blktrace: Security fix CVE-2018-10689

CVE-2018-10689: blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file. References: https://nvd.nist.gov/vuln/detail/CVE-2018-10689 Patch from: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7 (From OE-Core rev: 6a7ed8b1db10abd38bdd20c77a8f27427d381156) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yi Zhao <yi.zhao@windriver.com> 2018-08-24 15:21:27 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-28 10:30:28 +0100
commit: 62917950b76a02b0d5a7bf41eccde8244804cbcc (patch)
tree: 040aee4dc8bd885d813d673b2598c057a0348932 /meta
parent: c0abc412bc63f8792ec45695d665c9bd057d2ac7 (diff)
download: poky-62917950b76a02b0d5a7bf41eccde8244804cbcc.tar.gz
2 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
new file mode 100644
index 0000000000..7b58568d59
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
@@ -0,0 +1,150 @@
+From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 2 May 2018 10:24:17 -0600
+Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
+Herbo Zhang reports:
+I found a bug in blktrace/btt/devmap.c. The code is just as follows:
+https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
+       struct devmap {
+struct list_head head;
+char device[32], devno[32];    // #1
+};
+LIST_HEAD(all_devmaps);
+static int dev_map_add(char *line)
+{
+struct devmap *dmp;
+if (strstr(line, "Device") != NULL)
+return 1;
+dmp = malloc(sizeof(struct devmap));
+if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) {  //#2
+free(dmp);
+return 1;
+}
+list_add_tail(&dmp->head, &all_devmaps);
+return 0;
+}
+int dev_map_read(char *fname)
+{
+char line[256];   // #3
+FILE *fp = my_fopen(fname, "r");
+if (!fp) {
+perror(fname);
+return 1;
+}
+while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
+if (dev_map_add(line))
+break;
+}
+fclose(fp);
+return 0;
+}
+ The line length is 256, but the dmp->device, dmp->devno  max length
+is only 32. We can put strings longer than 32 into dmp->device and
+dmp->devno , and then they will be overflowed.
+ we can trigger this bug just as follows:
+ $ python -c "print 'A'*256" > ./test
+    $ btt -M ./test
+    *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
+    ======= Backtrace: =========
+    /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
+    /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
+    /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
+    btt(+0x32e0)[0x55ad7306f2e0]
+    btt(+0x2c5f)[0x55ad7306ec5f]
+    btt(+0x251f)[0x55ad7306e51f]
+    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
+    btt(+0x26b9)[0x55ad7306e6b9]
+    ======= Memory map: ========
+    55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
+      /usr/bin/btt
+    55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
+      /usr/bin/btt
+    55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
+      /usr/bin/btt
+    55ad73280000-55ad73285000 rw-p 00000000 00:00 0
+    55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
+      [heap]
+    7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
+    7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
+    7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
+      /lib/x86_64-linux-gnu/libgcc_s.so.1
+    7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
+      /lib/x86_64-linux-gnu/libc-2.23.so
+    7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
+    7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
+    7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
+    7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
+      /lib/x86_64-linux-gnu/ld-2.23.so
+    7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
+    7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
+      [stack]
+    7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
+      [vvar]
+    7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
+      [vdso]
+    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+      [vsyscall]
+    [1]    6272 abort      btt -M test
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Upstream-Status: Backport
+[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
+CVE: CVE-2018-10689
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ btt/devmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
+++ b/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+        struct list_head head;
+-       char device[32], devno[32];
+       char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
+-- 
+2.7.4
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index 663de2ed53..2605ff9167 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}"
 SRC_URI = "git://git.kernel.dk/blktrace.git \
           file://ldflags.patch \
+           file://CVE-2018-10689.patch \
 "
 S = "${WORKDIR}/git"
author	Yi Zhao <yi.zhao@windriver.com>	2018-08-24 15:21:27 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-28 10:30:28 +0100
commit	62917950b76a02b0d5a7bf41eccde8244804cbcc (patch)
tree	040aee4dc8bd885d813d673b2598c057a0348932 /meta
parent	c0abc412bc63f8792ec45695d665c9bd057d2ac7 (diff)
download	poky-62917950b76a02b0d5a7bf41eccde8244804cbcc.tar.gz

diff --git a/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch new file mode 100644 index 0000000000..7b58568d59 --- /dev/null +++ b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
@@ -0,0 +1,150 @@
		1	From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
		2	From: Jens Axboe <axboe@kernel.dk>
		3	Date: Wed, 2 May 2018 10:24:17 -0600
		4	Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
		5
		6	Herbo Zhang reports:
		7
		8	I found a bug in blktrace/btt/devmap.c. The code is just as follows:
		9
		10	https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
		11
		12	struct devmap {
		13
		14	struct list_head head;
		15	char device[32], devno[32]; // #1
		16	};
		17
		18	LIST_HEAD(all_devmaps);
		19
		20	static int dev_map_add(char *line)
		21	{
		22	struct devmap *dmp;
		23
		24	if (strstr(line, "Device") != NULL)
		25	return 1;
		26
		27	dmp = malloc(sizeof(struct devmap));
		28	if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
		29	free(dmp);
		30	return 1;
		31	}
		32
		33	list_add_tail(&dmp->head, &all_devmaps);
		34	return 0;
		35	}
		36
		37	int dev_map_read(char *fname)
		38	{
		39	char line[256]; // #3
		40	FILE *fp = my_fopen(fname, "r");
		41
		42	if (!fp) {
		43	perror(fname);
		44	return 1;
		45	}
		46
		47	while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
		48	if (dev_map_add(line))
		49	break;
		50	}
		51
		52	fclose(fp);
		53	return 0;
		54	}
		55
		56	The line length is 256, but the dmp->device, dmp->devno max length
		57	is only 32. We can put strings longer than 32 into dmp->device and
		58	dmp->devno , and then they will be overflowed.
		59
		60	we can trigger this bug just as follows:
		61
		62	$ python -c "print 'A'*256" > ./test
		63	$ btt -M ./test
		64
		65	* Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 *
		66	======= Backtrace: =========
		67	/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
		68	/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
		69	/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
		70	btt(+0x32e0)[0x55ad7306f2e0]
		71	btt(+0x2c5f)[0x55ad7306ec5f]
		72	btt(+0x251f)[0x55ad7306e51f]
		73	/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
		74	btt(+0x26b9)[0x55ad7306e6b9]
		75	======= Memory map: ========
		76	55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
		77	/usr/bin/btt
		78	55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
		79	/usr/bin/btt
		80	55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
		81	/usr/bin/btt
		82	55ad73280000-55ad73285000 rw-p 00000000 00:00 0
		83	55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
		84	[heap]
		85	7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
		86	7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
		87	7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
		88	/lib/x86_64-linux-gnu/libgcc_s.so.1
		89	7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
		90	/lib/x86_64-linux-gnu/libgcc_s.so.1
		91	7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
		92	/lib/x86_64-linux-gnu/libgcc_s.so.1
		93	7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
		94	/lib/x86_64-linux-gnu/libgcc_s.so.1
		95	7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
		96	/lib/x86_64-linux-gnu/libc-2.23.so
		97	7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
		98	/lib/x86_64-linux-gnu/libc-2.23.so
		99	7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
		100	/lib/x86_64-linux-gnu/libc-2.23.so
		101	7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
		102	/lib/x86_64-linux-gnu/libc-2.23.so
		103	7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
		104	7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
		105	/lib/x86_64-linux-gnu/ld-2.23.so
		106	7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
		107	7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
		108	7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
		109	/lib/x86_64-linux-gnu/ld-2.23.so
		110	7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
		111	/lib/x86_64-linux-gnu/ld-2.23.so
		112	7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
		113	7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
		114	[stack]
		115	7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
		116	[vvar]
		117	7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
		118	[vdso]
		119	ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
		120	[vsyscall]
		121	[1] 6272 abort btt -M test
		122
		123	Signed-off-by: Jens Axboe <axboe@kernel.dk>
		124
		125	Upstream-Status: Backport
		126	[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
		127
		128	CVE: CVE-2018-10689
		129
		130	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		131	---
		132	btt/devmap.c \| 2 +-
		133	1 file changed, 1 insertion(+), 1 deletion(-)
		134
		135	diff --git a/btt/devmap.c b/btt/devmap.c
		136	index 0553a9e..5fc1cb2 100644
		137	--- a/btt/devmap.c
		138	+++ b/btt/devmap.c
		139	@@ -23,7 +23,7 @@
		140
		141	struct devmap {
		142	struct list_head head;
		143	- char device[32], devno[32];
		144	+ char device[PATH_MAX], devno[PATH_MAX];
		145	};
		146
		147	LIST_HEAD(all_devmaps);
		148	--
		149	2.7.4
		150


diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb index 663de2ed53..2605ff9167 100644 --- a/meta/recipes-kernel/blktrace/blktrace_git.bb +++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}"
11		11
12	SRC_URI = "git://git.kernel.dk/blktrace.git \	12	SRC_URI = "git://git.kernel.dk/blktrace.git \
13	file://ldflags.patch \	13	file://ldflags.patch \
		14	file://CVE-2018-10689.patch \
14	"	15	"
15		16
16	S = "${WORKDIR}/git"	17	S = "${WORKDIR}/git"