
Commit d03e5fd

[AUTO-CHERRYPICK] Fix fluent-bit CVE-2024-34250 with a patch - branch main (#9293)
Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com>
1 parent 3eef9c8 commit d03e5fd

2 files changed

Lines changed: 119 additions & 1 deletion


Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,114 @@
1+
diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
2+
index 2a06f42..87af852 100644
3+
--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
4+
+++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
5+
@@ -219,7 +219,10 @@ type2str(uint8 type)
6+
static bool
7+
is_32bit_type(uint8 type)
8+
{
9+
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
10+
+ if (type == VALUE_TYPE_I32
11+
+ || type == VALUE_TYPE_F32
12+
+ /* the operand stack is in polymorphic state */
13+
+ || type == VALUE_TYPE_ANY
14+
#if WASM_ENABLE_REF_TYPES != 0
15+
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
16+
#endif
17+
@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
18+
int32 i, available_stack_cell;
19+
uint16 cell_num;
20+
21+
+ bh_assert(loader_ctx->csp_num > 0);
22+
if (loader_ctx->csp_num < depth + 1) {
23+
set_error_buf(error_buf, error_buf_size,
24+
"unknown label, "
25+
@@ -7758,8 +7762,7 @@ re_scan:
26+
}
27+
28+
if (available_stack_cell > 0) {
29+
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
30+
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
31+
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
32+
loader_ctx->frame_ref--;
33+
loader_ctx->stack_cell_num--;
34+
#if WASM_ENABLE_FAST_INTERP != 0
35+
diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
36+
index 47ec549..157a82c 100644
37+
--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
38+
+++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
39+
@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
40+
static bool
41+
is_32bit_type(uint8 type)
42+
{
43+
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
44+
+ if (type == VALUE_TYPE_I32
45+
+ || type == VALUE_TYPE_F32
46+
+ /* the operand stack is in polymorphic state */
47+
+ || type == VALUE_TYPE_ANY
48+
#if WASM_ENABLE_REF_TYPES != 0
49+
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
50+
#endif
51+
@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
52+
ctx->frame_ref--;
53+
ctx->stack_cell_num--;
54+
55+
- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)
56+
+ if (is_32bit_type(type))
57+
return true;
58+
59+
ctx->frame_ref--;
60+
@@ -5839,13 +5842,11 @@ re_scan:
61+
case WASM_OP_BR_TABLE:
62+
{
63+
uint8 *ret_types = NULL;
64+
- uint32 ret_count = 0;
65+
+ uint32 ret_count = 0, depth = 0;
66+
#if WASM_ENABLE_FAST_INTERP == 0
67+
- uint8 *p_depth_begin, *p_depth;
68+
- uint32 depth, j;
69+
BrTableCache *br_table_cache = NULL;
70+
-
71+
- p_org = p - 1;
72+
+ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
73+
+ uint32 j;
74+
#endif
75+
76+
read_leb_uint32(p, p_end, count);
77+
@@ -5854,6 +5855,16 @@ re_scan:
78+
#endif
79+
POP_I32();
80+
81+
+ /* Get each depth and check it */
82+
+ p_org = p;
83+
+ for (i = 0; i <= count; i++) {
84+
+ read_leb_uint32(p, p_end, depth);
85+
+ bh_assert(loader_ctx->csp_num > 0);
86+
+ bh_assert(loader_ctx->csp_num - 1 >= depth);
87+
+ (void)depth;
88+
+ }
89+
+ p = p_org;
90+
+
91+
#if WASM_ENABLE_FAST_INTERP == 0
92+
p_depth_begin = p_depth = p;
93+
#endif
94+
@@ -5879,8 +5890,8 @@ re_scan:
95+
error_buf, error_buf_size))) {
96+
goto fail;
97+
}
98+
- *p_org = EXT_OP_BR_TABLE_CACHE;
99+
- br_table_cache->br_table_op_addr = p_org;
100+
+ *p_opcode = EXT_OP_BR_TABLE_CACHE;
101+
+ br_table_cache->br_table_op_addr = p_opcode;
102+
br_table_cache->br_count = count;
103+
/* Copy previous depths which are one byte */
104+
for (j = 0; j < i; j++) {
105+
@@ -6099,8 +6110,7 @@ re_scan:
106+
&& !cur_block->is_stack_polymorphic));
107+
108+
if (available_stack_cell > 0) {
109+
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
110+
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
111+
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
112+
loader_ctx->frame_ref--;
113+
loader_ctx->stack_cell_num--;
114+
#if WASM_ENABLE_FAST_INTERP != 0
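Review bot: In the wasm_mini_loader.c `WASM_OP_BR_TABLE` hunk, the new per-entry depth validation consists only of `bh_assert(loader_ctx->csp_num > 0)` and `bh_assert(loader_ctx->csp_num - 1 >= depth)`. If `bh_assert` compiles to nothing in non-debug builds, which the accompanying `(void)depth;` suggests, a release build performs no depth check in that loop. Confirm whether the fluent-bit build enables the mini loader; if it can be given modules that were not validated beforehand, an explicit check that fails through `set_error_buf` and `goto fail` (below) keeps the bound in every build. Separately, in wasm_loader.c the unchanged comparison `loader_ctx->csp_num < depth + 1` is computed on a `uint32 depth` and can wrap; now that the added assert documents `csp_num > 0`, `loader_ctx->csp_num - 1 < depth` states the same bound without the wrap (assuming `csp_num` is unsigned, as its use here implies). Both the `case` body and `wasm_loader_check_br` continue outside the hunks shown.

```c
/* … unchanged: POP_I32(), p_org = p, loop header … */
    read_leb_uint32(p, p_end, depth);
    /* explicit bound so non-debug builds also reject a bad depth */
    if (loader_ctx->csp_num == 0
        || loader_ctx->csp_num - 1 < depth) {
        set_error_buf(error_buf, error_buf_size, "unknown label");
        goto fail;
    }
/* … unchanged: loop end, p = p_org … */
```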

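--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,12 +1,13 @@
 Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name: fluent-bit
 Version: 2.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://fluentbit.io
 Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2024-34250.patch
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: cyrus-sasl-devel
@@ -80,6 +81,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed May 30 2024 Sindhu Karri <lakarri@microsoft.com> - 2.2.3-2
+- Fix CVE-2024-34250 with a patch
+
 * Tue May 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.2.3-1
 - Auto-upgrade to 2.2.3 - CVE-2024-4323
 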
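Review bot: The new changelog entry is dated `Wed May 30 2024`, but the entry directly below it gives `Tue May 28 2024`, so May 30 falls on a Thursday; rpmbuild reports a mismatched weekday as a bogus %changelog date, and the line should start `* Thu May 30 2024` or carry the date the change was actually made. `Patch0:` only declares the patch, and the `%prep` section is outside these hunks, so confirm that it applies patches (for example via `%autosetup -p1`, matching the `a/lib/...` paths in the patch). Otherwise the package would ship as release 2 with the CVE-2024-34250 fix listed in the changelog but not applied to the bundled WAMR sources.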
