Merge lp:~tdaitx/whoopsie/lp-1850608-security-regression into lp:whoopsie

Proposed by Tiago Stürmer Daitx on 2019-11-20
Status: Merged
Merged at revision: 710
Proposed branch: lp:~tdaitx/whoopsie/lp-1850608-security-regression
Merge into: lp:whoopsie
Diff against target: 341 lines (+54/-41)
6 files modified
debian/changelog (+8/-0)
lib/bson/bson.c (+29/-24)
lib/bson/bson.h (+6/-6)
lib/bson/encoding.c (+6/-6)
lib/bson/encoding.h (+2/-2)
src/whoopsie.c (+3/-3)
To merge this branch: bzr merge lp:~tdaitx/whoopsie/lp-1850608-security-regression
Reviewer Review Type Date Requested Status
Brian Murray 2019-11-20 Approve on 2019-11-20
Review via email: mp+375788@code.launchpad.net

Description of the change

This merge request sync whoopsie with the latest release in Focal (0.2.69), fixing the last security update which introduced a bug for big endian archs - it is also a improved fix from the previous release (0.2.68).

Changelog:
* SECURITY REGRESSION: segfault when sending crash report (LP: #1850608)
  - use uint32_t instead of size_t and INT32_MAX instead of INT_MAX
    as bson expects variable sizes to be 32 bits long.

To post a comment you must log in.
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'debian/changelog'
--- debian/changelog 2019-10-30 17:55:35 +0000
+++ debian/changelog 2019-11-20 20:32:05 +0000
@@ -1,3 +1,11 @@
1whoopsie (0.2.69) focal; urgency=medium
2
3 * SECURITY REGRESSION: segfault when sending crash report (LP: #1850608)
4 - use uint32_t instead of size_t and INT32_MAX instead of INT_MAX
5 as bson expects variable sizes to be 32 bits long.
6
7 -- Tiago Stürmer Daitx <tiago.daitx@ubuntu.com> Mon, 04 Nov 2019 23:33:08 +0000
8
1whoopsie (0.2.68) focal; urgency=medium9whoopsie (0.2.68) focal; urgency=medium
210
3 * lib/bson/bson.c: properly initialize bson_size variable.11 * lib/bson/bson.c: properly initialize bson_size variable.
412
=== modified file 'lib/bson/bson.c'
--- lib/bson/bson.c 2019-10-30 17:55:35 +0000
+++ lib/bson/bson.c 2019-11-20 20:32:05 +0000
@@ -24,7 +24,7 @@
24#include "bson.h"24#include "bson.h"
25#include "encoding.h"25#include "encoding.h"
2626
27const size_t initialBufferSize = 128;27const uint32_t initialBufferSize = 128;
2828
29/* only need one of these */29/* only need one of these */
30static const int zero = 0;30static const int zero = 0;
@@ -86,8 +86,8 @@
86 b->errstr = NULL;86 b->errstr = NULL;
87}87}
8888
89size_t bson_size( const bson *b ) {89uint32_t bson_size( const bson *b ) {
90 size_t i = 0;90 uint32_t i;
91 if ( ! b || ! b->data )91 if ( ! b || ! b->data )
92 return 0;92 return 0;
93 bson_little_endian32( &i, b->data );93 bson_little_endian32( &i, b->data );
@@ -567,7 +567,7 @@
567 BUILDING567 BUILDING
568 ------------------------------ */568 ------------------------------ */
569569
570static void _bson_init_size( bson *b, size_t size ) {570static void _bson_init_size( bson *b, uint32_t size ) {
571 if( size == 0 )571 if( size == 0 )
572 b->data = NULL;572 b->data = NULL;
573 else573 else
@@ -581,7 +581,7 @@
581 _bson_init_size( b, initialBufferSize );581 _bson_init_size( b, initialBufferSize );
582}582}
583583
584void bson_init_size( bson *b, size_t size ) {584void bson_init_size( bson *b, uint32_t size ) {
585 _bson_init_size( b, size );585 _bson_init_size( b, size );
586}586}
587587
@@ -590,7 +590,7 @@
590 b->cur++;590 b->cur++;
591}591}
592592
593void bson_append( bson *b, const void *data, size_t len ) {593void bson_append( bson *b, const void *data, uint32_t len ) {
594 memcpy( b->cur , data , len );594 memcpy( b->cur , data , len );
595 b->cur += len;595 b->cur += len;
596}596}
@@ -605,13 +605,13 @@
605 b->cur += 8;605 b->cur += 8;
606}606}
607607
608int bson_ensure_space( bson *b, const size_t bytesNeeded ) {608int bson_ensure_space( bson *b, const uint32_t bytesNeeded ) {
609 size_t pos = b->cur - b->data;609 uint32_t pos = b->cur - b->data;
610 char *orig = b->data;610 char *orig = b->data;
611 size_t new_size;611 uint32_t new_size;
612612
613 if ( bytesNeeded > INT_MAX || pos > INT_MAX || b->dataSize > INT_MAX ||613 if ( bytesNeeded > INT32_MAX || pos > INT32_MAX || b->dataSize > INT32_MAX ||
614 ( INT_MAX - b->dataSize ) < bytesNeeded || ( INT_MAX - pos) < bytesNeeded ) {614 ( INT32_MAX - b->dataSize ) < bytesNeeded || ( INT32_MAX - pos) < bytesNeeded ) {
615 b->err = BSON_SIZE_OVERFLOW;615 b->err = BSON_SIZE_OVERFLOW;
616 return BSON_ERROR;616 return BSON_ERROR;
617 }617 }
@@ -621,8 +621,8 @@
621621
622 new_size = 1.5 * ( b->dataSize + bytesNeeded );622 new_size = 1.5 * ( b->dataSize + bytesNeeded );
623623
624 if ( new_size > INT_MAX)624 if ( new_size > INT32_MAX)
625 new_size = INT_MAX;625 new_size = INT32_MAX;
626626
627 b->data = bson_realloc( b->data, new_size );627 b->data = bson_realloc( b->data, new_size );
628 if ( !b->data )628 if ( !b->data )
@@ -635,7 +635,7 @@
635}635}
636636
637int bson_finish( bson *b ) {637int bson_finish( bson *b ) {
638 size_t i;638 uint32_t i;
639639
640 if( b->err & BSON_NOT_UTF8 )640 if( b->err & BSON_NOT_UTF8 )
641 return BSON_ERROR;641 return BSON_ERROR;
@@ -659,8 +659,8 @@
659 b->finished = 1;659 b->finished = 1;
660}660}
661661
662static int bson_append_estart( bson *b, int type, const char *name, const size_t dataSize ) {662static int bson_append_estart( bson *b, int type, const char *name, const uint32_t dataSize ) {
663 const size_t len = strlen( name ) + 1;663 const uint32_t len = strlen( name ) + 1;
664664
665 if ( b->finished ) {665 if ( b->finished ) {
666 b->err |= BSON_ALREADY_FINISHED;666 b->err |= BSON_ALREADY_FINISHED;
@@ -726,9 +726,9 @@
726}726}
727727
728int bson_append_string_base( bson *b, const char *name,728int bson_append_string_base( bson *b, const char *name,
729 const char *value, size_t len, bson_type type ) {729 const char *value, uint32_t len, bson_type type ) {
730730
731 size_t sl = len + 1;731 uint32_t sl = len + 1;
732 if ( bson_check_string( b, ( const char * )value, sl - 1 ) == BSON_ERROR )732 if ( bson_check_string( b, ( const char * )value, sl - 1 ) == BSON_ERROR )
733 return BSON_ERROR;733 return BSON_ERROR;
734 if ( bson_append_estart( b, type, name, 4 + sl ) == BSON_ERROR ) {734 if ( bson_append_estart( b, type, name, 4 + sl ) == BSON_ERROR ) {
@@ -741,7 +741,12 @@
741}741}
742742
743int bson_append_string( bson *b, const char *name, const char *value ) {743int bson_append_string( bson *b, const char *name, const char *value ) {
744 return bson_append_string_base( b, name, value, strlen ( value ), BSON_STRING );744 size_t len = strlen ( value );
745
746 if ( len > INT32_MAX )
747 return BSON_ERROR;
748
749 return bson_append_string_base( b, name, value, len, BSON_STRING );
745}750}
746751
747int bson_append_symbol( bson *b, const char *name, const char *value ) {752int bson_append_symbol( bson *b, const char *name, const char *value ) {
@@ -835,7 +840,7 @@
835840
836int bson_append_element( bson *b, const char *name_or_null, const bson_iterator *elem ) {841int bson_append_element( bson *b, const char *name_or_null, const bson_iterator *elem ) {
837 bson_iterator next = *elem;842 bson_iterator next = *elem;
838 size_t size;843 uint32_t size;
839844
840 bson_iterator_next( &next );845 bson_iterator_next( &next );
841 size = next.cur - elem->cur;846 size = next.cur - elem->cur;
@@ -845,7 +850,7 @@
845 return BSON_ERROR;850 return BSON_ERROR;
846 bson_append( b, elem->cur, size );851 bson_append( b, elem->cur, size );
847 } else {852 } else {
848 size_t data_size = size - 2 - strlen( bson_iterator_key( elem ) );853 uint32_t data_size = size - 2 - strlen( bson_iterator_key( elem ) );
849 bson_append_estart( b, elem->cur[0], name_or_null, data_size );854 bson_append_estart( b, elem->cur[0], name_or_null, data_size );
850 bson_append( b, bson_iterator_value( elem ), data_size );855 bson_append( b, bson_iterator_value( elem ), data_size );
851 }856 }
@@ -888,7 +893,7 @@
888893
889int bson_append_finish_object( bson *b ) {894int bson_append_finish_object( bson *b ) {
890 char *start;895 char *start;
891 size_t i;896 uint32_t i;
892 if ( bson_ensure_space( b, 1 ) == BSON_ERROR ) return BSON_ERROR;897 if ( bson_ensure_space( b, 1 ) == BSON_ERROR ) return BSON_ERROR;
893 bson_append_byte( b , 0 );898 bson_append_byte( b , 0 );
894899
@@ -914,14 +919,14 @@
914 return old;919 return old;
915}920}
916921
917void *bson_malloc( size_t size ) {922void *bson_malloc( uint32_t size ) {
918 void *p;923 void *p;
919 p = bson_malloc_func( size );924 p = bson_malloc_func( size );
920 bson_fatal_msg( !!p, "malloc() failed" );925 bson_fatal_msg( !!p, "malloc() failed" );
921 return p;926 return p;
922}927}
923928
924void *bson_realloc( void *ptr, size_t size ) {929void *bson_realloc( void *ptr, uint32_t size ) {
925 void *p;930 void *p;
926 p = bson_realloc_func( ptr, size );931 p = bson_realloc_func( ptr, size );
927 bson_fatal_msg( !!p, "realloc() failed" );932 bson_fatal_msg( !!p, "realloc() failed" );
928933
=== modified file 'lib/bson/bson.h'
--- lib/bson/bson.h 2019-10-30 04:28:50 +0000
+++ lib/bson/bson.h 2019-11-20 20:32:05 +0000
@@ -86,7 +86,7 @@
86typedef struct {86typedef struct {
87 char *data;87 char *data;
88 char *cur;88 char *cur;
89 size_t dataSize;89 uint32_t dataSize;
90 bson_bool_t finished;90 bson_bool_t finished;
91 int stack[32];91 int stack[32];
92 int stackPos;92 int stackPos;
@@ -119,7 +119,7 @@
119 *119 *
120 * @return the size.120 * @return the size.
121 */121 */
122size_t bson_size( const bson *b );122uint32_t bson_size( const bson *b );
123123
124/**124/**
125 * Print a string representation of a BSON object.125 * Print a string representation of a BSON object.
@@ -546,7 +546,7 @@
546 *546 *
547 * @return BSON_OK or BSON_ERROR.547 * @return BSON_OK or BSON_ERROR.
548 */548 */
549void bson_init_size( bson *b, size_t size );549void bson_init_size( bson *b, uint32_t size );
550550
551/**551/**
552 * Grow a bson object.552 * Grow a bson object.
@@ -557,7 +557,7 @@
557 * @return BSON_OK or BSON_ERROR with the bson error object set.557 * @return BSON_OK or BSON_ERROR with the bson error object set.
558 * Exits if allocation fails.558 * Exits if allocation fails.
559 */559 */
560int bson_ensure_space( bson *b, const size_t bytesNeeded );560int bson_ensure_space( bson *b, const uint32_t bytesNeeded );
561561
562/**562/**
563 * Finalize a bson object.563 * Finalize a bson object.
@@ -930,7 +930,7 @@
930 *930 *
931 * @sa malloc(3)931 * @sa malloc(3)
932 */932 */
933void *bson_malloc( size_t size );933void *bson_malloc( uint32_t size );
934934
935/**935/**
936 * Changes the size of allocated memory and checks return value,936 * Changes the size of allocated memory and checks return value,
@@ -943,7 +943,7 @@
943 *943 *
944 * @sa realloc()944 * @sa realloc()
945 */945 */
946void *bson_realloc( void *ptr, size_t size );946void *bson_realloc( void *ptr, uint32_t size );
947947
948/**948/**
949 * Set a function for error handling.949 * Set a function for error handling.
950950
=== modified file 'lib/bson/encoding.c'
--- lib/bson/encoding.c 2019-10-30 04:28:50 +0000
+++ lib/bson/encoding.c 2019-11-20 20:32:05 +0000
@@ -67,7 +67,7 @@
67 * If presented with a length > 4, this returns 0. The Unicode67 * If presented with a length > 4, this returns 0. The Unicode
68 * definition of UTF-8 goes up to 4-byte sequences.68 * definition of UTF-8 goes up to 4-byte sequences.
69 */69 */
70static int isLegalUTF8( const unsigned char *source, size_t length ) {70static int isLegalUTF8( const unsigned char *source, uint32_t length ) {
71 unsigned char a;71 unsigned char a;
72 const unsigned char *srcptr = source + length;72 const unsigned char *srcptr = source + length;
73 switch ( length ) {73 switch ( length ) {
@@ -102,11 +102,11 @@
102}102}
103103
104static int bson_validate_string( bson *b, const unsigned char *string,104static int bson_validate_string( bson *b, const unsigned char *string,
105 const size_t length, const char check_utf8, const char check_dot,105 const uint32_t length, const char check_utf8, const char check_dot,
106 const char check_dollar ) {106 const char check_dollar ) {
107107
108 size_t position = 0;108 uint32_t position = 0;
109 size_t sequence_length = 1;109 uint32_t sequence_length = 1;
110110
111 if( check_dollar && string[0] == '$' ) {111 if( check_dollar && string[0] == '$' ) {
112 b->err |= BSON_FIELD_INIT_DOLLAR;112 b->err |= BSON_FIELD_INIT_DOLLAR;
@@ -136,13 +136,13 @@
136136
137137
138int bson_check_string( bson *b, const char *string,138int bson_check_string( bson *b, const char *string,
139 const size_t length ) {139 const uint32_t length ) {
140140
141 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 0, 0 );141 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 0, 0 );
142}142}
143143
144int bson_check_field_name( bson *b, const char *string,144int bson_check_field_name( bson *b, const char *string,
145 const size_t length ) {145 const uint32_t length ) {
146146
147 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 1, 1 );147 return bson_validate_string( b, ( const unsigned char * )string, length, 1, 1, 1 );
148}148}
149149
=== modified file 'lib/bson/encoding.h'
--- lib/bson/encoding.h 2019-10-30 04:28:50 +0000
+++ lib/bson/encoding.h 2019-11-20 20:32:05 +0000
@@ -35,7 +35,7 @@
35 * Set the value of b->err appropriately.35 * Set the value of b->err appropriately.
36 */36 */
37int bson_check_field_name( bson *b, const char *string,37int bson_check_field_name( bson *b, const char *string,
38 const size_t length );38 const uint32_t length );
3939
40/**40/**
41 * Check that a string is valid UTF8. Sets the buffer bit field appropriately.41 * Check that a string is valid UTF8. Sets the buffer bit field appropriately.
@@ -48,7 +48,7 @@
48 * Sets b->err on error.48 * Sets b->err on error.
49 */49 */
50bson_bool_t bson_check_string( bson *b, const char *string,50bson_bool_t bson_check_string( bson *b, const char *string,
51 const size_t length );51 const uint32_t length );
5252
53MONGO_EXTERN_C_END53MONGO_EXTERN_C_END
54#endif54#endif
5555
=== modified file 'src/whoopsie.c'
--- src/whoopsie.c 2019-10-30 04:28:50 +0000
+++ src/whoopsie.c 2019-11-20 20:32:05 +0000
@@ -261,7 +261,7 @@
261261
262gboolean262gboolean
263bsonify (GHashTable* report, bson* b, const char** bson_message,263bsonify (GHashTable* report, bson* b, const char** bson_message,
264 size_t* bson_message_len)264 uint32_t* bson_message_len)
265{265{
266 /* Attempt to convert a #GHashTable of the report into a BSON string.266 /* Attempt to convert a #GHashTable of the report into a BSON string.
267 * On error return %FALSE. */267 * On error return %FALSE. */
@@ -295,7 +295,7 @@
295}295}
296296
297int297int
298upload_report (const char* message_data, size_t message_len, GString *s)298upload_report (const char* message_data, uint32_t message_len, GString *s)
299{299{
300 CURL* curl = NULL;300 CURL* curl = NULL;
301 CURLcode result_code = 0;301 CURLcode result_code = 0;
@@ -665,7 +665,7 @@
665{665{
666 GHashTable* report = NULL;666 GHashTable* report = NULL;
667 gboolean success = FALSE;667 gboolean success = FALSE;
668 size_t message_len = 0;668 uint32_t message_len = 0;
669 const char* message_data = NULL;669 const char* message_data = NULL;
670 GError* error = NULL;670 GError* error = NULL;
671 bson b[1];671 bson b[1];

Subscribers

People subscribed via source and target branches

to status/vote changes: