1*ac13d5f3SPatrick WilliamsFrom 17de4d15687aa30c49660dc4b792b1fb4d38b569 Mon Sep 17 00:00:00 2001 2*ac13d5f3SPatrick WilliamsFrom: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> 3*ac13d5f3SPatrick WilliamsDate: Thu, 7 Apr 2022 17:29:54 +0200 4*ac13d5f3SPatrick WilliamsSubject: [PATCH] Fix CVE-2022-24795 5*ac13d5f3SPatrick Williams 6*ac13d5f3SPatrick WilliamsThere was an integer overflow in yajl_buf_ensure_available() leading 7*ac13d5f3SPatrick Williamsto allocating less memory than requested. Then data were written past 8*ac13d5f3SPatrick Williamsthe allocated heap buffer in yajl_buf_append(), the only caller of 9*ac13d5f3SPatrick Williamsyajl_buf_ensure_available(). Another result of the overflow was an 10*ac13d5f3SPatrick Williamsinfinite loop without a return from yajl_buf_ensure_available(). 11*ac13d5f3SPatrick Williams 12*ac13d5f3SPatrick Williamsyajl-ruby project, which bundles yajl, fixed it 13*ac13d5f3SPatrick Williams<https://github.com/brianmario/yajl-ruby/pull/211> by checking for the 14*ac13d5f3SPatrick Williamsinteger overflow, fortifying buffer allocations, and report the 15*ac13d5f3SPatrick Williamsfailures to a caller. But then the caller yajl_buf_append() skips 16*ac13d5f3SPatrick Williamsa memory write if yajl_buf_ensure_available() failed leading to a data 17*ac13d5f3SPatrick Williamscorruption. 18*ac13d5f3SPatrick Williams 19*ac13d5f3SPatrick WilliamsA yajl fork mainter recommended calling memory allocation callbacks with 20*ac13d5f3SPatrick Williamsthe large memory request and let them to handle it. But that has the 21*ac13d5f3SPatrick Williamsproblem that it's not possible pass the overely large size to the 22*ac13d5f3SPatrick Williamscallbacks. 23*ac13d5f3SPatrick Williams 24*ac13d5f3SPatrick WilliamsThis patch catches the integer overflow and terminates the process 25*ac13d5f3SPatrick Williamswith abort(). 
26*ac13d5f3SPatrick Williams 27*ac13d5f3SPatrick WilliamsCVE: CVE-2022-24795 28*ac13d5f3SPatrick WilliamsUpstream-Status: Submitted [https://github.com/lloyd/yajl/issues/239] 29*ac13d5f3SPatrick WilliamsSigned-off-by: Ross Burton <ross.burton@arm.com> 30*ac13d5f3SPatrick Williams--- 31*ac13d5f3SPatrick Williams src/yajl_buf.c | 12 +++++++++++- 32*ac13d5f3SPatrick Williams 1 file changed, 11 insertions(+), 1 deletion(-) 33*ac13d5f3SPatrick Williams 34*ac13d5f3SPatrick Williamsdiff --git a/src/yajl_buf.c b/src/yajl_buf.c 35*ac13d5f3SPatrick Williamsindex 1aeafde..55c11ad 100644 36*ac13d5f3SPatrick Williams--- a/src/yajl_buf.c 37*ac13d5f3SPatrick Williams+++ b/src/yajl_buf.c 38*ac13d5f3SPatrick Williams@@ -45,7 +45,17 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want) 39*ac13d5f3SPatrick Williams 40*ac13d5f3SPatrick Williams need = buf->len; 41*ac13d5f3SPatrick Williams 42*ac13d5f3SPatrick Williams- while (want >= (need - buf->used)) need <<= 1; 43*ac13d5f3SPatrick Williams+ if (((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)) { 44*ac13d5f3SPatrick Williams+ /* We cannot allocate more memory than SIZE_MAX. */ 45*ac13d5f3SPatrick Williams+ abort(); 46*ac13d5f3SPatrick Williams+ } 47*ac13d5f3SPatrick Williams+ while (want >= (need - buf->used)) { 48*ac13d5f3SPatrick Williams+ if (need >= (size_t)((size_t)(-1)<<1)>>1) { 49*ac13d5f3SPatrick Williams+ /* need would overflow. */ 50*ac13d5f3SPatrick Williams+ abort(); 51*ac13d5f3SPatrick Williams+ } 52*ac13d5f3SPatrick Williams+ need <<= 1; 53*ac13d5f3SPatrick Williams+ } 54*ac13d5f3SPatrick Williams 55*ac13d5f3SPatrick Williams if (need != buf->len) { 56*ac13d5f3SPatrick Williams buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need); 57*ac13d5f3SPatrick Williams-- 58*ac13d5f3SPatrick Williams2.34.1 59*ac13d5f3SPatrick Williams 60
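Review bot: the overflow guard inside the while loop, `if (need >= (size_t)((size_t)(-1)<<1)>>1)`, is correct but hard to audit: the cast binds tighter than the shifts, so the expression evaluates to SIZE_MAX >> 1, and the test is "abort before `need <<= 1` would wrap". Spell that out with `SIZE_MAX / 2` (or `SIZE_MAX >> 1`) from <stdint.h> so the intent is visible without working through operator precedence. The first guard, `((buf->used > want) ? buf->used : want) > (size_t)(buf->used + want)`, is the same wraparound test and reads more directly as `want > SIZE_MAX - buf->used`. Both sites introduce abort(), so please confirm that src/yajl_buf.c already includes <stdlib.h>; the visible context does not show it. As the commit message itself notes, abort() trades the heap overflow for a process termination inside a library with no error path back to yajl_buf_append(), so callers that parse untrusted input should treat a hit on either guard as a crash they need to contain.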