diff --git a/abseil-cpp.spec b/abseil-cpp.spec index 6949aac7a581dca8266595359db27cd729e9ca2a..2428a53b49e29a614d25f4761232bfe87bc78a11 100644 --- a/abseil-cpp.spec +++ b/abseil-cpp.spec @@ -6,7 +6,7 @@ Name: abseil-cpp Version: 20220623.1 -Release: 5 +Release: 6 Summary: C++ Common Libraries License: ASL 2.0 @@ -16,6 +16,7 @@ Source0: https://github.com/abseil/abseil-cpp/archive/%{version}/%{name}- Patch0: backport-Do-not-leak-maes-msse4.1-into-pkgconfig.patch Patch1: abseil-cpp-20210324.2-sw.patch Patch2: backport-Add-missing-include-for-std-unique_ptr.patch +Patch3: backport-CVE-2025-0838.patch %ifarch loongarch64 Patch100: 0001-add-loongarch-suopport-for-abseil-cpp.patch @@ -69,6 +70,12 @@ Development headers for %{name} %{_libdir}/pkgconfig/*.pc %changelog +* Mon Feb 24 2025 xinghe - 20220623.1-6 +- Type:cves +- CVE:CVE-2025-0838 +- SUG:NA +- DESC:fix CVE-2025-0838 + * Tue Apr 16 2024 xinghe - 20220623.1-5 - Type:bugfix - CVE:NA diff --git a/backport-CVE-2025-0838.patch b/backport-CVE-2025-0838.patch new file mode 100644 index 0000000000000000000000000000000000000000..5332026a8d6f7c38b5f6b705dd398595a02884e4 --- /dev/null +++ b/backport-CVE-2025-0838.patch @@ -0,0 +1,110 @@ +From 3c4b18dc14949d1c6dac8bae2e459c71b21e3416 Mon Sep 17 00:00:00 2001 +From: Derek Mauro +Date: Wed, 22 Jan 2025 15:58:56 -0500 +Subject: [PATCH] Fix potential integer overflow in hash container + create/resize + +The sized constructors, reserve(), and rehash() methods of +absl::{flat,node}_hash_{set,map} did not impose an upper bound on +their size argument. As a result, it was possible for a caller to pass +a very large size that would cause an integer overflow when computing +the size of the container's backing store. Subsequent accesses to the +container might then access out-of-bounds memory. + +The fix is in two parts: + +1) Update max_size() to return the maximum number of items that can be +stored in the container + +2) Validate the size arguments to the constructors, reserve(), and +rehash() methods, and abort the program when the argument is invalid + +We've looked at uses of these containers in Google codebases like +Chrome, and determined this vulnerability is likely to be difficult to +exploit. This is primarily because container sizes are rarely +attacker-controlled. + +The bug was discovered by Dmitry Vyukov . + +Conflict: remove absl/base/config.h and context adapt +Reference: https://github.com/abseil/abseil-cpp/commit/3c4b18dc14949d1c6dac8bae2e459c71b21e3416 +--- + absl/container/internal/raw_hash_set.h | 15 ++++++++++++++- + absl/container/internal/raw_hash_set_test.cc | 8 ++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/absl/container/internal/raw_hash_set.h b/absl/container/internal/raw_hash_set.h +index ea912f8..40c2c67 100644 +--- a/absl/container/internal/raw_hash_set.h ++++ b/absl/container/internal/raw_hash_set.h +@@ -745,6 +745,12 @@ inline size_t NormalizeCapacity(size_t n) { + return n ? ~size_t{} >> countl_zero(n) : 1; + } + ++template ++size_t MaxValidCapacity() { ++ return NormalizeCapacity((std::numeric_limits::max)() / 4 / ++ kSlotSize); ++} ++ + // General notes on capacity/growth methods below: + // - We use 7/8th as maximum load factor. For 16-wide groups, that gives an + // average of two empty slots per group. +@@ -1148,6 +1154,8 @@ class raw_hash_set { + : ctrl_(EmptyGroup()), + settings_(0, HashtablezInfoHandle(), hash, eq, alloc) { + if (bucket_count) { ++ ABSL_RAW_CHECK(bucket_count <= MaxValidCapacity(), ++ "Hash table size overflow"); + capacity_ = NormalizeCapacity(bucket_count); + initialize_slots(); + } +@@ -1341,7 +1349,9 @@ class raw_hash_set { + bool empty() const { return !size(); } + size_t size() const { return size_; } + size_t capacity() const { return capacity_; } +- size_t max_size() const { return (std::numeric_limits::max)(); } ++ size_t max_size() const { ++ return CapacityToGrowth(MaxValidCapacity()); ++ } + + ABSL_ATTRIBUTE_REINITIALIZES void clear() { + // Iterating over this container is O(bucket_count()). When bucket_count() +@@ -1678,6 +1688,8 @@ class raw_hash_set { + auto m = NormalizeCapacity(n | GrowthToLowerboundCapacity(size())); + // n == 0 unconditionally rehashes as per the standard. + if (n == 0 || m > capacity_) { ++ ABSL_RAW_CHECK(m <= MaxValidCapacity(), ++ "Hash table size overflow"); + resize(m); + + // This is after resize, to ensure that we have completed the allocation +@@ -1688,6 +1700,7 @@ class raw_hash_set { + + void reserve(size_t n) { + if (n > size() + growth_left()) { ++ ABSL_RAW_CHECK(n <= max_size(), "Hash table size overflow"); + size_t m = GrowthToLowerboundCapacity(n); + resize(NormalizeCapacity(m)); + +diff --git a/absl/container/internal/raw_hash_set_test.cc b/absl/container/internal/raw_hash_set_test.cc +index f77ffbc..078bbad 100644 +--- a/absl/container/internal/raw_hash_set_test.cc ++++ b/absl/container/internal/raw_hash_set_test.cc +@@ -2181,6 +2181,14 @@ TEST(Table, AlignOne) { + } + } + ++TEST(Table, MaxSizeOverflow) { ++ size_t overflow = (std::numeric_limits::max)(); ++ EXPECT_DEATH_IF_SUPPORTED(IntTable t(overflow), "Hash table size overflow"); ++ IntTable t; ++ EXPECT_DEATH_IF_SUPPORTED(t.reserve(overflow), "Hash table size overflow"); ++ EXPECT_DEATH_IF_SUPPORTED(t.rehash(overflow), "Hash table size overflow"); ++} ++ + } // namespace + } // namespace container_internal + ABSL_NAMESPACE_END +-- +2.43.0 \ No newline at end of file