From b428b49d8f2953ee0c26bd7a4770a4fe27b8e306 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 1 Jun 2023 15:43:45 +0300 Subject: gnu: libtommath: Prevent possible integer overflow. * gnu/packages/multiprecision.scm (libtommath)[source]: Add patch. * gnu/packages/patches/libtommath-integer-overflow.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/multiprecision.scm | 5 +- .../patches/libtommath-integer-overflow.patch | 140 +++++++++++++++++++++ 3 files changed, 144 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/libtommath-integer-overflow.patch diff --git a/gnu/local.mk b/gnu/local.mk index ba1b42fc05..df294564df 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1494,6 +1494,7 @@ dist_patch_DATA = \ %D%/packages/patches/libtirpc-CVE-2021-46828.patch \ %D%/packages/patches/libtirpc-hurd.patch \ %D%/packages/patches/libtommath-fix-linkage.patch \ + %D%/packages/patches/libtommath-integer-overflow.patch \ %D%/packages/patches/libtool-grep-compat.patch \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libusb-0.1-disable-tests.patch \ diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm index 6ba08be3a3..bb68ea06bf 100644 --- a/gnu/packages/multiprecision.scm +++ b/gnu/packages/multiprecision.scm @@ -6,7 +6,7 @@ ;;; Copyright © 2016, 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2018, 2019 Tobias Geerinckx-Rice ;;; Copyright © 2018 Eric Bavier -;;; Copyright © 2018, 2019, 2021 Efraim Flashner +;;; Copyright © 2018, 2019, 2021, 2023 Efraim Flashner ;;; Copyright © 2021 Vinicius Monego ;;; Copyright © 2022 Maxim Cournoyer ;;; @@ -450,7 +450,8 @@ number generators, public key cryptography and a plethora of other routines.") "download/v" version "/ltm-" version ".tar.xz")) (sha256 (base32 - "1c8q1qy88cjhdjlk3g24mra94h34c1ldvkjz0n2988c0yvn5xixp")))) + "1c8q1qy88cjhdjlk3g24mra94h34c1ldvkjz0n2988c0yvn5xixp")) + (patches (search-patches "libtommath-integer-overflow.patch")))) (build-system gnu-build-system) (arguments '(#:phases diff --git a/gnu/packages/patches/libtommath-integer-overflow.patch b/gnu/packages/patches/libtommath-integer-overflow.patch new file mode 100644 index 0000000000..5241726775 --- /dev/null +++ b/gnu/packages/patches/libtommath-integer-overflow.patch @@ -0,0 +1,140 @@ +This patch is from upstream: +https://github.com/libtom/libtommath/pull/546 + +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden +Date: Tue, 9 May 2023 17:17:12 +0200 +Subject: [PATCH] Fix possible integer overflow + +--- + bn_mp_2expt.c | 4 ++++ + bn_mp_grow.c | 4 ++++ + bn_mp_init_size.c | 5 +++++ + bn_mp_mul_2d.c | 4 ++++ + bn_s_mp_mul_digs.c | 4 ++++ + bn_s_mp_mul_digs_fast.c | 4 ++++ + bn_s_mp_mul_high_digs.c | 4 ++++ + bn_s_mp_mul_high_digs_fast.c | 4 ++++ + 8 files changed, 33 insertions(+) + +diff --git a/bn_mp_2expt.c b/bn_mp_2expt.c +index 0ae3df1bf..23de0c3c5 100644 +--- a/bn_mp_2expt.c ++++ b/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* zero a as per default */ + mp_zero(a); + +diff --git a/bn_mp_grow.c b/bn_mp_grow.c +index 9e904c547..2b1682651 100644 +--- a/bn_mp_grow.c ++++ b/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) + int i; + mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + /* if the alloc size is smaller alloc more ram */ + if (a->alloc < size) { + /* reallocate the array a->dp +diff --git a/bn_mp_init_size.c b/bn_mp_init_size.c +index d62268721..99573833f 100644 +--- a/bn_mp_init_size.c ++++ b/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ + size = MP_MAX(MP_MIN_PREC, size); + + /* alloc mem */ +diff --git a/bn_mp_mul_2d.c b/bn_mp_mul_2d.c +index 87354de20..bfeaf2eb2 100644 +--- a/bn_mp_mul_2d.c ++++ b/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, mp_int *c) + mp_digit d; + mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ + /* copy */ + if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +diff --git a/bn_s_mp_mul_digs.c b/bn_s_mp_mul_digs.c +index 64509d4cb..3682b4980 100644 +--- a/bn_s_mp_mul_digs.c ++++ b/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if ((digs < MP_WARRAY) && + (MP_MIN(a->used, b->used) < MP_MAXFAST)) { +diff --git a/bn_s_mp_mul_digs_fast.c b/bn_s_mp_mul_digs_fast.c +index b2a287b02..3c4176a87 100644 +--- a/bn_s_mp_mul_digs_fast.c ++++ b/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +diff --git a/bn_s_mp_mul_high_digs.c b/bn_s_mp_mul_high_digs.c +index 2bb2a5098..c9dd355f8 100644 +--- a/bn_s_mp_mul_high_digs.c ++++ b/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *a, const mp_int *b, mp_int *c, int digs) + mp_word r; + mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* can we use the fast multiplier? */ + if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) + && ((a->used + b->used + 1) < MP_WARRAY) +diff --git a/bn_s_mp_mul_high_digs_fast.c b/bn_s_mp_mul_high_digs_fast.c +index a2c4fb692..4ce7f590c 100644 +--- a/bn_s_mp_mul_high_digs_fast.c ++++ b/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_int *a, const mp_int *b, mp_int *c, int + mp_digit W[MP_WARRAY]; + mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ + /* grow the destination as required */ + pa = a->used + b->used; + if (c->alloc < pa) { -- cgit v1.2.3