Message ID | 20240604035527.9937-1-vanusuri@mvista.com |
---|---|
State | New |
Series | [meta-oe,kirkstone,v2] yajl: backport Debian patch for CVE-2022-24795 |
Hi Armin,

Any update on this?

Thanks & Regards,
Vijay

On Tue, Jun 4, 2024 at 9:25 AM <vanusuri@mvista.com> wrote:

> From: Vijay Anusuri <vanusuri@mvista.com> > > import patch from ubuntu to fix > CVE-2022-24795 > > Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/?h=ubuntu%2Ffocal-security > Upstream commit > > https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad > ] > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../yajl/yajl/CVE-2022-24795.patch | 61 +++++++++++++++++++ > meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb | 1 + > 2 files changed, 62 insertions(+) > create mode 100644 meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > > diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > new file mode 100644 > index 000000000..4de46e699 > --- /dev/null > +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch 
> @@ -0,0 +1,61 @@ > +From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> > +Date: Thu, 7 Apr 2022 17:29:54 +0200 > +Subject: [PATCH] Fix CVE-2022-24795 > + > +There was an integer overflow in yajl_buf_ensure_available() leading > +to allocating less memory than requested. Then data were written past > +the allocated heap buffer in yajl_buf_append(), the only caller of > +yajl_buf_ensure_available(). Another result of the overflow was an > +infinite loop without a return from yajl_buf_ensure_available(). > + > +yajl-ruby project, which bundles yajl, fixed it > +<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the > +integer overflow, fortifying buffer allocations, and report the > +failures to a caller. But then the caller yajl_buf_append() skips > +a memory write if yajl_buf_ensure_available() failed leading to a data > +corruption. > + > +A yajl fork mainter recommended calling memory allocation callbacks with > +the large memory request and let them to handle it. But that has the > +problem that it's not possible pass the overely large size to the > +callbacks. > + > +This patch catches the integer overflow and terminates the process > +with abort(). 
> + > +https://github.com/lloyd/yajl/issues/239 > + > https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm > + > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch > +Upstream commit > + > https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad > ] > +CVE: CVE-2022-24795 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + src/yajl_buf.c | 12 +++++++++++- > + 1 file changed, 11 insertions(+), 1 deletion(-) > + > +diff --git a/src/yajl_buf.c b/src/yajl_buf.c > +index 1aeafde0..55c11add 100644 > +--- a/src/yajl_buf.c > ++++ b/src/yajl_buf.c > +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t > want) > + > + need = buf->len; > + > +- while (want >= (need - buf->used)) need <<= 1; > ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + > want)) { > ++ /* We cannot allocate more memory than SIZE_MAX. */ > ++ abort(); > ++ } > ++ while (want >= (need - buf->used)) { > ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { > ++ /* need would overflow. */ > ++ abort(); > ++ } > ++ need <<= 1; > ++ } > + > + if (need != buf->len) { > + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, > need); > diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > index 697f54d9f..eca709cc1 100644 > --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = > "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" > > SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ > file://CVE-2023-33460.patch \ > + file://CVE-2022-24795.patch \ > " > SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" > > -- > 2.25.1 > >
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch new file mode 100644 index 000000000..4de46e699 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch 
@@ -0,0 +1,61 @@ +From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 7 Apr 2022 17:29:54 +0200 +Subject: [PATCH] Fix CVE-2022-24795 + +There was an integer overflow in yajl_buf_ensure_available() leading +to allocating less memory than requested. Then data were written past +the allocated heap buffer in yajl_buf_append(), the only caller of +yajl_buf_ensure_available(). Another result of the overflow was an +infinite loop without a return from yajl_buf_ensure_available(). + +yajl-ruby project, which bundles yajl, fixed it +<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the +integer overflow, fortifying buffer allocations, and report the +failures to a caller. But then the caller yajl_buf_append() skips +a memory write if yajl_buf_ensure_available() failed leading to a data +corruption. + +A yajl fork mainter recommended calling memory allocation callbacks with +the large memory request and let them to handle it. But that has the +problem that it's not possible pass the overely large size to the +callbacks. + +This patch catches the integer overflow and terminates the process +with abort(). 
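Review bot: in the src/yajl_buf.c hunk of the new CVE-2022-24795.patch, the loop guard `if (need >= (size_t)((size_t)(-1)<<1)>>1)` is correct but obscure: shifting the all-ones size_t left and back right clears the top bit, so the expression is SIZE_MAX / 2 and `need <<= 1` can no longer wrap. Since this is a verbatim upstream backport it should stay as written, but two things to confirm on the recipe side that the hunk context does not show: that src/yajl_buf.c already includes `<stdlib.h>` for abort(), and that the checker accepts the Upstream-Status tag, which here is split across several lines with the closing `]` on its own line rather than the single-line `Upstream-Status: Backport [https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad]` form. The first added check, `max(buf->used, want) > buf->used + want`, is a valid wraparound test for the sum. Note for integrators that the fix deliberately turns an oversized request into an abort() of the whole process rather than a parse error; the commit message explains why the error-return alternative was rejected (yajl_buf_append() would silently skip the write), so the behaviour change is from heap overflow to a clean crash.

Review bot: the yajl_2.1.0.bb hunk appends `file://CVE-2022-24795.patch` after `file://CVE-2023-33460.patch`, and patches apply in SRC_URI order, so a do_patch run against SRCREV a0ecdde0c042b9256170f2f8890dd9451a4240aa should be confirmed before merge; nothing on the page says which files the earlier patch touches, so no conflict is claimed here. Two documentation points: the series title says "backport Debian patch" while the commit body says "import patch from ubuntu", and the body carries no changelog describing what differs in v2 from v1.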
+ +https://github.com/lloyd/yajl/issues/239 +https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch +Upstream commit +https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad] +CVE: CVE-2022-24795 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_buf.c b/src/yajl_buf.c +index 1aeafde0..55c11add 100644 +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want) + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. */ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index 697f54d9f..eca709cc1 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ file://CVE-2023-33460.patch \ + file://CVE-2022-24795.patch \ " SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"