diff options
author | Paul Duffin <paulduffin@google.com> | 2016-09-21 09:51:26 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-09-21 09:51:26 +0000 |
commit | 50d390704521c128036c249edcda24f026489d22 (patch) | |
tree | 4ba786b7b8046d955287afdecf8ca95c8e7666df | |
parent | 1cdeb339158bd4590e46baa889084b9b262045b3 (diff) | |
parent | 38057dc17d81b423339fad7e6936198a1079c31d (diff) |
Security Vulnerability - CVE-2012-6702 and CVE-2016-5300 am: 3c2f09e63a am: 3188d5f5bd am: ae32ff2022 am: f6f28331b0 am: 15477bfab1 am: 3072d16e4a am: e743a91b62 am: 214efe5205 am: 012577cb41 am: 27cda699dc am: a3d54029c5
am: 38057dc17d
Change-Id: I64113ab46f84f53e483b2132960784158a1455e8
-rw-r--r-- | lib/xmlparse.c | 48 |
1 files changed, 41 insertions, 7 deletions
diff --git a/lib/xmlparse.c b/lib/xmlparse.c index 18bfb7e..e12853c 100644 --- a/lib/xmlparse.c +++ b/lib/xmlparse.c @@ -6,7 +6,14 @@ #include <string.h> /* memset(), memcpy() */ #include <assert.h> #include <limits.h> /* UINT_MAX */ -#include <time.h> /* time() */ + +#ifdef COMPILED_FROM_DSP +#define getpid GetCurrentProcessId +#else +#include <sys/time.h> /* gettimeofday() */ +#include <sys/types.h> /* getpid() */ +#include <unistd.h> /* getpid() */ +#endif #define XML_BUILDING_EXPAT 1 @@ -432,7 +439,7 @@ static ELEMENT_TYPE * getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr, const char *end); -static unsigned long generate_hash_secret_salt(void); +static unsigned long generate_hash_secret_salt(XML_Parser parser); static XML_Bool startParsing(XML_Parser parser); static XML_Parser @@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = { }; static unsigned long -generate_hash_secret_salt(void) +gather_time_entropy(void) { - unsigned int seed = time(NULL) % UINT_MAX; - srand(seed); - return rand(); +#ifdef COMPILED_FROM_DSP + FILETIME ft; + GetSystemTimeAsFileTime(&ft); /* never fails */ + return ft.dwHighDateTime ^ ft.dwLowDateTime; +#else + struct timeval tv; + int gettimeofday_res; + + gettimeofday_res = gettimeofday(&tv, NULL); + assert (gettimeofday_res == 0); + + /* Microseconds time is <20 bits entropy */ + return tv.tv_usec; +#endif +} + +static unsigned long +generate_hash_secret_salt(XML_Parser parser) +{ + /* Process ID is 0 bits entropy if attacker has local access + * XML_Parser address is few bits of entropy if attacker has local access */ + const unsigned long entropy = + gather_time_entropy() ^ getpid() ^ (unsigned long)parser; + + /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ + if (sizeof(unsigned long) == 4) { + return entropy * 2147483647; + } else { + return entropy * 2305843009213693951; + } } static XML_Bool /* only valid for root parser */ @@ -703,7 +737,7 @@ startParsing(XML_Parser parser) { /* hash functions must be initialized before setContext() is called */ if (hash_secret_salt == 0) - hash_secret_salt = generate_hash_secret_salt(); + hash_secret_salt = generate_hash_secret_salt(parser); if (ns) { /* implicit context only set for root parser, since child parsers (i.e. external entity parsers) will inherit it |