b.liu | e958203 | 2025-04-17 19:18:16 +0800
From: The FreeBSD Project
Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
The implementation of bspatch does not check for a negative value on numbers
of bytes read from the diff and extra streams, allowing an attacker who
can control the patch file to write at arbitrary locations in the heap.
.
bspatch's main loop reads three numbers from the "control" stream in
the patch: X, Y and Z. The first two are the number of bytes to read
from "diff" and "extra" (and thus only non-negative), while the
third one could be positive or negative and moves the oldpos pointer
on the source image. These 3 values are 64-bit signed ints (encoded
somehow in the file) that are later passed to the function that reads
from the streams, but those values are not verified to be
non-negative.
.
Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
The patch was downloaded from a link pointed to by
https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp

---
 bspatch.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/bspatch.c
+++ b/bspatch.c
@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
};

/* Sanity-check */
+ if ((ctrl[0] < 0) || (ctrl[1] < 0))
+ errx(1,"Corrupt patch\n");
+
+ /* Sanity-check */
if(newpos+ctrl[0]>newsize)
errx(1,"Corrupt patch\n");

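Review bot: The existing bound check that follows the new lines, `if(newpos+ctrl[0]>newsize)`, is still written as a sum of two signed 64-bit values, so a very large non-negative ctrl[0] (which the new `ctrl[0] < 0` test deliberately admits) can wrap the addition to a negative result and pass the comparison; rewriting it as `if(ctrl[0] > newsize-newpos)` keeps the intent without the overflow. Two smaller points on the added lines: the new block reuses the identical `/* Sanity-check */` comment twice in a row, so a comment saying what is rejected (negative diff/extra lengths) would make the two checks distinguishable when reading the function, and ctrl[2], which the description says may legitimately be negative, is not covered here, so please confirm the existing oldpos range check elsewhere in the loop rejects both out-of-range positive and negative offsets.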