LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24816 Commits
1 Branch
46 MiB
Tree: aaa46eb44e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'aaa46eb44e'
${ noResults }
openwrt-packages-dist/libs/libuv/patches/CVE-2021-22918.patch

166 lines
4.3 KiB
Raw Normal View History

libuv: fix CVE-2021-22918 idna: fix OOB read in punycode decoder libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii() function which is used to convert strings to ASCII. This is called by the DNS resolution function and can lead to information disclosures or crashes. https://github.com/libuv/libuv/commit/b7466e31e4bee160d82a68fca11b1f61d46debae https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561 https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/ Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
3 years ago
 
  1. From b7466e31e4bee160d82a68fca11b1f61d46debae Mon Sep 17 00:00:00 2001
  2. From: Ben Noordhuis <info@bnoordhuis.nl>
  3. Date: Fri, 21 May 2021 11:23:36 +0200
  4. Subject: [PATCH] idna: fix OOB read in punycode decoder
  5. 

  6. libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()
  7. function which is used to convert strings to ASCII. This is called by
  8. the DNS resolution function and can lead to information disclosures or
  9. crashes.
  10. 

  11. Reported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.
  12. 

  13. Reported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
  14. Fixes: https://github.com/libuv/libuv/issues/3147
  15. PR-URL: https://github.com/libuv/libuv-private/pull/1
  16. Refs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
  17. Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  18. Reviewed-By: Richard Lau <riclau@uk.ibm.com>
  19. ---

  20.  src/idna.c       | 49 +++++++++++++++++++++++++++++++++++-------------
  21.  test/test-idna.c | 19 +++++++++++++++++++
  22.  test/test-list.h |  2 ++
  23.  3 files changed, 57 insertions(+), 13 deletions(-)
  24. 

  25. --- a/src/idna.c

  26. +++ b/src/idna.c

  27. @@ -19,6 +19,7 @@

  28.  
  29.  #include "uv.h"
  30.  #include "idna.h"
  31. +#include <assert.h>

  32.  #include <string.h>
  33.  
  34.  static unsigned uv__utf8_decode1_slow(const char** p,
  35. @@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(co

  36.    if (a > 0xF7)
  37.      return -1;
  38.  
  39. -  switch (*p - pe) {

  40. +  switch (pe - *p) {

  41.    default:
  42.      if (a > 0xEF) {
  43.        min = 0x10000;
  44. @@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(co

  45.        a = 0;
  46.        break;
  47.      }
  48. +    /* Fall through. */

  49. +  case 0:

  50.      return -1;  /* Invalid continuation byte. */
  51.    }
  52.  
  53. @@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(co

  54.  unsigned uv__utf8_decode1(const char** p, const char* pe) {
  55.    unsigned a;
  56.  
  57. +  assert(*p < pe);

  58. +

  59.    a = (unsigned char) *(*p)++;
  60.  
  61.    if (a < 128)
  62. @@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p

  63.    return uv__utf8_decode1_slow(p, pe, a);
  64.  }
  65.  
  66. -#define foreach_codepoint(c, p, pe) \

  67. -  for (; (void) (*p <= pe && (c = uv__utf8_decode1(p, pe))), *p <= pe;)

  68. -

  69.  static int uv__idna_toascii_label(const char* s, const char* se,
  70.                                    char** d, char* de) {
  71.    static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
  72. @@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const

  73.    ss = s;
  74.    todo = 0;
  75.  
  76. -  foreach_codepoint(c, &s, se) {

  77. +  /* Note: after this loop we've visited all UTF-8 characters and know

  78. +   * they're legal so we no longer need to check for decode errors.

  79. +   */

  80. +  while (s < se) {

  81. +    c = uv__utf8_decode1(&s, se);

  82. +

  83. +    if (c == -1u)

  84. +      return UV_EINVAL;

  85. +

  86.      if (c < 128)
  87.        h++;
  88. -    else if (c == (unsigned) -1)

  89. -      return UV_EINVAL;

  90.      else
  91.        todo++;
  92.    }
  93.  
  94. +  /* Only write "xn--" when there are non-ASCII characters. */

  95.    if (todo > 0) {
  96.      if (*d < de) *(*d)++ = 'x';
  97.      if (*d < de) *(*d)++ = 'n';
  98. @@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const

  99.      if (*d < de) *(*d)++ = '-';
  100.    }
  101.  
  102. +  /* Write ASCII characters. */

  103.    x = 0;
  104.    s = ss;
  105. -  foreach_codepoint(c, &s, se) {

  106. +  while (s < se) {

  107. +    c = uv__utf8_decode1(&s, se);

  108. +    assert(c != -1u);

  109. +

  110.      if (c > 127)
  111.        continue;
  112.  
  113. @@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const

  114.    while (todo > 0) {
  115.      m = -1;
  116.      s = ss;
  117. -    foreach_codepoint(c, &s, se)

  118. +

  119. +    while (s < se) {

  120. +      c = uv__utf8_decode1(&s, se);

  121. +      assert(c != -1u);

  122. +

  123.        if (c >= n)
  124.          if (c < m)
  125.            m = c;
  126. +    }

  127.  
  128.      x = m - n;
  129.      y = h + 1;
  130. @@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const

  131.      n = m;
  132.  
  133.      s = ss;
  134. -    foreach_codepoint(c, &s, se) {

  135. +    while (s < se) {

  136. +      c = uv__utf8_decode1(&s, se);

  137. +      assert(c != -1u);

  138. +

  139.        if (c < n)
  140.          if (++delta == 0)
  141.            return UV_E2BIG;  /* Overflow. */
  142. @@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const

  143.    return 0;
  144.  }
  145.  
  146. -#undef foreach_codepoint

  147. -

  148.  long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
  149.    const char* si;
  150.    const char* st;
  151. @@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, con

  152.  
  153.    ds = d;
  154.  
  155. -  for (si = s; si < se; /* empty */) {

  156. +  si = s;

  157. +  while (si < se) {

  158.      st = si;
  159.      c = uv__utf8_decode1(&si, se);
  160.  
  161. +    if (c == -1u)

  162. +      return UV_EINVAL;

  163. +

  164.      if (c != '.')
  165.        if (c != 0x3002)  /* 。 */
  166.          if (c != 0xFF0E)  /* . */