ghostscript: CVE-2017-9727, -9835, -11714

CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust CVE-2017-9835: bounds check the array allocations methods CVE-2017-11714: prevent trying to reloc a freed object (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f) (From OE-Core rev: 1c9e3318791e36d6bc851192a7640ee639f61f23) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-22 14:14:46 -07:00 · 2017-08-22 14:14:46 -07:00 · e6533d1d9e
parent bbb081544c
commit e6533d1d9e
4 changed files with 224 additions and 0 deletions
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-11714.patch
@ -0,0 +1,61 @@
+From 671fd59eb657743aa86fbc1895cb15872a317caa Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Jul 2017 14:54:02 +0100
+Subject: [PATCH] Bug 698158: prevent trying to reloc a freed object
+
+In the token reader, we pass the scanner state structure around as a
+t_struct ref on the Postscript operand stack.
+
+But we explicitly free the scanner state when we're done, which leaves a
+dangling reference on the operand stack and, unless that reference gets
+overwritten before the next garbager run, we can end up with the garbager
+trying to deal with an already freed object - that can cause a crash, or
+memory corruption.
+---
+ psi/ztoken.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- end of original header
+
+CVE: CVE-2017-11714
+
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+diff --git a/psi/ztoken.c b/psi/ztoken.c
+index 4dba7c5..af1ceeb 100644
+--- a/psi/ztoken.c
+++ b/psi/ztoken.c
+@@ -107,6 +107,12 @@ token_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+     int code;
+     ref token;
+ 
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);                     /* remove the file or scanner state */
+ again:
+@@ -183,8 +189,14 @@ ztokenexec_continue(i_ctx_t *i_ctx_p)
+ static int
+ tokenexec_continue(i_ctx_t *i_ctx_p, scanner_state * pstate, bool save)
+ {
+-    os_ptr op;
+    os_ptr op = osp;
+     int code;
+    /* Since we might free pstate below, and we're dealing with
+     * gc memory referenced by the stack, we need to explicitly
+     * remove the reference to pstate from the stack, otherwise
+     * the garbager will fall over
+     */
+    make_null(osp);
+     /* Note that gs_scan_token may change osp! */
+     pop(1);
+ again:
+-- 
+1.7.9.5
+
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9727.patch
@ -0,0 +1,35 @@
+From 937ccd17ac65935633b2ebc06cb7089b91e17e6b Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 15 Jun 2017 09:05:20 +0100
+Subject: [PATCH] Bug 698056: make bounds check in gx_ttfReader__Read more
+ robust
+
+---
+ base/gxttfb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- end of original header
+
+CVE: CVE-2017-9727
+
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+diff --git a/base/gxttfb.c b/base/gxttfb.c
+index 0e9a444..e1561af 100644
+--- a/base/gxttfb.c
+++ b/base/gxttfb.c
+@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
+     if (!r->error) {
+         if (r->extra_glyph_index != -1) {
+             q = r->glyph_data.bits.data + r->pos;
+-            r->error = (r->glyph_data.bits.size - r->pos < n ?
+            r->error = ((r->pos >= r->glyph_data.bits.size ||
+                        r->glyph_data.bits.size - r->pos < n) ?
+                             gs_note_error(gs_error_invalidfont) : 0);
+             if (r->error == 0)
+                 memcpy(p, q, n);
+-- 
+1.7.9.5
+
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-9835.patch
@ -0,0 +1,125 @@
+From cfde94be1d4286bc47633c6e6eaf4e659bd78066 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 7 Jun 2017 14:55:12 +0100
+Subject: [PATCH] Bug 697985: bounds check the array allocations methods
+
+The clump allocator has four allocation functions that use 'number of elements'
+and 'size of elements' parameters (rather than a simple 'number of bytes').
+
+Those need specific bounds checking.
+---
+ base/gsalloc.c |   42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- end of original header
+
+CVE: CVE-2017-9835
+
+Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+diff --git a/base/gsalloc.c b/base/gsalloc.c
+index 741ba00..10c04dd 100644
+--- a/base/gsalloc.c
+++ b/base/gsalloc.c
+@@ -1248,19 +1248,32 @@ i_alloc_struct_immovable(gs_memory_t * mem, gs_memory_type_ptr_t pstype,
+     alloc_trace("|+<.", imem, cname, pstype, size, obj);
+     return obj;
+ }
+
+static inline bool
+alloc_array_check_size(ulong num_elements, ulong elt_size, ulong *lsize)
+{
+    int64_t s = (int64_t)num_elements * elt_size;
+    if (s > max_uint) {
+        return false;
+    }
+    *lsize = (ulong)s;
+    return true;
+}
+
+ static byte *
+ i_alloc_byte_array(gs_memory_t * mem, uint num_elements, uint elt_size,
+                    client_name_t cname)
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+-
+-    obj = alloc_obj(imem, (ulong) num_elements * elt_size,
+    if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize,
+                     &st_bytes, ALLOC_DIRECT, cname);
+ 
+     if_debug6m('A', mem, "[a%d:+b.]%s -bytes-*(%lu=%u*%u) = 0x%lx\n",
+@@ -1275,13 +1288,14 @@ i_alloc_byte_array_immovable(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+-
+-    obj = alloc_obj(imem, (ulong) num_elements * elt_size,
+    if (alloc_array_check_size(num_elements, elt_size, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize,
+                     &st_bytes, ALLOC_IMMOVABLE | ALLOC_DIRECT,
+                     cname);
+ 
+@@ -1297,7 +1311,7 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+@@ -1311,9 +1325,9 @@ i_alloc_struct_array(gs_memory_t * mem, uint num_elements,
+         return NULL;		/* fail */
+     }
+ #endif
+-    obj = alloc_obj(imem,
+-                    (ulong) num_elements * pstype->ssize,
+-                    pstype, ALLOC_DIRECT, cname);
+    if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize, pstype, ALLOC_DIRECT, cname);
+     if_debug7m('A', mem, "[a%d:+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+                alloc_trace_space(imem), client_name_string(cname),
+                struct_type_name_string(pstype),
+@@ -1327,16 +1341,16 @@ i_alloc_struct_array_immovable(gs_memory_t * mem, uint num_elements,
+ {
+     gs_ref_memory_t * const imem = (gs_ref_memory_t *)mem;
+     obj_header_t *obj;
+-
+    ulong lsize;
+ #ifdef MEMENTO
+     if (Memento_failThisEvent())
+         return NULL;
+ #endif
+ 
+     ALLOC_CHECK_SIZE(mem,pstype);
+-    obj = alloc_obj(imem,
+-                    (ulong) num_elements * pstype->ssize,
+-                    pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
+    if (alloc_array_check_size(num_elements, pstype->ssize, &lsize) == false)
+        return NULL;
+    obj = alloc_obj(imem, lsize, pstype, ALLOC_IMMOVABLE | ALLOC_DIRECT, cname);
+     if_debug7m('A', mem, "[a%d|+<.]%s %s*(%lu=%u*%u) = 0x%lx\n",
+                alloc_trace_space(imem), client_name_string(cname),
+                struct_type_name_string(pstype),
+-- 
+1.7.9.5
+
--- a/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.20.bb
@ -45,6 +45,9 @@ SRC_URI = "${SRC_URI_BASE} \
           file://CVE-2017-9612.patch \
           file://CVE-2017-9739.patch \
           file://CVE-2017-9726.patch \
+           file://CVE-2017-9727.patch \
+           file://CVE-2017-9835.patch \
+           file://CVE-2017-11714.patch \
           "

 SRC_URI_class-native = "${SRC_URI_BASE} \