From patchwork Tue Nov 3 22:21:51 2020
X-Patchwork-Submitter: Arjun Shankar
X-Patchwork-Id: 40958
Date: Tue, 3 Nov 2020 22:21:51 +0000
To: libc-alpha@sourceware.org, Florian Weimer
Subject: [PATCH v2] iconv: Accept redundant shift sequences in IBM1364 [BZ #26224]
Message-ID: <20201103222150.GA58255@aloka.lostca.se>
From: Arjun Shankar
Cc: Siddhesh Poyarekar

From: Arjun Shankar

The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets share converter logic (iconvdata/ibm1364.c) which would reject redundant shift sequences when processing input in these character sets. This led to a hang in the iconv program (CVE-2020-27618).

This commit adjusts the converter to ignore redundant shift sequences and adds test cases for iconv_prog hangs that would be triggered upon their rejection. This brings the implementation in line with other converters that also ignore redundant shift sequences (e.g. IBM930 etc., fixed in commit 692de4b3960d).

Reviewed-by: Carlos O'Donell
---
v2: Added a NEWS entry.

 NEWS                    |  4 +++-
 iconv/tst-iconv_prog.sh | 16 ++++++++++------
 iconvdata/ibm1364.c     | 14 ++------------
 3 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/NEWS b/NEWS index 4307c4b1b0..0335fb98e5 100644 --- a/NEWS +++ b/NEWS @@ -58,7 +58,9 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2020-27618: An infinite loop has been fixed in the iconv program when + invoked with input containing redundant shift sequences in the IBM1364, + IBM1371, IBM1388, IBM1390, or IBM1399 character sets. The following bugs are resolved with this release: diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh index 8298136b7f..d8db7b335c 100644 
--- a/iconv/tst-iconv_prog.sh +++ b/iconv/tst-iconv_prog.sh @@ -102,12 +102,16 @@ hangarray=( "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE" "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE" "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE" -# These are known hangs that are yet to be fixed: -# "\x00\x0f;-c;IBM1364;UTF-8" -# "\x00\x0f;-c;IBM1371;UTF-8" -# "\x00\x0f;-c;IBM1388;UTF-8" -# "\x00\x0f;-c;IBM1390;UTF-8" -# "\x00\x0f;-c;IBM1399;UTF-8" +"\x00\x0f;-c;IBM1364;UTF-8" +"\x0e\x0e;-c;IBM1364;UTF-8" +"\x00\x0f;-c;IBM1371;UTF-8" +"\x0e\x0e;-c;IBM1371;UTF-8" +"\x00\x0f;-c;IBM1388;UTF-8" +"\x0e\x0e;-c;IBM1388;UTF-8" +"\x00\x0f;-c;IBM1390;UTF-8" +"\x0e\x0e;-c;IBM1390;UTF-8" +"\x00\x0f;-c;IBM1399;UTF-8" +"\x0e\x0e;-c;IBM1399;UTF-8" "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE" "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE" "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE" diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c index 49e7267ab4..521f0825b7 100644 --- a/iconvdata/ibm1364.c +++ b/iconvdata/ibm1364.c @@ -158,24 +158,14 @@ enum \ if (__builtin_expect (ch, 0) == SO) \ { \ - /* Shift OUT, change to DBCS converter. */ \ - if (curcs == db) \ - { \ - result = __GCONV_ILLEGAL_INPUT; \ - break; \ - } \ + /* Shift OUT, change to DBCS converter (redundant escape okay). */ \ curcs = db; \ ++inptr; \ continue; \ } \ if (__builtin_expect (ch, 0) == SI) \ { \ - /* Shift IN, change to SBCS converter. */ \ - if (curcs == sb) \ - { \ - result = __GCONV_ILLEGAL_INPUT; \ - break; \ - } \ + /* Shift IN, change to SBCS converter (redundant escape okay). */ \ curcs = sb; \ ++inptr; \ continue; \
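Review bot: In the NEWS hunk, the CVE-2020-27618 entry names only the infinite loop in the iconv program, but the iconvdata/ibm1364.c hunk changes the converter itself, which no longer returns __GCONV_ILLEGAL_INPUT for a redundant SO or SI. Consider adding a clause saying that redundant shift sequences in these five character sets are now accepted, so the behaviour change is documented for anyone who relied on the old rejection.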
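Review bot: In the iconv/tst-iconv_prog.sh hunk, the ten new entries are added to hangarray, so they only show that conversion terminates for "\x00\x0f" and "\x0e\x0e"; nothing checks what the converter produces once a redundant shift is accepted. Since ibm1364.c now sets curcs and continues instead of stopping, a small conversion test that places a redundant SO or SI in front of known-good input and compares the output would confirm the converter is left in the intended state. A one-line comment above the new entries saying which pair covers redundant SI and which covers redundant SO would also help the next reader.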
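Review bot: In the iconvdata/ibm1364.c hunk, the two new comments say "(redundant escape okay)", while SO and SI are shift characters and the commit message and NEWS entry both say "redundant shift sequences"; using "redundant shift okay" in both comments keeps the terminology consistent. Because the removed curcs == db and curcs == sb checks looked like deliberate validation, the comment could also point to BZ #26224 so that the rejection is not reintroduced later.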