summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndre McCurdy <armccurdy@gmail.com>2018-05-24 17:14:19 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-06-15 17:56:24 +0100
commit31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2 (patch)
tree750028c0d52529c6775317f8a4dbbebec338f9db
parenta0a395a8c614277cdbfe3f13ae7f200c85d1f2b5 (diff)
downloadpoky-31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2.tar.gz
cpio: fix CVE-2016-2037
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file." https://nvd.nist.gov/vuln/detail/CVE-2016-2037 Note that there appear to be two versions of this fix. The original patch posted to the bug-cpio mailing list [1] is used by Debian [2], but apparently causes regression [3]. The patch accepted to the upstream git repo [4] seems to be the most complete fix. [1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html [2] https://security-tracker.debian.org/tracker/CVE-2016-2037 [3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html [4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b (From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch346
-rw-r--r--meta/recipes-extended/cpio/cpio_2.12.bb1
2 files changed, 347 insertions, 0 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
new file mode 100644
index 0000000000..0a3054483c
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
@@ -0,0 +1,346 @@
1From ebf9a2d776474181936a720ce811d72bbd1da3b6 Mon Sep 17 00:00:00 2001
2From: Pavel Raiskup <praiskup@redhat.com>
3Date: Tue, 26 Jan 2016 23:17:54 +0100
4Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write
5
6Ensure that cpio_safer_name_suffix always works with dynamically
7allocated buffer, and that it has size of at least 32 bytes.
8Then, any call to cpio_safer_name_suffix is safe (it requires at
9least 2 bytes in the buffer).
10
11Also ensure that c_namesize is always correctly initialized (by
12cpio_set_c_name) to avoid undefined behavior when reading
13file_hdr.c_namesize (previously happened for tar archives).
14
15References:
16http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
17
18* src/copyin.c (query_rename): Drop the hack, as we now work with
19dynamically allocated buffer. Use cpio_set_c_name.
20(create_defered_links_to_skipped): Use cpio_set_c_name rather than
21manual assignment.
22(read_name_from_file): New function to avoid C&P.
23(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
24read_name_from_file.
25(process_copy_in): Initialize file_hdr.c_namesize.
26* src/copyout.c (process_copy_out): Use cpio_set_c_name.
27* src/cpiohdr.h (cpio_set_c_name): New prototype.
28* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
29* src/util.c (cpio_set_c_name): New function to set
30file_hdr->c_name and c_namesize from arbitrary string.
31(cpio_safer_name_suffix): Some docs fixes.
32* tests/inout.at: Also test copy-in, and try various formats.
33
34CVE: CVE-2016-2037
35
36Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b]
37
38Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
39---
40 src/copyin.c | 68 +++++++++++++++++++---------------------------------------
41 src/copyout.c | 13 +++++------
42 src/cpiohdr.h | 1 +
43 src/tar.c | 10 +++++----
44 src/util.c | 32 ++++++++++++++++++++++++++-
45 tests/inout.at | 19 ++++++++++++++--
46 6 files changed, 82 insertions(+), 61 deletions(-)
47
48diff --git a/src/copyin.c b/src/copyin.c
49index cde911e..972f8a6 100644
50--- a/src/copyin.c
51+++ b/src/copyin.c
52@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
53 return -1;
54 }
55 else
56- /* Debian hack: file_hrd.c_name is sometimes set to
57- point to static memory by code in tar.c. This
58- causes a segfault. This has been fixed and an
59- additional check to ensure that the file name
60- is not too long has been added. (Reported by
61- Horst Knobloch.) This bug has been reported to
62- "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
63- {
64- if (archive_format != arf_tar && archive_format != arf_ustar)
65- {
66- free (file_hdr->c_name);
67- file_hdr->c_name = xstrdup (new_name.ds_string);
68- }
69- else
70- {
71- if (is_tar_filename_too_long (new_name.ds_string))
72- error (0, 0, _("%s: file name too long"),
73- new_name.ds_string);
74- else
75- strcpy (file_hdr->c_name, new_name.ds_string);
76- }
77- }
78+ cpio_set_c_name (file_hdr, new_name.ds_string);
79 return 0;
80 }
81
82@@ -344,8 +323,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
83 d_prev->next = d->next;
84 else
85 deferments = d->next;
86- free (file_hdr->c_name);
87- file_hdr->c_name = xstrdup(d->header.c_name);
88+ cpio_set_c_name (file_hdr, d->header.c_name);
89 free_deferment (d);
90 copyin_regular_file(file_hdr, in_file_des);
91 return 0;
92@@ -1064,6 +1042,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
93 }
94 }
95
96+static void
97+read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
98+{
99+ static char *tmp_filename;
100+ static size_t buflen;
101+
102+ if (buflen < len)
103+ {
104+ buflen = len;
105+ tmp_filename = xrealloc (tmp_filename, buflen);
106+ }
107+
108+ tape_buffered_read (tmp_filename, fd, len);
109+ cpio_set_c_name (file_hdr, tmp_filename);
110+}
111+
112 /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
113 file descriptor IN_DES, except for the magic number, which is
114 already filled in. */
115@@ -1090,14 +1084,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
116 file_hdr->c_rdev_min = minor (dev);
117
118 file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
119- file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
120 file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
121-
122- /* Read file name from input. */
123- if (file_hdr->c_name != NULL)
124- free (file_hdr->c_name);
125- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
126- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
127+ read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
128
129 /* HP/UX cpio creates archives that look just like ordinary archives,
130 but for devices it sets major = 0, minor = 1, and puts the
131@@ -1152,14 +1140,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
132 file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
133 file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
134 file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
135- file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
136 file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
137-
138- /* Read file name from input. */
139- if (file_hdr->c_name != NULL)
140- free (file_hdr->c_name);
141- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
142- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
143+ read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
144
145 /* In SVR4 ASCII format, the amount of space allocated for the header
146 is rounded up to the next long-word, so we might need to drop
147@@ -1207,16 +1189,9 @@ read_in_binary (struct cpio_file_stat *file_hdr,
148 file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
149 file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
150 | short_hdr->c_mtimes[1];
151-
152- file_hdr->c_namesize = short_hdr->c_namesize;
153 file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
154 | short_hdr->c_filesizes[1];
155-
156- /* Read file name from input. */
157- if (file_hdr->c_name != NULL)
158- free (file_hdr->c_name);
159- file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
160- tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
161+ read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
162
163 /* In binary mode, the amount of space allocated in the header for
164 the filename is `c_namesize' rounded up to the next short-word,
165@@ -1297,6 +1272,7 @@ process_copy_in ()
166 read_pattern_file ();
167 }
168 file_hdr.c_name = NULL;
169+ file_hdr.c_namesize = 0;
170
171 if (rename_batch_file)
172 {
173diff --git a/src/copyout.c b/src/copyout.c
174index 1f0987a..bb39559 100644
175--- a/src/copyout.c
176+++ b/src/copyout.c
177@@ -660,8 +660,7 @@ process_copy_out ()
178 cpio_safer_name_suffix (input_name.ds_string, false,
179 !no_abs_paths_flag, true);
180 #ifndef HPUX_CDF
181- file_hdr.c_name = input_name.ds_string;
182- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
183+ cpio_set_c_name (&file_hdr, input_name.ds_string);
184 #else
185 if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
186 {
187@@ -670,16 +669,15 @@ process_copy_out ()
188 properly recreate the directory as hidden (in case the
189 files of a directory go into the archive before the
190 directory itself (e.g from "find ... -depth ... | cpio")). */
191- file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
192- file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
193+ cpio_set_c_name (&file_hdr,
194+ add_cdf_double_slashes (input_name.ds_string));
195 }
196 else
197 {
198 /* We don't mark CDF's in tar files. We assume the "hidden"
199 directory will always go into the archive before any of
200 its files. */
201- file_hdr.c_name = input_name.ds_string;
202- file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
203+ cpio_set_c_name (&file_hdr, input_name.ds_string);
204 }
205 #endif
206
207@@ -866,8 +864,7 @@ process_copy_out ()
208 file_hdr.c_chksum = 0;
209
210 file_hdr.c_filesize = 0;
211- file_hdr.c_namesize = 11;
212- file_hdr.c_name = CPIO_TRAILER_NAME;
213+ cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
214 if (archive_format != arf_tar && archive_format != arf_ustar)
215 write_out_header (&file_hdr, out_file_des);
216 else
217diff --git a/src/cpiohdr.h b/src/cpiohdr.h
218index b29e6fb..f4c63be 100644
219--- a/src/cpiohdr.h
220+++ b/src/cpiohdr.h
221@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
222 char *c_tar_linkname;
223 };
224
225+void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
226
227 #endif /* cpiohdr.h */
228diff --git a/src/tar.c b/src/tar.c
229index a2ce171..e41f89d 100644
230--- a/src/tar.c
231+++ b/src/tar.c
232@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
233 if (null_block ((long *) &tar_rec, TARRECORDSIZE))
234 #endif
235 {
236- file_hdr->c_name = CPIO_TRAILER_NAME;
237+ cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
238 return;
239 }
240 #if 0
241@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
242 }
243
244 if (archive_format != arf_ustar)
245- file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
246+ cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
247 else
248- file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
249+ cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
250+ tar_hdr->name));
251+
252 file_hdr->c_nlink = 1;
253 file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
254 file_hdr->c_mode = file_hdr->c_mode & 07777;
255@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
256 case AREGTYPE:
257 /* Old tar format; if the last char in filename is '/' then it is
258 a directory, otherwise it's a regular file. */
259- if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
260+ if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
261 file_hdr->c_mode |= CP_IFDIR;
262 else
263 file_hdr->c_mode |= CP_IFREG;
264diff --git a/src/util.c b/src/util.c
265index 6ff6032..4f3c073 100644
266--- a/src/util.c
267+++ b/src/util.c
268@@ -1410,8 +1410,34 @@ set_file_times (int fd,
269 utime_error (name);
270 }
271
272+
273+void
274+cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
275+{
276+ static size_t buflen = 0;
277+ size_t len = strlen (name) + 1;
278+
279+ if (buflen == 0)
280+ {
281+ buflen = len;
282+ if (buflen < 32)
283+ buflen = 32;
284+ file_hdr->c_name = xmalloc (buflen);
285+ }
286+ else if (buflen < len)
287+ {
288+ buflen = len;
289+ file_hdr->c_name = xrealloc (file_hdr->c_name, buflen);
290+ }
291+
292+ file_hdr->c_namesize = len;
293+ memmove (file_hdr->c_name, name, len);
294+}
295+
296 /* Do we have to ignore absolute paths, and if so, does the filename
297- have an absolute path? */
298+ have an absolute path? Before calling this function make sure that the
299+ allocated NAME buffer has capacity at least 2 bytes. */
300+
301 void
302 cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
303 bool strip_leading_dots)
304@@ -1426,6 +1452,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
305 ++p;
306 }
307 if (p != name)
308+ /* The 'p' string is shortened version of 'name' with one exception; when
309+ the 'name' points to an empty string (buffer where name[0] == '\0') the
310+ 'p' then points to static string ".". So caller needs to ensure there
311+ are at least two bytes available in 'name' buffer so memmove succeeds. */
312 memmove (name, p, (size_t)(strlen (p) + 1));
313 }
314
315diff --git a/tests/inout.at b/tests/inout.at
316index 60c3716..730cbd2 100644
317--- a/tests/inout.at
318+++ b/tests/inout.at
319@@ -35,7 +35,22 @@ while read NAME LENGTH
320 do
321 genfile --length $LENGTH > $NAME
322 echo $NAME
323-done < filelist |
324- cpio --quiet -o > archive])
325+done < filelist > filelist_raw
326+
327+for format in bin odc newc crc tar ustar hpbin hpodc
328+do
329+ cpio --format=$format --quiet -o < filelist_raw > archive.$format
330+ rm -rf output
331+ mkdir output && cd output
332+ cpio -i --quiet < ../archive.$format
333+
334+ while read file
335+ do
336+ test -f $file || echo "$file not found"
337+ done < ../filelist_raw
338+
339+ cd ..
340+done
341+])
342
343 AT_CLEANUP
344--
3451.9.1
346
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 19ad69b037..69d36983e3 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
9SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ 9SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
10 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ 10 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
11 file://0001-Fix-CVE-2015-1197.patch \ 11 file://0001-Fix-CVE-2015-1197.patch \
12 file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
12 " 13 "
13 14
14SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86" 15SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"