[PATCH 0/4] zlib: Address CVE-2016-9841
Hi,
it looks like that only CVE-2016-9841 is not fixed and this series is trying to address it. The first two patches are just preparation based on changes which happened in past. The third one is actual fix and the last one is following what has been done in Linux kernel long time ago and don't use incorrect zlib version string.
I tested it with and I can't see any issue. ./test/py/test.py --bd sandbox --build -s
And gitlab CI is also not showing any issue.
Thanks, Michal
Michal Simek (4): zlib: Rename this variable to here (current decoding table entry) zlib: Rename write variable to wnext (window write index) zlib: Port fix for CVE-2016-9841 to U-Boot zlib: Remove incorrect ZLIB_VERSION
include/u-boot/zlib.h | 16 ++-- lib/gzip.c | 2 +- lib/zlib/deflate.c | 13 +--- lib/zlib/inffast.c | 176 ++++++++++++++++-------------------------- lib/zlib/inflate.c | 31 ++++---- lib/zlib/inflate.h | 2 +- lib/zlib/zutil.c | 1 - 7 files changed, 90 insertions(+), 151 deletions(-)
There is no particular patch/description which described the reason for this change but it was done as the part of zlib 1.2.3.5 release done by zlib commit 639be997883d ("zlib 1.2.3.3") It is preparation for followup patch.
Signed-off-by: Michal Simek michal.simek@amd.com ---
lib/zlib/inffast.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/lib/zlib/inffast.c b/lib/zlib/inffast.c index e3c7f3b892bb..d61cf0e72af4 100644 --- a/lib/zlib/inffast.c +++ b/lib/zlib/inffast.c @@ -88,7 +88,7 @@ void inflate_fast(z_streamp strm, unsigned start) code const FAR *dcode; /* local strm->distcode */ unsigned lmask; /* mask for first level of length codes */ unsigned dmask; /* mask for first level of distance codes */ - code this; /* retrieved table entry */ + code here; /* retrieved table entry */ unsigned op; /* code bits, operation, extra bits, or */ /* window position, window bytes to copy */ unsigned len; /* match length, unused bytes */ @@ -133,20 +133,20 @@ void inflate_fast(z_streamp strm, unsigned start) hold += (unsigned long)(PUP(in)) << bits; bits += 8; } - this = lcode[hold & lmask]; + here = lcode[hold & lmask]; dolen: - op = (unsigned)(this.bits); + op = (unsigned)(here.bits); hold >>= op; bits -= op; - op = (unsigned)(this.op); + op = (unsigned)(here.op); if (op == 0) { /* literal */ - Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ? + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? "inflate: literal '%c'\n" : - "inflate: literal 0x%02x\n", this.val)); - PUP(out) = (unsigned char)(this.val); + "inflate: literal 0x%02x\n", here.val)); + PUP(out) = (unsigned char)(here.val); } else if (op & 16) { /* length base */ - len = (unsigned)(this.val); + len = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (op) { if (bits < op) { @@ -164,14 +164,14 @@ void inflate_fast(z_streamp strm, unsigned start) hold += (unsigned long)(PUP(in)) << bits; bits += 8; } - this = dcode[hold & dmask]; + here = dcode[hold & dmask]; dodist: - op = (unsigned)(this.bits); + op = (unsigned)(here.bits); hold >>= op; bits -= op; - op = (unsigned)(this.op); + op = (unsigned)(here.op); if (op & 16) { /* distance base */ - dist = (unsigned)(this.val); + dist = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (bits < op) { hold += (unsigned long)(PUP(in)) << bits; @@ -297,7 +297,7 @@ void inflate_fast(z_streamp strm, unsigned start) } } else if ((op & 64) == 0) { /* 2nd level distance code */ - this = dcode[this.val + (hold & ((1U << op) - 1))]; + here = dcode[here.val + (hold & ((1U << op) - 1))]; goto dodist; } else { @@ -307,7 +307,7 @@ void inflate_fast(z_streamp strm, unsigned start) } } else if ((op & 64) == 0) { /* 2nd level length code */ - this = lcode[this.val + (hold & ((1U << op) - 1))]; + here = lcode[here.val + (hold & ((1U << op) - 1))]; goto dolen; } else if (op & 32) { /* end-of-block */
There is no particular patch/description which described the reason for this change but it was done as the part of zlib 1.2.3.5 release done by zlib commit d004b047838a ("zlib 1.2.3.5"). It is preparation for followup patch.
Signed-off-by: Michal Simek michal.simek@amd.com ---
lib/zlib/inffast.c | 20 ++++++++++---------- lib/zlib/inflate.c | 22 +++++++++++----------- lib/zlib/inflate.h | 2 +- 3 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/lib/zlib/inffast.c b/lib/zlib/inffast.c index d61cf0e72af4..bdaa6d0dc51f 100644 --- a/lib/zlib/inffast.c +++ b/lib/zlib/inffast.c @@ -80,7 +80,7 @@ void inflate_fast(z_streamp strm, unsigned start) #endif unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ - unsigned write; /* window write index */ + unsigned wnext; /* window write index */ unsigned char FAR *window; /* allocated sliding window, if wsize != 0 */ unsigned long hold; /* local strm->hold */ unsigned bits; /* local strm->bits */ @@ -115,7 +115,7 @@ void inflate_fast(z_streamp strm, unsigned start) #endif wsize = state->wsize; whave = state->whave; - write = state->write; + wnext = state->wnext; window = state->window; hold = state->hold; bits = state->bits; @@ -201,7 +201,7 @@ void inflate_fast(z_streamp strm, unsigned start) break; } from = window - OFF; - if (write == 0) { /* very common case */ + if (wnext == 0) { /* very common case */ from += wsize - op; if (op < len) { /* some from window */ len -= op; @@ -211,17 +211,17 @@ void inflate_fast(z_streamp strm, unsigned start) from = out - dist; /* rest from output */ } } - else if (write < op) { /* wrap around window */ - from += wsize + write - op; - op -= write; + else if (wnext < op) { /* wrap around window */ + from += wsize + wnext - op; + op -= wnext; if (op < len) { /* some from end of window */ len -= op; do { PUP(out) = PUP(from); } while (--op); from = window - OFF; - if (write < len) { /* some from start of window */ - op = write; + if (wnext < len) { /* some from start of window */ + op = wnext; len -= op; do { PUP(out) = PUP(from); @@ -231,7 +231,7 @@ void inflate_fast(z_streamp strm, unsigned start) } } else { /* contiguous in window */ - from += write - op; + from += wnext - op; if (op < len) { /* some from window */ len -= op; do { @@ -343,7 +343,7 @@ void inflate_fast(z_streamp strm, unsigned start) inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe): - Using bit fields for code structure - Different op definition to avoid & for extra bits (do & for table bits) - - Three separate decoding do-loops for direct, window, and write == 0 + - Three separate decoding do-loops for direct, window, and wnext == 0 - Special case for distance > 1 copies to do overlapped load and store copy - Explicit branch predictions (based on measured branch probabilities) - Deferring match copy and interspersed it with decoding subsequent codes diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c index 8f767b7b9d2d..79c9e991aa33 100644 --- a/lib/zlib/inflate.c +++ b/lib/zlib/inflate.c @@ -21,7 +21,7 @@ int ZEXPORT inflateReset(z_streamp strm) state->head = Z_NULL; state->wsize = 0; state->whave = 0; - state->write = 0; + state->wnext = 0; state->hold = 0; state->bits = 0; state->lencode = state->distcode = state->next = state->codes; @@ -115,7 +115,7 @@ local int updatewindow(z_streamp strm, unsigned out) /* if window not in use yet, initialize */ if (state->wsize == 0) { state->wsize = 1U << state->wbits; - state->write = 0; + state->wnext = 0; state->whave = 0; }
@@ -123,22 +123,22 @@ local int updatewindow(z_streamp strm, unsigned out) copy = out - strm->avail_out; if (copy >= state->wsize) { zmemcpy(state->window, strm->next_out - state->wsize, state->wsize); - state->write = 0; + state->wnext = 0; state->whave = state->wsize; } else { - dist = state->wsize - state->write; + dist = state->wsize - state->wnext; if (dist > copy) dist = copy; - zmemcpy(state->window + state->write, strm->next_out - copy, dist); + zmemcpy(state->window + state->wnext, strm->next_out - copy, dist); copy -= dist; if (copy) { zmemcpy(state->window, strm->next_out - copy, copy); - state->write = copy; + state->wnext = copy; state->whave = state->wsize; } else { - state->write += dist; - if (state->write == state->wsize) state->write = 0; + state->wnext += dist; + if (state->wnext == state->wsize) state->wnext = 0; if (state->whave < state->wsize) state->whave += dist; } } @@ -823,12 +823,12 @@ int ZEXPORT inflate(z_streamp strm, int flush) copy = out - left; if (state->offset > copy) { /* copy from window */ copy = state->offset - copy; - if (copy > state->write) { - copy -= state->write; + if (copy > state->wnext) { + copy -= state->wnext; from = state->window + (state->wsize - copy); } else - from = state->window + (state->write - copy); + from = state->window + (state->wnext - copy); if (copy > state->length) copy = state->length; } else { /* copy from output */ diff --git a/lib/zlib/inflate.h b/lib/zlib/inflate.h index 07bd3e78a7c7..2657d611cda3 100644 --- a/lib/zlib/inflate.h +++ b/lib/zlib/inflate.h @@ -88,7 +88,7 @@ struct inflate_state { unsigned wbits; /* log base 2 of requested window size */ unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ - unsigned write; /* window write index */ + unsigned wnext; /* window write index */ unsigned char FAR *window; /* allocated sliding window, if needed */ /* bit accumulator */ unsigned long hold; /* input bit accumulator */
The patch corresponds to zlib commit at https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380ce... which declares that it is fixing CVE-2016-9841. Here is c&p description from zlib: "Use post-increment only in inffast.c.
An old inffast.c optimization turns out to not be optimal anymore with modern compilers, and furthermore was not compliant with the C standard, for which decrementing a pointer before its allocated memory is undefined. Per the recommendation of a security audit of the zlib code by Trail of Bits and TrustInSoft, in support of the Mozilla Foundation, this "optimization" was removed, in order to avoid the possibility of undefined behavior."
Origin patch also updates the code when INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR is present but this code is not the part of U-Boot hence it is ignored. Also do not deal with state->sane variable which requires other changes which are also not the part of zlib.
Commit 92faa8b10918 ("zlib: handle overflow while calculating available stream input size") is kept in inffast.c too not to break described case.
Signed-off-by: Michal Simek michal.simek@amd.com ---
The first attempt to fix this is here. https://patchwork.ozlabs.org/project/uboot/patch/20220911084637.21513-1-jit.... --- lib/zlib/inffast.c | 130 +++++++++++++++------------------------------ 1 file changed, 42 insertions(+), 88 deletions(-)
diff --git a/lib/zlib/inffast.c b/lib/zlib/inffast.c index bdaa6d0dc51f..5e2a65ad4d27 100644 --- a/lib/zlib/inffast.c +++ b/lib/zlib/inffast.c @@ -1,5 +1,5 @@ /* inffast.c -- fast decoding - * Copyright (C) 1995-2004 Mark Adler + * Copyright (C) 1995-2008, 2010, 2013 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */
@@ -12,25 +12,6 @@
#ifndef ASMINF
-/* Allow machine dependent optimization for post-increment or pre-increment. - Based on testing to date, - Pre-increment preferred for: - - PowerPC G3 (Adler) - - MIPS R5000 (Randers-Pehrson) - Post-increment preferred for: - - none - No measurable difference: - - Pentium III (Anderson) - - M68060 (Nikl) - */ -#ifdef POSTINC -# define OFF 0 -# define PUP(a) *(a)++ -#else -# define OFF 1 -# define PUP(a) *++(a) -#endif - /* Decode literal, length, and distance codes and write out the resulting literal and match bytes until either not enough input or output is @@ -66,12 +47,13 @@ requires strm->avail_out >= 258 for each loop to avoid checking for output space. */ -void inflate_fast(z_streamp strm, unsigned start) -/* start: inflate()'s starting value for strm->avail_out */ +void ZLIB_INTERNAL inflate_fast(strm, start) +z_streamp strm; +unsigned start; /* inflate()'s starting value for strm->avail_out */ { struct inflate_state FAR *state; - unsigned char FAR *in; /* local strm->next_in */ - unsigned char FAR *last; /* while in < last, enough input available */ + z_const unsigned char FAR *in; /* local strm->next_in */ + z_const unsigned char FAR *last; /* have enough input while in < last */ unsigned char FAR *out; /* local strm->next_out */ unsigned char FAR *beg; /* inflate()'s initial strm->next_out */ unsigned char FAR *end; /* while out < end, enough space available */ @@ -97,7 +79,7 @@ void inflate_fast(z_streamp strm, unsigned start)
/* copy state to local variables */ state = (struct inflate_state FAR *)strm->state; - in = strm->next_in - OFF; + in = strm->next_in; last = in + (strm->avail_in - 5); if (in > last && strm->avail_in > 5) { /* @@ -107,7 +89,7 @@ void inflate_fast(z_streamp strm, unsigned start) strm->avail_in = 0xffffffff - (uintptr_t)in; last = in + (strm->avail_in - 5); } - out = strm->next_out - OFF; + out = strm->next_out; beg = out - (start - strm->avail_out); end = out + (strm->avail_out - 257); #ifdef INFLATE_STRICT @@ -128,9 +110,9 @@ void inflate_fast(z_streamp strm, unsigned start) input data or output space */ do { if (bits < 15) { - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; } here = lcode[hold & lmask]; @@ -143,14 +125,14 @@ void inflate_fast(z_streamp strm, unsigned start) Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? "inflate: literal '%c'\n" : "inflate: literal 0x%02x\n", here.val)); - PUP(out) = (unsigned char)(here.val); + *out++ = (unsigned char)(here.val); } else if (op & 16) { /* length base */ len = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (op) { if (bits < op) { - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; } len += (unsigned)hold & ((1U << op) - 1); @@ -159,9 +141,9 @@ void inflate_fast(z_streamp strm, unsigned start) } Tracevv((stderr, "inflate: length %u\n", len)); if (bits < 15) { - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; } here = dcode[hold & dmask]; @@ -174,10 +156,10 @@ void inflate_fast(z_streamp strm, unsigned start) dist = (unsigned)(here.val); op &= 15; /* number of extra bits */ if (bits < op) { - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; if (bits < op) { - hold += (unsigned long)(PUP(in)) << bits; + hold += (unsigned long)(*in++) << bits; bits += 8; } } @@ -196,17 +178,18 @@ void inflate_fast(z_streamp strm, unsigned start) if (dist > op) { /* see if copy from window */ op = dist - op; /* distance back in window */ if (op > whave) { - strm->msg = (char *)"invalid distance too far back"; + strm->msg = + (char *)"invalid distance too far back"; state->mode = BAD; break; } - from = window - OFF; + from = window; if (wnext == 0) { /* very common case */ from += wsize - op; if (op < len) { /* some from window */ len -= op; do { - PUP(out) = PUP(from); + *out++ = *from++; } while (--op); from = out - dist; /* rest from output */ } @@ -217,14 +200,14 @@ void inflate_fast(z_streamp strm, unsigned start) if (op < len) { /* some from end of window */ len -= op; do { - PUP(out) = PUP(from); + *out++ = *from++; } while (--op); - from = window - OFF; + from = window; if (wnext < len) { /* some from start of window */ op = wnext; len -= op; do { - PUP(out) = PUP(from); + *out++ = *from++; } while (--op); from = out - dist; /* rest from output */ } @@ -235,65 +218,36 @@ void inflate_fast(z_streamp strm, unsigned start) if (op < len) { /* some from window */ len -= op; do { - PUP(out) = PUP(from); + *out++ = *from++; } while (--op); from = out - dist; /* rest from output */ } } while (len > 2) { - PUP(out) = PUP(from); - PUP(out) = PUP(from); - PUP(out) = PUP(from); + *out++ = *from++; + *out++ = *from++; + *out++ = *from++; len -= 3; } if (len) { - PUP(out) = PUP(from); + *out++ = *from++; if (len > 1) - PUP(out) = PUP(from); + *out++ = *from++; } } else { - unsigned short *sout; - unsigned long loops; - from = out - dist; /* copy direct from output */ - /* minimum length is three */ - /* Align out addr */ - if (!((long)(out - 1 + OFF) & 1)) { - PUP(out) = PUP(from); - len--; - } - sout = (unsigned short *)(out - OFF); - if (dist > 2 ) { - unsigned short *sfrom; - - sfrom = (unsigned short *)(from - OFF); - loops = len >> 1; - do - PUP(sout) = get_unaligned(++sfrom); - while (--loops); - out = (unsigned char *)sout + OFF; - from = (unsigned char *)sfrom + OFF; - } else { /* dist == 1 or dist == 2 */ - unsigned short pat16; - - pat16 = *(sout-2+2*OFF); - if (dist == 1) -#if defined(__BIG_ENDIAN) - pat16 = (pat16 & 0xff) | ((pat16 & 0xff ) << 8); -#elif defined(__LITTLE_ENDIAN) - pat16 = (pat16 & 0xff00) | ((pat16 & 0xff00 ) >> 8); -#else -#error __BIG_ENDIAN nor __LITTLE_ENDIAN is defined -#endif - loops = len >> 1; - do - PUP(sout) = pat16; - while (--loops); - out = (unsigned char *)sout + OFF; - } - if (len & 1) - PUP(out) = PUP(from); + do { /* minimum length is three */ + *out++ = *from++; + *out++ = *from++; + *out++ = *from++; + len -= 3; + } while (len > 2); + if (len) { + *out++ = *from++; + if (len > 1) + *out++ = *from++; + } } } else if ((op & 64) == 0) { /* 2nd level distance code */ @@ -329,8 +283,8 @@ void inflate_fast(z_streamp strm, unsigned start) hold &= (1U << bits) - 1;
/* update state and return */ - strm->next_in = in + OFF; - strm->next_out = out + OFF; + strm->next_in = in; + strm->next_out = out; strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); strm->avail_out = (unsigned)(out < end ? 257 + (end - out) : 257 - (out - end));
Get rid of zlib version which is not correct because of U-Boot related changes and various CVE backports.
The change in inspired by Linux kernel commit 4f3865fb57a0 ("[PATCH] zlib_inflate: Upgrade library code to a recent version") which described ZLIB_VERSION removal as
"This patch also removes ZLIB_VERSION as it no longer has a correct value. We don't need version checks anyway as the kernel's module handling will take care of that for us. This removal is also more in keeping with the zlib author's wishes (http://www.zlib.net/zlib_faq.html#faq24) and I've added something to the zlib.h header to note its a modified version."
Author describes wish to follow this guidance at https://www.zlib.net/zlib_faq.html#faq24: "The license says that altered source versions must be "plainly marked". So what exactly do I need to do to meet that requirement?
You need to change the ZLIB_VERSION and ZLIB_VERNUM #defines in zlib.h. In particular, the final version number needs to be changed to f, and an identification string should be appended to ZLIB_VERSION. Version numbers x.x.x.f are reserved for modifications to zlib by others than the zlib maintainers. For example, if the version of the base zlib you are altering is 1.2.3.4, then in zlib.h you should change ZLIB_VERNUM to 0x123f, and ZLIB_VERSION to something like 1.2.3.f-zachary-mods-v3. You can also update the version strings in deflate.c and inftrees.c."
But U-Boot is not exact version that's why following the same style which has been used by Linux kernel where ZLIB_VERSION is completely removed.
Signed-off-by: Michal Simek michal.simek@amd.com ---
--- include/u-boot/zlib.h | 16 ++++++---------- lib/gzip.c | 2 +- lib/zlib/deflate.c | 13 +++---------- lib/zlib/inflate.c | 9 +++------ lib/zlib/zutil.c | 1 - 5 files changed, 13 insertions(+), 28 deletions(-)
diff --git a/include/u-boot/zlib.h b/include/u-boot/zlib.h index a33cc8780d33..ee19f4609588 100644 --- a/include/u-boot/zlib.h +++ b/include/u-boot/zlib.h @@ -49,9 +49,6 @@ extern "C" { #endif
-#define ZLIB_VERSION "1.2.3" -#define ZLIB_VERNUM 0x1230 - /* #include "zconf.h" */ /* included directly here */ /* zconf.h -- configuration of the zlib compression library * Copyright (C) 1995-2005 Jean-loup Gailly. @@ -484,7 +481,6 @@ typedef gz_header FAR *gz_headerp; #define Z_DATA_ERROR (-3) #define Z_MEM_ERROR (-4) #define Z_BUF_ERROR (-5) -#define Z_VERSION_ERROR (-6) /* Return codes for the compression/decompression functions. Negative * values are errors, positive values are used for special but normal events. */ @@ -523,11 +519,11 @@ typedef gz_header FAR *gz_headerp;
ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush)); ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level, - const char *version, int stream_size)); + int stream_size)); ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm)); ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int level, int method, int windowBits, int memLevel, - int strategy, const char *version, + int strategy, int stream_size)); ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm)); ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm, @@ -553,7 +549,7 @@ ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm, - const char *version, int stream_size)); + int stream_size)); ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush)); /* inflate decompresses as much data as possible, and stops when the input @@ -743,11 +739,11 @@ ZEXTERN int ZEXPORT uncompress2 OF((Bytef *dest, uLongf *destLen, */
ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int windowBits, - const char *version, int stream_size)); + int stream_size)); #define inflateInit(strm) \ - inflateInit_((strm), ZLIB_VERSION, sizeof(z_stream)) + inflateInit_((strm), sizeof(z_stream)) #define inflateInit2(strm, windowBits) \ - inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream)) + inflateInit2_((strm), (windowBits), sizeof(z_stream))
#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL) struct internal_state {int dummy;}; /* hack for buggy compilers */ diff --git a/lib/gzip.c b/lib/gzip.c index 5d9c19598d5e..a9a3df524de1 100644 --- a/lib/gzip.c +++ b/lib/gzip.c @@ -67,7 +67,7 @@ int zzip(void *dst, unsigned long *lenp, unsigned char *src,
r = deflateInit2_(&s, Z_BEST_SPEED, Z_DEFLATED, window, DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY, - ZLIB_VERSION, sizeof(z_stream)); + sizeof(z_stream)); if (r != Z_OK) { printf ("Error: deflateInit2_() returned %d\n", r); return -1; diff --git a/lib/zlib/deflate.c b/lib/zlib/deflate.c index 4549f4dc12a0..7e1ed4f9b20a 100644 --- a/lib/zlib/deflate.c +++ b/lib/zlib/deflate.c @@ -196,37 +196,30 @@ struct static_tree_desc_s {int dummy;}; /* for buggy compilers */ zmemzero((Bytef *)s->head, (unsigned)(s->hash_size-1)*sizeof(*s->head));
/* ========================================================================= */ -int ZEXPORT deflateInit_(strm, level, version, stream_size) +int ZEXPORT deflateInit_(strm, level, stream_size) z_streamp strm; int level; - const char *version; int stream_size; { return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL, - Z_DEFAULT_STRATEGY, version, stream_size); + Z_DEFAULT_STRATEGY, stream_size); /* To do: ignore strm->next_in if we use it as window */ }
/* ========================================================================= */ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, - version, stream_size) + stream_size) z_streamp strm; int level; int method; int windowBits; int memLevel; int strategy; - const char *version; int stream_size; { deflate_state *s; int wrap = 1; - static const char my_version[] = ZLIB_VERSION;
- if (version == Z_NULL || version[0] != my_version[0] || - stream_size != sizeof(z_stream)) { - return Z_VERSION_ERROR; - } if (strm == Z_NULL) return Z_STREAM_ERROR;
strm->msg = Z_NULL; diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c index 79c9e991aa33..f7e81fc8b2a0 100644 --- a/lib/zlib/inflate.c +++ b/lib/zlib/inflate.c @@ -30,14 +30,11 @@ int ZEXPORT inflateReset(z_streamp strm) return Z_OK; }
-int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, const char *version, +int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, int stream_size) { struct inflate_state FAR *state;
- if (version == Z_NULL || version[0] != ZLIB_VERSION[0] || - stream_size != (int)(sizeof(z_stream))) - return Z_VERSION_ERROR; if (strm == Z_NULL) return Z_STREAM_ERROR; strm->msg = Z_NULL; /* in case we return an error */ if (strm->zalloc == (alloc_func)0) { @@ -70,9 +67,9 @@ int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, const char *version, return inflateReset(strm); }
-int ZEXPORT inflateInit_(z_streamp strm, const char *version, int stream_size) +int ZEXPORT inflateInit_(z_streamp strm, int stream_size) { - return inflateInit2_(strm, DEF_WBITS, version, stream_size); + return inflateInit2_(strm, DEF_WBITS, stream_size); }
local void fixedtables(struct inflate_state FAR *state) diff --git a/lib/zlib/zutil.c b/lib/zlib/zutil.c index 609aac55ce11..ec21b458fcce 100644 --- a/lib/zlib/zutil.c +++ b/lib/zlib/zutil.c @@ -21,7 +21,6 @@ const char * const z_errmsg[10] = { "data error", /* Z_DATA_ERROR (-3) */ "insufficient memory", /* Z_MEM_ERROR (-4) */ "buffer error", /* Z_BUF_ERROR (-5) */ -"incompatible version",/* Z_VERSION_ERROR (-6) */ ""};
#ifdef DEBUG
On Wed, Mar 27, 2024 at 03:14:49PM +0100, Michal Simek wrote:
Hi,
it looks like that only CVE-2016-9841 is not fixed and this series is trying to address it. The first two patches are just preparation based on changes which happened in past. The third one is actual fix and the last one is following what has been done in Linux kernel long time ago and don't use incorrect zlib version string.
I tested it with and I can't see any issue. ./test/py/test.py --bd sandbox --build -s
And gitlab CI is also not showing any issue.
Thanks for taking this on. I've given it a quick spin on some Pi platforms as well as before/after and I see that it's also reducing the overall binary size everywhere as well.
On Wed, 27 Mar 2024 15:14:49 +0100, Michal Simek wrote:
it looks like that only CVE-2016-9841 is not fixed and this series is trying to address it. The first two patches are just preparation based on changes which happened in past. The third one is actual fix and the last one is following what has been done in Linux kernel long time ago and don't use incorrect zlib version string.
I tested it with and I can't see any issue. ./test/py/test.py --bd sandbox --build -s
[...]
Applied to u-boot/master, thanks!
participants (2)
-
Michal Simek -
Tom Rini