From 7a0f8a92967dc1c6eab8d6f66ec476905009a287 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Sat, 15 Jul 2023 22:41:20 +0100
Subject: gentoo auto-resync : 15:07:2023 - 22:41:20

---
 sys-fs/erofs-utils/Manifest                        |   3 +
 sys-fs/erofs-utils/erofs-utils-1.6-r1.ebuild       |  49 +++++++++
 .../files/erofs-utils-1.6-CVE-2023-33551.patch     |  70 ++++++++++++
 .../files/erofs-utils-1.6-CVE-2023-33552.patch     | 117 +++++++++++++++++++++
 4 files changed, 239 insertions(+)
 create mode 100644 sys-fs/erofs-utils/erofs-utils-1.6-r1.ebuild
 create mode 100644 sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33551.patch
 create mode 100644 sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33552.patch

(limited to 'sys-fs/erofs-utils')

diff --git a/sys-fs/erofs-utils/Manifest b/sys-fs/erofs-utils/Manifest
index cecc4a8d57d2..3ed9fff2936c 100644
--- a/sys-fs/erofs-utils/Manifest
+++ b/sys-fs/erofs-utils/Manifest
@@ -1,5 +1,8 @@
+AUX erofs-utils-1.6-CVE-2023-33551.patch 2204 BLAKE2B d0cf130e455123df3d4961b3f2b292167f189257bfd5d4aec9afb932179fa8642b84d62b891a70480b2d2dd0be52420467b81d1471c27b5d1c0f7c6c6e61f482 SHA512 e8c7ad3f00c6f86a76f3f9f5001939fc878157229f9223796f2dfdb6ea37c2598f4b5d45934a6c5c3171689bbf455f8987f583617b5853fe0eaed7a237c63b8f
+AUX erofs-utils-1.6-CVE-2023-33552.patch 3294 BLAKE2B 45a36f7c91dcbbce8a0e25a28727fcccbf1cb9d0f073909e7f883f033de5d2b1ee133a1604cdf4c132624441973432e298d76ae38333259421e0e47096b56b07 SHA512 952eb009d3c0ecde751af1246f9c34bbb16bb692a8664cbc7ac084e41840acc1e082cceb3b44826091f3819b73c0e04e19f051c949c5c7a0145ea3170dc92ada
 DIST erofs-utils-1.5.tar.gz 106559 BLAKE2B 69a2b93c0ba8c50fb3f75a53cc224490ab31f55e24055932091e85032a637c2be6d937ab42f068a2937e5b9d8b6054fd756e89b9333f47a6b6b35c20a421ed49 SHA512 0a9d593a9fef3c5976dc63e2927f47d070121ed07e6dda727b0a715b72cfe560c83bdf26ce41fe07b8cb5b66b0660105848e3f7c5a84f222296eb422d1cd5cba
 DIST erofs-utils-1.6.tar.gz 126558 BLAKE2B ad4ce3777c484d485b91f29a97c08499398595d654a4ad63e1cc6a75c176b0476d3af1d7a2bf1ef5f6df996281c1b1bdfdf004be4428c0c168652af68acd83d1 SHA512 1537c5cb60cb70c607b8c00408451f90122fe902d80c9d35dde7b9205588ae3513ddd7cb38d4062e55bb57e37d9b53a668752792e6cba0bc0d78176afed3e502
 EBUILD erofs-utils-1.5-r1.ebuild 907 BLAKE2B dac0f19a9b237f5a4c0f4e581ad56f92d148936197249b8115d5f8abf4e46d4fc6e6b97e76fa1955b72107958b6c21e448efdb7b3176ac2aa0b3599e1e13ca41 SHA512 1d7f8f52d38b515180c8e735cd339d09d54bf5d0a01c178aedc3742b624dde4fd156d42e28f502be94738379731f4841b7c3d9f56d7f25161832ef0be026ed82
+EBUILD erofs-utils-1.6-r1.ebuild 989 BLAKE2B 12b5a6b4d33748b0d55034c9ef6fd2d812f37a7ba2410beff7765b8554ad67c4f389055eb051c52c89e3d371833b3b983bd8d54c958d566668a581ffbc72bd86 SHA512 8b4b4c8877d49ceaf3a28515914123b80ddf4948047626cea09644e6694f5c2ed65eb114b89a0a26157650fb42a0dcf0e194eca3ae2d2fb6356879e87b60bd8e
 EBUILD erofs-utils-1.6.ebuild 907 BLAKE2B dac0f19a9b237f5a4c0f4e581ad56f92d148936197249b8115d5f8abf4e46d4fc6e6b97e76fa1955b72107958b6c21e448efdb7b3176ac2aa0b3599e1e13ca41 SHA512 1d7f8f52d38b515180c8e735cd339d09d54bf5d0a01c178aedc3742b624dde4fd156d42e28f502be94738379731f4841b7c3d9f56d7f25161832ef0be026ed82
 MISC metadata.xml 422 BLAKE2B 9c580f677db0b02904c12e023efd2c1abf0dca9d5dd84776ea55551e3997a968bf23c092b9bfa98e941f7d16009c6e56cdd0120a075872c8e3f84a77899ba556 SHA512 bb5def8dcfe0ecfdc8ce9e6fec61b7c707114abef8e79f2c0f27736341e9c3cca48c053b613d85db762c1632194e76d3ab33386bf0be7ba669a6aaee652b64c1
diff --git a/sys-fs/erofs-utils/erofs-utils-1.6-r1.ebuild b/sys-fs/erofs-utils/erofs-utils-1.6-r1.ebuild
new file mode 100644
index 000000000000..87fe99420cfd
--- /dev/null
+++ b/sys-fs/erofs-utils/erofs-utils-1.6-r1.ebuild
@@ -0,0 +1,49 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="Userspace tools for EROFS"
+HOMEPAGE="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs-utils.git"
+LICENSE="GPL-2+"
+
+SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/xiang/${PN}.git/snapshot/${P}.tar.gz"
+KEYWORDS="~amd64 ~loong"
+
+SLOT="0"
+IUSE="fuse +lz4 +lzma selinux +uuid"
+
+RDEPEND="
+	fuse? ( sys-fs/fuse:0 )
+	lz4? ( app-arch/lz4:0= )
+	lzma? ( >=app-arch/xz-utils-5.4.0:0= )
+	selinux? ( sys-libs/libselinux:0= )
+	uuid? ( sys-apps/util-linux )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=(
+	"${FILESDIR}/${P}-CVE-2023-33551.patch"
+	"${FILESDIR}/${P}-CVE-2023-33552.patch"
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		--disable-werror
+		$(use_enable fuse)
+		$(use_enable lz4)
+		$(use_enable lzma)
+		$(use_with selinux)
+		$(use_with uuid)
+	)
+
+	econf "${myeconfargs[@]}"
+}
diff --git a/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33551.patch b/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33551.patch
new file mode 100644
index 000000000000..ce20d18cb33f
--- /dev/null
+++ b/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33551.patch
@@ -0,0 +1,70 @@
+https://git.kernel.org/xiang/erofs-utils/c/27aeef179bf17d5f1d98f827e93d24839a6d4176
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Fri, 2 Jun 2023 13:52:56 +0800
+Subject: erofs-utils: fsck: block insane long paths when extracting images
+
+Since some crafted EROFS filesystem images could have insane deep
+hierarchy (or may form directory loops) which triggers the
+PATH_MAX-sized path buffer OR stack overflow.
+
+Actually some crafted images cannot be deemed as real corrupted
+images but over-PATH_MAX paths are not something that we'd like to
+support for now.
+
+CVE: CVE-2023-33551
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33551
+Reported-by: Chaoming Yang <lometsj@live.com>
+Fixes: f44043561491 ("erofs-utils: introduce fsck.erofs")
+Fixes: b11f84f593f9 ("erofs-utils: fsck: convert to use erofs_iterate_dir()")
+Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
+Signeo-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230602055256.18061-1-hsiangkao@linux.alibaba.com
+--- a/fsck/main.c
++++ b/fsck/main.c
+@@ -680,28 +680,35 @@ again:
+ static int erofsfsck_dirent_iter(struct erofs_dir_context *ctx)
+ {
+ 	int ret;
+-	size_t prev_pos = fsckcfg.extract_pos;
++	size_t prev_pos, curr_pos;
+ 
+ 	if (ctx->dot_dotdot)
+ 		return 0;
+ 
+-	if (fsckcfg.extract_path) {
+-		size_t curr_pos = prev_pos;
++	prev_pos = fsckcfg.extract_pos;
++	curr_pos = prev_pos;
++
++	if (prev_pos + ctx->de_namelen >= PATH_MAX) {
++		erofs_err("unable to fsck since the path is too long (%u)",
++			  curr_pos + ctx->de_namelen);
++		return -EOPNOTSUPP;
++	}
+ 
++	if (fsckcfg.extract_path) {
+ 		fsckcfg.extract_path[curr_pos++] = '/';
+ 		strncpy(fsckcfg.extract_path + curr_pos, ctx->dname,
+ 			ctx->de_namelen);
+ 		curr_pos += ctx->de_namelen;
+ 		fsckcfg.extract_path[curr_pos] = '\0';
+-		fsckcfg.extract_pos = curr_pos;
++	} else {
++		curr_pos += ctx->de_namelen;
+ 	}
+-
++	fsckcfg.extract_pos = curr_pos;
+ 	ret = erofsfsck_check_inode(ctx->dir->nid, ctx->de_nid);
+ 
+-	if (fsckcfg.extract_path) {
++	if (fsckcfg.extract_path)
+ 		fsckcfg.extract_path[prev_pos] = '\0';
+-		fsckcfg.extract_pos = prev_pos;
+-	}
++	fsckcfg.extract_pos = prev_pos;
+ 	return ret;
+ }
+ 
+-- 
+cgit 
+
diff --git a/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33552.patch b/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33552.patch
new file mode 100644
index 000000000000..c53a9b8044fe
--- /dev/null
+++ b/sys-fs/erofs-utils/files/erofs-utils-1.6-CVE-2023-33552.patch
@@ -0,0 +1,117 @@
+https://git.kernel.org/xiang/erofs-utils/c/2145dff03dd3f3f74bcda3b52160fbad37f7fcfe
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Fri, 2 Jun 2023 11:05:19 +0800
+Subject: erofs-utils: fsck: don't allocate/read too large extents
+
+Since some crafted EROFS filesystem images could have insane large
+extents, which causes unexpected bahaviors when extracting data.
+
+Fix it by extracting large extents with a buffer of a reasonable
+maximum size limit and reading multiple times instead.
+
+Note that only `--extract` option is impacted.
+
+CVE: CVE-2023-33552
+Closes: https://nvd.nist.gov/vuln/detail/CVE-2023-33552
+Reported-by: Chaoming Yang <lometsj@live.com>
+Fixes: 412c8f908132 ("erofs-utils: fsck: add --extract=X support to extract to path X")
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230602030519.117071-1-hsiangkao@linux.alibaba.com
+--- a/fsck/main.c
++++ b/fsck/main.c
+@@ -392,6 +392,8 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+ 	}
+ 
+ 	while (pos < inode->i_size) {
++		unsigned int alloc_rawsize;
++
+ 		map.m_la = pos;
+ 		if (compressed)
+ 			ret = z_erofs_map_blocks_iter(inode, &map,
+@@ -420,10 +422,28 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+ 		if (!(map.m_flags & EROFS_MAP_MAPPED) || !fsckcfg.check_decomp)
+ 			continue;
+ 
+-		if (map.m_plen > raw_size) {
+-			raw_size = map.m_plen;
+-			raw = realloc(raw, raw_size);
+-			BUG_ON(!raw);
++		if (map.m_plen > Z_EROFS_PCLUSTER_MAX_SIZE) {
++			if (compressed) {
++				erofs_err("invalid pcluster size %" PRIu64 " @ offset %" PRIu64 " of nid %" PRIu64,
++					  map.m_plen, map.m_la,
++					  inode->nid | 0ULL);
++				ret = -EFSCORRUPTED;
++				goto out;
++			}
++			alloc_rawsize = Z_EROFS_PCLUSTER_MAX_SIZE;
++		} else {
++			alloc_rawsize = map.m_plen;
++		}
++
++		if (alloc_rawsize > raw_size) {
++			char *newraw = realloc(raw, alloc_rawsize);
++
++			if (!newraw) {
++				ret = -ENOMEM;
++				goto out;
++			}
++			raw = newraw;
++			raw_size = alloc_rawsize;
+ 		}
+ 
+ 		if (compressed) {
+@@ -434,18 +454,27 @@ static int erofs_verify_inode_data(struct erofs_inode *inode, int outfd)
+ 			}
+ 			ret = z_erofs_read_one_data(inode, &map, raw, buffer,
+ 						    0, map.m_llen, false);
++			if (ret)
++				goto out;
++
++			if (outfd >= 0 && write(outfd, buffer, map.m_llen) < 0)
++				goto fail_eio;
+ 		} else {
+-			ret = erofs_read_one_data(&map, raw, 0, map.m_plen);
+-		}
+-		if (ret)
+-			goto out;
++			u64 p = 0;
+ 
+-		if (outfd >= 0 && write(outfd, compressed ? buffer : raw,
+-					map.m_llen) < 0) {
+-			erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
+-				  inode->nid | 0ULL);
+-			ret = -EIO;
+-			goto out;
++			do {
++				u64 count = min_t(u64, alloc_rawsize,
++						  map.m_llen);
++
++				ret = erofs_read_one_data(&map, raw, p, count);
++				if (ret)
++					goto out;
++
++				if (outfd >= 0 && write(outfd, raw, count) < 0)
++					goto fail_eio;
++				map.m_llen -= count;
++				p += count;
++			} while (map.m_llen);
+ 		}
+ 	}
+ 
+@@ -460,6 +489,12 @@ out:
+ 	if (buffer)
+ 		free(buffer);
+ 	return ret < 0 ? ret : 0;
++
++fail_eio:
++	erofs_err("I/O error occurred when verifying data chunk @ nid %llu",
++		  inode->nid | 0ULL);
++	ret = -EIO;
++	goto out;
+ }
+ 
+ static inline int erofs_extract_dir(struct erofs_inode *inode)
+-- 
+cgit 
+
-- 
cgit v1.2.3