From 1c9e3318791e36d6bc851192a7640ee639f61f23 Mon Sep 17 00:00:00 2001 From: Joe Slater Date: Tue, 22 Aug 2017 14:14:46 -0700 Subject: ghostscript: CVE-2017-9727, -9835, -11714 CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust CVE-2017-9835: bounds check the array allocations methods CVE-2017-11714: prevent trying to reloc a freed object (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f) Signed-off-by: Joe Slater Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../ghostscript/ghostscript/CVE-2017-11714.patch | 61 ++++++++++ .../ghostscript/ghostscript/CVE-2017-9727.patch | 35 ++++++ .../ghostscript/ghostscript/CVE-2017-9835.patch | 125 +++++++++++++++++++++ .../ghostscript/ghostscript_9.20.bb | 3 + 4 files changed, 224 insertions(+) create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch new file mode 100644 index 0000000000..84983c5aea --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch @@ -0,0 +1,61 @@ +From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 6 Jul 2017 14:54:02 +0100 +Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object + +In the token reader, we pass the scanner state structure around as a +t_struct ref on the Postscript operand stack. + +But we explicitly free the scanner state when we're done, which leaves a +dangling reference on the operand stack and, unless that reference gets +overwritten before the next garbager run, we can end up with the garbager +trying to deal with an already freed object - that can cause a crash, or +memory corruption. +--- + psi/ztoken.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-11714 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/psi/ztoken.c b/psi/ztoken.c +index 4dba7c5..af1ceeb 100644 +--- a/psi/ztoken.c ++++ b/psi/ztoken.c +@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save) + int code; + ref token; + ++ /* Since we might free pstate below, and we're dealing with ++ * gc memory referenced by the stack, we need to explicitly ++ * remove the reference to pstate from the stack, otherwise ++ * the garbager will fall over ++ */ ++ make_null(osp); + /* Note that gs_scan_token may change osp! */ + pop(1); /* remove the file or scanner state */ + again: +@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p) + static int + tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save) + { +- os_ptr op; ++ os_ptr op = osp; + int code; ++ /* Since we might free pstate below, and we're dealing with ++ * gc memory referenced by the stack, we need to explicitly ++ * remove the reference to pstate from the stack, otherwise ++ * the garbager will fall over ++ */ ++ make_null(osp); + /* Note that gs_scan_token may change osp! */ + pop(1); + again: +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch new file mode 100644 index 0000000000..a2f7bfa506 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch @@ -0,0 +1,35 @@ +From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 15 Jun 2017 09:05:20 +0100 +Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more + robust + +--- + base/gxttfb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- end of original header + +CVE: CVE-2017-9727 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/base/gxttfb.c b/base/gxttfb.c +index 0e9a444..e1561af 100644 +--- a/base/gxttfb.c ++++ b/base/gxttfb.c +@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n) + if (!r->error) { + if (r->extra_glyph_index != -1) { + q = r->glyph_data.bits.data + r->pos; +- r->error = (r->glyph_data.bits.size - r->pos < n ? ++ r->error = ((r->pos >= r->glyph_data.bits.size || ++ r->glyph_data.bits.size - r->pos < n) ? + gs_note_error(gs_error_invalidfont) : 0); + if (r->error == 0) + memcpy(p, q, n); +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch new file mode 100644 index 0000000000..7c65690c65 --- /dev/null +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch @@ -0,0 +1,125 @@ +From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Wed, 7 Jun 2017 14:55:12 +0100 +Subject: [PATCH] Bug 697985: bounds check the array allocations methods + +The clump allocator has four allocation functions that use 'number of elements' +and 'size of elements' parameters (rather than a simple 'number of bytes'). + +Those need specific bounds checking. +--- + base/gsalloc.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- end of original header + +CVE: CVE-2017-9835 + +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Joe Slater + +diff --git a/base/gsalloc.c b/base/gsalloc.c +index 741ba00..10c04dd 100644 +--- a/base/gsalloc.c ++++ b/base/gsalloc.c +@@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype, + alloc_trace("|+<.", imem, cname, pstype, size, obj); + return obj; + } ++ ++static inline bool ++alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize) ++{ ++ int64_t s = (int64_t)num_elements * elt_size; ++ if (s > max_uint) { ++ return false; ++ } ++ *lsize = (ulong)s; ++ return true; ++} ++ + static byte * + i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size, + client_name_t cname) + { + gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; + obj_header_t *obj; +- ++ ulong lsize; + #ifdef MEMENTO + if (Memento_failThisEvent()) + return NULL; + #endif +- +- obj = alloc_obj(imem, (ulong) num_elements * elt_size, ++ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false) ++ return NULL; ++ obj = alloc_obj(imem, lsize, + &st_bytes, ALLOC_DIRECT, cname); + + if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n", +@@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements, + { + gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; + obj_header_t *obj; +- ++ ulong lsize; + #ifdef MEMENTO + if (Memento_failThisEvent()) + return NULL; + #endif +- +- obj = alloc_obj(imem, (ulong) num_elements * elt_size, ++ if (alloc_array_check_size(num_elements, elt_size, &lsize) == false) ++ return NULL; ++ obj = alloc_obj(imem, lsize, + &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT, + cname); + +@@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements, + { + gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; + obj_header_t *obj; +- ++ ulong lsize; + #ifdef MEMENTO + if (Memento_failThisEvent()) + return NULL; +@@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements, + return NULL; /* fail */ + } + #endif +- obj = alloc_obj(imem, +- (ulong) num_elements * pstype->ssize, +- pstype, ALLOC_DIRECT, cname); ++ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false) ++ return NULL; ++ obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname); + if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n", + alloc_trace_space(imem), client_name_string(cname), + struct_type_name_string(pstype), +@@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements, + { + gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem; + obj_header_t *obj; +- ++ ulong lsize; + #ifdef MEMENTO + if (Memento_failThisEvent()) + return NULL; + #endif + + ALLOC_CHECK_SIZE(mem,pstype); +- obj = alloc_obj(imem, +- (ulong) num_elements * pstype->ssize, +- pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname); ++ if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false) ++ return NULL; ++ obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname); + if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n", + alloc_trace_space(imem), client_name_string(cname), + struct_type_name_string(pstype), +-- +1.7.9.5 + diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb index a7fb467fc5..e1d9700ab5 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb @@ -45,6 +45,9 @@ SRC_URI = "${SRC_URI_BASE} \ file://CVE-2017-9612.patch \ file://CVE-2017-9739.patch \ file://CVE-2017-9726.patch \ + file://CVE-2017-9727.patch \ + file://CVE-2017-9835.patch \ + file://CVE-2017-11714.patch \ " SRC_URI_class-native = "${SRC_URI_BASE} \ -- cgit 1.2.3-korg