From patchwork Tue Nov  3 20:55:50 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arjun Shankar <arjun.is@lostca.se>
X-Patchwork-Id: 40957
Return-Path: <libc-alpha-bounces@sourceware.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id EC880386101F;
	Tue,  3 Nov 2020 20:55:55 +0000 (GMT)
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from aloka.lostca.se (aloka.lostca.se [IPv6:2a01:4f8:120:624c::2])
 by sourceware.org (Postfix) with ESMTPS id 478C33858020;
 Tue,  3 Nov 2020 20:55:53 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 478C33858020
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=lostca.se
Authentication-Results: sourceware.org;
 spf=pass smtp.mailfrom=arjun.is@lostca.se
Received: from aloka.lostca.se (aloka [127.0.0.1])
 by aloka.lostca.se (Postfix) with ESMTP id B0D4A176F9;
 Tue,  3 Nov 2020 20:55:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=lostca.se; h=date:from:to
 :cc:subject:message-id:mime-version:content-type; s=howrah; bh=u
 Ar1IgHqJi5MurS1IZZEW2p6Je0=; b=IuA6sWaOFqnuYWAnzyoAYxxOymBPiA5g+
 5+vFZHZrlp7PwDzJb4OlVhodY/HWWfVQcB2Z0N42FVYwJbhazyuRqKcDdxx2CCc6
 YuSCpWMGk5Ubvs3AG0MtiAQ8NKvKW7EK1QjZSct0qE9xozimHfLu6M7Fycg6YEKN
 n99xBcZidc=
Received: from localhost (unknown [IPv6:2a01:4f8:120:624c::25])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by aloka.lostca.se (Postfix) with ESMTPSA id 73BB5176F8;
 Tue,  3 Nov 2020 20:55:51 +0000 (UTC)
Date: Tue, 3 Nov 2020 20:55:50 +0000
From: Arjun Shankar <arjun.is@lostca.se>
To: libc-alpha@sourceware.org
Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
 #26224]
Message-ID: <20201103205549.GA56271@aloka.lostca.se>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-10.8 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, SPF_HELO_NONE,
 SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Cc: Florian Weimer <fweimer@redhat.com>,
 Siddhesh Poyarekar <siddhesh@sourceware.org>
Errors-To: libc-alpha-bounces@sourceware.org
Sender: "Libc-alpha" <libc-alpha-bounces@sourceware.org>

From: Arjun Shankar <arjun@redhat.com>

The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
share converter logic (iconvdata/ibm1364.c) which would reject
redundant shift sequences when processing input in these character
sets.  This led to a hang in the iconv program (CVE-2020-27618).

This commit adjusts the converter to ignore redundant shift sequences
and adds test cases for iconv_prog hangs that would be triggered upon
their rejection.  This brings the implementation in line with other
converters that also ignore redundant shift sequences (e.g. IBM930
etc., fixed in commit 692de4b3960d).
---
 iconv/tst-iconv_prog.sh | 16 ++++++++++------
 iconvdata/ibm1364.c     | 14 ++------------
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh
index 8298136b7f..d8db7b335c 100644
--- a/iconv/tst-iconv_prog.sh
+++ b/iconv/tst-iconv_prog.sh
@@ -102,12 +102,16 @@ hangarray=(
 "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE"
 "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE"
 "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE"
-# These are known hangs that are yet to be fixed:
-# "\x00\x0f;-c;IBM1364;UTF-8"
-# "\x00\x0f;-c;IBM1371;UTF-8"
-# "\x00\x0f;-c;IBM1388;UTF-8"
-# "\x00\x0f;-c;IBM1390;UTF-8"
-# "\x00\x0f;-c;IBM1399;UTF-8"
+"\x00\x0f;-c;IBM1364;UTF-8"
+"\x0e\x0e;-c;IBM1364;UTF-8"
+"\x00\x0f;-c;IBM1371;UTF-8"
+"\x0e\x0e;-c;IBM1371;UTF-8"
+"\x00\x0f;-c;IBM1388;UTF-8"
+"\x0e\x0e;-c;IBM1388;UTF-8"
+"\x00\x0f;-c;IBM1390;UTF-8"
+"\x0e\x0e;-c;IBM1390;UTF-8"
+"\x00\x0f;-c;IBM1399;UTF-8"
+"\x0e\x0e;-c;IBM1399;UTF-8"
 "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE"
 "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE"
 "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE"
diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
index 49e7267ab4..521f0825b7 100644
--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -158,24 +158,14 @@ enum
 									      \
     if (__builtin_expect (ch, 0) == SO)					      \
       {									      \
-	/* Shift OUT, change to DBCS converter.  */			      \
-	if (curcs == db)						      \
-	  {								      \
-	    result = __GCONV_ILLEGAL_INPUT;				      \
-	    break;							      \
-	  }								      \
+	/* Shift OUT, change to DBCS converter (redundant escape okay).  */   \
 	curcs = db;							      \
 	++inptr;							      \
 	continue;							      \
       }									      \
     if (__builtin_expect (ch, 0) == SI)					      \
       {									      \
-	/* Shift IN, change to SBCS converter.  */			      \
-	if (curcs == sb)						      \
-	  {								      \
-	    result = __GCONV_ILLEGAL_INPUT;				      \
-	    break;							      \
-	  }								      \
+	/* Shift IN, change to SBCS converter (redundant escape okay).  */    \
 	curcs = sb;							      \
 	++inptr;							      \
 	continue;							      \