[OE-core] [PATCH v2] busybox: Fix zlma segfaults

André Draszik git at andred.net
Thu May 31 08:13:52 UTC 2018


Typo in the subject: zlma -> lzma

A.

On Thu, 2018-05-31 at 08:15 +0200, Andrej Valek wrote:
> - fix multiple lzma segmentation faults
> - patch includes multiple fixing commits
> - test-cases have been removed due to binary data
> 
> Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> ---
>  .../busybox/busybox-fix-unlzma-segfaults.patch     | 106
> +++++++++++++++++++++
>  meta/recipes-core/busybox/busybox_1.27.2.bb        |   1 +
>  2 files changed, 107 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch
> 
> diff --git a/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-
> segfaults.patch
> new file mode 100644
> index 0000000000..5215da74a5
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/busybox-fix-unlzma-segfaults.patch
> @@ -0,0 +1,106 @@
> +busybox-1.27.2: Fix zlma segfaults
> +
> +[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
> +
> +libarchive: check buffer index in lzma_decompress
> +
> +With specific defconfig busybox fails to check zip fileheader magic
> +(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
> +for decompression which leads to segmentation fault. It prevents
> accessing into
> +buffer, which is smaller than pos index. Patch includes multiple
> segmentation
> +fault fixes.
> +
> +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36
> 986bb80289c1cd8d15a557e49207c9a42946b]
> +bug: 10436 10871
> +Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
> +
> +diff --git a/archival/libarchive/decompress_unlzma.c
> b/archival/libarchive/decompress_unlzma.c
> +index a904087..29eee2a 100644
> +--- a/archival/libarchive/decompress_unlzma.c
> ++++ b/archival/libarchive/decompress_unlzma.c
> +@@ -11,6 +11,14 @@
> + #include "libbb.h"
> + #include "bb_archive.h"
> + 
> ++
> ++#if 0
> ++# define dbg(...) bb_error_msg(__VA_ARGS__)
> ++#else
> ++# define dbg(...) ((void)0)
> ++#endif
> ++
> ++
> + #if ENABLE_FEATURE_LZMA_FAST
> + #  define speed_inline ALWAYS_INLINE
> + #  define size_inline
> +@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 	rc_t *rc;
> + 	int i;
> + 	uint8_t *buffer;
> ++	uint32_t buffer_size;
> + 	uint8_t previous_byte = 0;
> + 	size_t buffer_pos = 0, global_pos = 0;
> + 	int len = 0;
> +@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 	if (header.dict_size == 0)
> + 		header.dict_size++;
> + 
> +-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
> ++	buffer_size = MIN(header.dst_size, header.dict_size);
> ++	buffer = xmalloc(buffer_size);
> + 
> + 	{
> + 		int num_probs;
> +@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 						state = state <
> LZMA_NUM_LIT_STATES ? 9 : 11;
> + 
> + 						pos = buffer_pos - rep0;
> +-						if ((int32_t)pos < 0)
> ++						if ((int32_t)pos < 0) {
> + 							pos +=
> header.dict_size;
> ++							/* see
> unzip_bad_lzma_2.zip: */
> ++							if (pos >=
> buffer_size)
> ++								goto
> bad;
> ++						}
> + 						previous_byte =
> buffer[pos];
> + 						goto one_byte1;
> + #else
> +@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 						for (; num_bits2 !=
> LZMA_NUM_ALIGN_BITS; num_bits2--)
> + 							rep0 = (rep0 <<
> 1) | rc_direct_bit(rc);
> + 						rep0 <<=
> LZMA_NUM_ALIGN_BITS;
> ++						if ((int32_t)rep0 < 0) {
> ++							dbg("%d
> rep0:%d", __LINE__, rep0);
> ++							goto bad;
> ++						}
> + 						prob3 = p + LZMA_ALIGN;
> + 					}
> + 					i2 = 1;
> +@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> +  IF_NOT_FEATURE_LZMA_FAST(string:)
> + 			do {
> + 				uint32_t pos = buffer_pos - rep0;
> +-				if ((int32_t)pos < 0)
> ++				if ((int32_t)pos < 0) {
> + 					pos += header.dict_size;
> ++					/* more stringent test (see
> unzip_bad_lzma_1.zip): */
> ++					if (pos >= buffer_size)
> ++						goto bad;
> ++				}
> + 				previous_byte = buffer[pos];
> +  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
> + 				buffer[buffer_pos++] = previous_byte;
> +@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
> + 		IF_DESKTOP(total_written += buffer_pos;)
> + 		if (transformer_write(xstate, buffer, buffer_pos) !=
> (ssize_t)buffer_pos) {
> +  bad:
> ++			/* One of our users, bbunpack(), expects _us_ to
> emit
> ++			 * the error message (since it's the best place
> to give
> ++			 * potentially more detailed information).
> ++			 * Do not fail silently.
> ++			 */
> ++			bb_error_msg("corrupted data");
> + 			total_written = -1; /* failure */
> + 		}
> + 		rc_free(rc);
> + 
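Review bot: The `Upstream-Status: Backport [...a36986bb...]` line names a single upstream commit while the header above it says the patch folds in "multiple segmentation fault fixes", so the backport cannot be checked against upstream; list every commit it was assembled from, e.g. `Upstream-Status: Backport [<upstream-commit-1>, <upstream-commit-2>]`, and drop the contradictory `[No upstream tracking]` line (the bug URL can stay on the `bug:` line). Separately, the `bad:` label sits inside the `if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {` body, so the newly added `bb_error_msg("corrupted data")` is also printed when the write itself fails (short write, closed pipe); this mirrors upstream and may be acceptable for a backport, but if transformer_write does not report its own error the message misattributes an I/O failure to corrupt input, which is worth a sentence in the patch header. Minor: `dbg("%d rep0:%d", __LINE__, rep0)` formats a `uint32_t` with `%d`; it is compiled out under `#if 0`, but `%u` is the matching specifier should the debug path ever be enabled. The inner hunks cut through `unpack_lzma_stream`, whose definition begins and ends outside the quoted patch.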
> diff --git a/meta/recipes-core/busybox/busybox_1.27.2.bb b/meta/recipes-
> core/busybox/busybox_1.27.2.bb
> index 36a6342aaf..9f0393505a 100644
> --- a/meta/recipes-core/busybox/busybox_1.27.2.bb
> +++ b/meta/recipes-core/busybox/busybox_1.27.2.bb
> @@ -45,6 +45,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV
> }.tar.bz2;name=tarball \
>             file://CVE-2011-5325.patch \
>             file://CVE-2017-15873.patch \
>             file://busybox-CVE-2017-16544.patch \
> +           file://busybox-fix-unlzma-segfaults.patch \
>  "
>  SRC_URI_append_libc-musl = " file://musl.cfg "
>  
> -- 
> 2.11.0
> 


