nss-3.15.1: fix CVE-2013-1741

Integer overflow in Mozilla Network Security Services (NSS)
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via a
large size value.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

2 files changed, 93 insertions, 0 deletions

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 00000000000..21da0c03b50
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
+Upstream-Status: backport
+yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/nss/lib/util/secport.c
++++ b/nss/lib/util/secport.c
+@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
+ PORTCharConversionFunc ucs2Utf8ConvertFunc;
+ PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+ 
++/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
++ * use the PRUint32 type for the size parameter. Before we pass a size_t or
++ * unsigned long size to these functions, we need to ensure it is <= half of
++ * the maximum PRUint32 value to avoid truncation and catch a negative size.
++ */
++#define MAX_SIZE (PR_UINT32_MAX >> 1)
++
+ void *
+ PORT_Alloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++	/* Always allocate a non-zero amount of bytes */
++	rv = PR_Malloc(bytes ? bytes : 1);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
+ void *
+ PORT_Realloc(void *oldptr, size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    rv = (void *)PR_Realloc(oldptr, bytes);
++    if (bytes <= MAX_SIZE) {
++	rv = PR_Realloc(oldptr, bytes);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
+ void *
+ PORT_ZAlloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++	/* Always allocate a non-zero amount of bytes */
++	rv = PR_Calloc(1, bytes ? bytes : 1);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
+ {
+     PORTArenaPool *pool;
+     
++    if (chunksize > MAX_SIZE) {
++	PORT_SetError(SEC_ERROR_NO_MEMORY);
++	return NULL;
++    }
+     pool = PORT_ZNew(PORTArenaPool);
+     if (!pool) {
+ 	return NULL;
+@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
+     return(&pool->arena);
+ }
+ 
+-#define MAX_SIZE 0x7fffffffUL
+-
+ void *
+ PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+ {
+@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
+     PORTArenaPool *pool = (PORTArenaPool *)arena;
+     PORT_Assert(newsize >= oldsize);
+     
++    if (newsize > MAX_SIZE) {
++	PORT_SetError(SEC_ERROR_NO_MEMORY);
++	return NULL;
++    }
++
+     if (ARENAPOOL_MAGIC == pool->magic ) {
+ 	PZ_Lock(pool->lock);
+ 	/* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index a6aeed8b1ab..6364562a13d 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -16,6 +16,7 @@ SRC_URI = "\
     file://nss-fix-support-cross-compiling.patch \
     file://nss-no-rpath-for-cross-compiling.patch \
     file://nss-fix-incorrect-shebang-of-perl.patch \
+    file://nss-3.15.1-fix-CVE-2013-1741.patch \
 "
 SRC_URI_append_class-target = "\
     file://nss.pc.in \