diff --git a/abseil-cpp.spec b/abseil-cpp.spec index c7ea286a6c93ae6191da0ee5d10d8a2731288f70..92665509a8f411bdae253063c8d29ab30e02ca9b 100644 --- a/abseil-cpp.spec +++ b/abseil-cpp.spec @@ -6,7 +6,7 @@ Name: abseil-cpp Version: 20230802.1 -Release: 5 +Release: 6 Summary: C++ Common Libraries License: Apache-2.0 @@ -16,6 +16,7 @@ Source0: https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}- Patch1: abseil-cpp-20210324.2-sw.patch Patch100: 0001-add-loongarch-suopport-for-abseil-cpp.patch Patch101: 0002-PR-1644-unscaledcycleclock-remove-RISC-V-support.patch +Patch102: backport-CVE-2025-0838.patch BuildRequires: cmake ninja-build BuildRequires: gcc-c++ @@ -157,6 +158,12 @@ DESTDIR="%{buildroot}" %__cmake --install "%{_vpath_builddir}" %{_libdir}/pkgconfig/*.pc %changelog +* Mon Feb 24 2025 xinghe - 20230802.1-6 +- Type:cves +- CVE:CVE-2025-0838 +- SUG:NA +- DESC:fix CVE-2025-0838 + * Thu Aug 01 2024 xinghe - 20230802.1-5 - Type:bugfix - ID:NA diff --git a/backport-CVE-2025-0838.patch b/backport-CVE-2025-0838.patch new file mode 100644 index 0000000000000000000000000000000000000000..aac5033fffaefd7f48070b74da9cf7e48baea256 --- /dev/null +++ b/backport-CVE-2025-0838.patch @@ -0,0 +1,110 @@ +From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001 +From: Derek Mauro +Date: Wed, 22 Jan 2025 15:58:56 -0500 +Subject: [PATCH] Fix potential integer overflow in hash container + create/resize + +The sized constructors, reserve(), and rehash() methods of +absl::{flat,node}_hash_{set,map} did not impose an upper bound on +their size argument. As a result, it was possible for a caller to pass +a very large size that would cause an integer overflow when computing +the size of the container's backing store. Subsequent accesses to the +container might then access out-of-bounds memory. + +The fix is in two parts: + +1) Update max_size() to return the maximum number of items that can be +stored in the container + +2) Validate the size arguments to the constructors, reserve(), and +rehash() methods, and abort the program when the argument is invalid + +We've looked at uses of these containers in Google codebases like +Chrome, and determined this vulnerability is likely to be difficult to +exploit. This is primarily because container sizes are rarely +attacker-controlled. + +The bug was discovered by Dmitry Vyukov . + +Conflict: remove absl/base/config.h +Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416 +--- + absl/base/config.h | 2 +- + absl/container/internal/raw_hash_set.h | 16 +++++++++++++++- + absl/container/internal/raw_hash_set_test.cc | 8 ++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h +index 5f89d8efee6..92b93453314 100644 +--- a/absl/container/internal/raw_hash_set.h ++++ b/absl/container/internal/raw_hash_set.h +@@ -1076,6 +1076,12 @@ inline size_t NormalizeCapacity(size_t n) { + return n ? ~size_t{} >> countl_zero(n) : 1; + } + ++template ++size_t MaxValidCapacity() { ++ return NormalizeCapacity((std::numeric_limits::max)() / 4 / ++ kSlotSize); ++} ++ + // General notes on capacity/growth methods below: + // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an + // average of two empty slots per group. +@@ -1717,6 +1723,8 @@ class raw_hash_set { + const allocator_type& alloc = allocator_type()) + : settings_(CommonFields{}, hash, eq, alloc) { + if (bucket_count) { ++ ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity(), ++ "Hash table size overflow"); + common().set_capacity(NormalizeCapacity(bucket_count)); + initialize_slots(); + } +@@ -1916,7 +1924,10 @@ class raw_hash_set { + bool empty() const { return !size(); } + size_t size() const { return common().size(); } + size_t capacity() const { return common().capacity(); } +- size_t max_size() const { return (std::numeric_limits::max)(); } ++ size_t max_size() const { ++ return CapacityToGrowth(MaxValidCapacity()); ++ } ++ + + ABSL_ATTRIBUTE_REINITIALIZES void clear() { + // Iterating over this container is O(bucket_count()). When bucket_count() +@@ -2266,6 +2277,8 @@ class raw_hash_set { + auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size())); + // n == 0 unconditionally rehashes as per the standard. + if (n == 0 || m > capacity()) { ++ ABSL_RAW_CHECK(m <= MaxValidCapacity(), ++ "Hash table size overflow"); + resize(m); + + // This is after resize, to ensure that we have completed the allocation +@@ -2276,6 +2289,7 @@ class raw_hash_set { + + void reserve(size_t n) { + if (n > size() + growth_left()) { ++ ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow"); + size_t m = GrowthToLowerboundCapacity(n); + resize(NormalizeCapacity(m)); + +diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc +index 242a97cbe3f..d5d5f3934da 100644 +--- a/absl/container/internal/raw_hash_set_test.cc ++++ b/absl/container/internal/raw_hash_set_test.cc +@@ -2510,6 +2510,14 @@ TEST(Iterator, InvalidComparisonDifferentTables) { + "Invalid iterator comparison.*non-end"); + } + ++TEST(Table, MaxSizeOverflow) { ++ size_t overflow = (std::numeric_limits::max)(); ++ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow"); ++ IntTable t; ++ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow"); ++ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow"); ++} ++ + } // namespace + } // namespace container_internal + ABSL_NAMESPACE_END