mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-16 14:54:29 +01:00
gnugrep: fix CVE-2015-1345 by upstream patch
This commit is contained in:
parent
db847a3345
commit
263d5239d6
2 changed files with 62 additions and 0 deletions
60
pkgs/tools/text/gnugrep/cve-2015-1345.patch
Normal file
60
pkgs/tools/text/gnugrep/cve-2015-1345.patch
Normal file
|
@ -0,0 +1,60 @@
|
|||
From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
|
||||
From: Yuliy Pisetsky <ypisetsky@fb.com>
|
||||
Date: Thu, 01 Jan 2015 23:36:55 +0000
|
||||
Subject: grep -F: fix a heap buffer (read) overrun
|
||||
|
||||
grep's read buffer is often filled to its full size, except when
|
||||
reading the final buffer of a file. In that case, the number of
|
||||
bytes read may be far less than the size of the buffer. However, for
|
||||
certain unusual pattern/text combinations, grep -F would mistakenly
|
||||
examine bytes in that uninitialized region of memory when searching
|
||||
for a match. With carefully chosen inputs, one can cause grep -F to
|
||||
read beyond the end of that buffer altogether. This problem arose via
|
||||
commit v2.18-90-g73893ff with the introduction of a more efficient
|
||||
heuristic using what is now the memchr_kwset function. The use of
|
||||
that function in bmexec_trans could leave TP much larger than EP,
|
||||
and the subsequent call to bm_delta2_search would mistakenly access
|
||||
beyond end of the main input read buffer.
|
||||
|
||||
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
|
||||
do not call bm_delta2_search.
|
||||
* tests/kwset-abuse: New file.
|
||||
* tests/Makefile.am (TESTS): Add it.
|
||||
* THANKS.in: Update.
|
||||
* NEWS (Bug fixes): Mention it.
|
||||
|
||||
Prior to this patch, this command would trigger a UMR:
|
||||
|
||||
printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
|
||||
|
||||
Use of uninitialised value of size 8
|
||||
at 0x4142BE: bmexec_trans (kwset.c:657)
|
||||
by 0x4143CA: bmexec (kwset.c:678)
|
||||
by 0x414973: kwsexec (kwset.c:848)
|
||||
by 0x414DC4: Fexecute (kwsearch.c:128)
|
||||
by 0x404E2E: grepbuf (grep.c:1238)
|
||||
by 0x4054BF: grep (grep.c:1417)
|
||||
by 0x405CEB: grepdesc (grep.c:1645)
|
||||
by 0x405EC1: grep_command_line_arg (grep.c:1692)
|
||||
by 0x4077D4: main (grep.c:2570)
|
||||
|
||||
See the accompanying test for how to trigger the heap buffer overrun.
|
||||
|
||||
Thanks to Nima Aghdaii for testing and finding numerous
|
||||
ways to break early iterations of this patch.
|
||||
|
||||
Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration.
|
||||
---
|
||||
diff --git a/src/kwset.c b/src/kwset.c
|
||||
index 4003c8d..376f7c3 100644
|
||||
--- a/src/kwset.c
|
||||
+++ b/src/kwset.c
|
||||
@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
|
||||
if (! tp)
|
||||
return -1;
|
||||
tp++;
|
||||
+ if (ep <= tp)
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -10,6 +10,8 @@ stdenv.mkDerivation {
|
|||
sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
|
||||
};
|
||||
|
||||
patches = [ ./cve-2015-1345.patch ];
|
||||
|
||||
buildInputs = [ pcre libiconv ];
|
||||
|
||||
doCheck = !stdenv.isDarwin;
|
||||
|
|
Loading…
Reference in a new issue