!3 fix CVE-2020-28241

From: @tong_1001 Reviewed-by: @xiezhipeng1 Signed-off-by: @xiezhipeng1
2021-07-24 02:45:41 +00:00 · 2021-07-24 02:45:41 +00:00 · 326a8e837a
commit 326a8e837a
parent 90b7c49e03 ab5d3e0d52
3 changed files with 199 additions and 2 deletions
--- a/backport-CVE-2020-28241.patch
+++ b/backport-CVE-2020-28241.patch
@ -0,0 +1,134 @@
 From eac45e29196bcde1d123a6035c15d30356bed248 Mon Sep 17 00:00:00 2001
 From: Gregory Oschwald <goschwald@maxmind.com>
 Date: Wed, 5 Aug 2020 14:16:17 -0700
 Subject: [PATCH] Replace most malloc uses with calloc
 Closes #236.
 ---
 bin/mmdblookup.c    |  2 +-
 doc/libmaxminddb.md |  2 +-
 src/maxminddb.c     | 19 +++++++++++--------
 3 files changed, 13 insertions(+), 10 deletions(-)
 diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
 index 26267c4..7f78773 100644
 --- a/bin/mmdblookup.c
 +++ b/bin/mmdblookup.c
@@ -184,7 +184,7 @@ LOCAL const char **get_options(int argc, char **argv, char **mmdb_file,
     }
     const char **lookup_path =
 -        malloc(sizeof(const char *) * ((argc - optind) + 1));
 +        calloc((argc - optind) + 1, sizeof(const char *));
     int i;
     for (i = 0; i < argc - optind; i++) {
         lookup_path[i] = argv[i + optind];
 diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
 index ebeb7c5..a8385e0 100644
 --- a/doc/libmaxminddb.md
 +++ b/doc/libmaxminddb.md
@@ -302,7 +302,7 @@ libmaxminddb code.
 The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure
 are all pointers directly into the database's data section. This can either be
 -a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
 +a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
 become invalid after `MMDB_close()` is called.
 If you need to refer to this data after that time you should copy the data
 diff --git a/src/maxminddb.c b/src/maxminddb.c
 index 1cf2cbc..f8bbecb 100644
 --- a/src/maxminddb.c
 +++ b/src/maxminddb.c
@@ -34,7 +34,7 @@
     do {                                                        \
         char *binary = byte_to_binary(byte);                    \
         if (NULL == binary) {                                   \
 -            fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
 +            fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
             abort();                                            \
         }                                                       \
         fprintf(stderr, fmt "\n", binary);                      \
@@ -53,7 +53,7 @@
 #ifdef MMDB_DEBUG
 DEBUG_FUNC char *byte_to_binary(uint8_t byte)
 {
 -    char *bits = malloc(sizeof(char) * 9);
 +    char *bits = calloc(9, sizeof(char));
     if (NULL == bits) {
         return bits;
     }
@@ -658,7 +658,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
                               MMDB_INVALID_METADATA_ERROR);
     mmdb->metadata.languages.count = 0;
 -    mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
 +    mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
     if (NULL == mmdb->metadata.languages.names) {
         return MMDB_OUT_OF_MEMORY_ERROR;
     }
@@ -676,7 +676,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
         if (NULL == mmdb->metadata.languages.names[i]) {
             return MMDB_OUT_OF_MEMORY_ERROR;
         }
 -        // We assign this as we go so that if we fail a malloc and need to
 +        // We assign this as we go so that if we fail a calloc and need to
         // free it, the count is right.
         mmdb->metadata.languages.count = i + 1;
     }
@@ -728,7 +728,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
                               MMDB_INVALID_METADATA_ERROR);
     mmdb->metadata.description.descriptions =
 -        malloc(map_size * sizeof(MMDB_description_s *));
 +        calloc(map_size, sizeof(MMDB_description_s *));
     if (NULL == mmdb->metadata.description.descriptions) {
         status = MMDB_OUT_OF_MEMORY_ERROR;
         goto cleanup;
@@ -736,7 +736,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
     for (uint32_t i = 0; i < map_size; i++) {
         mmdb->metadata.description.descriptions[i] =
 -            malloc(sizeof(MMDB_description_s));
 +            calloc(1, sizeof(MMDB_description_s));
         if (NULL == mmdb->metadata.description.descriptions[i]) {
             status = MMDB_OUT_OF_MEMORY_ERROR;
             goto cleanup;
@@ -1140,7 +1140,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
     MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
                               MMDB_INVALID_METADATA_ERROR);
 -    const char **path = malloc((length + 1) * sizeof(const char *));
 +    const char **path = calloc(length + 1, sizeof(const char *));
     if (NULL == path) {
         return MMDB_OUT_OF_MEMORY_ERROR;
     }
@@ -2000,6 +2000,7 @@ LOCAL MMDB_entry_data_list_s *dump_entry_data_list(
             char *hex_string =
                 bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes,
                              entry_data_list->entry_data.data_size);
 +
             if (NULL == hex_string) {
                 *status = MMDB_OUT_OF_MEMORY_ERROR;
                 return NULL;
@@ -2093,7 +2094,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
     char *hex_string;
     MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
 -    hex_string = malloc((size * 2) + 1);
 +    hex_string = calloc((size * 2) + 1, sizeof(char));
     if (NULL == hex_string) {
         return NULL;
     }
@@ -2102,6 +2103,8 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
         sprintf(hex_string + (2 * i), "%02X", bytes[i]);
     }
 +
 +
     return hex_string;
 }
 -- 
 1.8.3.1
--- a/backport-Check-all-calloc-malloc-return-values.patch
+++ b/backport-Check-all-calloc-malloc-return-values.patch
@ -0,0 +1,57 @@
 From ec946c10d7bdad4215185b49d672d1508e0af4b1 Mon Sep 17 00:00:00 2001
 From: Gregory Oschwald <goschwald@maxmind.com>
 Date: Wed, 17 Feb 2021 14:18:06 -0800
 Subject: [PATCH] Check all calloc/malloc return values. Closes #252.
 ---
 bin/mmdblookup.c   | 4 ++++
 t/basic_lookup_t.c | 3 +++
 t/threads_t.c      | 3 +++
 3 files changed, 10 insertions(+)
 diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
 index 7f78773..9a8eb67 100644
 --- a/bin/mmdblookup.c
 +++ b/bin/mmdblookup.c
@@ -185,6 +185,10 @@ LOCAL const char **get_options(int argc, char **argv, char **mmdb_file,
     const char **lookup_path =
         calloc((argc - optind) + 1, sizeof(const char *));
 +    if (!lookup_path) {
 +        fprintf(stderr, "calloc(): %s\n", strerror(errno));
 +        exit(1);
 +    }
     int i;
     for (i = 0; i < argc - optind; i++) {
         lookup_path[i] = argv[i + optind];
 diff --git a/t/basic_lookup_t.c b/t/basic_lookup_t.c
 index 7855919..5da0673 100644
 --- a/t/basic_lookup_t.c
 +++ b/t/basic_lookup_t.c
@@ -31,6 +31,9 @@ void test_one_result(MMDB_s *mmdb, MMDB_lookup_result_s result,
         // something like "::1.2.3.4", not just "1.2.3.4".
         int maxlen = strlen(expect) + 3;
         real_expect = malloc(maxlen);
 +        if (!real_expect) {
 +            BAIL_OUT("could not allocate memory");
 +        }
         snprintf(real_expect, maxlen, "::%s", expect);
     }
 diff --git a/t/threads_t.c b/t/threads_t.c
 index 23cd0ee..be060d3 100644
 --- a/t/threads_t.c
 +++ b/t/threads_t.c
@@ -68,6 +68,9 @@ void *run_one_thread(void *arg)
     const char *ip = thread_arg->ip_to_lookup;
     test_result_s *result = malloc(sizeof(test_result_s));
 +    if (!result) {
 +        BAIL_OUT("could not allocate memory");
 +    }
     test_one_ip(mmdb, ip, result);
     pthread_exit((void *)result);
 -- 
 1.8.3.1
--- a/libmaxminddb.spec
+++ b/libmaxminddb.spec
@ -1,11 +1,14 @@
 Name:           libmaxminddb
 Version:        1.2.0
-Release:        7
+Release:        8
 Summary:        C library for working with MaxMind DB files
 License:        ASL 2.0 and BSD
 URL:            https://github.com/maxmind/libmaxminddb
 Source0:        https://github.com/maxmind/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch6000:      backport-CVE-2020-28241.patch
 Patch6001:      backport-Check-all-calloc-malloc-return-values.patch
 BuildRequires:  gcc perl-interpreter
 %description
@ -35,7 +38,7 @@ Summary:       man information and changelog document for user
 the help package include man information and changelog document for user.
 %prep
-%autosetup
+%autosetup -p1
 %build
 %configure --disable-static
@ -69,5 +72,8 @@ LD_PRELOAD=%{buildroot}%{_libdir}/libmaxminddb.so make check
 %{_mandir}/man3/*
 %changelog
 * Sat Jul 24 2021 shixuantong <shixuantong@huawei.com> - 1.2.0-8
 - fix CVE-2020-28241
 * Tue Sep 3 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.2.0-7
 - Package init