From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001
From: Kenton Varda <kenton@cloudflare.com>
Date: Wed, 23 Nov 2022 12:02:29 -0600
Subject: [PATCH] Apply data offset for list-of-pointers at access time rather
 than ListReader creation time.

Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected.

CVE: CVE-2022-46149
Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9]
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
 c++/src/capnp/layout.c++ | 4 ----
 c++/src/capnp/layout.h   | 6 +++++-
 2 files changed, 5 insertions(+), 5 deletions(-)

Index: c++/src/capnp/layout.c++
===================================================================
--- c++.orig/src/capnp/layout.c++
+++ c++/src/capnp/layout.c++
@@ -2322,10 +2322,6 @@ struct WireHelpers {
             break;
 
           case ElementSize::POINTER:
-            // We expected a list of pointers but got a list of structs.  Assuming the first field
-            // in the struct is the pointer we were looking for, we want to munge the pointer to
-            // point at the first element's pointer section.
-            ptr += tag->structRef.dataSize.get();
             KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS,
                        "Expected a pointer list, but got a list of data-only structs.") {
               goto useDefault;
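Review bot: With the `ptr += tag->structRef.dataSize.get()` line removed, nothing in this case explains that the data-section skip now lives in the accessor, so a later reader may re-add it here and silently reintroduce the double-offset / wrong-offset problem this patch fixes; I would replace the deleted comment with one that states the new contract, e.g. `// Do not adjust ptr here: ListReader::getPointerElement() skips the element's data section via structDataSize, so ptr must keep pointing at the start of the first element.` The correctness of the new code depends on the ListReader constructed after this switch (outside the hunk) receiving the struct's data size as `structDataSize`, and on getPointerElement being the only accessor that assumed the old pre-adjusted `ptr`; both are inferred from the layout.h hunk rather than visible here and are worth confirming. The enclosing WireHelpers function starts and ends outside this hunk.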
Index: c++/src/capnp/layout.h
===================================================================
--- c++.orig/src/capnp/layout.h
+++ c++/src/capnp/layout.h
@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V
 }
 
 inline PointerReader ListReader::getPointerElement(ElementCount index) const {
+  // If the list elements have data sections we need to skip those. Note that for pointers to be
+  // present at all (which already must be true if we get here), then `structDataSize` must be a
+  // whole number of words, so we don't have to worry about unaligned reads here.
+  auto offset = structDataSize / BITS_PER_BYTE;
   return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>(
-      ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
+      ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
 }
 
 // -------------------------------------------------------------------
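Review bot: The new comment in getPointerElement asserts that `structDataSize` must be a whole number of words whenever pointers are present, but the code does not check it, so an unaligned `structDataSize` would produce a misaligned `WirePointer*` with no diagnostic; a debug-only assertion that `structDataSize` is a multiple of `BITS_PER_WORD` (a `KJ_DASSERT` in the style the file already uses for its other invariants) would turn the comment's assumption into a checked one at no release-build cost. The `offset` computation is now repeated on every element access, which is the trade-off the commit message accepts; a one-line comment tying it to that decision would save the next maintainer from "optimising" it back into `ptr`. I read the net effect as `ptr` now having a single meaning (start of the first element) for every accessor on the same ListReader, which is what closes the inconsistent-interpretation issue the description refers to, but that is inferred from the two hunks together rather than visible in this one. getPointerElement is fully contained in the hunk; the getDataElement specialisation above it is only shown by its closing brace.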