author | April Chin <april.chin@oracle.com> |
Fri, 06 Dec 2013 08:41:15 -0800 | |
changeset 1584 | 7acd6f4409b8 |
permissions | -rw-r--r-- |
1584
7acd6f4409b8
17884834 problem in UTILITY/RUBY
April Chin <april.chin@oracle.com>
parents:
This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for: |
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ |
as seen here: |
http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757 |
CVE-2013-4164 |
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 |
before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision |
43780 allows context-dependent attackers to cause a denial of service |
(segmentation fault) and possibly execute arbitrary code via a string |
that is converted to a floating point value, as demonstrated using (1) |
the to_f method or (2) JSON.parse. |
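--- ruby-1.8.7-p374-orig/util.c 2010-11-21 23:21:34.000000000 -0800
+++ ruby-1.8.7-p374/util.c 2013-12-02 16:58:32.995038000 -0800
@@ -892,6 +892,11 @@
 #else
 #define MALLOC malloc
 #endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
 
 #ifndef Omit_Private_Memory
 #ifndef PRIVATE_MEM
@@ -1176,7 +1181,7 @@
 #endif
 
     ACQUIRE_DTOA_LOCK(0);
-    if ((rv = freelist[k]) != 0) {
+    if (k <= Kmax && (rv = freelist[k]) != 0) {
         freelist[k] = rv->next;
     }
     else {
@@ -1186,7 +1191,7 @@
 #else
         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
             /sizeof(double);
-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
+        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
             rv = (Bigint*)pmem_next;
             pmem_next += len;
         }
@@ -1205,6 +1210,10 @@
 Bfree(Bigint *v)
 {
     if (v) {
+        if (v->k > Kmax) {
+            FREE(v);
+            return;
+        }
         ACQUIRE_DTOA_LOCK(0);
         v->next = freelist[v->k];
         freelist[v->k] = v;
@@ -2200,6 +2209,7 @@
     for (; c >= '0' && c <= '9'; c = *++s) {
 have_dig:
         nz++;
+        if (nf > DBL_DIG * 4) continue;
         if (c -= '0') {
             nf += nz;
             for (i = 1; i < nz; i++)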
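Review bot: The `k <= Kmax` guards added to Balloc in the @@ -1176 and @@ -1186 hunks and the `v->k > Kmax` early return added to Bfree in the @@ -1205 hunk form a single invariant — a Bigint whose k exceeds Kmax presumably comes from the MALLOC fall-through below the visible lines and must never be cached in freelist[v->k], whose declared size is not visible here but is conventionally Kmax+1 — yet neither site documents it, so a later change to one side can silently break the other. I would add `/* k > Kmax: no freelist slot, fall through to MALLOC; Bfree() must give such blocks back with FREE() */` above the guard in Balloc and `/* oversized block from MALLOC in Balloc(); never cache it in freelist[] */` above the new branch in Bfree. The `if (nf > DBL_DIG * 4) continue;` in the @@ -2200 hunk is likewise an unexplained threshold; a comment along the lines of `/* fraction digits beyond this point cannot change the rounded result; bounding nf also bounds the Bigint sizes Balloc() is asked for (CVE-2013-4164) */` would record the reasoning, which I take from the upstream fix the description links rather than from these lines, so it should be confirmed there. Both Balloc and the enclosing digit loop start outside the hunks.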