[security] chicken-4.12.0p0

Wed, 15 Mar 2017 22:22:29 -0700 

Hi,

Chicken has unchecked malloc() arguments in srfi-4:
http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html

Here's backported patch to fix it.

Quickly tested on amd64, could use a bit more testing though.

Timo

Index: Makefile.inc
===================================================================
RCS file: /cvs/ports/lang/chicken/Makefile.inc,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile.inc
--- Makefile.inc        25 Feb 2017 02:45:13 -0000      1.10
+++ Makefile.inc        16 Mar 2017 05:18:18 -0000
@@ -3,6 +3,7 @@
 COMMENT=       practical and portable Scheme system
 
 V=             4.12.0
+REVISION=      0
 DISTNAME=      chicken-${V}
 
 MAINTAINER=    Timo Myyra <timo.my...@wickedbsd.net>
Index: core/patches/patch-srfi-4_scm
===================================================================
RCS file: core/patches/patch-srfi-4_scm
diff -N core/patches/patch-srfi-4_scm
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ core/patches/patch-srfi-4_scm       16 Mar 2017 05:18:18 -0000
@@ -0,0 +1,96 @@
+$OpenBSD$
+Backport of security fix:
+  - Remove unchecked malloc() call in SRFI-4 constructors when
+    allocating in non-GC memory, resulting in potential 1-word
+    buffer overrun and/or segfault (thanks to Lemonboy).
+--- srfi-4.scm.orig    Thu Mar 16 06:49:38 2017
++++ srfi-4.scm Thu Mar 16 06:57:14 2017
+@@ -256,16 +256,21 @@ EOF
+ ;;; Basic constructors:
+ 
+ (let* ([ext-alloc
+-      (foreign-lambda* scheme-object ([int bytes])
+-        "C_word *buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+-        "if(buf == NULL) C_return(C_SCHEME_FALSE);"
++      (foreign-lambda* scheme-object ([size_t bytes])
++          "C_word *buf;"
++          "if (bytes > C_HEADER_SIZE_MASK) C_return(C_SCHEME_FALSE);"
++          "buf = (C_word *)C_malloc(bytes + sizeof(C_header));"
+         "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
++          "if(buf == NULL) C_return(C_SCHEME_FALSE);"
++          "C_block_header_init(buf, C_make_header(C_BYTEVECTOR_TYPE, bytes));"
+         "C_return(buf);") ]
+        [ext-free
+       (foreign-lambda* void ([scheme-object bv])
+         "C_free((void *)C_block_item(bv, 1));") ]
+        [alloc
+       (lambda (loc len ext?)
++         (##sys#check-exact len loc)
++         (when (fx< len 0) (##sys#error loc "size is negative" len))  
+         (if ext?
+             (let ([bv (ext-alloc len)])
+               (or bv
+@@ -282,7 +287,6 @@ EOF
+ 
+   (set! make-u8vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u8vector)
+       (let ((v (##sys#make-structure 'u8vector (alloc 'make-u8vector len 
ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -295,7 +299,6 @@ EOF
+ 
+   (set! make-s8vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s8vector)
+       (let ((v (##sys#make-structure 's8vector (alloc 'make-s8vector len 
ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -308,7 +311,6 @@ EOF
+ 
+   (set! make-u16vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u16vector)
+       (let ((v (##sys#make-structure 'u16vector (alloc 'make-u16vector 
(##core#inline "C_fixnum_shift_left" len 1) ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -321,7 +323,6 @@ EOF
+ 
+   (set! make-s16vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s16vector)
+       (let ((v (##sys#make-structure 's16vector (alloc 'make-s16vector 
(##core#inline "C_fixnum_shift_left" len 1) ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -334,7 +335,6 @@ EOF
+ 
+   (set! make-u32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-u32vector)
+       (let ((v (##sys#make-structure 'u32vector (alloc 'make-u32vector 
(##core#inline "C_fixnum_shift_left" len 2) ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -347,7 +347,6 @@ EOF
+ 
+   (set! make-s32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-s32vector)
+       (let ((v (##sys#make-structure 's32vector (alloc 'make-s32vector 
(##core#inline "C_fixnum_shift_left" len 2) ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -360,7 +359,6 @@ EOF
+ 
+   (set! make-f32vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-f32vector)
+       (let ((v (##sys#make-structure 'f32vector (alloc 'make-f32vector 
(##core#inline "C_fixnum_shift_left" len 2) ext?))))
+       (when (and ext? fin?) (set-finalizer! v ext-free))
+       (if (not init)
+@@ -375,7 +373,6 @@ EOF
+ 
+   (set! make-f64vector
+     (lambda (len #!optional (init #f)  (ext? #f) (fin? #t))
+-      (##sys#check-exact len 'make-f64vector)
+       (let ((v (##sys#make-structure
+               'f64vector
+               (alloc 'make-f64vector (##core#inline "C_fixnum_shift_left" len 
3) ext?))))

Reply via email to