[packages/libuv.git] / CVE-2021-22918.patch

From b7466e31e4bee160d82a68fca11b1f61d46debae Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Fri, 21 May 2021 11:23:36 +0200
Subject: [PATCH] idna: fix OOB read in punycode decoder

libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()
function which is used to convert strings to ASCII. This is called by
the DNS resolution function and can lead to information disclosures or
crashes.

Reported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.

Reported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Fixes: https://github.com/libuv/libuv/issues/3147
PR-URL: https://github.com/libuv/libuv-private/pull/1
Refs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
---
 src/idna.c       | 49 +++++++++++++++++++++++++++++++++++-------------
 test/test-idna.c | 19 +++++++++++++++++++
 test/test-list.h |  2 ++
 3 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/src/idna.c b/src/idna.c
index 13ffac6be8..b44cb16a1e 100644
--- a/src/idna.c
+++ b/src/idna.c
@@ -19,6 +19,7 @@
 
 #include "uv.h"
 #include "idna.h"
+#include <assert.h>
 #include <string.h>
 
 static unsigned uv__utf8_decode1_slow(const char** p,
@@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(const char** p,
   if (a > 0xF7)
     return -1;
 
-  switch (*p - pe) {
+  switch (pe - *p) {
   default:
     if (a > 0xEF) {
       min = 0x10000;
@@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
       a = 0;
       break;
     }
+    /* Fall through. */
+  case 0:
     return -1;  /* Invalid continuation byte. */
   }
 
@@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
 unsigned uv__utf8_decode1(const char** p, const char* pe) {
   unsigned a;
 
+  assert(*p < pe);
+
   a = (unsigned char) *(*p)++;
 
   if (a < 128)
@@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p, const char* pe) {
   return uv__utf8_decode1_slow(p, pe, a);
 }
 
-#define foreach_codepoint(c, p, pe) \
-  for (; (void) (*p <= pe && (c = uv__utf8_decode1(p, pe))), *p <= pe;)
-
 static int uv__idna_toascii_label(const char* s, const char* se,
                                   char** d, char* de) {
   static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
@@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const char* s, const char* se,
   ss = s;
   todo = 0;
 
-  foreach_codepoint(c, &s, se) {
+  /* Note: after this loop we've visited all UTF-8 characters and know
+   * they're legal so we no longer need to check for decode errors.
+   */
+  while (s < se) {
+    c = uv__utf8_decode1(&s, se);
+
+    if (c == -1u)
+      return UV_EINVAL;
+
     if (c < 128)
       h++;
-    else if (c == (unsigned) -1)
-      return UV_EINVAL;
     else
       todo++;
   }
 
+  /* Only write "xn--" when there are non-ASCII characters. */
   if (todo > 0) {
     if (*d < de) *(*d)++ = 'x';
     if (*d < de) *(*d)++ = 'n';
@@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const char* s, const char* se,
     if (*d < de) *(*d)++ = '-';
   }
 
+  /* Write ASCII characters. */
   x = 0;
   s = ss;
-  foreach_codepoint(c, &s, se) {
+  while (s < se) {
+    c = uv__utf8_decode1(&s, se);
+    assert(c != -1u);
+
     if (c > 127)
       continue;
 
@@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const char* s, const char* se,
   while (todo > 0) {
     m = -1;
     s = ss;
-    foreach_codepoint(c, &s, se)
+
+    while (s < se) {
+      c = uv__utf8_decode1(&s, se);
+      assert(c != -1u);
+
       if (c >= n)
         if (c < m)
           m = c;
+    }
 
     x = m - n;
     y = h + 1;
@@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const char* s, const char* se,
     n = m;
 
     s = ss;
-    foreach_codepoint(c, &s, se) {
+    while (s < se) {
+      c = uv__utf8_decode1(&s, se);
+      assert(c != -1u);
+
       if (c < n)
         if (++delta == 0)
           return UV_E2BIG;  /* Overflow. */
@@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const char* s, const char* se,
   return 0;
 }
 
-#undef foreach_codepoint
-
 long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
   const char* si;
   const char* st;
@@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
 
   ds = d;
 
-  for (si = s; si < se; /* empty */) {
+  si = s;
+  while (si < se) {
     st = si;
     c = uv__utf8_decode1(&si, se);
 
+    if (c == -1u)
+      return UV_EINVAL;
+
     if (c != '.')
       if (c != 0x3002)  /* 。 */
         if (c != 0xFF0E)  /* ． */
diff --git a/test/test-idna.c b/test/test-idna.c
index b76853cb99..f4fad9653d 100644
--- a/test/test-idna.c
+++ b/test/test-idna.c
@@ -96,6 +96,25 @@ TEST_IMPL(utf8_decode1) {
   return 0;
 }
 
+TEST_IMPL(utf8_decode1_overrun) {
+  const char* p;
+  char b[1];
+
+  /* Single byte. */
+  p = b;
+  b[0] = 0x7F;
+  ASSERT_EQ(0x7F, uv__utf8_decode1(&p, b + 1));
+  ASSERT_EQ(p, b + 1);
+
+  /* Multi-byte. */
+  p = b;
+  b[0] = 0xC0;
+  ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
+  ASSERT_EQ(p, b + 1);
+
+  return 0;
+}
+
 /* Doesn't work on z/OS because that platform uses EBCDIC, not ASCII. */
 #ifndef __MVS__
 
diff --git a/test/test-list.h b/test/test-list.h
index c3c6002ea3..424eea07fa 100644
--- a/test/test-list.h
+++ b/test/test-list.h
@@ -528,6 +528,7 @@ TEST_DECLARE  (fork_threadpool_queue_work_simple)
 
 TEST_DECLARE  (idna_toascii)
 TEST_DECLARE  (utf8_decode1)
+TEST_DECLARE  (utf8_decode1_overrun)
 TEST_DECLARE  (uname)
 
 TEST_DECLARE  (metrics_idle_time)
@@ -1124,6 +1125,7 @@ TASK_LIST_START
 #endif
 
   TEST_ENTRY  (utf8_decode1)
+  TEST_ENTRY  (utf8_decode1_overrun)
   TEST_ENTRY  (uname)
 
 /* Doesn't work on z/OS because that platform uses EBCDIC, not ASCII. */
Commit	Line	Data
52b5b29e JP	1	From b7466e31e4bee160d82a68fca11b1f61d46debae Mon Sep 17 00:00:00 2001
	2	From: Ben Noordhuis <info@bnoordhuis.nl>
	3	Date: Fri, 21 May 2021 11:23:36 +0200
	4	Subject: [PATCH] idna: fix OOB read in punycode decoder
	5
	6	libuv was vulnerable to out-of-bounds reads in the uv__idna_toascii()
	7	function which is used to convert strings to ASCII. This is called by
	8	the DNS resolution function and can lead to information disclosures or
	9	crashes.
	10
	11	Reported by Eric Sesterhenn in collaboration with Cure53 and ExpressVPN.
	12
	13	Reported-By: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
	14	Fixes: https://github.com/libuv/libuv/issues/3147
	15	PR-URL: https://github.com/libuv/libuv-private/pull/1
	16	Refs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
	17	Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
	18	Reviewed-By: Richard Lau <riclau@uk.ibm.com>
	19	---
	20	src/idna.c \| 49 +++++++++++++++++++++++++++++++++++-------------
	21	test/test-idna.c \| 19 +++++++++++++++++++
	22	test/test-list.h \| 2 ++
	23	3 files changed, 57 insertions(+), 13 deletions(-)
	24
	25	diff --git a/src/idna.c b/src/idna.c
	26	index 13ffac6be8..b44cb16a1e 100644
	27	--- a/src/idna.c
	28	+++ b/src/idna.c
	29	@@ -19,6 +19,7 @@
	30
	31	#include "uv.h"
	32	#include "idna.h"
	33	+#include <assert.h>
	34	#include <string.h>
	35
	36	static unsigned uv__utf8_decode1_slow(const char** p,
	37	@@ -32,7 +33,7 @@ static unsigned uv__utf8_decode1_slow(const char** p,
	38	if (a > 0xF7)
	39	return -1;
	40
	41	- switch (*p - pe) {
	42	+ switch (pe - *p) {
	43	default:
	44	if (a > 0xEF) {
	45	min = 0x10000;
	46	@@ -62,6 +63,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
	47	a = 0;
	48	break;
	49	}
	50	+ /* Fall through. */
	51	+ case 0:
	52	return -1; /* Invalid continuation byte. */
	53	}
	54
	55	@@ -88,6 +91,8 @@ static unsigned uv__utf8_decode1_slow(const char** p,
	56	unsigned uv__utf8_decode1(const char** p, const char* pe) {
	57	unsigned a;
	58
	59	+ assert(*p < pe);
	60	+
	61	a = (unsigned char) (p)++;
	62
	63	if (a < 128)
	64	@@ -96,9 +101,6 @@ unsigned uv__utf8_decode1(const char** p, const char* pe) {
65	return uv__utf8_decode1_slow(p, pe, a);
66	}
67
68	-#define foreach_codepoint(c, p, pe) \
69	- for (; (void) (p <= pe && (c = uv__utf8_decode1(p, pe))), p <= pe;)
70	-
71	static int uv__idna_toascii_label(const char* s, const char* se,
72	char** d, char* de) {
73	static const char alphabet[] = "abcdefghijklmnopqrstuvwxyz0123456789";
74	@@ -121,15 +123,22 @@ static int uv__idna_toascii_label(const char* s, const char* se,
75	ss = s;
76	todo = 0;
77
78	- foreach_codepoint(c, &s, se) {
79	+ /* Note: after this loop we've visited all UTF-8 characters and know
80	+ * they're legal so we no longer need to check for decode errors.
81	+ */
82	+ while (s < se) {
83	+ c = uv__utf8_decode1(&s, se);
84	+
85	+ if (c == -1u)
86	+ return UV_EINVAL;
87	+
88	if (c < 128)
89	h++;
90	- else if (c == (unsigned) -1)
91	- return UV_EINVAL;
92	else
93	todo++;
94	}
95
96	+ /* Only write "xn--" when there are non-ASCII characters. */
97	if (todo > 0) {
98	if (d < de) (*d)++ = 'x';
99	if (d < de) (*d)++ = 'n';
100	@@ -137,9 +146,13 @@ static int uv__idna_toascii_label(const char* s, const char* se,
101	if (d < de) (*d)++ = '-';
102	}
103
104	+ /* Write ASCII characters. */
105	x = 0;
106	s = ss;
107	- foreach_codepoint(c, &s, se) {
108	+ while (s < se) {
109	+ c = uv__utf8_decode1(&s, se);
110	+ assert(c != -1u);
111	+
112	if (c > 127)
113	continue;
114
115	@@ -166,10 +179,15 @@ static int uv__idna_toascii_label(const char* s, const char* se,
116	while (todo > 0) {
117	m = -1;
118	s = ss;
119	- foreach_codepoint(c, &s, se)
120	+
121	+ while (s < se) {
122	+ c = uv__utf8_decode1(&s, se);
123	+ assert(c != -1u);
124	+
125	if (c >= n)
126	if (c < m)
127	m = c;
128	+ }
129
130	x = m - n;
131	y = h + 1;
132	@@ -181,7 +199,10 @@ static int uv__idna_toascii_label(const char* s, const char* se,
133	n = m;
134
135	s = ss;
136	- foreach_codepoint(c, &s, se) {
137	+ while (s < se) {
138	+ c = uv__utf8_decode1(&s, se);
139	+ assert(c != -1u);
140	+
141	if (c < n)
142	if (++delta == 0)
143	return UV_E2BIG; /* Overflow. */
144	@@ -245,8 +266,6 @@ static int uv__idna_toascii_label(const char* s, const char* se,
145	return 0;
146	}
147
148	-#undef foreach_codepoint
149	-
150	long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
151	const char* si;
152	const char* st;
153	@@ -256,10 +275,14 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
154
155	ds = d;
156
157	- for (si = s; si < se; /* empty */) {
158	+ si = s;
159	+ while (si < se) {
160	st = si;
161	c = uv__utf8_decode1(&si, se);
162
163	+ if (c == -1u)
164	+ return UV_EINVAL;
165	+
166	if (c != '.')
167	if (c != 0x3002) /* 。 */
168	if (c != 0xFF0E) /* ． */
169	diff --git a/test/test-idna.c b/test/test-idna.c
170	index b76853cb99..f4fad9653d 100644
171	--- a/test/test-idna.c
172	+++ b/test/test-idna.c
173	@@ -96,6 +96,25 @@ TEST_IMPL(utf8_decode1) {
174	return 0;
175	}
176
177	+TEST_IMPL(utf8_decode1_overrun) {
178	+ const char* p;
179	+ char b[1];
180	+
181	+ /* Single byte. */
182	+ p = b;
183	+ b[0] = 0x7F;
184	+ ASSERT_EQ(0x7F, uv__utf8_decode1(&p, b + 1));
185	+ ASSERT_EQ(p, b + 1);
186	+
187	+ /* Multi-byte. */
188	+ p = b;
189	+ b[0] = 0xC0;
190	+ ASSERT_EQ((unsigned) -1, uv__utf8_decode1(&p, b + 1));
191	+ ASSERT_EQ(p, b + 1);
192	+
193	+ return 0;
194	+}
195	+
196	/* Doesn't work on z/OS because that platform uses EBCDIC, not ASCII. */
197	#ifndef __MVS__
198
199	diff --git a/test/test-list.h b/test/test-list.h
200	index c3c6002ea3..424eea07fa 100644
201	--- a/test/test-list.h
202	+++ b/test/test-list.h
203	@@ -528,6 +528,7 @@ TEST_DECLARE (fork_threadpool_queue_work_simple)
204
205	TEST_DECLARE (idna_toascii)
206	TEST_DECLARE (utf8_decode1)
207	+TEST_DECLARE (utf8_decode1_overrun)
208	TEST_DECLARE (uname)
209
210	TEST_DECLARE (metrics_idle_time)
211	@@ -1124,6 +1125,7 @@ TASK_LIST_START
212	#endif
213
214	TEST_ENTRY (utf8_decode1)
215	+ TEST_ENTRY (utf8_decode1_overrun)
216	TEST_ENTRY (uname)
217
218	/* Doesn't work on z/OS because that platform uses EBCDIC, not ASCII. */