From 10e9faf901605af5713bc89a5a36631f2025a956 Mon Sep 17 00:00:00 2001 From: shangyibin Date: Thu, 17 Feb 2022 14:14:24 +0800 Subject: [PATCH] realloc buffer when header size changed fix size use for stdin segmentation fault on invalid unicode input passed to -s option --- fix-size-use-for-stdin.patch | 61 ++++++++++++++++++ realloc-buffer-when-header-size-changed.patch | 64 +++++++++++++++++++ ...lid-unicode-input-passed-to-s-option.patch | 27 ++++++++ util-linux.spec | 13 +++- 4 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 fix-size-use-for-stdin.patch create mode 100644 realloc-buffer-when-header-size-changed.patch create mode 100644 segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch diff --git a/fix-size-use-for-stdin.patch b/fix-size-use-for-stdin.patch new file mode 100644 index 0000000..ee4bdd4 --- /dev/null +++ b/fix-size-use-for-stdin.patch @@ -0,0 +1,61 @@ +From 58e4ee082bca100034791a4a74481f263bb30a25 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 21 Oct 2021 18:47:40 +0200 +Subject: [PATCH] logger: fix --size use for stdin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stdin version counts log header into the message size, but +for example when it reads message from argv[] it counts only message +itself. + + $ logger --stderr --size 3 "abcd" + <13>Oct 21 18:48:29 kzak: abc + + $ echo "abcd" | logger --stderr --size 3 + logger: cannot allocate 18446744073709551597 bytes: Cannot allocate memory + +Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2011602 +Signed-off-by: Karel Zak +--- + misc-utils/logger.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +diff --git a/misc-utils/logger.c b/misc-utils/logger.c +index 25ff2b9308..50ae211056 100644 +--- a/misc-utils/logger.c ++++ b/misc-utils/logger.c +@@ -976,9 +976,7 @@ static void logger_stdin(struct logger_ctl *ctl) + */ + int default_priority = ctl->pri; + int last_pri = default_priority; +- size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr); +- size_t allocated_usrmsg_size = max_usrmsg_size; +- char *buf = xmalloc(allocated_usrmsg_size + 2 + 2); ++ char *buf = xmalloc(ctl->max_message_size + 2 + 2); + int pri; + int c; + size_t i; +@@ -1006,20 +1004,13 @@ static void logger_stdin(struct logger_ctl *ctl) + + if (ctl->pri != last_pri) { + generate_syslog_header(ctl); +- max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr); +- +- if (max_usrmsg_size > allocated_usrmsg_size) { +- allocated_usrmsg_size = max_usrmsg_size; +- buf = xrealloc(buf, allocated_usrmsg_size + 2 + 2); +- } +- + last_pri = ctl->pri; + } + if (c != EOF && c != '\n') + c = getchar(); + } + +- while (c != EOF && c != '\n' && i < max_usrmsg_size) { ++ while (c != EOF && c != '\n' && i < ctl->max_message_size) { + buf[i++] = c; + c = getchar(); + } diff --git a/realloc-buffer-when-header-size-changed.patch b/realloc-buffer-when-header-size-changed.patch new file mode 100644 index 0000000..a542097 --- /dev/null +++ b/realloc-buffer-when-header-size-changed.patch @@ -0,0 +1,64 @@ +From b0a8b8cd9c34600dda7d0503aac2dc0af3012fdc Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Thu, 21 Oct 2021 16:00:01 +0200 +Subject: [PATCH] logger: realloc buffer when header size changed + +This is probably paranoid optimization, but when we generate a new +header we need to be sure that buffer is not smaller than calculated +maximal size of user's data. + +Signed-off-by: Karel Zak +--- + misc-utils/logger.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/misc-utils/logger.c b/misc-utils/logger.c +index 23da164cd6..4511ab1141 100644 +--- a/misc-utils/logger.c ++++ b/misc-utils/logger.c +@@ -979,11 +979,11 @@ static void logger_stdin(struct logger_ctl *ctl) + * update header timestamps and to reflect possible priority changes. + * The initial header is generated by logger_open(). + */ +- int has_header = 1; + int default_priority = ctl->pri; + int last_pri = default_priority; + size_t max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr); +- char *const buf = xmalloc(max_usrmsg_size + 2 + 2); ++ size_t allocated_usrmsg_size = max_usrmsg_size; ++ char *buf = xmalloc(allocated_usrmsg_size + 2 + 2); + int pri; + int c; + size_t i; +@@ -1010,9 +1010,14 @@ static void logger_stdin(struct logger_ctl *ctl) + ctl->pri = default_priority; + + if (ctl->pri != last_pri) { +- has_header = 0; +- max_usrmsg_size = +- ctl->max_message_size - strlen(ctl->hdr); ++ generate_syslog_header(ctl); ++ max_usrmsg_size = ctl->max_message_size - strlen(ctl->hdr); ++ ++ if (max_usrmsg_size > allocated_usrmsg_size) { ++ allocated_usrmsg_size = max_usrmsg_size; ++ buf = xrealloc(buf, allocated_usrmsg_size + 2 + 2); ++ } ++ + last_pri = ctl->pri; + } + if (c != EOF && c != '\n') +@@ -1025,12 +1030,8 @@ static void logger_stdin(struct logger_ctl *ctl) + } + buf[i] = '\0'; + +- if (i > 0 || !ctl->skip_empty_lines) { +- if (!has_header) +- generate_syslog_header(ctl); ++ if (i > 0 || !ctl->skip_empty_lines) + write_output(ctl, buf); +- has_header = 0; +- } + + if (c == '\n') /* discard line terminator */ + c = getchar(); diff --git a/segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch b/segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch new file mode 100644 index 0000000..f08047c --- /dev/null +++ b/segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch @@ -0,0 +1,27 @@ +From 9714331843ef3a6d9c10ff1d3bc5fcf53d44d930 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Tue, 31 Aug 2021 12:31:15 +0200 +Subject: [PATCH] column: segmentation fault on invalid unicode input passed to + -s option + +The function mbs_to_wcs() returns NULL on invalid UTF. + +Fixes: https://github.com/karelzak/util-linux/issues/1425 +Signed-off-by: Karel Zak +--- + text-utils/column.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/text-utils/column.c b/text-utils/column.c +index 1bc90e84e3..f9878e4422 100644 +--- a/text-utils/column.c ++++ b/text-utils/column.c +@@ -814,6 +814,8 @@ int main(int argc, char **argv) + case 's': + free(ctl.input_separator); + ctl.input_separator = mbs_to_wcs(optarg); ++ if (!ctl.input_separator) ++ err(EXIT_FAILURE, _("failed to use input separator")); + ctl.greedy = 0; + break; + case 'T': diff --git a/util-linux.spec b/util-linux.spec index 9c3f31b..a1f9545 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -3,7 +3,7 @@ Name: util-linux Version: 2.37.2 -Release: 3 +Release: 4 Summary: A random collection of Linux utilities License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git @@ -21,6 +21,9 @@ Source9: util-linux-runuser-l.pamd Patch6000: 2.36-login-lastlog-create.patch Patch6001: backport-CVE-2021-3995.patch Patch6002: backport-CVE-2021-3996.patch +Patch6003: realloc-buffer-when-header-size-changed.patch +Patch6004: fix-size-use-for-stdin.patch +Patch6005: segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch Patch9001: SKIPPED-no-root-permissions-test.patch @@ -391,6 +394,14 @@ fi %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %changelog +* Fri Feb 18 2022 shangyibin - 2.37.2-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:realloc buffer when header size changed + fix size use for stdin + segmentation fault on invalid unicode input passed to -s option + * Mon Feb 14 2021 shangyibin - 2.37.2-3 - Type:CVE - ID:CVE-2021-3995 CVE-2021-3996 -- Gitee