mirror of
https://git.yoctoproject.org/poky
synced 2026-01-29 21:08:42 +01:00
coreutils: fix CVE-2025-5278
Backport patch to fix CVE-2025-5278. The patch is adjusted to fit 9.0 version. And the test case is also adjusted to avoid using valgrind. valgrind in kirkstone is reporting errors for coreutils' sort utility with/without this patch. To avoid ptest failure, we disable valgrind explicitly. (From OE-Core rev: bb7dbb195b55d9aaa0180906843f5af2dcf7509f) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Chen Qi
113
meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
Normal file
113
meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
Normal file
@@ -0,0 +1,113 @@
|
||||
From ed9ae6a4a02d322378739a895ae2090ca2bf6cdc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
|
||||
Date: Tue, 20 May 2025 16:03:44 +0100
|
||||
Subject: [PATCH] sort: fix buffer under-read (CWE-127)
|
||||
|
||||
* src/sort.c (begfield): Check pointer adjustment
|
||||
to avoid Out-of-range pointer offset (CWE-823).
|
||||
(limfield): Likewise.
|
||||
* tests/sort/sort-field-limit.sh: Add a new test,
|
||||
which triggers with ASAN or Valgrind.
|
||||
* tests/local.mk: Reference the new test.
|
||||
* NEWS: Mention bug fix introduced in v7.2 (2009).
|
||||
Fixes https://bugs.gnu.org/78507
|
||||
|
||||
CVE: CVE-2025-5278
|
||||
|
||||
Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
|
||||
[Adjusted for 9.0 version and adjusted test case to not use valgrind.]
|
||||
|
||||
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
||||
---
|
||||
src/sort.c | 12 ++++++++++--
|
||||
tests/local.mk | 1 +
|
||||
tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 46 insertions(+), 2 deletions(-)
|
||||
create mode 100755 tests/misc/sort-field-limit.sh
|
||||
|
||||
diff --git a/src/sort.c b/src/sort.c
|
||||
index 5f4c817de..07b96d34b 100644
|
||||
--- a/src/sort.c
|
||||
+++ b/src/sort.c
|
||||
@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key)
|
||||
++ptr;
|
||||
|
||||
/* Advance PTR by SCHAR (if possible), but no further than LIM. */
|
||||
- ptr = MIN (lim, ptr + schar);
|
||||
+ size_t remaining_bytes = lim - ptr;
|
||||
+ if (schar < remaining_bytes)
|
||||
+ ptr += schar;
|
||||
+ else
|
||||
+ ptr = lim;
|
||||
|
||||
return ptr;
|
||||
}
|
||||
@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key)
|
||||
++ptr;
|
||||
|
||||
/* Advance PTR by ECHAR (if possible), but no further than LIM. */
|
||||
- ptr = MIN (lim, ptr + echar);
|
||||
+ size_t remaining_bytes = lim - ptr;
|
||||
+ if (echar < remaining_bytes)
|
||||
+ ptr += echar;
|
||||
+ else
|
||||
+ ptr = lim;
|
||||
}
|
||||
|
||||
return ptr;
|
||||
diff --git a/tests/local.mk b/tests/local.mk
|
||||
index 228d0e368..ced85c44c 100644
|
||||
--- a/tests/local.mk
|
||||
+++ b/tests/local.mk
|
||||
@@ -373,6 +373,7 @@ all_tests = \
|
||||
tests/misc/sort-debug-keys.sh \
|
||||
tests/misc/sort-debug-warn.sh \
|
||||
tests/misc/sort-discrim.sh \
|
||||
+ tests/misc/sort-field-limit.sh \
|
||||
tests/misc/sort-files0-from.pl \
|
||||
tests/misc/sort-float.sh \
|
||||
tests/misc/sort-h-thousands-sep.sh \
|
||||
diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh
|
||||
new file mode 100755
|
||||
index 000000000..dc5b4c964
|
||||
--- /dev/null
|
||||
+++ b/tests/misc/sort-field-limit.sh
|
||||
@@ -0,0 +1,35 @@
|
||||
+#!/bin/sh
|
||||
+# From 7.2-9.7, this would trigger an out of bounds mem read
|
||||
+
|
||||
+# Copyright (C) 2025 Free Software Foundation, Inc.
|
||||
+
|
||||
+# This program is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
+
|
||||
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
||||
+print_ver_ sort
|
||||
+getlimits_
|
||||
+
|
||||
+# This issue triggers with valgrind or ASAN
|
||||
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
|
||||
+ VALGRIND='valgrind --error-exitcode=1'
|
||||
+
|
||||
+{ printf '%s\n' aa bb; } > in || framework_failure_
|
||||
+
|
||||
+_POSIX2_VERSION=200809 sort +0.${SIZE_MAX}R in > out || fail=1
|
||||
+compare in out || fail=1
|
||||
+
|
||||
+_POSIX2_VERSION=200809 sort +1 -1.${SIZE_MAX}R in > out || fail=1
|
||||
+compare in out || fail=1
|
||||
+
|
||||
+Exit $fail
|
||||
--
|
||||
2.34.1
|
||||
|
||||
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
|
||||
file://0001-uname-report-processor-and-hardware-correctly.patch \
|
||||
file://0001-local.mk-fix-cross-compiling-problem.patch \
|
||||
file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
|
||||
file://CVE-2025-5278.patch \
|
||||
file://run-ptest \
|
||||
file://0001-split-do-not-shrink-hold-buffer.patch \
|
||||
"
|
||||
|
||||
Reference in New Issue
Block a user