kmx git

Commit	Date	Message
fb9acedc	2020-05-26T21:42:13	libpkgconf: dependency: fix out of boundary write It is possible to trigger an out of boundary write in function pkgconf_dependency_parse_str if a dependency line contains a very long comparator. The comparator is stored in a temporary buffer which has a size of PKGCONF_ITEM_SIZE. The line which is parsed can be up to PKGCONF_BUFSIZE characters long, which is larger than PKGCONF_ITEM_SIZE (although it depends on PATH_MAX). Having a comparator which is longer than PKGCONF_ITEM_SIZE therefore leads to an out of boundary write. Although it is undefined behaviour, this can lead to an overridden compare variable, which in turn can lead to an invalid instruction pointer, i.e. most likely a crash or code execution (very unlikely). Proof of concept: $ echo "Requires: x " > poc.pc $ dd if=/dev/zero bs=1 count=65535 \| tr '\0' '<' >> poc.pc $ pkgconf poc.pc Eiter compile pkgconf with address sanitizer or run pkgconf multiple times, eventually it might crash (assuming that ASLR is in place). In order to fix this, I decided to use an end pointer to avoid OOB write. Alternative would be to increase the buffer size, but I try to avoid that since this would be additional ~60 KB stack space for a very unlikely situation.
3f753fa3	2018-03-18T19:03:18	libpkgconf: dependency: preference uncoloured nodes in event of a dependency collision
ad65bc4a	2018-03-18T18:01:59	libpkgconf: dependency: allow dependency nodes to be colored with traits
74d58d1b	2017-12-05T17:34:01	libpkgconf: pkg: cache solutions for already solved dependency graph nodes in almost all cases, we partially solve the dependency graph multiple times, which just wastes resources. if we record the solution to a given dependency node, further iterations can make use of the previous solution without having to solve it again. this is safe because all provides entries (including virtuals) are knowable prior to solving the dependency graph the first time. a nice side effect of this is that all packages are preloaded when querying information about them (--cflags and related commands).
4589274c	2017-10-16T12:56:19	libpkgconf: start to remove PKGCONF_BUFSIZE allocations from the stack. (closes #149) Patch by Karen Arutyunov.
e9fd43ca	2017-09-17T23:38:25	libpkgconf: clean up header includes (closes #137)
1252d7ae	2017-09-08T19:53:52	libpkgconf: dependency: make dependency_to_str() private, use a caller-supplied buffer for reentrancy
794443a9	2017-02-25T16:04:55	dependency: break API to add tracepoints to dependency list building
5db87c96	2017-01-22T20:31:34	remove dead assignments (#109) * remove dead assignments None of them are used. Signed-off-by: Igor Gnatenko <ignatenko@redhat.com> * The address of an object "&pkgconf_pkg_provides_vermatch_rules[pkgdep->compare]" is never null Signed-off-by: Igor Gnatenko <ignatenko@redhat.com> * Overrunning array pkgconf_pkg_comparator_names at element index 7 Signed-off-by: Igor Gnatenko <ignatenko@redhat.com>
af503f21	2016-12-10T19:57:26	libpkgconf: document dependency module
8213d910	2016-12-10T16:19:40	libpkgconf: migrate to using the pkgconf_ namespaced strlcat/strlcpy symbols
8740c5cd	2016-12-01T15:05:03	libpkgconf: begin removing global state from libpkgconf library by introducing a "client" object which holds the state
d72ece6a	2016-08-26T23:40:15	dependency: add pkgconf_dependency_add for programmatically adding a dependency object
cb83dab4	2015-12-02T14:59:51	More casting for ctype
2f4f68fb	2015-09-06T11:50:29	libpkgconf: dependency: remove some dead debug code
50cf8db0	2015-09-06T11:39:55	libpkgconf: clean up PKG_MODULE_SEPARATOR() and PKG_OPERATOR_CHAR() macros
dd86ba43	2015-09-06T11:34:09	libpkgconf: PKG_ comparators become PKGCONF_CMP_ namespace
571d9c75	2015-09-06T11:29:56	libpkgconf: PKG_BUFSIZE becomes PKGCONF_BUFSIZE, remove unused PKG_MIN/PKG_MAX.
ca1b0265	2015-09-06T11:20:48	libpkgconf: untangle remaining pkg_ functions related to pkgconf_pkg_t
66247fae	2015-09-06T10:57:26	libpkgconf: pkg_comparator_t becomes pkgconf_pkg_comparator_t (and so on)
4c71b25d	2015-09-06T10:41:40	libpkgconf: move pkg_tuple to pkgconf_tuple namespace
1ee18d0e	2015-09-06T10:38:30	libpkgconf: move pkg_dependency to pkgconf_dependency namespace
cc2dcc1f	2015-09-06T10:31:21	libpkgconf: move pkg_node and pkg_list to pkgconf_node and pkgconf_list namespaces
a706b3dc	2015-09-06T09:35:08	initial libtoolization for libpkgconf

fb9acedc

2020-05-26T21:42:13

libpkgconf: dependency: fix out of boundary write It is possible to trigger an out of boundary write in function pkgconf_dependency_parse_str if a dependency line contains a very long comparator. The comparator is stored in a temporary buffer which has a size of PKGCONF_ITEM_SIZE. The line which is parsed can be up to PKGCONF_BUFSIZE characters long, which is larger than PKGCONF_ITEM_SIZE (although it depends on PATH_MAX). Having a comparator which is longer than PKGCONF_ITEM_SIZE therefore leads to an out of boundary write. Although it is undefined behaviour, this can lead to an overridden compare variable, which in turn can lead to an invalid instruction pointer, i.e. most likely a crash or code execution (very unlikely). Proof of concept: $ echo "Requires: x " > poc.pc $ dd if=/dev/zero bs=1 count=65535 | tr '\0' '<' >> poc.pc $ pkgconf poc.pc Eiter compile pkgconf with address sanitizer or run pkgconf multiple times, eventually it might crash (assuming that ASLR is in place). In order to fix this, I decided to use an end pointer to avoid OOB write. Alternative would be to increase the buffer size, but I try to avoid that since this would be additional ~60 KB stack space for a very unlikely situation.

3f753fa3

2018-03-18T19:03:18

libpkgconf: dependency: preference uncoloured nodes in event of a dependency collision

ad65bc4a

2018-03-18T18:01:59

libpkgconf: dependency: allow dependency nodes to be colored with traits

74d58d1b

2017-12-05T17:34:01

libpkgconf: pkg: cache solutions for already solved dependency graph nodes in almost all cases, we partially solve the dependency graph multiple times, which just wastes resources. if we record the solution to a given dependency node, further iterations can make use of the previous solution without having to solve it again. this is safe because all provides entries (including virtuals) are knowable prior to solving the dependency graph the first time. a nice side effect of this is that all packages are preloaded when querying information about them (--cflags and related commands).

4589274c

2017-10-16T12:56:19

libpkgconf: start to remove PKGCONF_BUFSIZE allocations from the stack. (closes #149) Patch by Karen Arutyunov.

e9fd43ca

2017-09-17T23:38:25

libpkgconf: clean up header includes (closes #137)

1252d7ae

2017-09-08T19:53:52

libpkgconf: dependency: make dependency_to_str() private, use a caller-supplied buffer for reentrancy

794443a9

2017-02-25T16:04:55

dependency: break API to add tracepoints to dependency list building

5db87c96

2017-01-22T20:31:34

remove dead assignments (#109) * remove dead assignments None of them are used. Signed-off-by: Igor Gnatenko <ignatenko@redhat.com> * The address of an object "&pkgconf_pkg_provides_vermatch_rules[pkgdep->compare]" is never null Signed-off-by: Igor Gnatenko <ignatenko@redhat.com> * Overrunning array pkgconf_pkg_comparator_names at element index 7 Signed-off-by: Igor Gnatenko <ignatenko@redhat.com>

af503f21

2016-12-10T19:57:26

libpkgconf: document dependency module

8213d910

2016-12-10T16:19:40

libpkgconf: migrate to using the pkgconf_ namespaced strlcat/strlcpy symbols

8740c5cd

2016-12-01T15:05:03

libpkgconf: begin removing global state from libpkgconf library by introducing a "client" object which holds the state

d72ece6a

2016-08-26T23:40:15

dependency: add pkgconf_dependency_add for programmatically adding a dependency object

cb83dab4

2015-12-02T14:59:51

More casting for ctype

2f4f68fb

2015-09-06T11:50:29

libpkgconf: dependency: remove some dead debug code

50cf8db0

2015-09-06T11:39:55

libpkgconf: clean up PKG_MODULE_SEPARATOR() and PKG_OPERATOR_CHAR() macros

dd86ba43

2015-09-06T11:34:09

libpkgconf: PKG_ comparators become PKGCONF_CMP_ namespace

571d9c75

2015-09-06T11:29:56

libpkgconf: PKG_BUFSIZE becomes PKGCONF_BUFSIZE, remove unused PKG_MIN/PKG_MAX.

ca1b0265

2015-09-06T11:20:48

libpkgconf: untangle remaining pkg_ functions related to pkgconf_pkg_t

66247fae

2015-09-06T10:57:26

libpkgconf: pkg_comparator_t becomes pkgconf_pkg_comparator_t (and so on)

4c71b25d

2015-09-06T10:41:40

libpkgconf: move pkg_tuple to pkgconf_tuple namespace

1ee18d0e

2015-09-06T10:38:30

libpkgconf: move pkg_dependency to pkgconf_dependency namespace

cc2dcc1f

2015-09-06T10:31:21

libpkgconf: move pkg_node and pkg_list to pkgconf_node and pkgconf_list namespaces

a706b3dc

2015-09-06T09:35:08

initial libtoolization for libpkgconf

kc3-lang/pkgconf/libpkgconf/dependency.c

libpkgconf/dependency.c

Log