From: Aurelien Jarno
To: libc-stable@sourceware.org
Cc: Andreas Schwab
Subject: [2.31 COMMITTED] Fix buffer overrun in EUC-KR conversion module (bz #24973)
Date: Tue, 5 Jan 2021 06:36:22 +0100
Message-Id: <20210105053622.3411945-1-aurelien@aurel32.net>

From: Andreas Schwab

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed. The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.

(cherry picked from commit ee7a3144c9922808181009b7b3e50e852fb4999b)
---
NEWS | 2 ++ iconvdata/Makefile | 2 +- iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ iconvdata/euc-kr.c | 6 +---- iconvdata/ksc5601.h | 6 ++--- 5 files changed, 60 insertions(+), 9 deletions(-) create mode 100644 iconvdata/bug-iconv13.c diff --git a/NEWS b/NEWS index 9e514f5af1..67d5e08f2a 100644 --- a/NEWS +++ b/NEWS
@@ -12,6 +12,8 @@ The following bugs are resolved with this release: (CVE-2016-10228) [20543] Please move from .gnu.linkonce to comdat [23296] Data race in setting function descriptor during lazy binding + [24973] iconv encounters segmentation fault when converting 0x00 0xfe in + EUC-KR to UTF-8 (CVE-2019-25013) [25487] sinl() stack corruption from crafted input (CVE-2020-10029) [25523] MIPS/Linux inline syscall template is miscompiled [25623] test-sysvmsg, test-sysvsem, test-sysvshm fail with 2.31 on 32 bit and diff --git a/iconvdata/Makefile b/iconvdata/Makefile index c83962f351..9ac3ccc77b 100644 --- a/iconvdata/Makefile +++ b/iconvdata/Makefile @@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules)) ifeq (yes,$(build-shared)) tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ - bug-iconv10 bug-iconv11 bug-iconv12 + bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13 ifeq ($(have-thread-library),yes) tests += bug-iconv3 endif diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c new file mode 100644 index 0000000000..87aaff398e --- /dev/null +++ b/iconvdata/bug-iconv13.c 
@@ -0,0 +1,53 @@ +/* bug 24973: Test EUC-KR module + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +do_test (void) +{ + iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR"); + TEST_VERIFY_EXIT (cd != (iconv_t) -1); + + /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined + areas, which are not allowed and should be skipped over due to + //IGNORE. The trailing 0xfe also is an incomplete sequence, which + should be checked first. */ + char input[4] = { '\xc9', '\xa1', '\0', '\xfe' }; + char *inptr = input; + size_t insize = sizeof (input); + char output[4]; + char *outptr = output; + size_t outsize = sizeof (output); + + /* This used to crash due to buffer overrun. */ + TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1); + TEST_VERIFY (errno == EINVAL); + /* The conversion should produce one character, the converted null + character. */ + TEST_VERIFY (sizeof (output) - outsize == 1); + + TEST_VERIFY_EXIT (iconv_close (cd) != -1); + + return 0; +} + +#include diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c index b0d56cf3ee..1045bae926 100644 --- a/iconvdata/euc-kr.c +++ b/iconvdata/euc-kr.c 
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) \ if (ch <= 0x9f) \ ++inptr; \ - /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ - user-defined areas. */ \ - else if (__builtin_expect (ch == 0xa0, 0) \ - || __builtin_expect (ch > 0xfe, 0) \ - || __builtin_expect (ch == 0xc9, 0)) \ + else if (__glibc_unlikely (ch == 0xa0)) \ { \ /* This is illegal. */ \ STANDARD_FROM_LOOP_ERR_HANDLER (1); \ diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h index d3eb3a4ff8..f5cdc72797 100644 --- a/iconvdata/ksc5601.h +++ b/iconvdata/ksc5601.h @@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset) unsigned char ch2; int idx; + if (avail < 2) + return 0; + /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e || (ch - offset) == 0x49) return __UNKNOWN_10646_CHAR; - if (avail < 2) - return 0; - ch2 = (*s)[1]; if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f) return __UNKNOWN_10646_CHAR; -- 2.29.2
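Review bot: in iconvdata/bug-iconv13.c, do_test checks only the return value, errno and the number of output bytes, so it would still pass if the converter consumed the trailing 0xfe or wrote something other than a null byte. The comment says the trailing 0xfe is an incomplete sequence and that the one converted character is the null character; asserting both directly, for example TEST_VERIFY (insize == 1) and TEST_VERIFY (output[0] == '\0') after the iconv call, would pin down where the input pointer stopped. Note also that input is a 4-byte stack array, so a one-byte read past its end is not guaranteed to fault; the test detects the old behaviour mainly through those assertions, which is another reason to make them as tight as the comment describes.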
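Review bot: in iconvdata/euc-kr.c, the else-if that now tests only ch == 0xa0 no longer says anything about lead bytes 0xfe, 0xc9 or values above 0xfe, which the removed lines rejected here with a one-byte skip. After this change those bytes fall through to the two-byte path, and rejecting them depends entirely on the row checks in ksc5601_to_ucs4. A short comment at this branch stating that user-defined rows and out-of-range lead bytes are handled in ksc5601.h would keep a later reader from re-adding the early check and reintroducing the mismatch between the one-byte and two-byte skip lengths.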
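Review bot: in iconvdata/ksc5601.h, moving the avail < 2 test ahead of the row check changes what ksc5601_to_ucs4 returns for a lone invalid lead byte at the end of the buffer: it is now 0 (incomplete input, EINVAL in the new test) where it used to be __UNKNOWN_10646_CHAR. That ordering is the actual fix, since a caller that skips two bytes on __UNKNOWN_10646_CHAR is now guaranteed to have two bytes available, but nothing in the hunk records it. Please state in the comment above the function that the length check must come before any return of __UNKNOWN_10646_CHAR, and confirm that every other converter including this header accepts the incomplete-input result for a trailing invalid byte.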