diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2018-08-24 15:21:27 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-28 10:30:28 +0100 |
commit | 62917950b76a02b0d5a7bf41eccde8244804cbcc (patch) | |
tree | 040aee4dc8bd885d813d673b2598c057a0348932 /meta/recipes-kernel/blktrace | |
parent | c0abc412bc63f8792ec45695d665c9bd057d2ac7 (diff) | |
download | poky-62917950b76a02b0d5a7bf41eccde8244804cbcc.tar.gz |
blktrace: Security fix CVE-2018-10689
CVE-2018-10689: blktrace (aka Block IO Tracing) 1.2.0, as used with the
Linux kernel and Android, has a buffer overflow in the dev_map_read
function in btt/devmap.c because the device and devno arrays are too
small, as demonstrated by an invalid free when using the btt program
with a crafted file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-10689
Patch from:
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
(From OE-Core rev: 6a7ed8b1db10abd38bdd20c77a8f27427d381156)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-kernel/blktrace')
-rw-r--r-- | meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch | 150 | ||||
-rw-r--r-- | meta/recipes-kernel/blktrace/blktrace_git.bb | 1 |
2 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch new file mode 100644 index 0000000000..7b58568d59 --- /dev/null +++ b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch | |||
@@ -0,0 +1,150 @@ | |||
1 | From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jens Axboe <axboe@kernel.dk> | ||
3 | Date: Wed, 2 May 2018 10:24:17 -0600 | ||
4 | Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow | ||
5 | |||
6 | Herbo Zhang reports: | ||
7 | |||
8 | I found a bug in blktrace/btt/devmap.c. The code is just as follows: | ||
9 | |||
10 | https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757 | ||
11 | |||
12 | struct devmap { | ||
13 | |||
14 | struct list_head head; | ||
15 | char device[32], devno[32]; // #1 | ||
16 | }; | ||
17 | |||
18 | LIST_HEAD(all_devmaps); | ||
19 | |||
20 | static int dev_map_add(char *line) | ||
21 | { | ||
22 | struct devmap *dmp; | ||
23 | |||
24 | if (strstr(line, "Device") != NULL) | ||
25 | return 1; | ||
26 | |||
27 | dmp = malloc(sizeof(struct devmap)); | ||
28 | if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2 | ||
29 | free(dmp); | ||
30 | return 1; | ||
31 | } | ||
32 | |||
33 | list_add_tail(&dmp->head, &all_devmaps); | ||
34 | return 0; | ||
35 | } | ||
36 | |||
37 | int dev_map_read(char *fname) | ||
38 | { | ||
39 | char line[256]; // #3 | ||
40 | FILE *fp = my_fopen(fname, "r"); | ||
41 | |||
42 | if (!fp) { | ||
43 | perror(fname); | ||
44 | return 1; | ||
45 | } | ||
46 | |||
47 | while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) { | ||
48 | if (dev_map_add(line)) | ||
49 | break; | ||
50 | } | ||
51 | |||
52 | fclose(fp); | ||
53 | return 0; | ||
54 | } | ||
55 | |||
56 | The line length is 256, but the dmp->device, dmp->devno max length | ||
57 | is only 32. We can put strings longer than 32 into dmp->device and | ||
58 | dmp->devno , and then they will be overflowed. | ||
59 | |||
60 | we can trigger this bug just as follows: | ||
61 | |||
62 | $ python -c "print 'A'*256" > ./test | ||
63 | $ btt -M ./test | ||
64 | |||
65 | *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 *** | ||
66 | ======= Backtrace: ========= | ||
67 | /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5] | ||
68 | /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a] | ||
69 | /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c] | ||
70 | btt(+0x32e0)[0x55ad7306f2e0] | ||
71 | btt(+0x2c5f)[0x55ad7306ec5f] | ||
72 | btt(+0x251f)[0x55ad7306e51f] | ||
73 | /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830] | ||
74 | btt(+0x26b9)[0x55ad7306e6b9] | ||
75 | ======= Memory map: ======== | ||
76 | 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139 | ||
77 | /usr/bin/btt | ||
78 | 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139 | ||
79 | /usr/bin/btt | ||
80 | 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139 | ||
81 | /usr/bin/btt | ||
82 | 55ad73280000-55ad73285000 rw-p 00000000 00:00 0 | ||
83 | 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0 | ||
84 | [heap] | ||
85 | 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0 | ||
86 | 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0 | ||
87 | 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237 | ||
88 | /lib/x86_64-linux-gnu/libgcc_s.so.1 | ||
89 | 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237 | ||
90 | /lib/x86_64-linux-gnu/libgcc_s.so.1 | ||
91 | 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237 | ||
92 | /lib/x86_64-linux-gnu/libgcc_s.so.1 | ||
93 | 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237 | ||
94 | /lib/x86_64-linux-gnu/libgcc_s.so.1 | ||
95 | 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477 | ||
96 | /lib/x86_64-linux-gnu/libc-2.23.so | ||
97 | 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477 | ||
98 | /lib/x86_64-linux-gnu/libc-2.23.so | ||
99 | 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477 | ||
100 | /lib/x86_64-linux-gnu/libc-2.23.so | ||
101 | 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477 | ||
102 | /lib/x86_64-linux-gnu/libc-2.23.so | ||
103 | 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0 | ||
104 | 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478 | ||
105 | /lib/x86_64-linux-gnu/ld-2.23.so | ||
106 | 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0 | ||
107 | 7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0 | ||
108 | 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478 | ||
109 | /lib/x86_64-linux-gnu/ld-2.23.so | ||
110 | 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478 | ||
111 | /lib/x86_64-linux-gnu/ld-2.23.so | ||
112 | 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0 | ||
113 | 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0 | ||
114 | [stack] | ||
115 | 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0 | ||
116 | [vvar] | ||
117 | 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0 | ||
118 | [vdso] | ||
119 | ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 | ||
120 | [vsyscall] | ||
121 | [1] 6272 abort btt -M test | ||
122 | |||
123 | Signed-off-by: Jens Axboe <axboe@kernel.dk> | ||
124 | |||
125 | Upstream-Status: Backport | ||
126 | [https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7] | ||
127 | |||
128 | CVE: CVE-2018-10689 | ||
129 | |||
130 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
131 | --- | ||
132 | btt/devmap.c | 2 +- | ||
133 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
134 | |||
135 | diff --git a/btt/devmap.c b/btt/devmap.c | ||
136 | index 0553a9e..5fc1cb2 100644 | ||
137 | --- a/btt/devmap.c | ||
138 | +++ b/btt/devmap.c | ||
139 | @@ -23,7 +23,7 @@ | ||
140 | |||
141 | struct devmap { | ||
142 | struct list_head head; | ||
143 | - char device[32], devno[32]; | ||
144 | + char device[PATH_MAX], devno[PATH_MAX]; | ||
145 | }; | ||
146 | |||
147 | LIST_HEAD(all_devmaps); | ||
148 | -- | ||
149 | 2.7.4 | ||
150 | |||
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb index 663de2ed53..2605ff9167 100644 --- a/meta/recipes-kernel/blktrace/blktrace_git.bb +++ b/meta/recipes-kernel/blktrace/blktrace_git.bb | |||
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}" | |||
11 | 11 | ||
12 | SRC_URI = "git://git.kernel.dk/blktrace.git \ | 12 | SRC_URI = "git://git.kernel.dk/blktrace.git \ |
13 | file://ldflags.patch \ | 13 | file://ldflags.patch \ |
14 | file://CVE-2018-10689.patch \ | ||
14 | " | 15 | " |
15 | 16 | ||
16 | S = "${WORKDIR}/git" | 17 | S = "${WORKDIR}/git" |