grep: 2.21 -> 2.22

This commit is contained in:
William A. Kennington III 2015-11-03 20:54:22 -08:00
parent aff3a23d67
commit b983c6b9b5
2 changed files with 5 additions and 65 deletions

View File

@ -1,60 +0,0 @@
From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
From: Yuliy Pisetsky <ypisetsky@fb.com>
Date: Thu, 01 Jan 2015 23:36:55 +0000
Subject: grep -F: fix a heap buffer (read) overrun
grep's read buffer is often filled to its full size, except when
reading the final buffer of a file. In that case, the number of
bytes read may be far less than the size of the buffer. However, for
certain unusual pattern/text combinations, grep -F would mistakenly
examine bytes in that uninitialized region of memory when searching
for a match. With carefully chosen inputs, one can cause grep -F to
read beyond the end of that buffer altogether. This problem arose via
commit v2.18-90-g73893ff with the introduction of a more efficient
heuristic using what is now the memchr_kwset function. The use of
that function in bmexec_trans could leave TP much larger than EP,
and the subsequent call to bm_delta2_search would mistakenly access
beyond end of the main input read buffer.
* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
do not call bm_delta2_search.
* tests/kwset-abuse: New file.
* tests/Makefile.am (TESTS): Add it.
* THANKS.in: Update.
* NEWS (Bug fixes): Mention it.
Prior to this patch, this command would trigger a UMR:
printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
Use of uninitialised value of size 8
at 0x4142BE: bmexec_trans (kwset.c:657)
by 0x4143CA: bmexec (kwset.c:678)
by 0x414973: kwsexec (kwset.c:848)
by 0x414DC4: Fexecute (kwsearch.c:128)
by 0x404E2E: grepbuf (grep.c:1238)
by 0x4054BF: grep (grep.c:1417)
by 0x405CEB: grepdesc (grep.c:1645)
by 0x405EC1: grep_command_line_arg (grep.c:1692)
by 0x4077D4: main (grep.c:2570)
See the accompanying test for how to trigger the heap buffer overrun.
Thanks to Nima Aghdaii for testing and finding numerous
ways to break early iterations of this patch.
Nix: @vcunat restricted this to the runtime code only to avoid needing autoreconfiguration.
---
diff --git a/src/kwset.c b/src/kwset.c
index 4003c8d..376f7c3 100644
--- a/src/kwset.c
+++ b/src/kwset.c
@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
if (! tp)
return -1;
tp++;
+ if (ep <= tp)
+ break;
}
}
}

View File

@ -1,17 +1,17 @@
{ stdenv, fetchurl, pcre, libiconv }:
{ stdenv, fetchurl, pcre, libiconv, perl }:
let version = "2.21"; in
let version = "2.22"; in
stdenv.mkDerivation {
name = "gnugrep-${version}";
src = fetchurl {
url = "mirror://gnu/grep/grep-${version}.tar.xz";
sha256 = "1pp5n15qwxrw1pibwjhhgsibyv5cafhamf8lwzjygs6y00fa2i2j";
sha256 = "1srn321x7whlhs5ks36zlcrrmj4iahll8fxwsh1vbz3v04px54fa";
};
patches = [ ./cve-2015-1345.patch ];
# Perl is needed for testing
nativeBuildInputs = [ perl ];
buildInputs = [ pcre libiconv ];
# cygwin: FAIL: multibyte-white-space