diff options
| author | Florian Weimer <fweimer@redhat.com> | 2014-09-03 19:45:43 +0200 |
|---|---|---|
| committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2015-01-16 06:18:57 -0500 |
| commit | 3e36f1f5391c49e0024d5001e8097aeb49fda824 (patch) | |
| tree | 33ed182b8e23f1a384ef19b36b51dee74e8f0a2d | |
| parent | 301e0d6f9a2218f2d1943860c2d14046b917e846 (diff) | |
| download | glibc-3e36f1f5391c49e0024d5001e8097aeb49fda824.tar.gz glibc-3e36f1f5391c49e0024d5001e8097aeb49fda824.tar.xz glibc-3e36f1f5391c49e0024d5001e8097aeb49fda824.zip | |
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit 6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
| -rw-r--r-- | ChangeLog | 17 | ||||
| -rw-r--r-- | NEWS | 7 | ||||
| -rw-r--r-- | iconvdata/Makefile | 5 | ||||
| -rw-r--r-- | iconvdata/ibm1364.c | 3 | ||||
| -rw-r--r-- | iconvdata/ibm932.c | 5 | ||||
| -rw-r--r-- | iconvdata/ibm933.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm935.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm937.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm939.c | 2 | ||||
| -rw-r--r-- | iconvdata/ibm943.c | 5 | ||||
| -rwxr-xr-x | iconvdata/run-iconv-test.sh | 18 |
11 files changed, 57 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog index 14760a24ee..ccdfddf8ac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,20 @@ +2014-09-03 Florian Weimer <fweimer@redhat.com> + + [BZ #17325] + * iconvdata/ibm1364.c (BODY): Fix check for sentinel. + * iconvdata/ibm932.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/ibm933.c (BODY): Fix check for sentinel. + * iconvdata/ibm935.c (BODY): Likewise. + * iconvdata/ibm937.c (BODY): Likewise. + * iconvdata/ibm939.c (BODY): Likewise. + * iconvdata/ibm943.c (BODY): Replace invalid sentinel check with + assert. + * iconvdata/Makefile (iconv-test.out): Pass module list to test + script. + * iconvdata/run-iconv-test.sh: New test loop for checking for + decoder crashers. + 2014-02-18 Brooks Moses <bmoses@google.com> [BZ #15915] diff --git a/NEWS b/NEWS index e2931f13c4..8029dab04a 100644 --- a/NEWS +++ b/NEWS @@ -11,10 +11,15 @@ Version 2.18.1 14143, 14155, 14547, 14699, 15532, 15427, 15522, 15680, 15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15996, 16072, 16150, - 16414, 16430, 16431. + 16414, 16430, 16431, 17325. * Support for powerpc64le has been added. +* Decoding a crafted input sequence in the character sets IBM933, IBM935, + IBM937, IBM939, IBM1364 could result in an out-of-bounds array read, + resulting a denial-of-service security vulnerability in applications which + use functions related to iconv. (CVE-2014-6040) + * CVE-2013-4237 The readdir_r function could write more than NAME_MAX bytes to the d_name member of struct dirent, or omit the terminating NUL character. (Bugzilla #14699). diff --git a/iconvdata/Makefile b/iconvdata/Makefile index 7752013f5b..a8c43bd557 100644 --- a/iconvdata/Makefile +++ b/iconvdata/Makefile @@ -299,7 +299,10 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ $(addprefix $(objpfx),$(modules.so)) \ $(common-objdir)/iconv/iconv_prog TESTS - $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@ + iconv_modules="$(modules)" \ + $(SHELL) $< $(common-objdir) '$(test-wrapper-env)' \ + '$(run-program-env)' > $@; \ + $(evaluate-test) $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ $(addprefix $(objpfx),$(modules.so)) \ diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c index 0dfa250692..569fdc185c 100644 --- a/iconvdata/ibm1364.c +++ b/iconvdata/ibm1364.c @@ -220,7 +220,8 @@ enum ++rp2; \ \ uint32_t res; \ - if (__builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ + || __builtin_expect (ch < rp2->start, 0) \ || (res = DB_TO_UCS4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ { \ diff --git a/iconvdata/ibm932.c b/iconvdata/ibm932.c index 0764fb2385..cbdaad32d1 100644 --- a/iconvdata/ibm932.c +++ b/iconvdata/ibm932.c @@ -73,11 +73,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c index 145d12f98a..b56a68dd9b 100644 --- a/iconvdata/ibm933.c +++ b/iconvdata/ibm933.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c index 7d5628bb7e..4d111b0a8d 100644 --- a/iconvdata/ibm935.c +++ b/iconvdata/ibm935.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c index b913cbbb0f..dcedcd4f26 100644 --- a/iconvdata/ibm937.c +++ b/iconvdata/ibm937.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c index d42b98c4ba..4727288a04 100644 --- a/iconvdata/ibm939.c +++ b/iconvdata/ibm939.c @@ -161,7 +161,7 @@ enum while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ + if (__builtin_expect (rp2->start == 0xffff, 0) \ || __builtin_expect (ch < rp2->start, 0) \ || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ diff --git a/iconvdata/ibm943.c b/iconvdata/ibm943.c index b3a655591f..53eb2fca16 100644 --- a/iconvdata/ibm943.c +++ b/iconvdata/ibm943.c @@ -74,11 +74,12 @@ } \ \ ch = (ch * 0x100) + inptr[1]; \ + /* ch was less than 0xfd. */ \ + assert (ch < 0xfd00); \ while (ch > rp2->end) \ ++rp2; \ \ - if (__builtin_expect (rp2 == NULL, 0) \ - || __builtin_expect (ch < rp2->start, 0) \ + if (__builtin_expect (ch < rp2->start, 0) \ || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ __builtin_expect (res, '\1') == 0 && ch !=0)) \ { \ diff --git a/iconvdata/run-iconv-test.sh b/iconvdata/run-iconv-test.sh index 107ded0dfd..8afece987b 100755 --- a/iconvdata/run-iconv-test.sh +++ b/iconvdata/run-iconv-test.sh @@ -188,6 +188,24 @@ while read utf8 from filename; do done < TESTS2 +# Check for crashes in decoders. +printf '\016\377\377\377\377\377\377\377' > $temp1 +for from in $iconv_modules ; do + echo $ac_n "test decoder $from $ac_c" + PROG=`eval echo $ICONV` + if $PROG < $temp1 >/dev/null 2>&1 ; then + : # fall through + else + status=$? + if test $status -gt 1 ; then + echo "/FAILED" + failed=1 + continue + fi + fi + echo "OK" +done + exit $failed # Local Variables: # mode:shell-script |