diff --git a/backport-CVE-2020-28241.patch b/backport-CVE-2020-28241.patch
new file mode 100644
index 0000000..90f8934
--- /dev/null
+++ b/backport-CVE-2020-28241.patch
@@ -0,0 +1,134 @@
+From eac45e29196bcde1d123a6035c15d30356bed248 Mon Sep 17 00:00:00 2001
+From: Gregory Oschwald
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ bin/mmdblookup.c | 2 +-
+ doc/libmaxminddb.md | 2 +-
+ src/maxminddb.c | 19 +++++++++++--------
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 26267c4..7f78773 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -184,7 +184,7 @@ LOCAL const char **get_options(int argc, char **argv, char **mmdb_file,
+ }
+
+ const char **lookup_path =
+- malloc(sizeof(const char *) * ((argc - optind) + 1));
++ calloc((argc - optind) + 1, sizeof(const char *));
+ int i;
+ for (i = 0; i < argc - optind; i++) {
+ lookup_path[i] = argv[i + optind];
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index ebeb7c5..a8385e0 100644
+--- a/doc/libmaxminddb.md
++++ b/doc/libmaxminddb.md
+@@ -302,7 +302,7 @@ libmaxminddb code.
+
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 1cf2cbc..f8bbecb 100644
+--- a/src/maxminddb.c
++++ b/src/maxminddb.c
+@@ -34,7 +34,7 @@
+ do { \
+ char *binary = byte_to_binary(byte); \
+ if (NULL == binary) { \
+- fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++ fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+ abort(); \
+ } \
+ fprintf(stderr, fmt "\n", binary); \
+@@ -53,7 +53,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+- char *bits = malloc(sizeof(char) * 9);
++ char *bits = calloc(9, sizeof(char));
+ if (NULL == bits) {
+ return bits;
+ }
+@@ -658,7 +658,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ MMDB_INVALID_METADATA_ERROR);
+
+ mmdb->metadata.languages.count = 0;
+- mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++ mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+ if (NULL == mmdb->metadata.languages.names) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+@@ -676,7 +676,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ if (NULL == mmdb->metadata.languages.names[i]) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+- // We assign this as we go so that if we fail a malloc and need to
++ // We assign this as we go so that if we fail a calloc and need to
+ // free it, the count is right.
+ mmdb->metadata.languages.count = i + 1;
+ }
+@@ -728,7 +728,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ MMDB_INVALID_METADATA_ERROR);
+
+ mmdb->metadata.description.descriptions =
+- malloc(map_size * sizeof(MMDB_description_s *));
++ calloc(map_size, sizeof(MMDB_description_s *));
+ if (NULL == mmdb->metadata.description.descriptions) {
+ status = MMDB_OUT_OF_MEMORY_ERROR;
+ goto cleanup;
+@@ -736,7 +736,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+
+ for (uint32_t i = 0; i < map_size; i++) {
+ mmdb->metadata.description.descriptions[i] =
+- malloc(sizeof(MMDB_description_s));
++ calloc(1, sizeof(MMDB_description_s));
+ if (NULL == mmdb->metadata.description.descriptions[i]) {
+ status = MMDB_OUT_OF_MEMORY_ERROR;
+ goto cleanup;
+@@ -1140,7 +1140,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
+ MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
+ MMDB_INVALID_METADATA_ERROR);
+
+- const char **path = malloc((length + 1) * sizeof(const char *));
++ const char **path = calloc(length + 1, sizeof(const char *));
+ if (NULL == path) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+@@ -2000,6 +2000,7 @@ LOCAL MMDB_entry_data_list_s *dump_entry_data_list(
+ char *hex_string =
+ bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes,
+ entry_data_list->entry_data.data_size);
++
+ if (NULL == hex_string) {
+ *status = MMDB_OUT_OF_MEMORY_ERROR;
+ return NULL;
+@@ -2093,7 +2094,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+ char *hex_string;
+ MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
+
+- hex_string = malloc((size * 2) + 1);
++ hex_string = calloc((size * 2) + 1, sizeof(char));
+ if (NULL == hex_string) {
+ return NULL;
+ }
+@@ -2102,6 +2103,8 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+ sprintf(hex_string + (2 * i), "%02X", bytes[i]);
+ }
+
++
++
+ return hex_string;
+ }
+
+--
+1.8.3.1
+
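Review bot: In the bytes_to_hex() hunk of src/maxminddb.c, the zero fill from `calloc((size * 2) + 1, sizeof(char))` appears to be the only thing that terminates `hex_string` when `size` is 0, yet the new code has no comment saying so. Without one, a later cleanup back to malloc could quietly reintroduce an unterminated heap buffer, which dump_entry_data_list() receives and presumably handles as a C string. I would add `/* calloc, not malloc: a zero-length input must still yield a NUL-terminated string */` above the allocation. The same zero-initialisation reasoning looks relevant to `calloc(1, sizeof(MMDB_description_s))` in populate_description_metadata(), where the cleanup path is outside the hunk. The loop header in bytes_to_hex() is also not shown, so the zero-iteration case is inferred from the visible sprintf line.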
diff --git a/backport-Check-all-calloc-malloc-return-values.patch b/backport-Check-all-calloc-malloc-return-values.patch
new file mode 100644
index 0000000..f59b4b6
--- /dev/null
+++ b/backport-Check-all-calloc-malloc-return-values.patch
@@ -0,0 +1,57 @@
+From ec946c10d7bdad4215185b49d672d1508e0af4b1 Mon Sep 17 00:00:00 2001
+From: Gregory Oschwald
+Date: Wed, 17 Feb 2021 14:18:06 -0800
+Subject: [PATCH] Check all calloc/malloc return values. Closes #252.
+
+---
+ bin/mmdblookup.c | 4 ++++
+ t/basic_lookup_t.c | 3 +++
+ t/threads_t.c | 3 +++
+ 3 files changed, 10 insertions(+)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 7f78773..9a8eb67 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -185,6 +185,10 @@ LOCAL const char **get_options(int argc, char **argv, char **mmdb_file,
+
+ const char **lookup_path =
+ calloc((argc - optind) + 1, sizeof(const char *));
++ if (!lookup_path) {
++ fprintf(stderr, "calloc(): %s\n", strerror(errno));
++ exit(1);
++ }
+ int i;
+ for (i = 0; i < argc - optind; i++) {
+ lookup_path[i] = argv[i + optind];
+diff --git a/t/basic_lookup_t.c b/t/basic_lookup_t.c
+index 7855919..5da0673 100644
+--- a/t/basic_lookup_t.c
++++ b/t/basic_lookup_t.c
+@@ -31,6 +31,9 @@ void test_one_result(MMDB_s *mmdb, MMDB_lookup_result_s result,
+ // something like "::1.2.3.4", not just "1.2.3.4".
+ int maxlen = strlen(expect) + 3;
+ real_expect = malloc(maxlen);
++ if (!real_expect) {
++ BAIL_OUT("could not allocate memory");
++ }
+ snprintf(real_expect, maxlen, "::%s", expect);
+ }
+
+diff --git a/t/threads_t.c b/t/threads_t.c
+index 23cd0ee..be060d3 100644
+--- a/t/threads_t.c
++++ b/t/threads_t.c
+@@ -68,6 +68,9 @@ void *run_one_thread(void *arg)
+ const char *ip = thread_arg->ip_to_lookup;
+
+ test_result_s *result = malloc(sizeof(test_result_s));
++ if (!result) {
++ BAIL_OUT("could not allocate memory");
++ }
+ test_one_ip(mmdb, ip, result);
+
+ pthread_exit((void *)result);
+--
+1.8.3.1
+
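Review bot: The new failure path in get_options() (bin/mmdblookup.c) calls `strerror(errno)`, but the hunk does not show whether the 1.2.0 copy of that file includes `<errno.h>` and `<string.h>`. This patch was written against a later upstream tree, so it is worth confirming with a build that treats implicit declarations as errors. ISO C also does not require calloc() to set errno on failure (POSIX does), so a fixed message such as `fprintf(stderr, "calloc(): out of memory\n");` would be portable. get_options() starts and ends outside the hunk.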
diff --git a/libmaxminddb.spec b/libmaxminddb.spec index ab514c2..6437115 100644 --- a/libmaxminddb.spec +++ b/libmaxminddb.spec @@ -1,11 +1,14 @@ Name: libmaxminddb Version: 1.2.0 -Release: 7 +Release: 8 Summary: C library for working with MaxMind DB files License: ASL 2.0 and BSD URL: https://github.com/maxmind/libmaxminddb Source0: https://github.com/maxmind/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz +Patch6000: backport-CVE-2020-28241.patch +Patch6001: backport-Check-all-calloc-malloc-return-values.patch + BuildRequires: gcc perl-interpreter %description @@ -35,7 +38,7 @@ Summary: man information and changelog document for user the help package include man information and changelog document for user. %prep -%autosetup +%autosetup -p1 %build %configure --disable-static @@ -69,5 +72,8 @@ LD_PRELOAD=%{buildroot}%{_libdir}/libmaxminddb.so make check %{_mandir}/man3/* %changelog +* Sat Jul 24 2021 shixuantong - 1.2.0-8 +- fix CVE-2020-28241 + * Tue Sep 3 2019 openEuler Buildteam - 1.2.0-7 - Package init