From 7a5f906949beef71306957cede5d9856bd7d4fdc Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Wed, 22 Dec 2021 17:54:45 +0800 Subject: [PATCH] fix CVE-2021-39535 CVE-2021-39536 (cherry picked from commit d83b92e988575c1d0583ddd9a00f514d6f344548) --- CVE-2021-39535_CVE-2021-39536.patch | 304 ++++++++++++++++++++++++++++ libxsmm.spec | 6 +- 2 files changed, 309 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-39535_CVE-2021-39536.patch diff --git a/CVE-2021-39535_CVE-2021-39536.patch b/CVE-2021-39535_CVE-2021-39536.patch new file mode 100644 index 0000000..9e0e572 --- /dev/null +++ b/CVE-2021-39535_CVE-2021-39536.patch @@ -0,0 +1,304 @@ +From 3f417e5e0670b066d558052fd32fc8093c81ee94 Mon Sep 17 00:00:00 2001 +From: Hans Pabst +Date: Fri, 1 Oct 2021 10:22:57 +0200 +Subject: [PATCH] Issue 513: merge fixes from master/main. + +--- + src/generator_spgemm_csc_bsparse.c | 2 +- + src/generator_spgemm_csc_reader.c | 52 +++++++++++++++--------------- + src/generator_spgemm_csc_reader.h | 4 +-- + src/generator_spgemm_csr_asparse.c | 2 +- + src/generator_spgemm_csr_reader.c | 52 +++++++++++++++--------------- + src/generator_spgemm_csr_reader.h | 4 +-- + 6 files changed, 58 insertions(+), 58 deletions(-) + +diff --git a/src/generator_spgemm_csc_bsparse.c b/src/generator_spgemm_csc_bsparse.c +index 18e0fd4e7d..0ffa6bb0ae 100644 +--- a/src/generator_spgemm_csc_bsparse.c ++++ b/src/generator_spgemm_csc_bsparse.c +@@ -133,7 +133,7 @@ void libxsmm_generator_spgemm_csc_bsparse( libxsmm_generated_code* io_ge + return; + } + +- /* generate the actuel kernel */ ++ /* generate the actual kernel */ + l_code_length = LIBXSMM_SNPRINTF(l_new_code, l_max_code_length, " for ( l_m = 0; l_m < %u; l_m++) {\n", (unsigned int)i_xgemm_desc->m); + libxsmm_append_code_as_string( io_generated_code, l_new_code, l_code_length ); + +diff --git a/src/generator_spgemm_csc_reader.c b/src/generator_spgemm_csc_reader.c +index b7cc2aa2bd..50480e93a6 100644 +--- a/src/generator_spgemm_csc_reader.c ++++ b/src/generator_spgemm_csc_reader.c +@@ -56,8 +56,8 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + unsigned int** o_row_idx, + unsigned int** o_column_idx, + double** o_values, +- unsigned int* o_row_count, +- unsigned int* o_column_count, ++ unsigned int* io_row_count, ++ unsigned int* io_column_count, + unsigned int* o_element_count ) { + FILE *l_csc_file_handle; + const unsigned int l_line_length = 512; +@@ -75,7 +75,8 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + while (fgets(l_line, l_line_length, l_csc_file_handle) != NULL) { + if ( strlen(l_line) == l_line_length ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_column_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose( l_csc_file_handle ); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSC_READ_LEN ); + return; +@@ -86,18 +87,21 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + } else { + /* if we are the first line after comment header, we allocate our data structures */ + if ( l_header_read == 0 ) { +- if (3 == sscanf(l_line, "%u %u %u", o_row_count, o_column_count, o_element_count) && +- 0 != *o_row_count && 0 != *o_column_count && 0 != *o_element_count) ++ unsigned int row_count, column_count; ++ if (3 == sscanf(l_line, "%u %u %u", &row_count, &column_count, o_element_count) && ++ 0 != row_count && 0 != column_count && 0 != *o_element_count) + { +- /* allocate CSC data structure matching mtx file */ ++ *io_column_count = LIBXSMM_MAX(*io_column_count, column_count); ++ *io_row_count = LIBXSMM_MAX(*io_row_count, row_count); ++ /* allocate CSC data structure matching mtx file, and set everything to zero for init */ + /* coverity[tainted_data] */ +- *o_row_idx = (unsigned int*) malloc(sizeof(unsigned int) * (*o_element_count)); ++ *o_row_idx = (unsigned int*)calloc(*o_element_count, sizeof(unsigned int)); + /* coverity[tainted_data] */ +- *o_column_idx = (unsigned int*) malloc(sizeof(unsigned int) * ((size_t)(*o_column_count) + 1)); ++ *o_column_idx = (unsigned int*)calloc((size_t)*io_column_count + 1, sizeof(unsigned int)); + /* coverity[tainted_data] */ +- *o_values = (double*) malloc(sizeof(double) * (*o_element_count)); ++ *o_values = (double*)calloc(*o_element_count, sizeof(double)); + /* coverity[tainted_data] */ +- l_column_idx_id = (unsigned int*) malloc(sizeof(unsigned int) * (*o_column_count)); ++ l_column_idx_id = (unsigned int*)calloc(*io_column_count, sizeof(unsigned int)); + + /* check if mallocs were successful */ + if ( ( *o_row_idx == NULL ) || +@@ -105,25 +109,16 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + ( *o_values == NULL ) || + ( l_column_idx_id == NULL ) ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_column_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose(l_csc_file_handle); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSC_ALLOC_DATA ); + return; + } + +- /* set everything to zero for init */ +- /* coverity[tainted_data] */ +- memset(*o_row_idx, 0, sizeof(unsigned int) * (*o_element_count)); +- /* coverity[tainted_data] */ +- memset(*o_column_idx, 0, sizeof(unsigned int) * ((size_t)(*o_column_count) + 1)); +- /* coverity[tainted_data] */ +- memset(*o_values, 0, sizeof(double) * (*o_element_count)); +- /* coverity[tainted_data] */ +- memset(l_column_idx_id, 0, sizeof(unsigned int) * (*o_column_count)); +- + /* init column idx */ + /* coverity[tainted_data] */ +- for (l_i = 0; l_i <= *o_column_count; ++l_i) { ++ for (l_i = 0; l_i <= *io_column_count; ++l_i) { + (*o_column_idx)[l_i] = *o_element_count; + } + /* init */ +@@ -140,9 +135,13 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + unsigned int l_row = 0, l_column = 0; + double l_value = 0; + /* read a line of content */ +- if ( sscanf(l_line, "%u %u %lf", &l_row, &l_column, &l_value) != 3 ) { ++ if ( sscanf(l_line, "%u %u %lf", &l_row, &l_column, &l_value) != 3 ++ || l_row > *io_row_count || l_column > *io_column_count ++ || l_i >= *o_element_count ) ++ { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_column_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose(l_csc_file_handle); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSC_READ_ELEMS ); + return; +@@ -168,14 +167,15 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + /* check if we read a file which was consistent */ + if ( l_i != (*o_element_count) ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_column_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSC_LEN ); + return; + } + + if ( l_column_idx_id != NULL ) { + /* let's handle empty columns */ +- for ( l_i = 0; l_i < (*o_column_count); l_i++) { ++ for ( l_i = 0; l_i < (*io_column_count); l_i++) { + if ( l_column_idx_id[l_i] == 0 ) { + (*o_column_idx)[l_i+1] = (*o_column_idx)[l_i]; + } +diff --git a/src/generator_spgemm_csc_reader.h b/src/generator_spgemm_csc_reader.h +index ff207a6752..896766bd91 100644 +--- a/src/generator_spgemm_csc_reader.h ++++ b/src/generator_spgemm_csc_reader.h +@@ -21,8 +21,8 @@ void libxsmm_sparse_csc_reader( libxsmm_generated_code* io_generated_code, + unsigned int** o_row_idx, + unsigned int** o_column_idx, + double** o_values, +- unsigned int* o_row_count, +- unsigned int* o_column_count, ++ unsigned int* io_row_count, ++ unsigned int* io_column_count, + unsigned int* o_element_count ); + + #endif /* GENERATOR_SPGEMM_CSC_READER_H */ +diff --git a/src/generator_spgemm_csr_asparse.c b/src/generator_spgemm_csr_asparse.c +index d1d7f0f8db..9d3a2aebde 100644 +--- a/src/generator_spgemm_csr_asparse.c ++++ b/src/generator_spgemm_csr_asparse.c +@@ -95,7 +95,7 @@ void libxsmm_generator_spgemm_csr_asparse( libxsmm_generated_code* io_ge + libxsmm_append_code_as_string( io_generated_code, l_new_code, l_code_length ); + } + +- /* generate the actuel kernel */ ++ /* generate the actual kernel */ + l_code_length = LIBXSMM_SNPRINTF(l_new_code, l_max_code_length, " for ( l_n = 0; l_n < %u; l_n++) {\n", (unsigned int)i_xgemm_desc->n); + libxsmm_append_code_as_string( io_generated_code, l_new_code, l_code_length ); + +diff --git a/src/generator_spgemm_csr_reader.c b/src/generator_spgemm_csr_reader.c +index c25da7f2d9..e580313a8d 100644 +--- a/src/generator_spgemm_csr_reader.c ++++ b/src/generator_spgemm_csr_reader.c +@@ -17,8 +17,8 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + unsigned int** o_row_idx, + unsigned int** o_column_idx, + double** o_values, +- unsigned int* o_row_count, +- unsigned int* o_column_count, ++ unsigned int* io_row_count, ++ unsigned int* io_column_count, + unsigned int* o_element_count ) { + FILE *l_csr_file_handle; + const unsigned int l_line_length = 512; +@@ -36,7 +36,8 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + while (fgets(l_line, l_line_length, l_csr_file_handle) != NULL) { + if ( strlen(l_line) == l_line_length ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_row_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose(l_csr_file_handle); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSR_READ_LEN ); + return; +@@ -47,18 +48,21 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + } else { + /* if we are the first line after comment header, we allocate our data structures */ + if ( l_header_read == 0 ) { +- if (3 == sscanf(l_line, "%u %u %u", o_row_count, o_column_count, o_element_count) && +- 0 != *o_row_count && 0 != *o_column_count && 0 != *o_element_count) ++ unsigned int row_count, column_count; ++ if (3 == sscanf(l_line, "%u %u %u", &row_count, &column_count, o_element_count) && ++ 0 != row_count && 0 != column_count && 0 != *o_element_count) + { +- /* allocate CSC data-structure matching mtx file */ ++ *io_column_count = LIBXSMM_MAX(*io_column_count, column_count); ++ *io_row_count = LIBXSMM_MAX(*io_row_count, row_count); ++ /* allocate CSC data-structure matching mtx file, and set everything to zero for init */ + /* coverity[tainted_data] */ +- *o_column_idx = (unsigned int*) malloc(sizeof(unsigned int) * (*o_element_count)); ++ *o_column_idx = (unsigned int*)calloc(*o_element_count, sizeof(unsigned int)); + /* coverity[tainted_data] */ +- *o_row_idx = (unsigned int*) malloc(sizeof(unsigned int) * ((size_t)(*o_row_count) + 1)); ++ *o_row_idx = (unsigned int*)calloc((size_t)*io_row_count + 1, sizeof(unsigned int)); + /* coverity[tainted_data] */ +- *o_values = (double*) malloc(sizeof(double) * (*o_element_count)); ++ *o_values = (double*)calloc(*o_element_count, sizeof(double)); + /* coverity[tainted_data] */ +- l_row_idx_id = (unsigned int*) malloc(sizeof(unsigned int) * (*o_row_count)); ++ l_row_idx_id = (unsigned int*)calloc(*io_row_count, sizeof(unsigned int)); + + /* check if mallocs were successful */ + if ( ( *o_row_idx == NULL ) || +@@ -66,25 +70,16 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + ( *o_values == NULL ) || + ( l_row_idx_id == NULL ) ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_row_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose(l_csr_file_handle); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSC_ALLOC_DATA ); + return; + } + +- /* set everything to zero for init */ +- /* coverity[tainted_data] */ +- memset(*o_row_idx, 0, sizeof(unsigned int) * ((size_t)(*o_row_count) + 1)); +- /* coverity[tainted_data] */ +- memset(*o_column_idx, 0, sizeof(unsigned int) * (*o_element_count)); +- /* coverity[tainted_data] */ +- memset(*o_values, 0, sizeof(double) * (*o_element_count)); +- /* coverity[tainted_data] */ +- memset(l_row_idx_id, 0, sizeof(unsigned int) * (*o_row_count)); +- + /* init column idx */ + /* coverity[tainted_data] */ +- for ( l_i = 0; l_i <= *o_row_count; ++l_i ) ++ for ( l_i = 0; l_i <= *io_row_count; ++l_i ) + (*o_row_idx)[l_i] = (*o_element_count); + + /* init */ +@@ -101,9 +96,13 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + unsigned int l_row = 0, l_column = 0; + double l_value = 0; + /* read a line of content */ +- if ( sscanf(l_line, "%u %u %lf", &l_row, &l_column, &l_value) != 3 ) { ++ if ( sscanf(l_line, "%u %u %lf", &l_row, &l_column, &l_value) != 3 ++ || l_row > * io_row_count || l_column > * io_column_count ++ || l_i >= * o_element_count ) ++ { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_row_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + fclose(l_csr_file_handle); /* close mtx file */ + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSR_READ_ELEMS ); + return; +@@ -129,14 +128,15 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + /* check if we read a file which was consistent */ + if ( l_i != (*o_element_count) ) { + free(*o_row_idx); free(*o_column_idx); free(*o_values); free(l_row_idx_id); +- *o_row_idx = 0; *o_column_idx = 0; *o_values = 0; ++ *io_row_count = *io_column_count = *o_element_count = 0; ++ *o_row_idx = *o_column_idx = NULL; *o_values = NULL; + LIBXSMM_HANDLE_ERROR( io_generated_code, LIBXSMM_ERR_CSR_LEN ); + return; + } + + if ( l_row_idx_id != NULL ) { + /* let's handle empty rows */ +- for ( l_i = 0; l_i < (*o_row_count); l_i++) { ++ for ( l_i = 0; l_i < (*io_row_count); l_i++) { + if ( l_row_idx_id[l_i] == 0 ) { + (*o_row_idx)[l_i+1] = (*o_row_idx)[l_i]; + } +diff --git a/src/generator_spgemm_csr_reader.h b/src/generator_spgemm_csr_reader.h +index a282870ff7..1e852a77ae 100644 +--- a/src/generator_spgemm_csr_reader.h ++++ b/src/generator_spgemm_csr_reader.h +@@ -21,8 +21,8 @@ void libxsmm_sparse_csr_reader( libxsmm_generated_code* io_generated_code, + unsigned int** o_row_idx, + unsigned int** o_column_idx, + double** o_values, +- unsigned int* o_row_count, +- unsigned int* o_column_count, ++ unsigned int* io_row_count, ++ unsigned int* io_column_count, + unsigned int* o_element_count ); + + #endif /* GENERATOR_SPGEMM_CSR_READER_H */ diff --git a/libxsmm.spec b/libxsmm.spec index 8e4c43e..970b132 100644 --- a/libxsmm.spec +++ b/libxsmm.spec @@ -8,13 +8,14 @@ Name: libxsmm Version: 1.15 -Release: 2 +Release: 3 Summary: Small dense or sparse matrix multiplications and convolutions for x86_64 License: BSD URL: https://github.com/hfp/libxsmm Source0: https://github.com/hfp/libxsmm/archive/%version/%name-%version.tar.gz Patch0001: leverage-GNU-source-when-building-the-library.patch +Patch0002: CVE-2021-39535_CVE-2021-39536.patch BuildRequires: python3 openblas-devel %if %{with devtoolset} @@ -111,6 +112,9 @@ rm -r samples/cp2k/{build,.make,.state,cp2k-dbcsr,cp2k-collocate,cp2k-test.txt} %license LICENSE.md %changelog +* Wed Dec 22 2021 yaoxin - 1.15-3 +- Fix CVE-2021-39535 CVE-2021-39536 + * Tue Aug 10 2021 lingsheng - 1.15-2 - leverage GNU-source when building the library