From: "Petr Vaněk" <arkamar@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-libs/musl/, sys-libs/musl/files/
Date: Thu, 13 Feb 2025 17:43:27 +0000 (UTC)	[thread overview]
Message-ID: <1739468485.01ca451abdf7ec4899053d0fb355403f5809bd11.arkamar@gentoo> (raw)

commit:     01ca451abdf7ec4899053d0fb355403f5809bd11
Author:     Petr Vaněk <arkamar <AT> gentoo <DOT> org>
AuthorDate: Thu Feb 13 17:32:28 2025 +0000
Commit:     Petr Vaněk <arkamar <AT> gentoo <DOT> org>
CommitDate: Thu Feb 13 17:41:25 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01ca451a

sys-libs/musl: fix for input-controlled out-of-bounds write in iconv

Bug: https://bugs.gentoo.org/949712
Signed-off-by: Petr Vaněk <arkamar <AT> gentoo.org>

 .../musl/files/musl-iconv-out-of-bound-fix.patch   |  76 ++++++++
 sys-libs/musl/musl-1.2.5-r3.ebuild                 | 210 +++++++++++++++++++++
 2 files changed, 286 insertions(+)

diff --git a/sys-libs/musl/files/musl-iconv-out-of-bound-fix.patch b/sys-libs/musl/files/musl-iconv-out-of-bound-fix.patch
new file mode 100644
index 000000000000..762b4e34c160
--- /dev/null
+++ b/sys-libs/musl/files/musl-iconv-out-of-bound-fix.patch
@@ -0,0 +1,76 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+2.21.0
+
+
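Review bot: The new patch file records nothing about where its two commits come from: each part opens with a `>From e5adcd97...` / `>From c47ad25e...` line, which looks like mbox quoting left over from saving the mails, and the file names neither the Gentoo bug nor the upstream repository. For a fix to an input-controlled out-of-bounds write in libc's iconv(), that provenance belongs in the file, so a later version bump can tell whether the release already contains both commits. A short header before the first part would do, for example `https://bugs.gentoo.org/949712` followed by `Upstream commits: e5adcd97b519, c47ad25ea3b4`, with the leading `>` dropped from the two `From` lines. The embedded C hunks appear to be upstream's commits unmodified, so no change to them is suggested.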

diff --git a/sys-libs/musl/musl-1.2.5-r3.ebuild b/sys-libs/musl/musl-1.2.5-r3.ebuild
new file mode 100644
index 000000000000..3f1b438effb6
--- /dev/null
+++ b/sys-libs/musl/musl-1.2.5-r3.ebuild
@@ -0,0 +1,210 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit crossdev flag-o-matic toolchain-funcs prefix
+
+DESCRIPTION="Light, fast and, simple C library focused on standards-conformance and safety"
+HOMEPAGE="https://musl.libc.org"
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://git.musl-libc.org/git/musl"
+	inherit git-r3
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/musl.asc
+	inherit verify-sig
+
+	SRC_URI="https://musl.libc.org/releases/${P}.tar.gz"
+	SRC_URI+=" verify-sig? ( https://musl.libc.org/releases/${P}.tar.gz.asc )"
+	KEYWORDS="-* ~amd64 ~arm ~arm64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
+
+	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-musl )"
+fi
+
+GETENT_COMMIT="93a08815f8598db442d8b766b463d0150ed8e2ab"
+GETENT_FILE="musl-getent-${GETENT_COMMIT}.c"
+SRC_URI+="
+	https://dev.gentoo.org/~blueness/musl-misc/getconf.c
+	https://gitlab.alpinelinux.org/alpine/aports/-/raw/${GETENT_COMMIT}/main/musl/getent.c -> ${GETENT_FILE}
+	https://dev.gentoo.org/~blueness/musl-misc/iconv.c
+"
+
+LICENSE="MIT LGPL-2 GPL-2"
+SLOT="0"
+IUSE="crypt headers-only split-usr"
+
+QA_SONAME="usr/lib/libc.so"
+QA_DT_NEEDED="usr/lib/libc.so"
+# bug #830213
+QA_PRESTRIPPED="usr/lib/crtn.o"
+
+# We want crypt on by default for this as sys-libs/libxcrypt isn't (yet?)
+# built as part as crossdev. Also, elide the blockers when in cross-*,
+# as it doesn't make sense to block the normal CBUILD libxcrypt at all
+# there when we're installing into /usr/${CHOST} anyway.
+if is_crosspkg ; then
+	IUSE="${IUSE/crypt/+crypt}"
+else
+	RDEPEND="crypt? ( !sys-libs/libxcrypt[system] )"
+	PDEPEND="!crypt? ( sys-libs/libxcrypt[system] )"
+fi
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.2.4-arm64-crti-alignment.patch
+	"${FILESDIR}"/${PN}-sched.h-reduce-namespace-conflicts.patch
+	"${FILESDIR}"/${PN}-iconv-out-of-bound-fix.patch
+)
+
+just_headers() {
+	use headers-only && target_is_not_host
+}
+
+pkg_setup() {
+	if [[ ${CTARGET} == ${CHOST} ]] ; then
+		case ${CHOST} in
+			*-musl*) ;;
+			*) die "Use sys-devel/crossdev to build a musl toolchain" ;;
+		esac
+	fi
+
+	# Fix for bug #667126, copied from glibc ebuild:
+	# make sure host make.conf doesn't pollute us
+	if target_is_not_host || tc-is-cross-compiler ; then
+		CHOST=${CTARGET} strip-unsupported-flags
+	fi
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999 ]] ; then
+		git-r3_src_unpack
+	elif use verify-sig ; then
+		# We only verify the release; not the additional (fixed, safe) files
+		# we download.
+		# (Seem to get IPC error on verifying in cross?)
+		! target_is_not_host && verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	default
+
+	mkdir "${WORKDIR}"/misc || die
+	cp "${DISTDIR}"/getconf.c "${WORKDIR}"/misc/getconf.c || die
+	cp "${DISTDIR}/${GETENT_FILE}" "${WORKDIR}"/misc/getent.c || die
+	cp "${DISTDIR}"/iconv.c "${WORKDIR}"/misc/iconv.c || die
+}
+
+src_configure() {
+	strip-flags && filter-lto # Prevent issues caused by aggressive optimizations & bug #877343
+	tc-getCC ${CTARGET}
+
+	just_headers && export CC=true
+
+	local sysroot
+	target_is_not_host && sysroot=/usr/${CTARGET}
+	./configure \
+		--target=${CTARGET} \
+		--prefix="${EPREFIX}${sysroot}/usr" \
+		--syslibdir="${EPREFIX}${sysroot}/lib" \
+		--disable-gcc-wrapper || die
+}
+
+src_compile() {
+	emake obj/include/bits/alltypes.h
+	just_headers && return 0
+
+	emake
+	if ! is_crosspkg ; then
+		emake -C "${T}" getconf getent iconv \
+			CC="$(tc-getCC)" \
+			CFLAGS="${CFLAGS}" \
+			CPPFLAGS="${CPPFLAGS}" \
+			LDFLAGS="${LDFLAGS}" \
+			VPATH="${WORKDIR}/misc"
+	fi
+
+	$(tc-getCC) ${CPPFLAGS} ${CFLAGS} -c -o libssp_nonshared.o "${FILESDIR}"/stack_chk_fail_local.c || die
+	$(tc-getAR) -rcs libssp_nonshared.a libssp_nonshared.o || die
+}
+
+src_install() {
+	local target="install"
+	just_headers && target="install-headers"
+	emake DESTDIR="${D}" ${target}
+	just_headers && return 0
+
+	# musl provides ldd via a sym link to its ld.so
+	local sysroot=
+	target_is_not_host && sysroot=/usr/${CTARGET}
+	local ldso=$(basename "${ED}${sysroot}"/lib/ld-musl-*)
+	dosym -r "${sysroot}/lib/${ldso}" "${sysroot}/usr/bin/ldd"
+
+	if ! use crypt ; then
+		# Allow sys-libs/libxcrypt[system] to provide it instead
+		rm "${ED}${sysroot}/usr/include/crypt.h" || die
+		rm "${ED}${sysroot}"/usr/*/libcrypt.a || die
+	fi
+
+	if ! is_crosspkg ; then
+		# Fish out of config:
+		#   ARCH = ...
+		#   SUBARCH = ...
+		# and print $(ARCH)$(SUBARCH).
+		local arch=$(awk '{ k[$1] = $3 } END { printf("%s%s", k["ARCH"], k["SUBARCH"]); }' config.mak)
+
+		# The musl build system seems to create a symlink:
+		# ${D}/lib/ld-musl-${arch}.so.1 -> /usr/lib/libc.so.1 (absolute)
+		# During cross or within prefix, there's no guarantee that the host is
+		# using musl so that file may not exist. Use a relative symlink within
+		# ${D} instead.
+		rm "${ED}"/lib/ld-musl-${arch}.so.1 || die
+		if use split-usr; then
+			dosym ../usr/lib/libc.so /lib/ld-musl-${arch}.so.1
+			# If it's still a dead symlink, OK, we really do need to abort.
+			[[ -e "${ED}"/lib/ld-musl-${arch}.so.1 ]] || die
+		else
+			dosym libc.so /usr/lib/ld-musl-${arch}.so.1
+			[[ -e "${ED}"/usr/lib/ld-musl-${arch}.so.1 ]] || die
+		fi
+
+		cp "${FILESDIR}"/ldconfig.in-r3 "${T}"/ldconfig.in || die
+		sed -e "s|@@ARCH@@|${arch}|" "${T}"/ldconfig.in > "${T}"/ldconfig || die
+		eprefixify "${T}"/ldconfig
+		into /
+		dosbin "${T}"/ldconfig
+		into /usr
+		dobin "${T}"/getconf
+		dobin "${T}"/getent
+		dobin "${T}"/iconv
+		newenvd - "00musl" <<-EOF
+		# 00musl autogenerated by sys-libs/musl ebuild; DO NOT EDIT.
+		LDPATH="include ld.so.conf.d/*.conf"
+		EOF
+	fi
+
+	if target_is_not_host ; then
+		into /usr/${CTARGET}
+		dolib.a libssp_nonshared.a
+	else
+		dolib.a libssp_nonshared.a
+	fi
+}
+
+pkg_preinst() {
+	# Nothing to do if just installing headers
+	just_headers && return
+
+	# Prepare /etc/ld.so.conf.d/ for files
+	mkdir -p "${EROOT}"/etc/ld.so.conf.d
+}
+
+pkg_postinst() {
+	target_is_not_host && return 0
+
+	[[ -n "${ROOT}" ]] && return 0
+
+	ldconfig || die
+}
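Review bot: In src_unpack, `! target_is_not_host && verify-sig_verify_detached ...` silently skips the OpenPGP check of the release tarball on cross targets, even with USE=verify-sig enabled. The nearby comment mentions an IPC error in cross builds, but a user who enabled verify-sig gets no indication that the signature was never checked, on a revision whose purpose is a security fix. At minimum make the skip visible, e.g. `target_is_not_host && ewarn "Skipping OpenPGP verification of ${P}.tar.gz for cross target ${CTARGET}"`. Distfile integrity is presumably still covered by the Manifest digests, which are not part of this diff, so this concerns the authenticity check only.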

