
[meta-oe,dunfell] capnproto: Fix CVE-2022-46149

Message ID 20221222065122.10079-1-thakur.virendra1810@gmail.com

Commit Message

virendra thakur Dec. 22, 2022, 6:51 a.m. UTC
From: Virendra Thakur <virendrak@kpit.com>

This patch contains a fix for CVE-2022-46149

Patch backported from:
https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 .../capnproto/capnproto_0.7.0.bb              |  4 +-
 .../capnproto/files/CVE-2022-46149.patch      | 49 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch

Patch

diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
index cb748d3cb..fa1751e56 100644
--- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
+++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
@@ -5,7 +5,9 @@  SECTION = "console/tools"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9"
 
-SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https"
+SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \
+           file://CVE-2022-46149.patch \
+"
 SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19"
 
 S = "${WORKDIR}/git/c++"
diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
new file mode 100644
index 000000000..b6b1fa651
--- /dev/null
+++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
@@ -0,0 +1,49 @@ 
+From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001
+From: Kenton Varda <kenton@cloudflare.com>
+Date: Wed, 23 Nov 2022 12:02:29 -0600
+Subject: [PATCH] Apply data offset for list-of-pointers at access time rather
+ than ListReader creation time.
+
+Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected.
+
+CVE: CVE-2022-46149
+Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ c++/src/capnp/layout.c++ | 4 ----
+ c++/src/capnp/layout.h   | 6 +++++-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+Index: c++/src/capnp/layout.c++
+===================================================================
+--- c++.orig/src/capnp/layout.c++
++++ c++/src/capnp/layout.c++
+@@ -2322,10 +2322,6 @@ struct WireHelpers {
+             break;
+ 
+           case ElementSize::POINTER:
+-            // We expected a list of pointers but got a list of structs.  Assuming the first field
+-            // in the struct is the pointer we were looking for, we want to munge the pointer to
+-            // point at the first element's pointer section.
+-            ptr += tag->structRef.dataSize.get();
+             KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS,
+                        "Expected a pointer list, but got a list of data-only structs.") {
+               goto useDefault;
+Index: c++/src/capnp/layout.h
+===================================================================
+--- c++.orig/src/capnp/layout.h
++++ c++/src/capnp/layout.h
+@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V
+ }
+ 
+ inline PointerReader ListReader::getPointerElement(ElementCount index) const {
++  // If the list elements have data sections we need to skip those. Note that for pointers to be
++  // present at all (which already must be true if we get here), then `structDataSize` must be a
++  // whole number of words, so we don't have to worry about unaligned reads here.
++  auto offset = structDataSize / BITS_PER_BYTE;
+   return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>(
+-      ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
++      ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
+ }
+ 
+ // -------------------------------------------------------------------
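Review bot: The rewritten `ListReader::getPointerElement` in the layout.h hunk turns the old baked-in data offset into a precondition stated only in a comment — that `structDataSize` is a whole number of words — with nothing enforcing it; a debug-only check with `KJ_DASSERT` on that word-alignment precondition, placed just before `auto offset = structDataSize / BITS_PER_BYTE;`, would make a future regression in the list-upgrade path in layout.c++ show up in the test suite instead of silently reintroducing a misaligned `reinterpret_cast`. The backport also carries no regression test for the list-of-structs-to-list-of-pointers upgrade this CVE concerns, so on the 0.7.0 code base the fix is only as verified as the two hunks applying cleanly; a test exercising that upgrade path, or at least a ptest run for the recipe, would be worth adding. The `WireHelpers` function edited in the layout.c++ hunk starts and ends outside the hunk, so I cannot confirm from here that no other consumer of `ptr` in 0.7.0 relied on the removed `ptr += tag->structRef.dataSize.get();`; presumably every pointer-element access goes through the accessor, but that should be checked against 0.7.0's layout.c++ rather than assumed from the upstream commit.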