3
0
forked from pool/util-linux

- libblkid: care about unsafe chars and possible buffer overflow

in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
  util-linux-libblkid-overflow.patch, bsc#907434)

OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=274
This commit is contained in:
Stanislav Brabec 2015-02-04 18:38:40 +00:00 committed by Git OBS Bridge
parent 74542b9d34
commit 2228e7f396
8 changed files with 307 additions and 0 deletions

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
- libblkid: care about unsafe chars and possible buffer overflow
in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
util-linux-libblkid-overflow.patch, bsc#907434)
-------------------------------------------------------------------
Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de

View File

@ -160,6 +160,10 @@ Source51: blkid.conf
Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
# PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
Patch12: util-linux-noenc-suse.patch
# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
Patch13: util-linux-libblkid-unsafe-chars.patch
# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
Patch14: util-linux-libblkid-overflow.patch
##
## klogconsole
##
@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
%setup -q -n %{_name}-%{version} -b 40
%patch4 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
#
# setctsid
cp -p %{S:22} %{S:23} .

View File

@ -0,0 +1,101 @@
From 109df14fad4e9570e26950913ebace6c79289400 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.de>
Date: Fri, 5 Dec 2014 10:06:42 +0100
Subject: [PATCH] libblkid: fix potential bufer overflows
While digging deeper into libblk probing, I found that some
computations might wrap and allocate too few buffer space which then
overflows. In particular on 32bit systems (chromebook) where size_t is
32bit, this is problematic (for 64bit the result fits into the calloc
size_t).
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/partitions/gpt.c | 12 ++++++++----
libblkid/src/probe.c | 7 +++++++
libblkid/src/superblocks/zfs.c | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/libblkid/src/partitions/gpt.c b/libblkid/src/partitions/gpt.c
index 6ab4f71..665577f 100644
--- a/libblkid/src/partitions/gpt.c
+++ b/libblkid/src/partitions/gpt.c
@@ -17,6 +17,7 @@
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
+#include <limits.h>
#include "partitions.h"
#include "crc32.h"
@@ -263,14 +264,17 @@ static struct gpt_header *get_gpt_header(
return NULL;
}
- /* Size of blocks with GPT entries */
- esz = le32_to_cpu(h->num_partition_entries) *
- le32_to_cpu(h->sizeof_partition_entry);
- if (!esz) {
+ if (le32_to_cpu(h->num_partition_entries) == 0 ||
+ le32_to_cpu(h->sizeof_partition_entry) == 0 ||
+ ULONG_MAX / le32_to_cpu(h->num_partition_entries) < le32_to_cpu(h->sizeof_partition_entry)) {
DBG(LOWPROBE, ul_debug("GPT entries undefined"));
return NULL;
}
+ /* Size of blocks with GPT entries */
+ esz = le32_to_cpu(h->num_partition_entries) *
+ le32_to_cpu(h->sizeof_partition_entry);
+
/* The header seems valid, save it
* (we don't care about zeros in hdr->reserved2 area) */
memcpy(hdr, h, sizeof(*h));
diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index 3f7e43b..70e882a 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -103,6 +103,7 @@
#include <inttypes.h>
#include <stdint.h>
#include <stdarg.h>
+#include <limits.h>
#ifdef HAVE_LIBUUID
# include <uuid.h>
@@ -578,6 +579,12 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr,
return NULL;
}
+ /* someone trying to overflow some buffers? */
+ if (len > ULONG_MAX - sizeof(struct blkid_bufinfo)) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
/* allocate info and space for data by why call */
bf = calloc(1, sizeof(struct blkid_bufinfo) + len);
if (!bf) {
diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index 6ffa24d..86da59d 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -12,6 +12,7 @@
#include <errno.h>
#include <ctype.h>
#include <inttypes.h>
+#include <limits.h>
#include "superblocks.h"
@@ -108,6 +109,8 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
+ if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+ break;
avail -= nvs->nvs_strlen + sizeof(*nvs);
nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type,
nvs->nvs_strlen, nvs->nvs_string);
--
2.2.2

View File

@ -0,0 +1,167 @@
From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 27 Nov 2014 13:39:35 +0100
Subject: [PATCH] libblkid: care about unsafe chars in cache
The high-level libblkid API uses /run/blkid/blkid.tab cache to
store probing results. The cache format is
<device NAME="value" ...>devname</device>
and unfortunately the cache code does not escape quotation marks:
# mkfs.ext4 -L 'AAA"BBB'
# cat /run/blkid/blkid.tab
...
<device ... LABEL="AAA"BBB" ...>/dev/sdb1</device>
such string is later incorrectly parsed and blkid(8) returns
nonsenses. And for use-cases like
# eval $(blkid -o export /dev/sdb1)
it's also insecure.
Note that mount, udevd and blkid -p are based on low-level libblkid
API, it bypass the cache and directly read data from the devices.
The current udevd upstream does not depend on blkid(8) output at all,
it's directly linked with the library and all unsafe chars are encoded by
\x<hex> notation.
# mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
# udevadm info --export-db | grep LABEL
...
E: ID_FS_LABEL=X__/tmp/foo___
E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
Signed-off-by: Karel Zak <kzak@redhat.com>
---
libblkid/src/read.c | 21 ++++++++++++++++++---
libblkid/src/save.c | 22 +++++++++++++++++++++-
misc-utils/blkid.8 | 5 ++++-
misc-utils/blkid.c | 4 ++--
4 files changed, 45 insertions(+), 7 deletions(-)
diff --git a/libblkid/src/read.c b/libblkid/src/read.c
index 0e91c9c..81ab0df 100644
--- a/libblkid/src/read.c
+++ b/libblkid/src/read.c
@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp)
*value = skip_over_blank(*value + 1);
if (**value == '"') {
- end = strchr(*value + 1, '"');
- if (!end) {
+ char *p = end = *value + 1;
+
+ /* convert 'foo\"bar' to 'foo"bar' */
+ while (*p) {
+ if (*p == '\\') {
+ p++;
+ *end = *p;
+ } else {
+ *end = *p;
+ if (*p == '"')
+ break;
+ }
+ p++;
+ end++;
+ }
+
+ if (*end != '"') {
DBG(READ, ul_debug("unbalanced quotes at: %s", *value));
*cp = *value;
return -BLKID_ERR_CACHE;
}
(*value)++;
*end = '\0';
- end++;
+ end = ++p;
} else {
end = skip_over_word(*value);
if (*end) {
diff --git a/libblkid/src/save.c b/libblkid/src/save.c
index 8216f09..5e8bbee 100644
--- a/libblkid/src/save.c
+++ b/libblkid/src/save.c
@@ -26,6 +26,21 @@
#include "blkidP.h"
+
+static void save_quoted(const char *data, FILE *file)
+{
+ const char *p;
+
+ fputc('"', file);
+ for (p = data; p && *p; p++) {
+ if ((unsigned char) *p == 0x22 || /* " */
+ (unsigned char) *p == 0x5c) /* \ */
+ fputc('\\', file);
+
+ fputc(*p, file);
+ }
+ fputc('"', file);
+}
static int save_dev(blkid_dev dev, FILE *file)
{
struct list_head *p;
@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file)
if (dev->bid_pri)
fprintf(file, " PRI=\"%d\"", dev->bid_pri);
+
list_for_each(p, &dev->bid_tags) {
blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
+
+ fputc(' ', file); /* space between tags */
+ fputs(tag->bit_name, file); /* tag NAME */
+ fputc('=', file); /* separator between NAME and VALUE */
+ save_quoted(tag->bit_val, file); /* tag "VALUE" */
}
fprintf(file, ">%s</device>\n", dev->bid_name);
diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8
index 156a14b..c95b833 100644
--- a/misc-utils/blkid.8
+++ b/misc-utils/blkid.8
@@ -200,7 +200,10 @@ partitions. This output format is \fBDEPRECATED\fR.
.TP
.B export
print key=value pairs for easy import into the environment; this output format
-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
+is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
+
+The non-printing characters are encoded by ^ and M- notation and all
+potentially unsafe characters are escaped.
.RE
.TP
.BI \-O " offset"
diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
index a6ca660..1bd8646 100644
--- a/misc-utils/blkid.c
+++ b/misc-utils/blkid.c
@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname,
printf("DEVNAME=%s\n", devname);
fputs(name, stdout);
fputs("=", stdout);
- safe_print(value, valsz, NULL);
+ safe_print(value, valsz, " \\\"'$`<>");
fputs("\n", stdout);
} else {
@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname,
fputs(" ", stdout);
fputs(name, stdout);
fputs("=\"", stdout);
- safe_print(value, valsz, "\"");
+ safe_print(value, valsz, "\"\\");
fputs("\"", stdout);
}
}
--
2.2.2

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
- libblkid: care about unsafe chars and possible buffer overflow
in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
util-linux-libblkid-overflow.patch, bsc#907434)
-------------------------------------------------------------------
Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de

View File

@ -160,6 +160,10 @@ Source51: blkid.conf
Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
# PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
Patch12: util-linux-noenc-suse.patch
# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
Patch13: util-linux-libblkid-unsafe-chars.patch
# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
Patch14: util-linux-libblkid-overflow.patch
##
## klogconsole
##
@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
%setup -q -n %{_name}-%{version} -b 40
%patch4 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
#
# setctsid
cp -p %{S:22} %{S:23} .

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
- libblkid: care about unsafe chars and possible buffer overflow
in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
util-linux-libblkid-overflow.patch, bsc#907434)
-------------------------------------------------------------------
Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de

View File

@ -160,6 +160,10 @@ Source51: blkid.conf
Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
# PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
Patch12: util-linux-noenc-suse.patch
# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
Patch13: util-linux-libblkid-unsafe-chars.patch
# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
Patch14: util-linux-libblkid-overflow.patch
##
## klogconsole
##
@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
%setup -q -n %{_name}-%{version} -b 40
%patch4 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
#
# setctsid
cp -p %{S:22} %{S:23} .