authorArmin Kuster <akuster@mvista.com>2016-09-20 04:51:14 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 22:22:04 (GMT)
commit2804850ea7b030be9b36ea1af03cd80d90466707 (patch)
tree9e4da46e82744cc0d180bc5bbd8cb6368eeecdc7
parent6998a3c1e64869b720c49f45af37862646ac5dff (diff)
util-linux: Security fix for CVE-2016-5011
affects util-linux < 2.28.2 (From OE-Core rev: c9c85df86cd2270b144fa824ef76adedd3636c8a) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch59
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch91
-rw-r--r--meta/recipes-core/util-linux/util-linux_2.26.2.bb2
3 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
new file mode 100644
index 0000000..9571280
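--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
@@ -0,0 +1,59 @@
+From 7164a1c34d18831ac61c6744ad14ce916d389b3f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 7 Jul 2016 14:22:41 +0200
+Subject: [PATCH] libblkid: ignore extended partition at zero offset
+
+If the extended partition starts at zero LBA then MBR is interpreted
+as EBR and all is recursively parsed... result is out-of-memory.
+
+ MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
+
+Note that such PT is not possible to create by standard partitioning
+tools.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libblkid/src/partitions/dos.c b/libblkid/src/partitions/dos.c
+index 9bba32f..e79f124 100644
+--- a/libblkid/src/partitions/dos.c
++++ b/libblkid/src/partitions/dos.c
+@@ -47,6 +47,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ int ct_nodata = 0; /* count ext.partitions without data partitions */
+ int i;
+
++ DBG(LOWPROBE, ul_debug("parse EBR [start=%d, size=%d]", ex_start/ssf, ex_size/ssf));
++ if (ex_start == 0) {
++ DBG(LOWPROBE, ul_debug("Bad offset in primary extended partition -- ignore"));
++ return 0;
++ }
++
+ while (1) {
+ struct dos_partition *p, *p0;
+ uint32_t start, size;
+@@ -116,8 +122,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ start = dos_partition_get_start(p) * ssf;
+ size = dos_partition_get_size(p) * ssf;
+
+- if (size && is_extended(p))
+- break;
++ if (size && is_extended(p)) {
++ if (start == 0)
++ DBG(LOWPROBE, ul_debug("#%d: EBR link offset is zero -- ignore", i + 1));
++ else
++ break;
++ }
+ }
+ if (i == 4)
+ goto leave;
+--
+2.7.4
+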
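Review bot: The new debug line in the first dos.c hunk prints `ex_start/ssf` and `ex_size/ssf` with `%d`, while the second patch in this commit prints a sector offset with `%u` and the locals `start`/`size` of the same function are `uint32_t`. The parameter types are declared outside the hunk, but if they are unsigned 32-bit as well the call should read `ul_debug("parse EBR [start=%u, size=%u]", ex_start/ssf, ex_size/ssf)`. This only affects debug output, yet it is the trace someone triaging a malformed partition table would read, and offsets above INT_MAX would be shown as negative. Separately, the OE patch header tag is spelled `Upstream-Status:`; both patch files added here use `Upstream-status:`.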
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
new file mode 100644
index 0000000..9c6960f
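--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
@@ -0,0 +1,91 @@
+From 50d1594c2e6142a3b51d2143c74027480df082e0 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 12 Jul 2016 13:34:54 +0200
+Subject: [PATCH] libblkid: avoid non-empty recursion in EBR
+
+This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
+
+We also need to detect non-empty recursion in the EBR chain. It's
+possible to create standard valid logical partitions and in the last one
+points back to the EBR chain. In this case all offsets will be non-empty.
+
+Unfortunately, it's valid to create logical partitions that are not in
+the "disk order" (sorted by start offset). So link somewhere back is
+valid, but this link cannot points to already existing partition
+(otherwise we will see recursion).
+
+This patch forces libblkid to ignore duplicate logical partitions, the
+duplicate chain segment is interpreted as non-data segment, after 100
+iterations with non-data segments it will break the loop -- no memory
+is allocated in this case by the loop.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+References: http://seclists.org/oss-sec/2016/q3/40
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 7 +++++++
+ libblkid/src/partitions/partitions.c | 14 ++++++++++++++
+ libblkid/src/partitions/partitions.h | 2 ++
+ 3 files changed, 23 insertions(+)
+
+Index: util-linux-2.26.2/libblkid/src/partitions/dos.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/dos.c
++++ util-linux-2.26.2/libblkid/src/partitions/dos.c
+@@ -105,6 +105,13 @@ static int parse_dos_extended(blkid_prob
+ continue;
+ }
+
++ /* Avoid recursive non-empty links, see ct_nodata counter */
++ if (blkid_partlist_get_partition_by_start(ls, abs_start)) {
++ DBG(LOWPROBE, ul_debug("#%d: EBR duplicate data partition [abs start=%u] -- ignore",
++ i + 1, abs_start));
++ continue;
++ }
++
+ par = blkid_partlist_add_partition(ls, tab, abs_start, size);
+ if (!par)
+ return -ENOMEM;
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.c
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.c
+@@ -940,6 +940,20 @@ blkid_partition blkid_partlist_get_parti
+ return &ls->parts[n];
+ }
+
++blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
++{
++ int i, nparts;
++ blkid_partition par;
++
++ nparts = blkid_partlist_numof_partitions(ls);
++ for (i = 0; i < nparts; i++) {
++ par = blkid_partlist_get_partition(ls, i);
++ if ((uint64_t) blkid_partition_get_start(par) == start)
++ return par;
++ }
++ return NULL;
++}
++
+ /**
+ * blkid_partlist_get_partition_by_partno
+ * @ls: partitions list
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.h
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.h
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.h
+@@ -21,6 +21,8 @@ extern int blkid_partlist_increment_part
+
+ extern blkid_partition blkid_partlist_get_parent(blkid_partlist ls);
+
++extern blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start);
++
+ extern int blkid_partitions_do_subprobe(blkid_probe pr,
+ blkid_partition parent, const struct blkid_idinfo *id);
+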
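Review bot: `blkid_partlist_get_partition_by_start()` is added to partitions.c without any comment, although the function that follows it carries a gtk-doc block and the new dos.c check depends on its exact contract. A short plain comment above it would do, for example `/* internal: returns the first partition in @ls whose start equals @start, or NULL if there is none */`, ideally also naming the unit of `start`, which is not visible here. In the dos.c hunk the added `continue` does not bound the loop by itself; termination relies on the `ct_nodata` counter the comment points to, and that handling lies outside the hunk. Because the patch was rebased onto 2.26.2, it is worth confirming that an EBR segment consisting only of duplicates is counted as a non-data segment in this version, since that is what stops the parse on a looping chain.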
diff --git a/meta/recipes-core/util-linux/util-linux_2.26.2.bb b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
index e09fdfa..56d5c19 100644
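--- a/meta/recipes-core/util-linux/util-linux_2.26.2.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
@@ -16,6 +16,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
  file://runuser.pamd \
  file://runuser-l.pamd \
  ${OLDHOST} \
+ file://CVE-2016-5011.patch \
+ file://CVE-2016-5011_p2.patch \
 "
 SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb"
 SRC_URI[sha256sum] = "0e29bda142528a48a0a953c39ff63093651a4809042e1790fbd6aa8663fd9666"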