
[kirkstone,06/16] procps: patch CVE-2023-4016

Message ID 94521a1e49e8fd9193211f486995d2e504f99d3f.1727874367.git.steve@sakoman.com
State RFC
Delegated to: Steve Sakoman
Series [kirkstone,01/16] curl: backport Debian patch for CVE-2024-8096 | expand

Commit Message

Steve Sakoman Oct. 2, 2024, 1:12 p.m. UTC
From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>

Previous patch[1] for CVE-2023-4016 is insufficient.
Backport more from upstream master.

There is one change needed to apply this patch:
* change file location from local/xalloc.h to include/xalloc.h

[1] https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/procps/procps/CVE-2023-4016.patch?h=kirkstone&id=71d0683d625c09d4db5e0473a0b15a266aa787f4

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../procps/procps/CVE-2023-4016-2.patch       | 60 +++++++++++++++++++
 meta/recipes-extended/procps/procps_3.3.17.bb |  3 +-
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch

Patch

diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch
new file mode 100644
index 0000000000..7269068045
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2023-4016-2.patch
@@ -0,0 +1,60 @@ 
+From 93bb86a37a0cf7b9c71e374f3c9aac7dbfe2953a Mon Sep 17 00:00:00 2001
+From: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+Date: Fri, 27 Sep 2024 14:22:32 +0800
+Subject: [PATCH] procps: patch CVE-2023-4016
+
+ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr
+
+* ps/parser.c:parse_list(): Regression (2c933ecb): node->u is uninitialized at
+  free(node->u) when reached before node->u=xcalloc().
+* ps/parser.c:parse_list(): When "arg" is very long, CVE-2023-4016 is triggered.
+  2c933ecb handles the multiplication issue, but there is still the possibility
+  of int overflow when incrementing "items".
+
+CVE: CVE-2023-4016
+
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/f5f843e257daeceaac2504b8957e84f4bf87a8f2]
+
+Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
+---
+ include/xalloc.h | 2 +-
+ ps/parser.c      | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/xalloc.h b/include/xalloc.h
+index 8b4d368f..a8046892 100644
+--- a/include/xalloc.h
++++ b/include/xalloc.h
+@@ -42,7 +42,7 @@ void *xcalloc(const size_t nelems, const size_t size)
+ {
+ 	void *ret = calloc(nelems, size);
+ 	if (!ret && size && nelems)
+-		xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", size);
++		xerrx(XALLOC_EXIT_CODE, "cannot allocate %zu bytes", nelems*size);
+ 	return ret;
+ }
+ 
+diff --git a/ps/parser.c b/ps/parser.c
+index 5c92fce4..a94b49ff 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -185,6 +185,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   /*** prepare to operate ***/
+   node = malloc(sizeof(selection_node));
+   node->n = 0;
++  node->u = NULL;
+   buf = strdup(arg);
+   /*** sanity check and count items ***/
+   need_item = 1; /* true */
+@@ -198,7 +199,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+       need_item=1;
+       break;
+     default:
+-      if(need_item) items++;
++      if(need_item && items<INT_MAX) items++;
+       need_item=0;
+     }
+   } while (*++walk);
+-- 
+2.34.1
+
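Review bot: The cap added at `if(need_item && items<INT_MAX) items++;` stops the signed overflow but leaves `items` silently smaller than the real number of list entries once it saturates, so the code after this hunk (not visible here) must either reject the list or bound its writes into `node->u` by `items`; rejecting the argument when the cap is reached would be clearer than saturating. `INT_MAX` needs `<limits.h>` and this hunk adds no include, so confirm it is already in scope in ps/parser.c of the 3.3.17 tree, given that the backport already had to adjust the xalloc.h path. In the same context lines, `node = malloc(sizeof(selection_node));` is dereferenced by `node->n = 0;` and the new `node->u = NULL;` without a NULL check, and `strdup(arg)` is likewise unchecked. In `xcalloc`, `nelems*size` in the message wraps in exactly the case where calloc fails because the product overflows; printing both operands, e.g. `"cannot allocate %zu elements of %zu bytes", nelems, size`, avoids reporting a misleading number. parse_list's body starts and ends outside the hunk.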
diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb
index 897f28f187..bbec5a543c 100644
--- a/meta/recipes-extended/procps/procps_3.3.17.bb
+++ b/meta/recipes-extended/procps/procps_3.3.17.bb
@@ -17,6 +17,7 @@  SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
            file://0001-w.c-correct-musl-builds.patch \
            file://0002-proc-escape.c-add-missing-include.patch \
            file://CVE-2023-4016.patch \
+           file://CVE-2023-4016-2.patch \
            "
 SRCREV = "19a508ea121c0c4ac6d0224575a036de745eaaf8"
 
@@ -101,4 +102,4 @@  ALTERNATIVE_LINK_NAME[ps] = "${base_bindir}/ps"
 
 ALTERNATIVE:${PN}-sysctl = "sysctl"
 ALTERNATIVE_TARGET[sysctl] = "${base_sbindir}/sysctl"
-ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"
\ No newline at end of file
+ALTERNATIVE_LINK_NAME[sysctl] = "${base_sbindir}/sysctl"