author | Ross Burton <ross.burton@intel.com> | 2018-11-29 11:42:14 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-12-01 11:38:36 +0000 |
commit | 572990892e22b4e31345d370053ad6f875071b59 (patch) | |
tree | db9aa96a5435bdf1394c5b8d1ae91d69dd24af31 | |
parent | 28cbaf1de10bb6afb5986404912e0a3956863886 (diff) | |
download | poky-572990892e22b4e31345d370053ad6f875071b59.tar.gz |
cpio: fix crash when appending to archives
The upstream fix for CVE-2016-2037 introduced a read-from-uninitialized-memory
bug that is triggered when appending to an existing archive, an operation we
perform when building an image.
(From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch | 87 | ||||
-rw-r--r-- | meta/recipes-extended/cpio/cpio_2.12.bb | 1 |
2 files changed, 88 insertions, 0 deletions
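--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
@@ -0,0 +1,87 @@
+Upstream-Status: Submitted [bugs-cpio]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 3f0bd5a40ad0ceaee78c74a52a7166ed7f08db81 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu, 29 Nov 2018 07:03:48 +0100
+Subject: [PATCH] Fix segfault with --append
+
+The --append mode combines both process_copy_in() and
+process_copy_out() methods, each of them working with different
+(local) file_hdr->c_name buffers. So ensure that
+cpio_set_c_name() isn't using the same static variable for
+maintaining length of different buffers.
+
+Complements d36ec5f4e93130efb24fb9. Thanks to Ross Burton.
+
+* src/copyin.c (process_copy_in): Always initialize file_hdr.
+* src/copyout.c (process_copy_out): Likewise.
+* src/cpiohdr.h (cpio_file_stat): Add c_name_buflen variable.
+* src/util.c (cpio_set_c_name): Use file_hdr->c_name_buflen.
+---
+src/copyin.c | 1 +
+src/copyout.c | 1 +
+src/cpiohdr.h | 1 +
+src/util.c | 3 ++-
+4 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index ba887ae..767c2f8 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -1213,6 +1213,7 @@ process_copy_in ()
+
+newdir_umask = umask (0); /* Reset umask to preserve modes of
+created files */
++ memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+
+/* Initialize the copy in. */
+if (pattern_file_name)
+diff --git a/src/copyout.c b/src/copyout.c
+index 7532dac..fb890cb 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -594,6 +594,7 @@ process_copy_out ()
+
+/* Initialize the copy out. */
+ds_init (&input_name, 128);
++ memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+file_hdr.c_magic = 070707;
+
+/* Check whether the output file might be a tape. */
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index 588135b..cf64f3e 100644
+--- a/src/cpiohdr.h
++++ b/src/cpiohdr.h
+@@ -127,6 +127,7 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+uint32_t c_chksum;
+char *c_name;
+char *c_tar_linkname;
++ size_t c_name_buflen;
+};
+
+void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
+diff --git a/src/util.c b/src/util.c
+index 10486dc..1256469 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1413,7 +1413,7 @@ set_file_times (int fd,
+void
+cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+{
+- static size_t buflen = 0;
++ size_t buflen = file_hdr->c_name_buflen;
+size_t len = strlen (name) + 1;
+
+if (buflen == 0)
+@@ -1430,6 +1430,7 @@ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+}
+
+file_hdr->c_namesize = len;
++ file_hdr->c_name_buflen = buflen;
+memmove (file_hdr->c_name, name, len);
+}
+
+--
+2.11.0
+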
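Review bot: With `buflen` now read from `file_hdr->c_name_buflen` in `cpio_set_c_name` (src/util.c), the function is only correct when the struct was zeroed before its first call, and the patch does not write that requirement down anywhere. The two added `memset` calls cover `process_copy_in` and `process_copy_out`; whether every other `struct cpio_file_stat` that reaches `cpio_set_c_name` is zeroed cannot be confirmed from these hunks, and an unzeroed one would make the allocation decision from an indeterminate value before the `memmove` into `c_name`, the same class of memory error this patch is meant to fix. I would state the invariant on the new field in src/cpiohdr.h, for example `size_t c_name_buflen; /* allocated size of c_name; zero the struct before the first cpio_set_c_name() */`. The initialisation could also be written as `memset (&file_hdr, 0, sizeof file_hdr);` so it follows the variable's type. The bodies of all four touched definitions extend outside the hunks shown.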
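--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
 file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
 file://0001-Fix-CVE-2015-1197.patch \
 file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
+file://0001-Fix-segfault-with-append.patch \
 "
 
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"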