fuse: CVE-2018-10906

* CVE-2018-10906-1: fusermount: don't feed "escaped commas" into mount options The old code permits the following behavior: $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument) However, backslashes do not have any special meaning for the kernel here. As it happens, you can't abuse this because there is no FUSE mount option that takes a string value that can contain backslashes; but this is very brittle. Don't interpret "escape characters" in places where they don't work. * CVE-2018-10906-2: fusermount: refuse unknown options Blacklists are notoriously fragile; especially if the kernel wishes to add some security-critical mount option at a later date, all existing systems with older versions of fusermount installed will suddenly have a security problem. Additionally, if the kernel's option parsing became a tiny bit laxer, the blacklist could probably be bypassed. Whitelist known-harmless flags instead, even if it's slightly more inconvenient. Affects fuse < 2.9.8 and fuse < 3.2.5 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-23 16:51:23 +0530
committer: Armin Kuster <akuster808@gmail.com> 2018-09-04 07:36:55 -0700
commit: 0fec2df04070651d1b7a6b3d4236e1fdd0af3974 (patch)
tree: c46d702abccc8a12f552d2a42787f6174e233c1e
parent: 086be3c7ec949aa9d5059c0e00a34e42711d66af (diff)
download: meta-openembedded-0fec2df04070651d1b7a6b3d4236e1fdd0af3974.tar.gz
3 files changed, 102 insertions, 0 deletions
diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
new file mode 100644
index 000000000..83bef3022
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
@@ -0,0 +1,52 @@
+From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+The old code permits the following behavior:
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+However, backslashes do not have any special meaning for the kernel here.
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 0e1d34d..143bd4a 100644
+--- a/util/fusermount.c
+++ b/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
+#include <stdbool.h>
+ 
+ #define FUSE_COMMFD_ENV                "_FUSE_COMMFD"
+ 
+@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+                unsigned len;
+                const char *fsname_str = "fsname=";
+                const char *subtype_str = "subtype=";
+               bool escape_ok = begins_with(s, fsname_str) ||
+                                begins_with(s, subtype_str);
+                for (len = 0; s[len]; len++) {
+-                       if (s[len] == '\\' && s[len + 1])
+                       if (escape_ok && s[len] == '\\' && s[len + 1])
+                                len++;
+                        else if (s[len] == ',')
+                                break;
+-- 
+2.13.3
diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
new file mode 100644
index 000000000..104aa171b
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
@@ -0,0 +1,48 @@
+From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 14 Jul 2018 03:47:50 -0700
+Subject: [PATCH] fusermount: refuse unknown options
+Blacklists are notoriously fragile; especially if the kernel wishes to add
+some security-critical mount option at a later date, all existing systems
+with older versions of fusermount installed will suddenly have a security
+problem.
+Additionally, if the kernel's option parsing became a tiny bit laxer, the
+blacklist could probably be bypassed.
+Whitelist known-harmless flags instead, even if it's slightly more
+inconvenient.
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ util/fusermount.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 4e0f51a..2792407 100644
+--- a/util/fusermount.c
+++ b/util/fusermount.c
+@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+                                                flags |= flag;
+                                        else
+                                                flags  &= ~flag;
+-                               } else {
+                               } else if (opt_eq(s, len, "default_permissions") ||
+                                          opt_eq(s, len, "allow_other") ||
+                                          begins_with(s, "max_read=") ||
+                                          begins_with(s, "blksize=")) {
+                                        memcpy(d, s, len);
+                                        d += len;
+                                        *d++ = ',';
+                               } else {
+                                       fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
+                                       exit(1);
+                                }
+                        }
+                }
+-- 
+2.13.3
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
index 202d4c3eb..1eb9b7007 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
           file://aarch64.patch \
           file://0001-fuse-fix-the-return-value-of-help-option.patch \
           file://fuse.conf \
+           file://CVE-2018-10906-1.patch \
+           file://CVE-2018-10906-2.patch \
 "
 SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"
 SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-23 16:51:23 +0530
committer	Armin Kuster <akuster808@gmail.com>	2018-09-04 07:36:55 -0700
commit	0fec2df04070651d1b7a6b3d4236e1fdd0af3974 (patch)
tree	c46d702abccc8a12f552d2a42787f6174e233c1e
parent	086be3c7ec949aa9d5059c0e00a34e42711d66af (diff)
download	meta-openembedded-0fec2df04070651d1b7a6b3d4236e1fdd0af3974.tar.gz

diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch new file mode 100644 index 000000000..83bef3022 --- /dev/null +++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
@@ -0,0 +1,52 @@
		1	From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jannh@google.com>
		3	Date: Fri, 13 Jul 2018 15:15:36 -0700
		4	Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
		5
		6	The old code permits the following behavior:
		7
		8	$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
		9	mount("/dev/fuse", ".", "fuse", MS_NOSUID\|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
		10
		11	However, backslashes do not have any special meaning for the kernel here.
		12
		13	As it happens, you can't abuse this because there is no FUSE mount option
		14	that takes a string value that can contain backslashes; but this is very
		15	brittle. Don't interpret "escape characters" in places where they don't
		16	work.
		17
		18	CVE: CVE-2018-10906
		19	Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466]
		20
		21	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		22	---
		23	util/fusermount.c \| 5 ++++-
		24	1 file changed, 4 insertions(+), 1 deletion(-)
		25
		26	diff --git a/util/fusermount.c b/util/fusermount.c
		27	index 0e1d34d..143bd4a 100644
		28	--- a/util/fusermount.c
		29	+++ b/util/fusermount.c
		30	@@ -29,6 +29,7 @@
		31	#include <sys/socket.h>
		32	#include <sys/utsname.h>
		33	#include <sched.h>
		34	+#include <stdbool.h>
		35
		36	#define FUSE_COMMFD_ENV "_FUSE_COMMFD"
		37
		38	@@ -754,8 +755,10 @@ static int do_mount(const char mnt, char *typep, mode_t rootmode,
		39	unsigned len;
		40	const char *fsname_str = "fsname=";
		41	const char *subtype_str = "subtype=";
		42	+ bool escape_ok = begins_with(s, fsname_str) \|\|
		43	+ begins_with(s, subtype_str);
		44	for (len = 0; s[len]; len++) {
		45	- if (s[len] == '\\' && s[len + 1])
		46	+ if (escape_ok && s[len] == '\\' && s[len + 1])
		47	len++;
		48	else if (s[len] == ',')
		49	break;
		50	--
		51	2.13.3
		52


diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch new file mode 100644 index 000000000..104aa171b --- /dev/null +++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
@@ -0,0 +1,48 @@
		1	From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
		2	From: Jann Horn <jannh@google.com>
		3	Date: Sat, 14 Jul 2018 03:47:50 -0700
		4	Subject: [PATCH] fusermount: refuse unknown options
		5
		6	Blacklists are notoriously fragile; especially if the kernel wishes to add
		7	some security-critical mount option at a later date, all existing systems
		8	with older versions of fusermount installed will suddenly have a security
		9	problem.
		10	Additionally, if the kernel's option parsing became a tiny bit laxer, the
		11	blacklist could probably be bypassed.
		12
		13	Whitelist known-harmless flags instead, even if it's slightly more
		14	inconvenient.
		15
		16	CVE: CVE-2018-10906
		17	Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414]
		18
		19	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		20	---
		21	util/fusermount.c \| 8 +++++++-
		22	1 file changed, 7 insertions(+), 1 deletion(-)
		23
		24	diff --git a/util/fusermount.c b/util/fusermount.c
		25	index 4e0f51a..2792407 100644
		26	--- a/util/fusermount.c
		27	+++ b/util/fusermount.c
		28	@@ -819,10 +819,16 @@ static int do_mount(const char mnt, char *typep, mode_t rootmode,
		29	flags \|= flag;
		30	else
		31	flags &= ~flag;
		32	- } else {
		33	+ } else if (opt_eq(s, len, "default_permissions") \|\|
		34	+ opt_eq(s, len, "allow_other") \|\|
		35	+ begins_with(s, "max_read=") \|\|
		36	+ begins_with(s, "blksize=")) {
		37	memcpy(d, s, len);
		38	d += len;
		39	*d++ = ',';
		40	+ } else {
		41	+ fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
		42	+ exit(1);
		43	}
		44	}
		45	}
		46	--
		47	2.13.3
		48


diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb index 202d4c3eb..1eb9b7007 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
15	file://aarch64.patch \	15	file://aarch64.patch \
16	file://0001-fuse-fix-the-return-value-of-help-option.patch \	16	file://0001-fuse-fix-the-return-value-of-help-option.patch \
17	file://fuse.conf \	17	file://fuse.conf \
		18	file://CVE-2018-10906-1.patch \
		19	file://CVE-2018-10906-2.patch \
18	"	20	"
19	SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"	21	SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"
20	SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"	22	SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"