author | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2023-07-08 01:05:27 +0300 |
---|---|---|
committer | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2023-12-31 16:58:43 +0300 |
commit | 7f53998bd3726c808abf8b0c4950e25db29d9ea2 (patch) | |
tree | 72543541bb498087ff726a8996bddebfe87229ac /meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch | |
parent | 9ad1806592d6c8e3111b9c26db1882f2af49d64c (diff) | |
Update to internal 1-1.11-1
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch
new file mode 100644
index 000000000..b6a48587d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-40304.patch
@@ -0,0 +1,101 @@
+From 1b41ec4e9433b05bb0376be4725804c54ef1d80b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 22:11:25 +0200
+Subject: [PATCH] [CVE-2022-40304] Fix dict corruption caused by entity
+ reference cycles
+
+When an entity reference cycle is detected, the entity content is
+cleared by setting its first byte to zero. But the entity content might
+be allocated from a dict. In this case, the dict entry becomes corrupted
+leading to all kinds of logic errors, including memory errors like
+double-frees.
+
+Stop storing entity content, orig, ExternalID and SystemID in a dict.
+These values are unlikely to occur multiple times in a document, so they
+shouldn't have been stored in a dict in the first place.
+
+Thanks to Ned Williamson and Nathan Wachholz working with Google Project
+Zero for the report!
+---
+ entities.c | 55 ++++++++++++++++--------------------------------
+ 1 file changed, 16 insertions(+), 39 deletions(-)
+
+diff --git a/entities.c b/entities.c
+index 84435515..d4e5412e 100644
+--- a/entities.c
++++ b/entities.c
+@@ -128,36 +128,19 @@ xmlFreeEntity(xmlEntityPtr entity)
+ if ((entity->children) && (entity->owner == 1) &&
+ (entity == (xmlEntityPtr) entity->children->parent))
+ xmlFreeNodeList(entity->children);
+- if (dict != NULL) {
+- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name)))
+- xmlFree((char *) entity->name);
+- if ((entity->ExternalID != NULL) &&
+- (!xmlDictOwns(dict, entity->ExternalID)))
+- xmlFree((char *) entity->ExternalID);
+- if ((entity->SystemID != NULL) &&
+- (!xmlDictOwns(dict, entity->SystemID)))
+- xmlFree((char *) entity->SystemID);
+- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI)))
+- xmlFree((char *) entity->URI);
+- if ((entity->content != NULL)
+- && (!xmlDictOwns(dict, entity->content)))
+- xmlFree((char *) entity->content);
+- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig)))
+- xmlFree((char *) entity->orig);
+- } else {
+- if (entity->name != NULL)
+- xmlFree((char *) entity->name);
+- if (entity->ExternalID != NULL)
+- xmlFree((char *) entity->ExternalID);
+- if (entity->SystemID != NULL)
+- xmlFree((char *) entity->SystemID);
+- if (entity->URI != NULL)
+- xmlFree((char *) entity->URI);
+- if (entity->content != NULL)
+- xmlFree((char *) entity->content);
+- if (entity->orig != NULL)
+- xmlFree((char *) entity->orig);
+- }
++ if ((entity->name != NULL) &&
++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name))))
++ xmlFree((char *) entity->name);
++ if (entity->ExternalID != NULL)
++ xmlFree((char *) entity->ExternalID);
++ if (entity->SystemID != NULL)
++ xmlFree((char *) entity->SystemID);
++ if (entity->URI != NULL)
++ xmlFree((char *) entity->URI);
++ if (entity->content != NULL)
++ xmlFree((char *) entity->content);
++ if (entity->orig != NULL)
++ xmlFree((char *) entity->orig);
+ xmlFree(entity);
+ }
+
+@@ -193,18 +176,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type,
+ ret->SystemID = xmlStrdup(SystemID);
+ } else {
+ ret->name = xmlDictLookup(dict, name, -1);
+- if (ExternalID != NULL)
+- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1);
+- if (SystemID != NULL)
+- ret->SystemID = xmlDictLookup(dict, SystemID, -1);
++ ret->ExternalID = xmlStrdup(ExternalID);
++ ret->SystemID = xmlStrdup(SystemID);
+ }
+ if (content != NULL) {
+ ret->length = xmlStrlen(content);
+- if ((dict != NULL) && (ret->length < 5))
+- ret->content = (xmlChar *)
+- xmlDictLookup(dict, content, ret->length);
+- else
+- ret->content = xmlStrndup(content, ret->length);
++ ret->content = xmlStrndup(content, ret->length);
+ } else {
+ ret->length = 0;
+ ret->content = NULL;
+--
+GitLab
+ |
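Review bot: The embedded patch carries the upstream From/Date/Subject block but no `Upstream-Status:` or `CVE:` tag, which the Yocto patch guidelines expect on a backported fix; add `Upstream-Status: Backport [<upstream-repo-url>/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b]` and `CVE: CVE-2022-40304` between the Subject block and the `---` separator. The `CVE:` tag lets cve-check record the issue as patched without relying on the file name, and the Upstream-Status reference lets a later maintainer diff the backport against upstream. Functionally, the rewritten xmlFreeEntity now frees ExternalID, SystemID, content and orig unconditionally, so the backport is only safe if every site that assigns those fields in the libxml2 version the recipe builds was also switched to xmlStrdup/xmlStrndup as in the xmlCreateEntity hunk; that holds for the upstream tree the patch came from but should be confirmed against the recipe's actual base version, which this page does not show. The `dict` local used in xmlFreeEntity, and the recipe change that adds this file to SRC_URI, are both outside what is visible here.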