coreutils: fix CVE-2025-5278

Backport patch to fix CVE-2025-5278. The patch is adjusted to fit 9.0 version. And the test case is also adjusted to avoid using valgrind. valgrind in kirkstone is reporting errors for coreutils' sort utility with/without this patch. To avoid ptest failure, we disable valgrind explicitly. (From OE-Core rev: bb7dbb195b55d9aaa0180906843f5af2dcf7509f) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Chen Qi <Qi.Chen@windriver.com> 2025-07-14 12:58:31 +0800
committer: Steve Sakoman <steve@sakoman.com> 2025-07-18 08:32:26 -0700
commit: 7def40e0b15ea45ea46c1981024ee040f81e34c3 (patch)
tree: 6b306dd9a21ccf59886061966a41f308dc6de473
parent: be98aa95ada7d8d004f7e40533362eb1951bf7ff (diff)
download: poky-7def40e0b15ea45ea46c1981024ee040f81e34c3.tar.gz
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
new file mode 100644
index 0000000000..2f262ea0b5
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
@@ -0,0 +1,113 @@
+From ed9ae6a4a02d322378739a895ae2090ca2bf6cdc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: [PATCH] sort: fix buffer under-read (CWE-127)
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+CVE: CVE-2025-5278
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
+[Adjusted for 9.0 version and adjusted test case to not use valgrind.]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/misc/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/misc/sort-field-limit.sh
+diff --git a/src/sort.c b/src/sort.c
+index 5f4c817de..07b96d34b 100644
+--- a/src/sort.c
+++ b/src/sort.c
+@@ -1642,7 +1642,11 @@ begfield (struct line const *line, struct keyfield const *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
+  size_t remaining_bytes = lim - ptr;
+  if (schar < remaining_bytes)
+    ptr += schar;
+  else
+    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1743,7 +1747,11 @@ limfield (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
+      size_t remaining_bytes = lim - ptr;
+      if (echar < remaining_bytes)
+        ptr += echar;
+      else
+        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 228d0e368..ced85c44c 100644
+--- a/tests/local.mk
+++ b/tests/local.mk
+@@ -373,6 +373,7 @@ all_tests =                                 \
+   tests/misc/sort-debug-keys.sh                        \
+   tests/misc/sort-debug-warn.sh                        \
+   tests/misc/sort-discrim.sh                   \
+  tests/misc/sort-field-limit.sh               \
+   tests/misc/sort-files0-from.pl               \
+   tests/misc/sort-float.sh                     \
+   tests/misc/sort-h-thousands-sep.sh           \
+diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh
+new file mode 100755
+index 000000000..dc5b4c964
+--- /dev/null
+++ b/tests/misc/sort-field-limit.sh
+@@ -0,0 +1,35 @@
+#!/bin/sh
+# From 7.2-9.7, this would trigger an out of bounds mem read
+
+# Copyright (C) 2025 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+getlimits_
+
+# This issue triggers with valgrind or ASAN
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
+  VALGRIND='valgrind --error-exitcode=1'
+
+{ printf '%s\n' aa bb; } > in || framework_failure_
+
+_POSIX2_VERSION=200809 sort +0.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+_POSIX2_VERSION=200809 sort +1 -1.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+Exit $fail
+-- 
+2.34.1
diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb
index 1cce9192ec..7c975708f4 100644
--- a/meta/recipes-core/coreutils/coreutils_9.0.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
           file://0001-uname-report-processor-and-hardware-correctly.patch \
           file://0001-local.mk-fix-cross-compiling-problem.patch \
           file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
+           file://CVE-2025-5278.patch \
           file://run-ptest \
           file://0001-split-do-not-shrink-hold-buffer.patch \
           "
author	Chen Qi <Qi.Chen@windriver.com>	2025-07-14 12:58:31 +0800
committer	Steve Sakoman <steve@sakoman.com>	2025-07-18 08:32:26 -0700
commit	7def40e0b15ea45ea46c1981024ee040f81e34c3 (patch)
tree	6b306dd9a21ccf59886061966a41f308dc6de473
parent	be98aa95ada7d8d004f7e40533362eb1951bf7ff (diff)
download	poky-7def40e0b15ea45ea46c1981024ee040f81e34c3.tar.gz

diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch new file mode 100644 index 0000000000..2f262ea0b5 --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
@@ -0,0 +1,113 @@
		1	From ed9ae6a4a02d322378739a895ae2090ca2bf6cdc Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
		3	Date: Tue, 20 May 2025 16:03:44 +0100
		4	Subject: [PATCH] sort: fix buffer under-read (CWE-127)
		5
		6	* src/sort.c (begfield): Check pointer adjustment
		7	to avoid Out-of-range pointer offset (CWE-823).
		8	(limfield): Likewise.
		9	* tests/sort/sort-field-limit.sh: Add a new test,
		10	which triggers with ASAN or Valgrind.
		11	* tests/local.mk: Reference the new test.
		12	* NEWS: Mention bug fix introduced in v7.2 (2009).
		13	Fixes https://bugs.gnu.org/78507
		14
		15	CVE: CVE-2025-5278
		16
		17	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
		18	[Adjusted for 9.0 version and adjusted test case to not use valgrind.]
		19
		20	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		21	---
		22	src/sort.c \| 12 ++++++++++--
		23	tests/local.mk \| 1 +
		24	tests/misc/sort-field-limit.sh \| 35 ++++++++++++++++++++++++++++++++++
		25	3 files changed, 46 insertions(+), 2 deletions(-)
		26	create mode 100755 tests/misc/sort-field-limit.sh
		27
		28	diff --git a/src/sort.c b/src/sort.c
		29	index 5f4c817de..07b96d34b 100644
		30	--- a/src/sort.c
		31	+++ b/src/sort.c
		32	@@ -1642,7 +1642,11 @@ begfield (struct line const line, struct keyfield const key)
		33	++ptr;
		34
		35	/* Advance PTR by SCHAR (if possible), but no further than LIM. */
		36	- ptr = MIN (lim, ptr + schar);
		37	+ size_t remaining_bytes = lim - ptr;
		38	+ if (schar < remaining_bytes)
		39	+ ptr += schar;
		40	+ else
		41	+ ptr = lim;
		42
		43	return ptr;
		44	}
		45	@@ -1743,7 +1747,11 @@ limfield (struct line const line, struct keyfield const key)
		46	++ptr;
		47
		48	/* Advance PTR by ECHAR (if possible), but no further than LIM. */
		49	- ptr = MIN (lim, ptr + echar);
		50	+ size_t remaining_bytes = lim - ptr;
		51	+ if (echar < remaining_bytes)
		52	+ ptr += echar;
		53	+ else
		54	+ ptr = lim;
		55	}
		56
		57	return ptr;
		58	diff --git a/tests/local.mk b/tests/local.mk
		59	index 228d0e368..ced85c44c 100644
		60	--- a/tests/local.mk
		61	+++ b/tests/local.mk
		62	@@ -373,6 +373,7 @@ all_tests = \
		63	tests/misc/sort-debug-keys.sh \
		64	tests/misc/sort-debug-warn.sh \
		65	tests/misc/sort-discrim.sh \
		66	+ tests/misc/sort-field-limit.sh \
		67	tests/misc/sort-files0-from.pl \
		68	tests/misc/sort-float.sh \
		69	tests/misc/sort-h-thousands-sep.sh \
		70	diff --git a/tests/misc/sort-field-limit.sh b/tests/misc/sort-field-limit.sh
		71	new file mode 100755
		72	index 000000000..dc5b4c964
		73	--- /dev/null
		74	+++ b/tests/misc/sort-field-limit.sh
		75	@@ -0,0 +1,35 @@
		76	+#!/bin/sh
		77	+# From 7.2-9.7, this would trigger an out of bounds mem read
		78	+
		79	+# Copyright (C) 2025 Free Software Foundation, Inc.
		80	+
		81	+# This program is free software: you can redistribute it and/or modify
		82	+# it under the terms of the GNU General Public License as published by
		83	+# the Free Software Foundation, either version 3 of the License, or
		84	+# (at your option) any later version.
		85	+
		86	+# This program is distributed in the hope that it will be useful,
		87	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
		88	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		89	+# GNU General Public License for more details.
		90	+
		91	+# You should have received a copy of the GNU General Public License
		92	+# along with this program. If not, see <https://www.gnu.org/licenses/>.
		93	+
		94	+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
		95	+print_ver_ sort
		96	+getlimits_
		97	+
		98	+# This issue triggers with valgrind or ASAN
		99	+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
		100	+ VALGRIND='valgrind --error-exitcode=1'
		101	+
		102	+{ printf '%s\n' aa bb; } > in \|\| framework_failure_
		103	+
		104	+_POSIX2_VERSION=200809 sort +0.${SIZE_MAX}R in > out \|\| fail=1
		105	+compare in out \|\| fail=1
		106	+
		107	+_POSIX2_VERSION=200809 sort +1 -1.${SIZE_MAX}R in > out \|\| fail=1
		108	+compare in out \|\| fail=1
		109	+
		110	+Exit $fail
		111	--
		112	2.34.1
		113


diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb index 1cce9192ec..7c975708f4 100644 --- a/meta/recipes-core/coreutils/coreutils_9.0.bb +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
19	file://0001-uname-report-processor-and-hardware-correctly.patch \	19	file://0001-uname-report-processor-and-hardware-correctly.patch \
20	file://0001-local.mk-fix-cross-compiling-problem.patch \	20	file://0001-local.mk-fix-cross-compiling-problem.patch \
21	file://e8b56ebd536e82b15542a00c888109471936bfda.patch \	21	file://e8b56ebd536e82b15542a00c888109471936bfda.patch \
		22	file://CVE-2025-5278.patch \
22	file://run-ptest \	23	file://run-ptest \
23	file://0001-split-do-not-shrink-hold-buffer.patch \	24	file://0001-split-do-not-shrink-hold-buffer.patch \
24	"	25	"