Typical Examples


Security patches in PatchDB fall into multiple categories, including:

  • buffer overflow
  • improper input validation
  • info leakage
  • double free/use after free
  • integer overflow
  • NULL pointer dereference
  • improper authentication
  • uncontrolled resource consumption
  • race condition
  • uninitialized use
  • etc.

Below are some typical examples in PatchDB.

Example I: Buffer Overflow

From 8514068150759c1d6a46d4605d2351babfde1601 Mon Sep 17 00:00:00 2001
From: Johan Hedberg 
Date: Wed, 7 Sep 2016 08:45:12 +0300
Subject: tools/csr: Fix possible buffer overflow

Make sure we don't write past the end of the array.
---
 tools/csr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/csr.c b/tools/csr.c
index 2c0918909..15ae7c4fb 100644
--- a/tools/csr.c
+++ b/tools/csr.c
@@ -2756,7 +2756,7 @@ static int parse_line(char *str)
 
 	off++;
 
-	while (1) {
+	while (length <= sizeof(array) - 2) {
 		value = strtol(off, &end, 16);
 		if (value == 0 && off == end)
 			break;
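Review bot: the new bound `length <= sizeof(array) - 2` compares an element count against a byte count, so it is only correct if `array` is an array of single-byte elements; if the element type is wider, sizeof(array) overstates the number of free slots and the overflow remains. Add a comment at the loop stating the element width and why the margin is 2 (or write the limit as `sizeof(array) / sizeof(array[0]) - 2`), and consider reporting an error when the input exceeds the array instead of silently stopping, since callers of parse_line otherwise cannot tell a truncated line from a well-formed one.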
-- 
cgit 1.2-0.3.lf.el7

Example II: Info Leakage (Unclosed File Handle)

From 0f6ceabab0a8849b47f67d727aa526c2656089ba Mon Sep 17 00:00:00 2001
From: Klas Lindfors 
Date: Tue, 3 Apr 2018 09:19:53 +0200
Subject: [PATCH] util: make sure to close the authfile before returning
 success

fixes #136
---
 util.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util.c b/util.c
index 6cb4a79..32bca06 100644
--- a/util.c
+++ b/util.c
@@ -167,6 +167,8 @@ check_user_token (const char *authfile,
 		{
 		  if(verbose)
 		      D (debug_file, "Match user/token as %s/%s", username, otp_id);
+
+		  fclose(opwfile);
 		  return AUTH_FOUND;
 		}
 	    }
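Review bot: only the AUTH_FOUND return path closes opwfile in this hunk; check_user_token has other exits that are not shown, and any of them that return after the file is opened leaks the descriptor in the same way. Consider funnelling every exit after fopen through one cleanup path (for example `goto out;` with `out: fclose(opwfile); return retval;`) so the close cannot be missed by a future early return. Note also that the defect fixed here is an unclosed file handle, which exhausts descriptors in a long-lived process but does not disclose file contents.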

Example III: Double Free

From 9b54d816e00425c3a517514e0d677bb3cec49258 Mon Sep 17 00:00:00 2001
From: Hou Tao 
Date: Fri, 3 Feb 2017 17:19:07 +0800
Subject: [PATCH] blkcg: fix double free of new_blkg in blkcg_init_queue

If blkg_create fails, new_blkg passed as an argument will
be freed by blkg_create, so there is no need to free it again.

Signed-off-by: Hou Tao 
Signed-off-by: Jens Axboe 
---
 block/blk-cgroup.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 37fe595cfd700..295e98c2c8ccd 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1079,10 +1079,8 @@ int blkcg_init_queue(struct request_queue *q)
 	if (preloaded)
 		radix_tree_preload_end();
 
-	if (IS_ERR(blkg)) {
-		blkg_free(new_blkg);
+	if (IS_ERR(blkg))
 		return PTR_ERR(blkg);
-	}
 
 	q->root_blkg = blkg;
 	q->root_rl.blkg = blkg;
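Review bot: the correctness of dropping blkg_free(new_blkg) rests entirely on blkg_create freeing its new_blkg argument on every failure path, and that contract is stated only in the commit message, not at this call site. Add a comment next to the IS_ERR(blkg) check (e.g. `/* blkg_create() frees new_blkg on failure */`) or document it on blkg_create itself, so a later change to blkg_create's error handling does not silently turn this into a leak, and check that no other caller of blkg_create still frees new_blkg itself after a failure.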

Example IV: Integer Overflow

From cab60de930684c33f67d4e32c7509b567f8c445b Mon Sep 17 00:00:00 2001
From: Kevin Wolf 
Date: Wed, 26 Mar 2014 13:05:53 +0100
Subject: [PATCH] qcow2: Fix new L1 table size check (CVE-2014-0143)

The size in bytes is assigned to an int later, so check that instead of
the number of entries.

Signed-off-by: Kevin Wolf 
Reviewed-by: Max Reitz 
Signed-off-by: Stefan Hajnoczi 
---
 block/qcow2-cluster.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 9499df9..242e1f8 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -55,7 +55,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, uint64_t min_size,
         }
     }
 
-    if (new_l1_size > INT_MAX) {
+    if (new_l1_size > INT_MAX / sizeof(uint64_t)) {
         return -EFBIG;
     }
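Review bot: the new check bounds the entry count so that `new_l1_size * sizeof(uint64_t)` fits in an int, but that relationship is stated only in the commit message; the hunk shows neither the multiplication nor the int it is assigned to. Add a comment on the check naming the byte-size value it protects, and make sure that value is computed only after this check so no intervening use of new_l1_size is added unchecked. `INT_MAX / sizeof(uint64_t)` is evaluated in size_t, which is fine here, but an explicitly named limit (e.g. `QCOW_MAX_L1_SIZE / sizeof(uint64_t)`, as a hypothetical name) would make the intent clearer than a bare arithmetic expression.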
 
-- 
1.8.3.1

Example V: NULL Pointer Dereference

From f58c25069cf4a986fe17a80c5b38687e31feb539 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping 
Date: Wed, 10 Oct 2018 14:49:51 +0200
Subject: [PATCH] ResetUri: Protect against NULL

---
 src/UriCommon.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/UriCommon.c b/src/UriCommon.c
index 3775306..039beda 100644
--- a/src/UriCommon.c
+++ b/src/UriCommon.c
@@ -75,6 +75,9 @@
 
 
 void URI_FUNC(ResetUri)(URI_TYPE(Uri) * uri) {
+	if (uri == NULL) {
+		return;
+	}
 	memset(uri, 0, sizeof(URI_TYPE(Uri)));
 }
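Review bot: returning silently on NULL masks caller bugs rather than surfacing them, and because ResetUri returns void the caller gets no signal that its argument was invalid. If NULL is a legitimate input, document in the public header that ResetUri(NULL) is a no-op; if it is not, pair the early return with an assertion in debug builds so the misuse is caught during testing without changing release behaviour. Either way the rationale belongs in the commit message, which currently has none.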

Example VI: Race Condition

From 2febc839133280d5a5e8e1179c94ea674489dae2 Mon Sep 17 00:00:00 2001
From: Andy Honig 
Date: Wed, 27 Aug 2014 14:42:54 -0700
Subject: [PATCH] KVM: x86: Improve thread safety in pit

There's a race condition in the PIT emulation code in KVM.  In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization.  If the race condition occurs at the wrong time this
can crash the host kernel.

This fixes CVE-2014-3611.

Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig 
Signed-off-by: Paolo Bonzini 
---
 arch/x86/kvm/i8254.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 518d86471b76f..298781d4cfb44 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -262,8 +262,10 @@ void __kvm_migrate_pit_timer(struct kvm_vcpu *vcpu)
 		return;
 
 	timer = &pit->pit_state.timer;
+	mutex_lock(&pit->pit_state.lock);
 	if (hrtimer_cancel(timer))
 		hrtimer_start_expires(timer, HRTIMER_MODE_ABS);
+	mutex_unlock(&pit->pit_state.lock);
 }
 
 static void destroy_pit_timer(struct kvm_pit *pit)
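Review bot: mutex_lock() can sleep, so every caller of __kvm_migrate_pit_timer must run in a context that may sleep; confirm none of them holds a spinlock or has preemption or interrupts disabled, otherwise the fix trades a race for a sleeping-in-atomic-context bug. The early `return` above the lock and the `timer = &pit->pit_state.timer` assignment still execute unprotected: the address computation is harmless because timer is embedded in pit_state, but whatever condition the early return tests is read outside the lock, which should either be moved under the lock or justified in the commit message.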

Example VII: Non-security Patch

commit 822959238c224535e2d71e936e9f8c8d27a10a59
Author: roberto@precise64 
Date:   Thu Feb 23 16:58:36 2012 +0100

    fixed a bug with --set

diff --git a/uwsgi.c b/uwsgi.c
index 3a24f6aa..178fb5db 100644
--- a/uwsgi.c
+++ b/uwsgi.c
@@ -3387,7 +3387,7 @@ void uwsgi_opt_set_placeholder(char *opt, char *value, void *none) {
 
 	p[0] = 0;
 	add_exported_option(uwsgi_str(value), p+1, 1);
-	p[1] = '=';
+	p[0] = '=';
 	
 }
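Review bot: the commit message "fixed a bug with --set" does not explain the change; from the hunk, p[0] is the byte that `p[0] = 0;` zeroed to split `value` into option name and value, so writing '=' to p[1] left the string permanently truncated at p[0] and clobbered the first byte of the value that was just passed as p+1 to add_exported_option. State that in the message and add a short comment on the split-and-restore pattern, because it depends on add_exported_option having copied or finished with p+1 before the restore (uwsgi_str(value) copies the name, but p+1 is handed over as-is).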


The PatchDB Dataset | Sun Security Laboratory at George Mason University