author | Paul Duffin <paulduffin@google.com> | 2016-06-07 15:53:38 +0100 |
---|---|---|
committer | Paul Duffin <paulduffin@google.com> | 2016-06-07 15:53:38 +0100 |
commit | 3c2f09e63ae65adffdfe07164f872e454e338789 (patch) | |
tree | 76f6a3af9e81edb73cb5fdcd26f7f2ae3b42c99f | |
parent | 4bf8f12b1d505770ce1fd3b5aa33bd7abe46ee74 (diff) |
Security Vulnerability - CVE-2012-6702 and CVE-2016-5300
Applies the patch from the bug. The change to CMakeLists.txt is
not applicable as Android does not use that to build expat. It
is not needed as it only applies to building for Windows.
Bug: 29149404
Change-Id: I557d2d5e5f338cd141db7f09fb2648f1be4cc8bc
-rw-r--r-- | lib/xmlparse.c | 48 |
1 files changed, 41 insertions, 7 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 18bfb7e..e12853c 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -6,7 +6,14 @@
 #include <string.h> /* memset(), memcpy() */
 #include <assert.h>
 #include <limits.h> /* UINT_MAX */
-#include <time.h> /* time() */
+
+#ifdef COMPILED_FROM_DSP
+#define getpid GetCurrentProcessId
+#else
+#include <sys/time.h> /* gettimeofday() */
+#include <sys/types.h> /* getpid() */
+#include <unistd.h> /* getpid() */
+#endif
 
 #define XML_BUILDING_EXPAT 1
 
@@ -432,7 +439,7 @@ static ELEMENT_TYPE *
 getElementType(XML_Parser parser, const ENCODING *enc,
                const char *ptr, const char *end);
 
-static unsigned long generate_hash_secret_salt(void);
+static unsigned long generate_hash_secret_salt(XML_Parser parser);
 static XML_Bool startParsing(XML_Parser parser);
 
 static XML_Parser
@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = {
 };
 
 static unsigned long
-generate_hash_secret_salt(void)
+gather_time_entropy(void)
 {
-  unsigned int seed = time(NULL) % UINT_MAX;
-  srand(seed);
-  return rand();
+#ifdef COMPILED_FROM_DSP
+  FILETIME ft;
+  GetSystemTimeAsFileTime(&ft); /* never fails */
+  return ft.dwHighDateTime ^ ft.dwLowDateTime;
+#else
+  struct timeval tv;
+  int gettimeofday_res;
+
+  gettimeofday_res = gettimeofday(&tv, NULL);
+  assert (gettimeofday_res == 0);
+
+  /* Microseconds time is <20 bits entropy */
+  return tv.tv_usec;
+#endif
+}
+
+static unsigned long
+generate_hash_secret_salt(XML_Parser parser)
+{
+  /* Process ID is 0 bits entropy if attacker has local access
+   * XML_Parser address is few bits of entropy if attacker has local access */
+  const unsigned long entropy =
+    gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
+
+  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
+  if (sizeof(unsigned long) == 4) {
+    return entropy * 2147483647;
+  } else {
+    return entropy * 2305843009213693951;
+  }
 }
 
 static XML_Bool /* only valid for root parser */
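Review bot: In the third hunk (-691,11 +698,38) gather_time_entropy checks the gettimeofday() result only with `assert (gettimeofday_res == 0)`, so a build compiled with NDEBUG drops the check and `return tv.tv_usec;` reads an uninitialised struct when the call fails. Handle the failure explicitly instead, e.g. `if (gettimeofday(&tv, NULL) != 0) return (unsigned long)time(NULL);` before the return (that fallback needs the `<time.h>` include the first hunk removes, or another deterministic fallback the project prefers). The new comments already state that the inputs are under 20 bits of microsecond time plus a pid and a parser address, so generate_hash_secret_salt is still a weak salt against a local attacker; where the platform offers a kernel random source such as arc4random_buf(), getrandom() or /dev/urandom, it is worth using that first and keeping this time-based path only as the fallback, and a header comment on generate_hash_secret_salt should say so. On LLP64 targets `(unsigned long)parser` keeps only the low 32 bits of the pointer, which is harmless for mixing but worth a one-line comment so nobody reads it as a full-width conversion.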
@@ -703,7 +737,7 @@ startParsing(XML_Parser parser)
 {
   /* hash functions must be initialized before setContext() is called */
   if (hash_secret_salt == 0)
-    hash_secret_salt = generate_hash_secret_salt();
+    hash_secret_salt = generate_hash_secret_salt(parser);
   if (ns) {
     /* implicit context only set for root parser, since child
        parsers (i.e. external entity parsers) will inherit it |