From 2228e7f396f48890e2d7bc272fed90594fc2e1752d7bf27323a35795bc5cb409 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Wed, 4 Feb 2015 18:38:40 +0000
Subject: [PATCH] - libblkid: care about unsafe chars and possible buffer overflow in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch, util-linux-libblkid-overflow.patch, bsc#907434)

OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=274
---
 python-libmount.changes | 7 ++
 python-libmount.spec | 6 +
 util-linux-libblkid-overflow.patch | 101 +++++++++++++++
 util-linux-libblkid-unsafe-chars.patch | 167 +++++++++++++++++++++++++
 util-linux-systemd.changes | 7 ++
 util-linux-systemd.spec | 6 +
 util-linux.changes | 7 ++
 util-linux.spec | 6 +
 8 files changed, 307 insertions(+)
 create mode 100644 util-linux-libblkid-overflow.patch
 create mode 100644 util-linux-libblkid-unsafe-chars.patch

diff --git a/python-libmount.changes b/python-libmount.changes
index b972a08..d45f52b 100644
--- a/python-libmount.changes
+++ b/python-libmount.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
+
+- libblkid: care about unsafe chars and possible buffer overflow
+ in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
+ util-linux-libblkid-overflow.patch, bsc#907434)
+
 -------------------------------------------------------------------
 Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de
 
diff --git a/python-libmount.spec b/python-libmount.spec
index e8fef39..4611e66 100644
--- a/python-libmount.spec
+++ b/python-libmount.spec
@@ -160,6 +160,10 @@ Source51: blkid.conf
 Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 # PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
 Patch12: util-linux-noenc-suse.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
+Patch13: util-linux-libblkid-unsafe-chars.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
+Patch14: util-linux-libblkid-overflow.patch
 ##
 ## klogconsole
 ##
@@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
 %setup -q -n %{_name}-%{version} -b 40
 %patch4 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 #
 # setctsid
 cp -p %{S:22} %{S:23} .
diff --git a/util-linux-libblkid-overflow.patch b/util-linux-libblkid-overflow.patch
new file mode 100644
index 0000000..0f8e763
--- /dev/null
+++ b/util-linux-libblkid-overflow.patch
@@ -0,0 +1,101 @@
+From 109df14fad4e9570e26950913ebace6c79289400 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer
+Date: Fri, 5 Dec 2014 10:06:42 +0100
+Subject: [PATCH] libblkid: fix potential bufer overflows
+
+While digging deeper into libblk probing, I found that some
+computations might wrap and allocate too few buffer space which then
+overflows. In particular on 32bit systems (chromebook) where size_t is
+32bit, this is problematic (for 64bit the result fits into the calloc
+size_t).
+
+Signed-off-by: Karel Zak
+---
+ libblkid/src/partitions/gpt.c | 12 ++++++++----
+ libblkid/src/probe.c | 7 +++++++
+ libblkid/src/superblocks/zfs.c | 3 +++
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/libblkid/src/partitions/gpt.c b/libblkid/src/partitions/gpt.c
+index 6ab4f71..665577f 100644
+--- a/libblkid/src/partitions/gpt.c
++++ b/libblkid/src/partitions/gpt.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include "partitions.h"
+ #include "crc32.h"
+@@ -263,14 +264,17 @@ static struct gpt_header *get_gpt_header(
+ return NULL;
+ }
+ 
+- /* Size of blocks with GPT entries */
+- esz = le32_to_cpu(h->num_partition_entries) *
+- le32_to_cpu(h->sizeof_partition_entry);
+- if (!esz) {
++ if (le32_to_cpu(h->num_partition_entries) == 0 ||
++ le32_to_cpu(h->sizeof_partition_entry) == 0 ||
++ ULONG_MAX / le32_to_cpu(h->num_partition_entries) < le32_to_cpu(h->sizeof_partition_entry)) {
+ DBG(LOWPROBE, ul_debug("GPT entries undefined"));
+ return NULL;
+ }
+ 
++ /* Size of blocks with GPT entries */
++ esz = le32_to_cpu(h->num_partition_entries) *
++ le32_to_cpu(h->sizeof_partition_entry);
++
+ /* The header seems valid, save it
+ * (we don't care about zeros in hdr->reserved2 area) */
+ memcpy(hdr, h, sizeof(*h));
+diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
+index 3f7e43b..70e882a 100644
+--- a/libblkid/src/probe.c
++++ b/libblkid/src/probe.c
+@@ -103,6 +103,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #ifdef HAVE_LIBUUID
+ # include
+@@ -578,6 +579,12 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr,
+ return NULL;
+ }
+ 
++ /* someone trying to overflow some buffers? */
++ if (len > ULONG_MAX - sizeof(struct blkid_bufinfo)) {
++ errno = ENOMEM;
++ return NULL;
++ }
++
+ /* allocate info and space for data by why call */
+ bf = calloc(1, sizeof(struct blkid_bufinfo) + len);
+ if (!bf) {
+diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
+index 6ffa24d..86da59d 100644
+--- a/libblkid/src/superblocks/zfs.c
++++ b/libblkid/src/superblocks/zfs.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include "superblocks.h"
+ 
+@@ -108,6 +109,8 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
+ 
+ nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
+ nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
++ if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
++ break;
+ avail -= nvs->nvs_strlen + sizeof(*nvs);
+ nvdebug("nvstring: type %u string %*s\n", nvs->nvs_type,
+ nvs->nvs_strlen, nvs->nvs_string);
+--
+2.2.2
+
diff --git a/util-linux-libblkid-unsafe-chars.patch b/util-linux-libblkid-unsafe-chars.patch
new file mode 100644
index 0000000..833f603
--- /dev/null
+++ b/util-linux-libblkid-unsafe-chars.patch
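Review bot: The guard added in zfs_extract_guid_name only prevents `nvs->nvs_strlen + sizeof(*nvs)` from wrapping; nothing in the hunk checks that this sum still fits in the remaining buffer before `avail -= nvs->nvs_strlen + sizeof(*nvs);`, so a length below UINT_MAX - sizeof(*nvs) but larger than what is left still drives avail below zero (or wraps it, if avail is unsigned — its declaration and the loop condition are outside the hunk). Extending the break condition to `if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs) || nvs->nvs_strlen + sizeof(*nvs) > avail) break;` would close that gap, modulo the signedness of avail. The debug line that follows uses `%*s`, which is a field width rather than a precision, so if nvdebug expands to a printf-family call it reads nvs_string up to a NUL regardless of nvs_strlen; `%.*s` is presumably what was meant. In probe.c, the comment `/* someone trying to overflow some buffers? */` would be clearer as `/* reject len that would wrap sizeof(struct blkid_bufinfo) + len in calloc() */`.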
@@ -0,0 +1,167 @@
+From 89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc Mon Sep 17 00:00:00 2001
+From: Karel Zak
+Date: Thu, 27 Nov 2014 13:39:35 +0100
+Subject: [PATCH] libblkid: care about unsafe chars in cache
+
+The high-level libblkid API uses /run/blkid/blkid.tab cache to
+store probing results. The cache format is
+
+ devname
+
+and unfortunately the cache code does not escape quotation marks:
+
+ # mkfs.ext4 -L 'AAA"BBB'
+
+ # cat /run/blkid/blkid.tab
+ ...
+ /dev/sdb1
+
+such string is later incorrectly parsed and blkid(8) returns
+nonsenses. And for use-cases like
+
+ # eval $(blkid -o export /dev/sdb1)
+
+it's also insecure.
+
+Note that mount, udevd and blkid -p are based on low-level libblkid
+API, it bypass the cache and directly read data from the devices.
+
+The current udevd upstream does not depend on blkid(8) output at all,
+it's directly linked with the library and all unsafe chars are encoded by
+\x notation.
+
+ # mkfs.ext4 -L 'X"`/tmp/foo` "' /dev/sdb1
+ # udevadm info --export-db | grep LABEL
+ ...
+ E: ID_FS_LABEL=X__/tmp/foo___
+ E: ID_FS_LABEL_ENC=X\x22\x60\x2ftmp\x2ffoo\x60\x20\x22
+
+Signed-off-by: Karel Zak
+---
+ libblkid/src/read.c | 21 ++++++++++++++++++---
+ libblkid/src/save.c | 22 +++++++++++++++++++++-
+ misc-utils/blkid.8 | 5 ++++-
+ misc-utils/blkid.c | 4 ++--
+ 4 files changed, 45 insertions(+), 7 deletions(-)
+
+diff --git a/libblkid/src/read.c b/libblkid/src/read.c
+index 0e91c9c..81ab0df 100644
+--- a/libblkid/src/read.c
++++ b/libblkid/src/read.c
+@@ -252,15 +252,30 @@ static int parse_token(char **name, char **value, char **cp)
+ *value = skip_over_blank(*value + 1);
+ 
+ if (**value == '"') {
+- end = strchr(*value + 1, '"');
+- if (!end) {
++ char *p = end = *value + 1;
++
++ /* convert 'foo\"bar' to 'foo"bar' */
++ while (*p) {
++ if (*p == '\\') {
++ p++;
++ *end = *p;
++ } else {
++ *end = *p;
++ if (*p == '"')
++ break;
++ }
++ p++;
++ end++;
++ }
++
++ if (*end != '"') {
+ DBG(READ, ul_debug("unbalanced quotes at: %s", *value));
+ *cp = *value;
+ return -BLKID_ERR_CACHE;
+ }
+ (*value)++;
+ *end = '\0';
+- end++;
++ end = ++p;
+ } else {
+ end = skip_over_word(*value);
+ if (*end) {
+diff --git a/libblkid/src/save.c b/libblkid/src/save.c
+index 8216f09..5e8bbee 100644
+--- a/libblkid/src/save.c
++++ b/libblkid/src/save.c
+@@ -26,6 +26,21 @@
+ 
+ #include "blkidP.h"
+ 
++
++static void save_quoted(const char *data, FILE *file)
++{
++ const char *p;
++
++ fputc('"', file);
++ for (p = data; p && *p; p++) {
++ if ((unsigned char) *p == 0x22 || /* " */
++ (unsigned char) *p == 0x5c) /* \ */
++ fputc('\\', file);
++
++ fputc(*p, file);
++ }
++ fputc('"', file);
++}
+ static int save_dev(blkid_dev dev, FILE *file)
+ {
+ struct list_head *p;
+@@ -43,9 +58,14 @@ static int save_dev(blkid_dev dev, FILE *file)
+ 
+ if (dev->bid_pri)
+ fprintf(file, " PRI=\"%d\"", dev->bid_pri);
++
+ list_for_each(p, &dev->bid_tags) {
+ blkid_tag tag = list_entry(p, struct blkid_struct_tag, bit_tags);
+- fprintf(file, " %s=\"%s\"", tag->bit_name,tag->bit_val);
++
++ fputc(' ', file); /* space between tags */
++ fputs(tag->bit_name, file); /* tag NAME */
++ fputc('=', file); /* separator between NAME and VALUE */
++ save_quoted(tag->bit_val, file); /* tag "VALUE" */
+ }
+ fprintf(file, ">%s\n", dev->bid_name);
+ 
+diff --git a/misc-utils/blkid.8 b/misc-utils/blkid.8
+index 156a14b..c95b833 100644
+--- a/misc-utils/blkid.8
++++ b/misc-utils/blkid.8
+@@ -200,7 +200,10 @@ partitions. This output format is \fBDEPRECATED\fR.
+ .TP
+ .B export
+ print key=value pairs for easy import into the environment; this output format
+-is automatically enabled when I/O Limits (\fB-i\fR option) are requested
++is automatically enabled when I/O Limits (\fB-i\fR option) are requested.
++
++The non-printing characters are encoded by ^ and M- notation and all
++potentially unsafe characters are escaped.
+ .RE
+ .TP
+ .BI \-O " offset"
+diff --git a/misc-utils/blkid.c b/misc-utils/blkid.c
+index a6ca660..1bd8646 100644
+--- a/misc-utils/blkid.c
++++ b/misc-utils/blkid.c
+@@ -306,7 +306,7 @@ static void print_value(int output, int num, const char *devname,
+ printf("DEVNAME=%s\n", devname);
+ fputs(name, stdout);
+ fputs("=", stdout);
+- safe_print(value, valsz, NULL);
++ safe_print(value, valsz, " \\\"'$`<>");
+ fputs("\n", stdout);
+ 
+ } else {
+@@ -315,7 +315,7 @@ static void print_value(int output, int num, const char *devname,
+ fputs(" ", stdout);
+ fputs(name, stdout);
+ fputs("=\"", stdout);
+- safe_print(value, valsz, "\"");
++ safe_print(value, valsz, "\"\\");
+ fputs("\"", stdout);
+ }
+ }
+--
+2.2.2
+
diff --git a/util-linux-systemd.changes b/util-linux-systemd.changes
index b972a08..d45f52b 100644
--- a/util-linux-systemd.changes
+++ b/util-linux-systemd.changes
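Review bot: The unescape loop added to parse_token in read.c can step past the terminating NUL: when the quoted value ends in a lone backslash, `p++` lands on the NUL, `*end = *p` copies it, and the trailing `p++` advances beyond the string before `while (*p)` re-tests, so the next iteration reads out of bounds. The closing check then inspects the write cursor rather than the read cursor, so a value whose last two bytes are a backslash and a quote with nothing after them passes `if (*end != '"')` (the escaped quote was already copied into `*end`) and `end = ++p` again moves past the NUL. Guarding the escape with `if (*p == '\\') { if (!p[1]) break; p++; *end = *p; }` and testing the read cursor with `if (*p != '"') {` closes both paths, since p sits on the closing quote only when the loop exited through break. Separately, save_quoted escapes only `"` and `\`, so a raw newline in a tag value would still break the line-oriented record that `fprintf(file, ">%s\n", dev->bid_name)` terminates — worth confirming whether tag values can carry such bytes. parse_token's body starts and ends outside this hunk.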
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
+
+- libblkid: care about unsafe chars and possible buffer overflow
+ in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
+ util-linux-libblkid-overflow.patch, bsc#907434)
+
 -------------------------------------------------------------------
 Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de
 
diff --git a/util-linux-systemd.spec b/util-linux-systemd.spec
index 9b1a9a5..3449ba7 100644
--- a/util-linux-systemd.spec
+++ b/util-linux-systemd.spec
@@ -160,6 +160,10 @@ Source51: blkid.conf
 Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 # PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
 Patch12: util-linux-noenc-suse.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
+Patch13: util-linux-libblkid-unsafe-chars.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
+Patch14: util-linux-libblkid-overflow.patch
 ##
 ## klogconsole
 ##
@@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
 %setup -q -n %{_name}-%{version} -b 40
 %patch4 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 #
 # setctsid
 cp -p %{S:22} %{S:23} .
diff --git a/util-linux.changes b/util-linux.changes
index b972a08..d45f52b 100644
--- a/util-linux.changes
+++ b/util-linux.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb 4 19:08:43 CET 2015 - sbrabec@suse.cz
+
+- libblkid: care about unsafe chars and possible buffer overflow
+ in cache (CVE-2014-9114, util-linux-libblkid-unsafe-chars.patch,
+ util-linux-libblkid-overflow.patch, bsc#907434)
+
 -------------------------------------------------------------------
 Thu Jan 29 14:13:41 UTC 2015 - sweet_f_a@gmx.de
 
diff --git a/util-linux.spec b/util-linux.spec
index a5a40af..61bf76f 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -160,6 +160,10 @@ Source51: blkid.conf
 Patch4: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 # PATCH-FEATURE-SUSE -- Report about disabled encryption to stderr.
 Patch12: util-linux-noenc-suse.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-unsafe-chars.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: care about unsafe chars in cache
+Patch13: util-linux-libblkid-unsafe-chars.patch
+# PATCH-FIX-SECURITY util-linux-libblkid-overflow.patch bsc907434 CVE-2014-9114 sbrabec@suse.cz -- libblkid: fix possible buffer overflow
+Patch14: util-linux-libblkid-overflow.patch
 ##
 ## klogconsole
 ##
@@ -383,6 +387,8 @@ xzcat %{S:0} | %gpg_verify -p %{_name} %{S:12} -
 %setup -q -n %{_name}-%{version} -b 40
 %patch4 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 #
 # setctsid
 cp -p %{S:22} %{S:23} .