NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6081e7e53d
kumquat-buildroot/package/lapack/0001-Fix-out-of-bounds-read-in-slarrv.patch
Fabrice Fontaine 83134027a0 package/lapack: fix CVE-2021-4048 
Fix CVE-2021-4048: An out-of-bounds read flaw was found in the CLARRV,
DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0,
as also used in OpenBLAS before version 0.3.18. Specially crafted inputs
passed to these functions could cause an application using lapack to
crash or possibly disclose portions of its memory.

It should be noted that commit 59a1fcc696
wrongly assumed that this CVE was fixed in version 3.10.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-12-18 22:49:17 +01:00

83 lines
2.5 KiB
Diff
Raw Blame History

From 0631b6beaed60ba118b0b027c0f8d35397bf5df0 Mon Sep 17 00:00:00 2001
From: Keno Fischer <keno@juliacomputing.com>
Date: Thu, 30 Sep 2021 03:51:23 -0400
Subject: [PATCH] Fix out of bounds read in slarrv
This was originally reported as https://github.com/JuliaLang/julia/issues/42415.
I've tracked this down to an our of bounds read on the following line:
https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L423
In the crashing example, `M` is `0`, causing `slarrv` to read uninitialized
memory from the work array. I believe the `0` for `M` is correct and indeed,
the documentation above supports that `M` may be zero:
https://github.com/Reference-LAPACK/lapack/blob/44ecb6a5ff821b1cbb39f8cc2166cb098e060b4d/SRC/slarrv.f#L113-L116
I believe it may be sufficient to early-out this function as suggested
in this PR. However, I have limited context for the full routine here,
so I would appreciate a sanity check.
[Retrieved from:
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
SRC/clarrv.f | 2 +-
SRC/dlarrv.f | 2 +-
SRC/slarrv.f | 2 +-
SRC/zlarrv.f | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/SRC/clarrv.f b/SRC/clarrv.f
index 1f09e4da6..42f710757 100644
--- a/SRC/clarrv.f
+++ b/SRC/clarrv.f
@@ -348,7 +348,7 @@ SUBROUTINE CLARRV( N, VL, VU, D, L, PIVMIN,
*
* Quick return if possible
*
- IF( N.LE.0 ) THEN
+ IF( (N.LE.0).OR.(M.LE.0) ) THEN
RETURN
END IF
*
diff --git a/SRC/dlarrv.f b/SRC/dlarrv.f
index b036c1e66..299430361 100644
--- a/SRC/dlarrv.f
+++ b/SRC/dlarrv.f
@@ -350,7 +350,7 @@ SUBROUTINE DLARRV( N, VL, VU, D, L, PIVMIN,
*
* Quick return if possible
*
- IF( N.LE.0 ) THEN
+ IF( (N.LE.0).OR.(M.LE.0) ) THEN
RETURN
END IF
*
diff --git a/SRC/slarrv.f b/SRC/slarrv.f
index 9d72b339a..95f94fd1b 100644
--- a/SRC/slarrv.f
+++ b/SRC/slarrv.f
@@ -350,7 +350,7 @@ SUBROUTINE SLARRV( N, VL, VU, D, L, PIVMIN,
*
* Quick return if possible
*
- IF( N.LE.0 ) THEN
+ IF( (N.LE.0).OR.(M.LE.0) ) THEN
RETURN
END IF
*
diff --git a/SRC/zlarrv.f b/SRC/zlarrv.f
index 51ec558f5..e4be63e0d 100644
--- a/SRC/zlarrv.f
+++ b/SRC/zlarrv.f
@@ -348,7 +348,7 @@ SUBROUTINE ZLARRV( N, VL, VU, D, L, PIVMIN,
*
* Quick return if possible
*
- IF( N.LE.0 ) THEN
+ IF( (N.LE.0).OR.(M.LE.0) ) THEN
RETURN
END IF
*
Reference in New Issue View Git Blame Copy Permalink