Blame - poky/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch - mdmillerii/openbmc

blob: e0736bf210acda76f78257a726b5909f9d7c09d8 [file] [log] [blame]

Patrick Williams	169d7bc	2024-01-05 11:33:25 -0600	[diff] [blame]	1	From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
				2	From: Evgeny Vereshchagin <evvers@ya.ru>
				3	Date: Tue, 19 Sep 2023 03:21:25 +0000
				4	Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
				5
				6	Fixes:
				7	```
				8	==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
				9	READ of size 1110 at 0x7f9e76f14c16 thread T0
				10	#0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
				11	#1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
				12	#2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
				13	```
				14	and
				15	```
				16	fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
				17	==101571== ERROR: libFuzzer: deadly signal
				18	#0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
				19	#1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
				20	#2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
				21	#3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				22	#4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				23	#5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				24	#6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				25	#7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				26	#8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
				27	#9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
				28	```
				29
				30	It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
				31
				32	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security
				33	CVE: CVE-2023-38470 #Follow-up patch
				34	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
				35	---
				36	avahi-common/domain.c \| 3 ++-
				37	1 file changed, 2 insertions(+), 1 deletion(-)
				38
				39	Index: avahi-0.8/avahi-common/domain.c
				40	===================================================================
				41	--- avahi-0.8.orig/avahi-common/domain.c
				42	+++ avahi-0.8/avahi-common/domain.c
				43	@@ -210,7 +210,8 @@ char avahi_normalize_name(const char s
				44	} else
				45	empty = 0;
				46
				47	- avahi_escape_label(label, strlen(label), &r, &size);
				48	+ if (!(avahi_escape_label(label, strlen(label), &r, &size)))
				49	+ return NULL;
				50	}
				51
				52	return ret_s;