diff options
| author | Florian Weimer <fweimer@redhat.com> | 2014-09-03 19:45:43 +0200 |
|---|---|---|
| committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2015-01-15 15:07:32 -0500 |
| commit | bd51e93f9305e37aa17e08dbdb86a2e146c09eff (patch) | |
| tree | c5e3db0be4b5cc9a01a5678d39e403741832d839 | |
| parent | 97ef0b2223e10fe3053494defd8a008d7dd9d6d8 (diff) | |
| download | glibc-bd51e93f9305e37aa17e08dbdb86a2e146c09eff.tar glibc-bd51e93f9305e37aa17e08dbdb86a2e146c09eff.tar.gz glibc-bd51e93f9305e37aa17e08dbdb86a2e146c09eff.tar.bz2 glibc-bd51e93f9305e37aa17e08dbdb86a2e146c09eff.zip | |
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
| -rw-r--r-- | ChangeLog | 17 | ||||
| -rw-r--r-- | NEWS | 7 | ||||
| -rw-r--r-- | iconvdata/Makefile | 4 | ||||
| -rw-r--r-- | iconvdata/ibm1364.c | 3 | ||||
| -rw-r--r-- | iconvdata/ibm932.c | 5 | ||||
| -rw-r--r-- | iconvdata/ibm933.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm935.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm937.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm939.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm943.c | 5 | ||||
| -rwxr-xr-x | iconvdata/run-iconv-test.sh | 18 |
11 files changed, 56 insertions, 11 deletions
@@ -1,3 +1,20 @@ +2014-09-03 Florian Weimer <fweimer@redhat.com> + + [BZ #17325] + * iconvdata/ibm1364.c (BODY): Fix check for sentinel. + * iconvdata/ibm932.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/ibm933.c (BODY): Fix check for sentinel. + * iconvdata/ibm935.c (BODY): Likewise. + * iconvdata/ibm937.c (BODY): Likewise. + * iconvdata/ibm939.c (BODY): Likewise. + * iconvdata/ibm943.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/Makefile (iconv-test.out): Pass module list to test + script. + * iconvdata/run-iconv-test.sh: New test loop for checking for + decoder crashers. + 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15857] @@ -10,7 +10,12 @@ Version 2.16.1 * The following bugs are resolved with this release: 6530, 14195, 14547, 14459, 14476, 14562, 14621, 14648, 14699, 14756, 14831, - 15078, 15754, 15755, 16072. + 15078, 15754, 15755, 16072, 17325. + +* Decoding a crafted input sequence in the character sets IBM933, IBM935, + IBM937, IBM939, IBM1364 could result in an out-of-bounds array read, + resulting a denial-of-service security vulnerability in applications which + use functions related to iconv. (CVE-2014-6040) * CVE-2013-4332 The pvalloc, valloc, memalign, posix_memalign and aligned_alloc functions could allocate too few bytes or corrupt the diff --git a/iconvdata/Makefile b/iconvdata/Makefile index eac51ba572..74d468fb02 100644 --- a/iconvdata/Makefile +++ b/iconvdata/Makefile @@ -299,7 +299,9 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ $(addprefix $(objpfx),$(modules.so)) \ $(common-objdir)/iconv/iconv_prog TESTS - $(SHELL) -e $< $(common-objdir) > $@ + iconv_modules="$(modules)" \ + $(SHELL) $< $(common-objdir) '$(test-wrapper-env)' \ + '$(run-program-env)' > $@ $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ $(addprefix $(objpfx),$(modules.so)) \ diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c index 09202a29f5..dc71cd728b 100644 --- a/iconvdata/ibm1364.c +++ b/iconvdata/ibm1364.c @@ -220,7 +220,8 @@ enum ++rp2; \ \ uint32_t res; \ - if (__builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ || (res = DB_TO_UCS4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ { \ diff --git a/iconvdata/ibm932.c b/iconvdata/ibm932.c index bd070e19fd..d88185c126 100644 --- a/iconvdata/ibm932.c +++ b/iconvdata/ibm932.c @@ -73,11 +73,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c index 12c20710d3..9d9886ff19 100644 --- a/iconvdata/ibm933.c +++ b/iconvdata/ibm933.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c index 110d513864..966a092254 100644 --- a/iconvdata/ibm935.c +++ b/iconvdata/ibm935.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c index c88f9e2967..20dd9bfc84 100644 --- a/iconvdata/ibm937.c +++ b/iconvdata/ibm937.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c index 6eefabc5de..482f26ab2b 100644 --- a/iconvdata/ibm939.c +++ b/iconvdata/ibm939.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm943.c b/iconvdata/ibm943.c index bc2cec373d..e020d09726 100644 --- a/iconvdata/ibm943.c +++ b/iconvdata/ibm943.c @@ -74,11 +74,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/run-iconv-test.sh b/iconvdata/run-iconv-test.sh index 60be69f628..f689b6ff58 100755 --- a/iconvdata/run-iconv-test.sh +++ b/iconvdata/run-iconv-test.sh @@ -185,6 +185,24 @@ while read utf8 from filename; do done < TESTS2 +# Check for crashes in decoders. +printf '\016\377\377\377\377\377\377\377' > $temp1 +for from in $iconv_modules ; do + echo $ac_n "test decoder $from $ac_c" + PROG=`eval echo $ICONV` + if $PROG < $temp1 >/dev/null 2>&1 ; then + : # fall through + else + status=$? + if test $status -gt 1 ; then + echo "/FAILED" + failed=1 + continue + fi + fi + echo "OK" +done + exit $failed # Local Variables: # mode:shell-script |