
15 Commits

Author SHA1 Message Date
openharmony_ci
cc34b8f00e !1197 整数溢出漏洞修复
Merge pull request !1197 from hw_llm/master
2024-07-15 13:45:01 +00:00
hw_llm
da45d3f539 Description: fix CVE-817641412102197248
IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IACJLK
Feature Or Bugfix: Bugfix
Binary Source: No
Signed-off-by: hw_llm <liu.limin@huawei.com>
2024-07-12 15:03:23 +08:00
openharmony_ci
49ad79f55e !1194 解决UAF问题
Merge pull request !1194 from hw_llm/master
2024-07-11 13:32:59 +00:00
hw_llm
78db02de2c Description: fix CVE-810023952561737728
IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/IAAZWU
Feature Or Bugfix: Bugfix
Binary Source: No
Signed-off-by: hw_llm <liu.limin@huawei.com>
2024-07-11 16:50:49 +08:00
openharmony_ci
7fcec6797c !1192 【修复】OAT告警
Merge pull request !1192 from 石子怡/master
2024-05-27 11:37:41 +00:00
石子怡
dff8682d4d 修复OAT告警
Signed-off-by: 石子怡 <z15319797139@163.com>
2024-05-25 02:30:55 +00:00
石子怡
b0520a56f4 修复OAT告警
Signed-off-by: 石子怡 <z15319797139@163.com>
2024-05-25 01:33:58 +00:00
openharmony_ci
180bf8e5cd !1189 内核mqueue 竞争漏洞修复
Merge pull request !1189 from hw_llm/master
2024-05-11 03:01:05 +00:00
hw_llm
dbbb96c427 Description: liteos_a 内核竞争漏洞修复
IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/I9OACM
Feature Or Bugfix: Bugfix
Binary Source: No
Signed-off-by: hw_llm <liu.limin@huawei.com>
2024-05-10 20:05:39 +08:00
openharmony_ci
e3eaae1b1c !1184 【轻量级 PR】:修改 SortQueueIndexArray 函数笔误
Merge pull request !1184 from brucezhao/N/A
2024-03-26 07:19:04 +00:00
openharmony_ci
9b5892e0a6 !1187 LTS 5.10 补丁升级适配
Merge pull request !1187 from Wanxiaoqing/master
2024-03-14 07:52:29 +00:00
wanxiaoqing
6a4d0be681 LTS 5.10 补丁升级适配
Signed-off-by: wanxiaoqing <wanxiaoqing@huawei.com>
2024-03-13 09:38:42 +08:00
openharmony_ci
8fe4080d08 !1185 删除bundle.json中的syscap信息,确保与架构信息平台设计信息一致
Merge pull request !1185 from hw_llm/master
2024-02-05 07:22:47 +00:00
hw_llm
cfa0209c14 Description: 删除bundle.json中syscap信息
IssueNo: https://gitee.com/openharmony/kernel_liteos_a/issues/I90PKD
Feature Or Bugfix: Feature
Binary Source: No
Signed-off-by: hw_llm <liu.limin@huawei.com>
2024-02-02 15:41:59 +08:00
brucezhao
a235c4c106 修改 SortQueueIndexArray 函数笔误
修改 SortQueueIndexArray 函数 queueSortParam.ipcDebugCBCnt = LOSCFG_BASE_IPC_SEM_LIMIT; 的笔误为 LOSCFG_BASE_IPC_QUEUE_LIMIT

Signed-off-by: brucezhao <bruce.e.zhao@gmail.com>
2023-11-24 07:57:04 +00:00
6 changed files with 28 additions and 16 deletions


@@ -65,6 +65,8 @@
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->
</filefilter>
<filefilter name="binaryFileTypePolicyFilter" desc="Filters for binary file policies">
<filteritem type="filepath" name="figures/architecture-of-the-openharmony-liteos-cortex-a-kernel.png" desc="architecture-of-the-openharmony-liteos-cortex-a-kernel"/>
<filteritem type="filepath" name="figures/OpenHarmony-LiteOS-A内核架构图.png" desc="LiteOS-A内核架构图"/>
<!--filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
<!--filteritem type="filepath" name="abcdefg/.*.uvwxyz" desc="Describe the reason for filtering scan results"/-->
<!--filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/-->


@@ -27,9 +27,6 @@
"component": {
"name": "liteos_a",
"subsystem": "kernel",
"syscap": [
"SystemCapability.Kernel.Liteos-A"
],
"features": [],
"adapted_system_type": [
"small"


@@ -270,6 +270,7 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
{
struct mqarray *mqueueCB = NULL;
struct mqpersonal *tmp = NULL;
INT32 ret;
mqueueCB = privateMqPersonal->mq_posixdes;
if (mqueueCB == NULL || mqueueCB->mq_personal == NULL) {
@@ -277,6 +278,12 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
return LOS_NOK;
}
if ((mqueueCB->unlinkflag == TRUE) && (privateMqPersonal->mq_next == NULL)) {
ret = DoMqueueDelete(mqueueCB);
if (ret < 0) {
return ret;
}
}
/* find the personal and remove */
if (mqueueCB->mq_personal == privateMqPersonal) {
mqueueCB->mq_personal = privateMqPersonal->mq_next;
@@ -298,9 +305,6 @@ STATIC INT32 DoMqueueClose(struct mqpersonal *privateMqPersonal)
/* free the personal */
(VOID)LOS_MemFree(OS_SYS_MEM_ADDR, privateMqPersonal);
if ((mqueueCB->unlinkflag == TRUE) && (mqueueCB->mq_personal == NULL)) {
return DoMqueueDelete(mqueueCB);
}
return LOS_OK;
}
@@ -604,17 +608,19 @@ int OsMqGetAttr(mqd_t personal, struct mq_attr *mqAttr)
struct mqarray *mqueueCB = NULL;
struct mqpersonal *privateMqPersonal = NULL;
(VOID)pthread_mutex_lock(&IPC_QUEUE_MUTEX);
privateMqPersonal = MqGetPrivDataBuff(personal);
if (privateMqPersonal == NULL) {
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
return -1;
}
if (mqAttr == NULL) {
errno = EINVAL;
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
return -1;
}
(VOID)pthread_mutex_lock(&IPC_QUEUE_MUTEX);
if (privateMqPersonal->mq_status != MQ_USE_MAGIC) {
errno = EBADF;
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
@@ -634,17 +640,19 @@ int OsMqSetAttr(mqd_t personal, const struct mq_attr *mqSetAttr, struct mq_attr
{
struct mqpersonal *privateMqPersonal = NULL;
(VOID)pthread_mutex_lock(&IPC_QUEUE_MUTEX);
privateMqPersonal = MqGetPrivDataBuff(personal);
if (privateMqPersonal == NULL) {
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
return -1;
}
if (mqSetAttr == NULL) {
errno = EINVAL;
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
return -1;
}
(VOID)pthread_mutex_lock(&IPC_QUEUE_MUTEX);
if (privateMqPersonal->mq_status != MQ_USE_MAGIC) {
errno = EBADF;
(VOID)pthread_mutex_unlock(&IPC_QUEUE_MUTEX);
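Review bot: In DoMqueueClose the new pre-removal condition `privateMqPersonal->mq_next == NULL` only shows that the descriptor being closed is the tail of the list, whereas the check it replaces ran after unlinking and required `mqueueCB->mq_personal == NULL`, i.e. no descriptor left at all. If other descriptors can precede this one in `mq_personal`, DoMqueueDelete would run while they still refer to the queue, which could reintroduce the kind of stale-reference problem this change is meant to close; DoMqueueDelete's body is not visible here, so that needs confirming. I would test for the sole remaining entry instead: `if ((mqueueCB->unlinkflag == TRUE) && (mqueueCB->mq_personal == privateMqPersonal) && (privateMqPersonal->mq_next == NULL)) {`. The list walk between the second and third hunks is outside the visible lines.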


@@ -8667,7 +8667,7 @@ diff -Nupr old/fs/jffs2/writev.c new/fs/jffs2/writev.c
diff -Nupr old/fs/jffs2/xattr.c new/fs/jffs2/xattr.c
--- old/fs/jffs2/xattr.c 2022-05-09 17:15:24.360000000 +0800
+++ new/fs/jffs2/xattr.c 1970-01-01 08:00:00.000000000 +0800
@@ -1,1347 +0,0 @@
@@ -1,1352 +0,0 @@
-/*
- * JFFS2 -- Journalling Flash File System, Version 2.
- *
@@ -9442,10 +9442,10 @@ diff -Nupr old/fs/jffs2/xattr.c new/fs/jffs2/xattr.c
-}
-
-#define XREF_TMPHASH_SIZE (128)
-void jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
-int jffs2_build_xattr_subsystem(struct jffs2_sb_info *c)
-{
- struct jffs2_xattr_ref *ref, *_ref;
- struct jffs2_xattr_ref *xref_tmphash[XREF_TMPHASH_SIZE];
- struct jffs2_xattr_ref **xref_tmphash;
- struct jffs2_xattr_datum *xd, *_xd;
- struct jffs2_inode_cache *ic;
- struct jffs2_raw_node_ref *raw;
@@ -9454,9 +9454,12 @@ diff -Nupr old/fs/jffs2/xattr.c new/fs/jffs2/xattr.c
-
- BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
-
- xref_tmphash = kcalloc(XREF_TMPHASH_SIZE,
- sizeof(struct jffs2_xattr_ref *), GFP_KERNEL);
- if (!xref_tmphash)
- return -ENOMEM;
-
- /* Phase.1 : Merge same xref */
- for (i=0; i < XREF_TMPHASH_SIZE; i++)
- xref_tmphash[i] = NULL;
- for (ref=c->xref_temp; ref; ref=_ref) {
- struct jffs2_xattr_ref *tmp;
-
@@ -9554,6 +9557,8 @@ diff -Nupr old/fs/jffs2/xattr.c new/fs/jffs2/xattr.c
- "%u of xref (%u dead, %u orphan) found.\n",
- xdatum_count, xdatum_unchecked_count, xdatum_orphan_count,
- xref_count, xref_dead_count, xref_orphan_count);
- kfree(xref_tmphash);
- return 0;
-}
-
-struct jffs2_xattr_datum *jffs2_setup_xattr_datum(struct jffs2_sb_info *c,


@@ -103,7 +103,7 @@ STATIC VOID SortQueueIndexArray(UINT32 *indexArray, UINT32 count)
IpcSortParam queueSortParam;
queueSortParam.buf = (CHAR *)g_queueDebugArray;
queueSortParam.ipcDebugCBSize = sizeof(QueueDebugCB);
queueSortParam.ipcDebugCBCnt = LOSCFG_BASE_IPC_SEM_LIMIT;
queueSortParam.ipcDebugCBCnt = LOSCFG_BASE_IPC_QUEUE_LIMIT;
queueSortParam.sortElemOff = LOS_OFF_SET_OF(QueueDebugCB, lastAccessTime);
if (count > 0) {


@@ -401,7 +401,7 @@ ssize_t SysSendMsg(int s, const struct msghdr *message, int flags)
CHECK_ASPACE(message, sizeof(struct msghdr));
CPY_FROM_CONST_USER(struct msghdr, message);
if (message && message->msg_iovlen > IOV_MAX) {
if (message && (size_t)message->msg_iovlen > IOV_MAX) {
set_errno(EMSGSIZE);
return -get_errno();
}
@@ -449,7 +449,7 @@ ssize_t SysRecvMsg(int s, struct msghdr *message, int flags)
CHECK_ASPACE(message, sizeof(struct msghdr));
CPY_FROM_NONCONST_USER(message);
if (message && message->msg_iovlen > IOV_MAX) {
if (message && (size_t)message->msg_iovlen > IOV_MAX) {
set_errno(EMSGSIZE);
return -get_errno();
}
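Review bot: The `(size_t)` cast in SysSendMsg's `msg_iovlen` check carries the whole fix but nothing says why it is there, and the same applies to the identical line in SysRecvMsg. Assuming `msg_iovlen` is a signed field (its declaration is not visible here), the cast is what makes a negative count copied in from user space compare as larger than IOV_MAX and get rejected with EMSGSIZE, so a later cleanup could drop it as redundant. I would add above each check: `/* compare as unsigned so a negative msg_iovlen from user space is rejected too */`. Both functions continue outside the hunks.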