ > > > >>> ++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src > > > >>> ++print_ver_ sort > > > >>> ++getlimits_ > > > >>> ++ > > > >>> ++# This issue triggers with valgrind or ASAN > > > >>> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && > > > >>> ++ VALGRIND='valgrind --error-exitcode=1' > > > >>> ++ > > > >>> ++{ printf '%s\n' aa bb; } > in || framework_failure_ > > > >>> ++ > > > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || > > > >>> fail=1 > > > >>> ++compare in out || fail=1 > > > >>> ++ > > > >>> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out > > > >>> || fail=1 > > > >>> ++compare in out || fail=1 > > > >>> ++ > > > >>> ++Exit $fail > > > >>> +-- > > > >>> +2.34.1 > > > >>> + > > > >>> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb > > > >>> b/meta/recipes-core/coreutils/coreutils_9.0.bb > > > >>> index 1cce9192ec..7c975708f4 100644 > > > >>> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb > > > >>> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb 
> > > >>> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ > > > >>> file://0001-uname-report-processor-and-hardware-correctly.patch \ > > > >>> file://0001-local.mk-fix-cross-compiling-problem.patch \ > > > >>> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ > > > >>> + file://CVE-2025-5278.patch \ > > > >>> file://run-ptest \ > > > >>> file://0001-split-do-not-shrink-hold-buffer.patch \ > > > >>> " > > > >>> -- > > > >>> 2.34.1 > > > >>> > > > >>> > > > >>> > > > >>> > > > > > > > > > > > > > > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#219997): https://lists.openembedded.org/g/openembedded-core/message/219997 > > Mute This Topic: https://lists.openembedded.org/mt/113922209/3620601 > > Group Owner: openembedded-core+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > > -=-=-=-=-=-=-=-=-=-=-=- > >
I finally reproduced the issue. It's about valgrind. The test case could run with/without valgrind. With valgrind installed on target, valgrind is reporting error for coreutils's sort with/without this patch. I think valgrind in kirkstone might have some problem. I'll disable valgrind in the test case. Regards, Qi On 7/8/25 10:55, Steve Sakoman wrote: > Here are the logs for the arm64 and x86-64 ptest runs with the failure: > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/61/builds/1852/steps/12/logs/stdio > https://autobuilder.yoctoproject.org/valkyrie/#/builders/73/builds/1855/steps/12/logs/stdio > > There should be enough info there to allow you to try to reproduce the issue. > > Steve > > On Mon, Jul 7, 2025 at 7:31 PM Steve Sakoman <steve@sakoman.com> wrote: >> On Mon, Jul 7, 2025 at 1:27 PM Steve Sakoman via >> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> >> wrote: >>> On Sun, Jul 6, 2025 at 7:03 PM ChenQi <Qi.Chen@windriver.com> wrote: >>>> I could not reproduce this issue. I tried qemux86-64, qemuarm and qemuarm64. >>>> Could you please help check how to reproduce this issue? >>> I put the patch back into my test queue, let's see what happens: >>> >>> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1969 >> Unfortunately the ptest is still failing :-( >> >> Steve >> >>>> On 7/4/25 11:12, Chen Qi via lists.openembedded.org wrote: >>>>> On 7/4/25 04:13, Steve Sakoman wrote: >>>>>> Unfortunately this patch results in a failed ptest: >>>>>> >>>>>> AssertionError: Failed ptests: >>>>>> {'coreutils': ['tests/misc/sort-field-limit.sh']} >>>>>> >>>>>> Steve >>>>> Interesting. I did run ptest before I sent out patch. >>>>> >>>>> Let me check what's going on here. >>>>> >>>>> Regards, >>>>> Qi >>>>> >>>>>> On Mon, Jun 30, 2025 at 9:16 PM Chen Qi via lists.openembedded.org >>>>>> <Qi.Chen=windriver.com@lists.openembedded.org> wrote: 
>>>>>>> From: Chen Qi <Qi.Chen@windriver.com> >>>>>>> >>>>>>> Backport patch to fix CVE-2025-5278. >>>>>>> The patch is adjusted to fit 9.0 version. >>>>>>> >>>>>>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>>>>>> --- >>>>>>> .../coreutils/coreutils/CVE-2025-5278.patch | 113 >>>>>>> ++++++++++++++++++ >>>>>>> meta/recipes-core/coreutils/coreutils_9.0.bb | 1 + >>>>>>> 2 files changed, 114 insertions(+) >>>>>>> create mode 100644 >>>>>>> meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>>>>>> >>>>>>> diff --git >>>>>>> a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>>>>>> b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch >>>>>>> new file mode 100644 >>>>>>> index 0000000000..34434a65fa >>>>>>> --- /dev/null >>>>>>> +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch 
>>>>>>> @@ -0,0 +1,113 @@ >>>>>>> +From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001 >>>>>>> +From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com> >>>>>>> +Date: Tue, 20 May 2025 16:03:44 +0100 >>>>>>> +Subject: [PATCH] sort: fix buffer under-read (CWE-127) >>>>>>> + >>>>>>> +* src/sort.c (begfield): Check pointer adjustment >>>>>>> +to avoid Out-of-range pointer offset (CWE-823). >>>>>>> +(limfield): Likewise. >>>>>>> +* tests/sort/sort-field-limit.sh: Add a new test, >>>>>>> +which triggers with ASAN or Valgrind. >>>>>>> +* tests/local.mk: Reference the new test. >>>>>>> +* NEWS: Mention bug fix introduced in v7.2 (2009). >>>>>>> +Fixes https://bugs.gnu.org/78507 >>>>>>> + >>>>>>> +CVE: CVE-2025-5278 >>>>>>> + >>>>>>> +Upstream-Status: Backport >>>>>>> [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633] >>>>>>> +[Adjusted for 9.0 version] >>>>>>> + >>>>>>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >>>>>>> +--- >>>>>>> + src/sort.c | 12 ++++++++++-- >>>>>>> + tests/local.mk | 1 + >>>>>>> + tests/misc/sort-field-limit.sh | 35 >>>>>>> ++++++++++++++++++++++++++++++++++ >>>>>>> + 3 files changed, 46 insertions(+), 2 deletions(-) >>>>>>> + create mode 100755 tests/misc/sort-field-limit.sh >>>>>>> + >>>>>>> +diff --git a/src/sort.c b/src/sort.c >>>>>>> +index 5f4c817de..07b96d34b 100644 >>>>>>> +--- a/src/sort.c >>>>>>> ++++ b/src/sort.c >>>>>>> +@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct >>>>>>> keyfield const *key) >>>>>>> + ++ptr; >>>>>>> + >>>>>>> + /* Advance PTR by SCHAR (if possible), but no further than LIM. 
*/ >>>>>>> +- ptr = MIN (lim, ptr + schar); >>>>>>> ++ size_t remaining_bytes = lim - ptr; >>>>>>> ++ if (schar < remaining_bytes) >>>>>>> ++ ptr += schar; >>>>>>> ++ else >>>>>>> ++ ptr = lim; >>>>>>> + >>>>>>> + return ptr; >>>>>>> + } >>>>>>> +@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct >>>>>>> keyfield const *key) >>>>>>> + ++ptr; >>>>>>> + >>>>>>> + /* Advance PTR by ECHAR (if possible), but no further than >>>>>>> LIM. */ >>>>>>> +- ptr = MIN (lim, ptr + echar); >>>>>>> ++ size_t remaining_bytes = lim - ptr; >>>>>>> ++ if (echar < remaining_bytes) >>>>>>> ++ ptr += echar; >>>>>>> ++ else >>>>>>> ++ ptr = lim; >>>>>>> + } >>>>>>> + >>>>>>> + return ptr; >>>>>>> +diff --git a/tests/local.mk b/tests/local.mk >>>>>>> +index 228d0e368..ced85c44c 100644 >>>>>>> +--- a/tests/local.mk >>>>>>> ++++ b/tests/local.mk >>>>>>> +@@ -373,6 +373,7 @@ all_tests >>>>>>> = \ >>>>>>> + tests/misc/sort-debug-keys.sh \ >>>>>>> + tests/misc/sort-debug-warn.sh \ >>>>>>> + tests/misc/sort-discrim.sh \ >>>>>>> ++ tests/misc/sort-field-limit.sh \ >>>>>>> + tests/misc/sort-files0-from.pl \ >>>>>>> + tests/misc/sort-float.sh \ >>>>>>> + tests/misc/sort-h-thousands-sep.sh \ >>>>>>> +diff --git a/tests/misc/sort-field-limit.sh >>>>>>> b/tests/misc/sort-field-limit.sh >>>>>>> +new file mode 100755 >>>>>>> +index 000000000..52d8e1d17 >>>>>>> +--- /dev/null >>>>>>> ++++ b/tests/misc/sort-field-limit.sh >>>>>>> +@@ -0,0 +1,35 @@ >>>>>>> ++#!/bin/sh >>>>>>> ++# From 7.2-9.7, this would trigger an out of bounds mem read >>>>>>> ++ >>>>>>> ++# Copyright (C) 2025 Free Software Foundation, Inc. >>>>>>> ++ >>>>>>> ++# This program is free software: you can redistribute it and/or >>>>>>> modify >>>>>>> ++# it under the terms of the GNU General Public License as >>>>>>> published by >>>>>>> ++# the Free Software Foundation, either version 3 of the License, or >>>>>>> ++# (at your option) any later version. 
>>>>>>> ++ >>>>>>> ++# This program is distributed in the hope that it will be useful, >>>>>>> ++# but WITHOUT ANY WARRANTY; without even the implied warranty of >>>>>>> ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >>>>>>> ++# GNU General Public License for more details. >>>>>>> ++ >>>>>>> ++# You should have received a copy of the GNU General Public License >>>>>>> ++# along with this program. If not, see >>>>>>> <https://www.gnu.org/licenses/>. >>>>>>> ++ >>>>>>> ++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src >>>>>>> ++print_ver_ sort >>>>>>> ++getlimits_ >>>>>>> ++ >>>>>>> ++# This issue triggers with valgrind or ASAN >>>>>>> ++valgrind --error-exitcode=1 sort --version 2>/dev/null && >>>>>>> ++ VALGRIND='valgrind --error-exitcode=1' >>>>>>> ++ >>>>>>> ++{ printf '%s\n' aa bb; } > in || framework_failure_ >>>>>>> ++ >>>>>>> ++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || >>>>>>> fail=1 >>>>>>> ++compare in out || fail=1 >>>>>>> ++ >>>>>>> ++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out >>>>>>> || fail=1 >>>>>>> ++compare in out || fail=1 >>>>>>> ++ >>>>>>> ++Exit $fail >>>>>>> +-- >>>>>>> +2.34.1 >>>>>>> + >>>>>>> diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb >>>>>>> b/meta/recipes-core/coreutils/coreutils_9.0.bb >>>>>>> index 1cce9192ec..7c975708f4 100644 >>>>>>> --- a/meta/recipes-core/coreutils/coreutils_9.0.bb >>>>>>> +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb 
>>>>>>> @@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ >>>>>>> file://0001-uname-report-processor-and-hardware-correctly.patch \ >>>>>>> file://0001-local.mk-fix-cross-compiling-problem.patch \ >>>>>>> file://e8b56ebd536e82b15542a00c888109471936bfda.patch \ >>>>>>> + file://CVE-2025-5278.patch \ >>>>>>> file://run-ptest \ >>>>>>> file://0001-split-do-not-shrink-hold-buffer.patch \ >>>>>>> " >>>>>>> -- >>>>>>> 2.34.1 >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>> >>>>> >>>>> >>> -=-=-=-=-=-=-=-=-=-=-=- >>> Links: You receive all messages sent to this group. >>> View/Reply Online (#219997): https://lists.openembedded.org/g/openembedded-core/message/219997 >>> Mute This Topic: https://lists.openembedded.org/mt/113922209/3620601 >>> Group Owner: openembedded-core+owner@lists.openembedded.org >>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] >>> -=-=-=-=-=-=-=-=-=-=-=- >>>
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
new file mode 100644
index 0000000000..34434a65fa
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
@@ -0,0 +1,113 @@
+From 84a061ea3d1fad42188493c4e5d8396aff4a0f67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: [PATCH] sort: fix buffer under-read (CWE-127)
+
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+
+CVE: CVE-2025-5278
+
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
+[Adjusted for 9.0 version]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/sort.c | 12 ++++++++++--
+ tests/local.mk | 1 +
+ tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/misc/sort-field-limit.sh
+
+diff --git a/src/sort.c b/src/sort.c
+index 5f4c817de..07b96d34b 100644
+--- a/src/sort.c
++++ b/src/sort.c
+@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key)
+ ++ptr;
+
+ /* Advance PTR by SCHAR (if possible), but no further than LIM. */
+- ptr = MIN (lim, ptr + schar);
++ size_t remaining_bytes = lim - ptr;
++ if (schar < remaining_bytes)
++ ptr += schar;
++ else
++ ptr = lim;
+
+ return ptr;
+ }
+@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key)
+ ++ptr;
+
+ /* Advance PTR by ECHAR (if possible), but no further than LIM. */
+- ptr = MIN (lim, ptr + echar);
++ size_t remaining_bytes = lim - ptr;
++ if (echar < remaining_bytes)
++ ptr += echar;
++ else
++ ptr = lim;
+ }
+
+ return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 228d0e368..ced85c44c 100644
+--- a/tests/local.mk
++++ b/tests/local.mk
+@@ -373,6 +373,7 @@ all_tests = \
+ tests/misc/sort-debug-keys.sh \
+ tests/misc/sort-debug-warn.sh \
+ tests/misc/sort-discrim.sh \
++ tests/misc/sort-field-limit.sh \
+ tests/misc/sort-files0-from.pl \
+ tests/misc/sort-float.sh \
+ tests/misc/sort-h-thousands-sep.sh \
+diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh
+new file mode 100755
+index 000000000..52d8e1d17
+--- /dev/null
++++ b/tests/misc/sort-field-limit.sh
+@@ -0,0 +1,35 @@
++#!/bin/sh
++# From 7.2-9.7, this would trigger an out of bounds mem read
++
++# Copyright (C) 2025 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <https://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
++print_ver_ sort
++getlimits_
++
++# This issue triggers with valgrind or ASAN
++valgrind --error-exitcode=1 sort --version 2>/dev/null &&
++ VALGRIND='valgrind --error-exitcode=1'
++
++{ printf '%s\n' aa bb; } > in || framework_failure_
++
++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++Exit $fail
+--
+2.34.1
+
diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb
index 1cce9192ec..7c975708f4 100644
--- a/meta/recipes-core/coreutils/coreutils_9.0.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 file://0001-uname-report-processor-and-hardware-correctly.patch \
 file://0001-local.mk-fix-cross-compiling-problem.patch \
 file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
+ file://CVE-2025-5278.patch \
 file://run-ptest \
 file://0001-split-do-not-shrink-hold-buffer.patch \
 "
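Review bot: In the added tests/misc/sort-field-limit.sh the memory check is conditional: only when the probe `valgrind --error-exitcode=1 sort --version` succeeds is `$VALGRIND` set, otherwise both `sort` runs are judged by `compare in out` alone, which, going by the script's own comment that the issue triggers with valgrind or ASAN, would presumably not notice the under-read. The ptest verdict therefore depends on whether the image ships valgrind, and a pass without it says little about the begfield/limfield change unless sort itself was built with ASAN. I would state that in the script, e.g. `# Without valgrind or ASAN this only checks sort's output, not the out-of-bounds read`, and spell out the backport changes in the header, e.g. `[Adjusted for 9.0: test placed in tests/misc/, NEWS change dropped]`, since the log still names tests/sort/ and NEWS while the diffstat lists neither.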