diff options
author | Florian Weimer <fweimer@redhat.com> | 2014-09-03 19:45:43 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2014-09-05 22:44:12 +1000 |
commit | daea1a9b2ab9ad1690a2770006f5964e188be11f (patch) | |
tree | b6be546f6f75162ec99de5fa4338b5a6f8eb7054 | |
parent | b8d0acdb33866d0f67ee8a019bdbdaa6a00d0c99 (diff) | |
download | glibc-daea1a9b2ab9ad1690a2770006f5964e188be11f.tar.gz glibc-daea1a9b2ab9ad1690a2770006f5964e188be11f.tar.xz glibc-daea1a9b2ab9ad1690a2770006f5964e188be11f.zip |
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit 6e230d11837f3ae7b375ea69d7905f0d18eb79e5. (cherry picked from commit 41488498b6d9440ee66ab033808cce8323bba7ac) Conflicts: NEWS iconvdata/Makefile
-rw-r--r-- | ChangeLog | 17 | ||||
-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | iconvdata/Makefile | 1 | ||||
-rw-r--r-- | iconvdata/ibm1364.c | 3 | ||||
-rw-r--r-- | iconvdata/ibm932.c | 5 | ||||
-rw-r--r-- | iconvdata/ibm933.c | 2 | ||||
-rw-r--r-- | iconvdata/ibm935.c | 2 | ||||
-rw-r--r-- | iconvdata/ibm937.c | 2 | ||||
-rw-r--r-- | iconvdata/ibm939.c | 2 | ||||
-rw-r--r-- | iconvdata/ibm943.c | 5 | ||||
-rwxr-xr-x | iconvdata/run-iconv-test.sh | 18 |
11 files changed, 54 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog index fdef17a250..2df8e44f4e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,20 @@ +2014-09-03 Florian Weimer <fweimer@redhat.com> + + [BZ #17325] + * iconvdata/ibm1364.c (BODY): Fix check for sentinel. + * iconvdata/ibm932.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/ibm933.c (BODY): Fix check for sentinel. + * iconvdata/ibm935.c (BODY): Likewise. + * iconvdata/ibm937.c (BODY): Likewise. + * iconvdata/ibm939.c (BODY): Likewise. + * iconvdata/ibm943.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/Makefile (iconv-test.out): Pass module list to test + script. + * iconvdata/run-iconv-test.sh: New test loop for checking for + decoder crashers. + 2014-08-26 Florian Weimer <fweimer@redhat.com> [BZ #17187] diff --git a/NEWS b/NEWS index ebcefb5a80..4e722f738e 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,7 @@ Version 2.19.1 * The following bugs are resolved with this release: 15946, 16545, 16574, 16623, 16695, 16878, 16882, 16885, 16916, 16932, - 16943, 16958, 17048, 17069, 17137, 17263. + 16943, 16958, 17048, 17069, 17137, 17263, 17325. * Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in @@ -44,6 +44,11 @@ Version 2.19.1 normal gconv conversion modules are still supported. Transliteration with //TRANSLIT is still possible, and the //IGNORE specifier continues to be supported. (CVE-2014-5119) + +* Decoding a crafted input sequence in the character sets IBM933, IBM935, + IBM937, IBM939, IBM1364 could result in an out-of-bounds array read, + resulting a denial-of-service security vulnerability in applications which + use functions related to iconv. (CVE-2014-6040) Version 2.19 diff --git a/iconvdata/Makefile b/iconvdata/Makefile index 5c2154e7bf..3165d27655 100644 --- a/iconvdata/Makefile +++ b/iconvdata/Makefile @@ -299,6 +299,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ $(addprefix $(objpfx),$(modules.so)) \ $(common-objdir)/iconv/iconv_prog TESTS + iconv_modules="$(modules)" \ $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@ $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c index 373d49a743..e9ea405457 100644 --- a/iconvdata/ibm1364.c +++ b/iconvdata/ibm1364.c @@ -220,7 +220,8 @@ enum ++rp2; \ \ uint32_t res; \ - if (__builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ || (res = DB_TO_UCS4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ { \ diff --git a/iconvdata/ibm932.c b/iconvdata/ibm932.c index 4ceeaae5b9..a3f25834d8 100644 --- a/iconvdata/ibm932.c +++ b/iconvdata/ibm932.c @@ -73,11 +73,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c index 4723df4890..7323df4376 100644 --- a/iconvdata/ibm933.c +++ b/iconvdata/ibm933.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c index 1ed311b01f..1af85dfcff 100644 --- a/iconvdata/ibm935.c +++ b/iconvdata/ibm935.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c index 1edaf624d0..a979bf4c36 100644 --- a/iconvdata/ibm937.c +++ b/iconvdata/ibm937.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c index b40c486540..93582bfb52 100644 --- a/iconvdata/ibm939.c +++ b/iconvdata/ibm939.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm943.c b/iconvdata/ibm943.c index 495e37909e..815c3d473a 100644 --- a/iconvdata/ibm943.c +++ b/iconvdata/ibm943.c @@ -74,11 +74,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/run-iconv-test.sh b/iconvdata/run-iconv-test.sh index e23f60d442..565600a059 100755 --- a/iconvdata/run-iconv-test.sh +++ b/iconvdata/run-iconv-test.sh @@ -188,6 +188,24 @@ while read utf8 from filename; do done < TESTS2 +# Check for crashes in decoders. +printf '\016\377\377\377\377\377\377\377' > $temp1 +for from in $iconv_modules ; do + echo $ac_n "test decoder $from $ac_c" + PROG=`eval echo $ICONV` + if $PROG < $temp1 >/dev/null 2>&1 ; then + : # fall through + else + status=$? + if test $status -gt 1 ; then + echo "/FAILED" + failed=1 + continue + fi + fi + echo "OK" +done + exit $failed # Local Variables: # mode:shell-script |