| Message ID | 20240604035527.9937-1-vanusuri@mvista.com |
|---|---|
| State | New |
| Headers | show |
| Series | [meta-oe,kirkstone,v2] yajl: backport Debian patch for CVE-2022-24795 | expand |
Hi Armin, Any update on this? Thanks & Regards, Vijay On Tue, Jun 4, 2024 at 9:25 AM <vanusuri@mvista.com> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > import patch from ubuntu to fix > CVE-2022-24795 > > Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/?h=ubuntu%2Ffocal-security > Upstream commit > > https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad > ] > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../yajl/yajl/CVE-2022-24795.patch | 61 +++++++++++++++++++ > meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb | 1 + > 2 files changed, 62 insertions(+) > create mode 100644 meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > > diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > new file mode 100644 > index 000000000..4de46e699 > --- /dev/null > +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch > @@ -0,0 +1,61 @@ > +From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> > +Date: Thu, 7 Apr 2022 17:29:54 +0200 > +Subject: [PATCH] Fix CVE-2022-24795 > + > +There was an integer overflow in yajl_buf_ensure_available() leading > +to allocating less memory than requested. Then data were written past > +the allocated heap buffer in yajl_buf_append(), the only caller of > +yajl_buf_ensure_available(). Another result of the overflow was an > +infinite loop without a return from yajl_buf_ensure_available(). > + > +yajl-ruby project, which bundles yajl, fixed it > +<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the > +integer overflow, fortifying buffer allocations, and report the > +failures to a caller. But then the caller yajl_buf_append() skips > +a memory write if yajl_buf_ensure_available() failed leading to a data > +corruption. > + > +A yajl fork mainter recommended calling memory allocation callbacks with > +the large memory request and let them to handle it. But that has the > +problem that it's not possible pass the overely large size to the > +callbacks. > + > +This patch catches the integer overflow and terminates the process > +with abort(). > + > +https://github.com/lloyd/yajl/issues/239 > + > https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm > + > +Upstream-Status: Backport [import from ubuntu > https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch > +Upstream commit > + > https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad > ] > +CVE: CVE-2022-24795 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + src/yajl_buf.c | 12 +++++++++++- > + 1 file changed, 11 insertions(+), 1 deletion(-) > + > +diff --git a/src/yajl_buf.c b/src/yajl_buf.c > +index 1aeafde0..55c11add 100644 > +--- a/src/yajl_buf.c > ++++ b/src/yajl_buf.c > +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t > want) > + > + need = buf->len; > + > +- while (want >= (need - buf->used)) need <<= 1; > ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + > want)) { > ++ /* We cannot allocate more memory than SIZE_MAX. */ > ++ abort(); > ++ } > ++ while (want >= (need - buf->used)) { > ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { > ++ /* need would overflow. */ > ++ abort(); > ++ } > ++ need <<= 1; > ++ } > + > + if (need != buf->len) { > + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, > need); > diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > index 697f54d9f..eca709cc1 100644 > --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb > @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = > "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" > > SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ > file://CVE-2023-33460.patch \ > + file://CVE-2022-24795.patch \ > " > SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" > > -- > 2.25.1 > >
diff --git a/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch new file mode 100644 index 000000000..4de46e699 --- /dev/null +++ b/meta-oe/recipes-devtools/yajl/yajl/CVE-2022-24795.patch @@ -0,0 +1,61 @@ +From 23cea2d7677e396efed78bbf1bf153961fab6bad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Thu, 7 Apr 2022 17:29:54 +0200 +Subject: [PATCH] Fix CVE-2022-24795 + +There was an integer overflow in yajl_buf_ensure_available() leading +to allocating less memory than requested. Then data were written past +the allocated heap buffer in yajl_buf_append(), the only caller of +yajl_buf_ensure_available(). Another result of the overflow was an +infinite loop without a return from yajl_buf_ensure_available(). + +yajl-ruby project, which bundles yajl, fixed it +<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the +integer overflow, fortifying buffer allocations, and report the +failures to a caller. But then the caller yajl_buf_append() skips +a memory write if yajl_buf_ensure_available() failed leading to a data +corruption. + +A yajl fork mainter recommended calling memory allocation callbacks with +the large memory request and let them to handle it. But that has the +problem that it's not possible pass the overely large size to the +callbacks. + +This patch catches the integer overflow and terminates the process +with abort(). + +https://github.com/lloyd/yajl/issues/239 +https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/yajl/tree/debian/patches/CVE-2022-24795.patch +Upstream commit +https://github.com/ppisar/yajl/commit/23cea2d7677e396efed78bbf1bf153961fab6bad] +CVE: CVE-2022-24795 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/yajl_buf.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/yajl_buf.c b/src/yajl_buf.c +index 1aeafde0..55c11add 100644 +--- a/src/yajl_buf.c ++++ b/src/yajl_buf.c +@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want) + + need = buf->len; + +- while (want >= (need - buf->used)) need <<= 1; ++ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { ++ /* We cannot allocate more memory than SIZE_MAX. */ ++ abort(); ++ } ++ while (want >= (need - buf->used)) { ++ if (need >= (size_t)((size_t)(-1)<<1)>>1) { ++ /* need would overflow. */ ++ abort(); ++ } ++ need <<= 1; ++ } + + if (need != buf->len) { + buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index 697f54d9f..eca709cc1 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https \ file://CVE-2023-33460.patch \ + file://CVE-2022-24795.patch \ " SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa"