From: Aurelien Jarno
To: libc-stable@sourceware.org
Cc: Arjun Shankar, Carlos O'Donell
Subject: [2.31 COMMITTED] iconv: Accept redundant shift sequences in IBM1364 [BZ #26224]
Date: Tue, 1 Dec 2020 08:35:33 +0100
Message-Id: <20201201073533.1552769-1-aurelien@aurel32.net>
X-Mailer: git-send-email 2.28.0

From: Arjun Shankar

The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets share
converter logic (iconvdata/ibm1364.c) which would reject redundant shift
sequences when processing input in these character sets. This led to a hang
in the iconv program (CVE-2020-27618).

This commit adjusts the converter to ignore redundant shift sequences and
adds test cases for iconv_prog hangs that would be triggered upon their
rejection. This brings the implementation in line with other converters that
also ignore redundant shift sequences (e.g. IBM930 etc., fixed in commit
692de4b3960d).

Reviewed-by: Carlos O'Donell
(cherry picked from commit 9a99c682144bdbd40792ebf822fe9264e0376fb5)
---
 NEWS                    |  5 +++++
 iconv/tst-iconv_prog.sh | 16 ++++++++++------
 iconvdata/ibm1364.c     | 14 ++------------
 3 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/NEWS b/NEWS index 1534314537..e1d666d484 100644 --- a/NEWS +++ b/NEWS
@@ -26,6 +26,8 @@ The following bugs are resolved with this release: [25933] Off by one error in __strncmp_avx2 [25966] Incorrect access of __x86_shared_non_temporal_threshold for x32 [25976] nss_compat: internal_end*ent may clobber errno, hiding ERANGE + [26224] iconv hangs when converting some invalid inputs from several IBM + character sets (CVE-2020-27618) [26248] Incorrect argument types for INLINE_SETXID_SYSCALL [26332] Incorrect cache line size load causes memory corruption in memset [26383] bind_textdomain_codeset doesn't accept //TRANSLIT anymore @@ -52,6 +54,9 @@ Security related changes: Dytrych of the Cisco Security Assessment and Penetration Team (See TALOS-2020-1019). + CVE-2020-27618: An infinite loop has been fixed in the iconv program when + invoked with input containing redundant shift sequences in the IBM1364, + IBM1371, IBM1388, IBM1390, or IBM1399 character sets. Version 2.31 diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh index 8298136b7f..d8db7b335c 100644 --- a/iconv/tst-iconv_prog.sh +++ b/iconv/tst-iconv_prog.sh @@ -102,12 +102,16 @@ hangarray=( "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE" "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE" "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE" -# These are known hangs that are yet to be fixed: -# "\x00\x0f;-c;IBM1364;UTF-8" -# "\x00\x0f;-c;IBM1371;UTF-8" -# "\x00\x0f;-c;IBM1388;UTF-8" -# "\x00\x0f;-c;IBM1390;UTF-8" -# "\x00\x0f;-c;IBM1399;UTF-8" +"\x00\x0f;-c;IBM1364;UTF-8" +"\x0e\x0e;-c;IBM1364;UTF-8" +"\x00\x0f;-c;IBM1371;UTF-8" +"\x0e\x0e;-c;IBM1371;UTF-8" +"\x00\x0f;-c;IBM1388;UTF-8" +"\x0e\x0e;-c;IBM1388;UTF-8" +"\x00\x0f;-c;IBM1390;UTF-8" +"\x0e\x0e;-c;IBM1390;UTF-8" +"\x00\x0f;-c;IBM1399;UTF-8" +"\x0e\x0e;-c;IBM1399;UTF-8" "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE" "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE" "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE" diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c index 49e7267ab4..521f0825b7 100644 --- a/iconvdata/ibm1364.c 
+++ b/iconvdata/ibm1364.c @@ -158,24 +158,14 @@ enum \ if (__builtin_expect (ch, 0) == SO) \ { \ - /* Shift OUT, change to DBCS converter. */ \ - if (curcs == db) \ - { \ - result = __GCONV_ILLEGAL_INPUT; \ - break; \ - } \ + /* Shift OUT, change to DBCS converter (redundant escape okay). */ \ curcs = db; \ ++inptr; \ continue; \ } \ if (__builtin_expect (ch, 0) == SI) \ { \ - /* Shift IN, change to SBCS converter. */ \ - if (curcs == sb) \ - { \ - result = __GCONV_ILLEGAL_INPUT; \ - break; \ - } \ + /* Shift IN, change to SBCS converter (redundant escape okay). */ \ curcs = sb; \ ++inptr; \ continue; \ -- 2.28.0
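Review bot: in the iconv/tst-iconv_prog.sh hunk, the two inputs added per charset, "\x00\x0f" (an SI byte while the converter is still in its initial single-byte state) and "\x0e\x0e" (a second SO while already in double-byte state), map one-to-one onto the two `curcs == sb` / `curcs == db` checks removed in ibm1364.c, which is good coverage; however, unlike the surrounding IBM1161/IBM1162/IBM16804 entries, these use a plain `UTF-8` target rather than `UTF-8//TRANSLIT//IGNORE`, so a one-line comment above the block explaining why these entries differ from their neighbours (or making them consistent if the suffixed form also reproduced the hang) would help whoever next edits hangarray.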
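Review bot: in the iconvdata/ibm1364.c hunk, the removed `if (curcs == db) { result = __GCONV_ILLEGAL_INPUT; break; }` (and its SI twin) bailed out before the `++inptr`, so a redundant shift byte was never consumed, whereas the retained `curcs = db; ++inptr; continue;` now always advances past it; the replacement comments say "(redundant escape okay)" but not why the old check was harmful, so citing BZ #26224 and the IBM930 precedent (commit 692de4b3960d) from the commit message next to those two comments would stop a future cleanup from reintroducing the stricter check.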