capnproto: Fix CVE-2022-46149

This patch contains a fix for CVE-2022-46149

Patch backported from :
https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 52 insertions, 1 deletions

diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
index cb748d3cb6..fa1751e566 100644
--- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
+++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb
@@ -5,7 +5,9 @@ SECTION = "console/tools"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9"
 
-SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https"
+SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \
+           file://CVE-2022-46149.patch \
+"
 SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19"
 
 S = "${WORKDIR}/git/c++"
diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
new file mode 100644
index 0000000000..b6b1fa6514
--- /dev/null
+++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch
@@ -0,0 +1,49 @@
+From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001
+From: Kenton Varda <kenton@cloudflare.com>
+Date: Wed, 23 Nov 2022 12:02:29 -0600
+Subject: [PATCH] Apply data offset for list-of-pointers at access time rather
+ than ListReader creation time.
+
+Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected.
+
+CVE: CVE-2022-46149
+Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+---
+ c++/src/capnp/layout.c++ | 4 ----
+ c++/src/capnp/layout.h   | 6 +++++-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+Index: c++/src/capnp/layout.c++
+===================================================================
+--- c++.orig/src/capnp/layout.c++
++++ c++/src/capnp/layout.c++
+@@ -2322,10 +2322,6 @@ struct WireHelpers {
+             break;
+ 
+           case ElementSize::POINTER:
+-            // We expected a list of pointers but got a list of structs.  Assuming the first field
+-            // in the struct is the pointer we were looking for, we want to munge the pointer to
+-            // point at the first element's pointer section.
+-            ptr += tag->structRef.dataSize.get();
+             KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS,
+                        "Expected a pointer list, but got a list of data-only structs.") {
+               goto useDefault;
+Index: c++/src/capnp/layout.h
+===================================================================
+--- c++.orig/src/capnp/layout.h
++++ c++/src/capnp/layout.h
+@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V
+ }
+ 
+ inline PointerReader ListReader::getPointerElement(ElementCount index) const {
++  // If the list elements have data sections we need to skip those. Note that for pointers to be
++  // present at all (which already must be true if we get here), then `structDataSize` must be a
++  // whole number of words, so we don't have to worry about unaligned reads here.
++  auto offset = structDataSize / BITS_PER_BYTE;
+   return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>(
+-      ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
++      ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit);
+ }
+ 
+ // -------------------------------------------------------------------