packages/abseil-cpp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2025-0838

Browse Source
This commit is contained in:
xh 2025-02-24 11:21:21 +00:00
parent b6152dd94c
commit ca76282d7d
2 changed files with 117 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
abseil-cpp.spec
View File

@ -2,13 +2,15 @@
%undefine __cmake_in_source_build %undefine __cmake_in_source_build
Name: abseil-cpp Name: abseil-cpp
Version: 20210324.2 Version: 20210324.2
Release: 1 Release: 2
Summary: C++ Common Libraries Summary: C++ Common Libraries
License: ASL 2.0 License: ASL 2.0
URL: https://abseil.io URL: https://abseil.io
Source0: https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}-%{version}.tar.gz
Patch0: backport-CVE-2025-0838.patch
BuildRequires: cmake BuildRequires: cmake
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: make BuildRequires: make
@ -57,6 +59,12 @@ Development headers for %{name}
%{_libdir}/pkgconfig/*.pc %{_libdir}/pkgconfig/*.pc
%changelog %changelog
* Mon Feb 24 2025 xinghe <xinghe2@h-partners.com> - 20210324.2-2
- Type:cves
- ID:CVE-2025-0838
- SUG:NA
- DESC:fix CVE-2025-0838
* Fri Oct 15 2021 licihua <licihua@huawei.com> - 20210324.2-1 * Fri Oct 15 2021 licihua <licihua@huawei.com> - 20210324.2-1
- update to 20210324.2 - update to 20210324.2

108
backport-CVE-2025-0838.patch Normal file
View File

@ -0,0 +1,108 @@
From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001
From: Derek Mauro <dmauro@google.com>
Date: Wed, 22 Jan 2025 15:58:56 -0500
Subject: [PATCH] Fix potential integer overflow in hash container
create/resize
The sized constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on
their size argument. As a result, it was possible for a caller to pass
a very large size that would cause an integer overflow when computing
the size of the container's backing store. Subsequent accesses to the
container might then access out-of-bounds memory.
The fix is in two parts:
1) Update max_size() to return the maximum number of items that can be
stored in the container
2) Validate the size arguments to the constructors, reserve(), and
rehash() methods, and abort the program when the argument is invalid
We've looked at uses of these containers in Google codebases like
Chrome, and determined this vulnerability is likely to be difficult to
exploit. This is primarily because container sizes are rarely
attacker-controlled.
The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
Conflict: remove absl/base/config.h and context adapt
Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416
---
absl/container/internal/raw_hash_set.h | 15 ++++++++++++++-
absl/container/internal/raw_hash_set_test.cc | 8 ++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h
index 8615de8..7e74de6 100644
--- a/absl/container/internal/raw_hash_set.h
+++ b/absl/container/internal/raw_hash_set.h
@@ -468,6 +468,12 @@ inline size_t NormalizeCapacity(size_t n) {
return n ? ~size_t{} >> countl_zero(n) : 1;
}
+template <size_t kSlotSize>
+size_t MaxValidCapacity() {
+ return NormalizeCapacity((std::numeric_limits<size_t>::max)() / 4 /
+ kSlotSize);
+}
+
// General notes on capacity/growth methods below:
// - We use 7/8th as maximum load factor. For 16-wide groups, that gives an
// average of two empty slots per group.
@@ -795,6 +801,8 @@ class raw_hash_set {
: ctrl_(EmptyGroup()),
settings_(0, HashtablezInfoHandle(), hash, eq, alloc) {
if (bucket_count) {
+ ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity<sizeof(slot_type)>(),
+ "Hash table size overflow");
capacity_ = NormalizeCapacity(bucket_count);
initialize_slots();
}
@@ -986,7 +994,9 @@ class raw_hash_set {
bool empty() const { return !size(); }
size_t size() const { return size_; }
size_t capacity() const { return capacity_; }
- size_t max_size() const { return (std::numeric_limits<size_t>::max)(); }
+ size_t max_size() const {
+ return CapacityToGrowth(MaxValidCapacity<sizeof(slot_type)>());
+ }
ABSL_ATTRIBUTE_REINITIALIZES void clear() {
// Iterating over this container is O(bucket_count()). When bucket_count()
@@ -1318,11 +1328,14 @@ class raw_hash_set {
auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size()));
// n == 0 unconditionally rehashes as per the standard.
if (n == 0 || m > capacity_) {
+ ABSL_RAW_CHECK(m <= MaxValidCapacity<sizeof(slot_type)>(),
+ "Hash table size overflow");
resize(m);
}
}
void reserve(size_t n) {
+ ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow");
size_t m = GrowthToLowerboundCapacity(n);
if (m > capacity_) {
resize(NormalizeCapacity(m));
diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc
index 7dac65a..27efa7a 100644
--- a/absl/container/internal/raw_hash_set_test.cc
+++ b/absl/container/internal/raw_hash_set_test.cc
@@ -1978,6 +1978,14 @@ TEST(Sanitizer, PoisoningOnErase) {
}
#endif // ABSL_HAVE_ADDRESS_SANITIZER
+TEST(Table, MaxSizeOverflow) {
+ size_t overflow = (std::numeric_limits<size_t>::max)();
+ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow");
+ IntTable t;
+ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow");
+ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow");
+}
+
} // namespace
} // namespace container_internal
ABSL_NAMESPACE_END
--
2.43.0