1*4882a593SmuzhiyunFrom 0b7f347638153e403ee2dd518af3ce26f4f99647 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Darren Kenny <darren.kenny@oracle.com>
3*4882a593SmuzhiyunDate: Thu, 5 Nov 2020 10:57:14 +0000
4*4882a593SmuzhiyunSubject: [PATCH] gnulib/regexec: Fix possible null-dereference
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunIt appears to be possible that the mctx->state_log field may be NULL,
7*4882a593Smuzhiyunand the name of this function, clean_state_log_if_needed(), suggests
8*4882a593Smuzhiyunthat it should be checking that it is valid to be cleaned before
9*4882a593Smuzhiyunassuming that it does.
10*4882a593Smuzhiyun
11*4882a593SmuzhiyunFixes: CID 86720
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunSigned-off-by: Darren Kenny <darren.kenny@oracle.com>
14*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15*4882a593Smuzhiyun[Add changes to generated files]
16*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
17*4882a593Smuzhiyun---
18*4882a593Smuzhiyun Makefile.in | 1 +
19*4882a593Smuzhiyun conf/Makefile.extra-dist | 1 +
20*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch | 12 ++++++++++++
21*4882a593Smuzhiyun grub-core/lib/gnulib/regexec.c | 3 +++
22*4882a593Smuzhiyun 4 files changed, 17 insertions(+)
23*4882a593Smuzhiyun create mode 100644 grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
24*4882a593Smuzhiyun
25*4882a593Smuzhiyundiff --git a/Makefile.in b/Makefile.in
26*4882a593Smuzhiyunindex 812b7c2..d9da6e9 100644
27*4882a593Smuzhiyun--- a/Makefile.in
28*4882a593Smuzhiyun+++ b/Makefile.in
29*4882a593Smuzhiyun@@ -2743,6 +2743,7 @@ EXTRA_DIST = autogen.sh geninit.sh gentpl.py Makefile.util.def \
30*4882a593Smuzhiyun grub-core/genemuinit.sh grub-core/genemuinitheader.sh \
31*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-null-deref.patch \
32*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-null-state-deref.patch \
33*4882a593Smuzhiyun+ grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch \
34*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-uninit-structure.patch \
35*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-unused-value.patch \
36*4882a593Smuzhiyun grub-core/lib/gnulib-patches/fix-width.patch \
37*4882a593Smuzhiyundiff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
38*4882a593Smuzhiyunindex 96d7e69..d27d3a9 100644
39*4882a593Smuzhiyun--- a/conf/Makefile.extra-dist
40*4882a593Smuzhiyun+++ b/conf/Makefile.extra-dist
41*4882a593Smuzhiyun@@ -30,6 +30,7 @@ EXTRA_DIST += grub-core/genemuinitheader.sh
42*4882a593Smuzhiyun 
43*4882a593Smuzhiyun EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-deref.patch
44*4882a593Smuzhiyun EXTRA_DIST += grub-core/lib/gnulib-patches/fix-null-state-deref.patch
45*4882a593Smuzhiyun+EXTRA_DIST += grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
46*4882a593Smuzhiyun EXTRA_DIST += grub-core/lib/gnulib-patches/fix-uninit-structure.patch
47*4882a593Smuzhiyun EXTRA_DIST += grub-core/lib/gnulib-patches/fix-unused-value.patch
48*4882a593Smuzhiyun EXTRA_DIST += grub-core/lib/gnulib-patches/fix-width.patch
49*4882a593Smuzhiyundiff --git a/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
50*4882a593Smuzhiyunnew file mode 100644
51*4882a593Smuzhiyunindex 0000000..db6dac9
52*4882a593Smuzhiyun--- /dev/null
53*4882a593Smuzhiyun+++ b/grub-core/lib/gnulib-patches/fix-regexec-null-deref.patch
54*4882a593Smuzhiyun@@ -0,0 +1,12 @@
55*4882a593Smuzhiyun+--- a/lib/regexec.c 2020-10-21 14:25:35.310195912 +0000
56*4882a593Smuzhiyun++++ b/lib/regexec.c 2020-11-05 10:55:09.621542984 +0000
57*4882a593Smuzhiyun+@@ -1692,6 +1692,9 @@
58*4882a593Smuzhiyun+ {
59*4882a593Smuzhiyun+ Idx top = mctx->state_log_top;
60*4882a593Smuzhiyun+ 
61*4882a593Smuzhiyun++ if (mctx->state_log == NULL)
62*4882a593Smuzhiyun++ return REG_NOERROR;
63*4882a593Smuzhiyun++ 
64*4882a593Smuzhiyun+ if ((next_state_log_idx >= mctx->input.bufs_len
65*4882a593Smuzhiyun+ && mctx->input.bufs_len < mctx->input.len)
66*4882a593Smuzhiyun+ || (next_state_log_idx >= mctx->input.valid_len
67*4882a593Smuzhiyundiff --git a/grub-core/lib/gnulib/regexec.c b/grub-core/lib/gnulib/regexec.c
68*4882a593Smuzhiyunindex 98a25f5..df97667 100644
69*4882a593Smuzhiyun--- a/grub-core/lib/gnulib/regexec.c
70*4882a593Smuzhiyun+++ b/grub-core/lib/gnulib/regexec.c
71*4882a593Smuzhiyun@@ -1696,6 +1696,9 @@ clean_state_log_if_needed (re_match_context_t *mctx, Idx next_state_log_idx)
72*4882a593Smuzhiyun {
73*4882a593Smuzhiyun Idx top = mctx->state_log_top;
74*4882a593Smuzhiyun 
75*4882a593Smuzhiyun+ if (mctx->state_log == NULL)
76*4882a593Smuzhiyun+ return REG_NOERROR;
77*4882a593Smuzhiyun+ 
78*4882a593Smuzhiyun if ((next_state_log_idx >= mctx->input.bufs_len
79*4882a593Smuzhiyun && mctx->input.bufs_len < mctx->input.len)
80*4882a593Smuzhiyun || (next_state_log_idx >= mctx->input.valid_len
81*4882a593Smuzhiyun--
82*4882a593Smuzhiyun2.14.2
83*4882a593Smuzhiyun
84
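Review bot: The added `if (mctx->state_log == NULL) return REG_NOERROR;` in the regexec.c hunk returns before the buffer-extension branch that the visible `if ((next_state_log_idx >= mctx->input.bufs_len ...` condition guards, so for a NULL log this function now also stops growing the input buffers, not just the state log; the rest of clean_state_log_if_needed, including the extend_buffers call and the memset of the log, lies outside the hunk. If the only hazard is the later indexing of state_log, the guard is narrower if placed after the extension block and in front of the stage that writes the log, leaving the input-buffer growth in place for a NULL log. Whether any caller reaches this function with a NULL state_log cannot be confirmed from the hunk, so a short comment justifying the chosen return value for that case, e.g. `/* No state log allocated: nothing to clean, and callers without one never index it. */`, would make the decision reviewable. The identical hunk in the new gnulib-patches/fix-regexec-null-deref.patch file carries the same question.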