diff options
author | Andre McCurdy <armccurdy@gmail.com> | 2018-05-24 17:14:19 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-06-15 17:56:24 +0100 |
commit | 31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2 (patch) | |
tree | 750028c0d52529c6775317f8a4dbbebec338f9db /meta | |
parent | a0a395a8c614277cdbfe3f13ae7f200c85d1f2b5 (diff) | |
download | poky-31a87d4d1dc80c6054c15a6f7dbc83b4d79bf0b2.tar.gz |
cpio: fix CVE-2016-2037
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows
remote attackers to cause a denial of service (out-of-bounds write)
via a crafted cpio file."
https://nvd.nist.gov/vuln/detail/CVE-2016-2037
Note that there appear to be two versions of this fix. The original
patch posted to the bug-cpio mailing list [1] is used by Debian [2],
but apparently causes regression [3]. The patch accepted to the
upstream git repo [4] seems to be the most complete fix.
[1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
[2] https://security-tracker.debian.org/tracker/CVE-2016-2037
[3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html
[4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b
(From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch | 346 | ||||
-rw-r--r-- | meta/recipes-extended/cpio/cpio_2.12.bb | 1 |
2 files changed, 347 insertions, 0 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch new file mode 100644 index 0000000000..0a3054483c --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch | |||
@@ -0,0 +1,346 @@ | |||
1 | From ebf9a2d776474181936a720ce811d72bbd1da3b6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Pavel Raiskup <praiskup@redhat.com> | ||
3 | Date: Tue, 26 Jan 2016 23:17:54 +0100 | ||
4 | Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write | ||
5 | |||
6 | Ensure that cpio_safer_name_suffix always works with dynamically | ||
7 | allocated buffer, and that it has size of at least 32 bytes. | ||
8 | Then, any call to cpio_safer_name_suffix is safe (it requires at | ||
9 | least 2 bytes in the buffer). | ||
10 | |||
11 | Also ensure that c_namesize is always correctly initialized (by | ||
12 | cpio_set_c_name) to avoid undefined behavior when reading | ||
13 | file_hdr.c_namesize (previously happened for tar archives). | ||
14 | |||
15 | References: | ||
16 | http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html | ||
17 | |||
18 | * src/copyin.c (query_rename): Drop the hack, as we now work with | ||
19 | dynamically allocated buffer. Use cpio_set_c_name. | ||
20 | (create_defered_links_to_skipped): Use cpio_set_c_name rather than | ||
21 | manual assignment. | ||
22 | (read_name_from_file): New function to avoid C&P. | ||
23 | (read_in_old_ascii, read_in_new_ascii, read_in_binary): Use | ||
24 | read_name_from_file. | ||
25 | (process_copy_in): Initialize file_hdr.c_namesize. | ||
26 | * src/copyout.c (process_copy_out): Use cpio_set_c_name. | ||
27 | * src/cpiohdr.h (cpio_set_c_name): New prototype. | ||
28 | * src/tar.c (read_in_tar_header): Use cpio_set_c_name. | ||
29 | * src/util.c (cpio_set_c_name): New function to set | ||
30 | file_hdr->c_name and c_namesize from arbitrary string. | ||
31 | (cpio_safer_name_suffix): Some docs fixes. | ||
32 | * tests/inout.at: Also test copy-in, and try various formats. | ||
33 | |||
34 | CVE: CVE-2016-2037 | ||
35 | |||
36 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b] | ||
37 | |||
38 | Signed-off-by: Andre McCurdy <armccurdy@gmail.com> | ||
39 | --- | ||
40 | src/copyin.c | 68 +++++++++++++++++++--------------------------------------- | ||
41 | src/copyout.c | 13 +++++------ | ||
42 | src/cpiohdr.h | 1 + | ||
43 | src/tar.c | 10 +++++---- | ||
44 | src/util.c | 32 ++++++++++++++++++++++++++- | ||
45 | tests/inout.at | 19 ++++++++++++++-- | ||
46 | 6 files changed, 82 insertions(+), 61 deletions(-) | ||
47 | |||
48 | diff --git a/src/copyin.c b/src/copyin.c | ||
49 | index cde911e..972f8a6 100644 | ||
50 | --- a/src/copyin.c | ||
51 | +++ b/src/copyin.c | ||
52 | @@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out, | ||
53 | return -1; | ||
54 | } | ||
55 | else | ||
56 | - /* Debian hack: file_hrd.c_name is sometimes set to | ||
57 | - point to static memory by code in tar.c. This | ||
58 | - causes a segfault. This has been fixed and an | ||
59 | - additional check to ensure that the file name | ||
60 | - is not too long has been added. (Reported by | ||
61 | - Horst Knobloch.) This bug has been reported to | ||
62 | - "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */ | ||
63 | - { | ||
64 | - if (archive_format != arf_tar && archive_format != arf_ustar) | ||
65 | - { | ||
66 | - free (file_hdr->c_name); | ||
67 | - file_hdr->c_name = xstrdup (new_name.ds_string); | ||
68 | - } | ||
69 | - else | ||
70 | - { | ||
71 | - if (is_tar_filename_too_long (new_name.ds_string)) | ||
72 | - error (0, 0, _("%s: file name too long"), | ||
73 | - new_name.ds_string); | ||
74 | - else | ||
75 | - strcpy (file_hdr->c_name, new_name.ds_string); | ||
76 | - } | ||
77 | - } | ||
78 | + cpio_set_c_name (file_hdr, new_name.ds_string); | ||
79 | return 0; | ||
80 | } | ||
81 | |||
82 | @@ -344,8 +323,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr, | ||
83 | d_prev->next = d->next; | ||
84 | else | ||
85 | deferments = d->next; | ||
86 | - free (file_hdr->c_name); | ||
87 | - file_hdr->c_name = xstrdup(d->header.c_name); | ||
88 | + cpio_set_c_name (file_hdr, d->header.c_name); | ||
89 | free_deferment (d); | ||
90 | copyin_regular_file(file_hdr, in_file_des); | ||
91 | return 0; | ||
92 | @@ -1064,6 +1042,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des) | ||
93 | } | ||
94 | } | ||
95 | |||
96 | +static void | ||
97 | +read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len) | ||
98 | +{ | ||
99 | + static char *tmp_filename; | ||
100 | + static size_t buflen; | ||
101 | + | ||
102 | + if (buflen < len) | ||
103 | + { | ||
104 | + buflen = len; | ||
105 | + tmp_filename = xrealloc (tmp_filename, buflen); | ||
106 | + } | ||
107 | + | ||
108 | + tape_buffered_read (tmp_filename, fd, len); | ||
109 | + cpio_set_c_name (file_hdr, tmp_filename); | ||
110 | +} | ||
111 | + | ||
112 | /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from | ||
113 | file descriptor IN_DES, except for the magic number, which is | ||
114 | already filled in. */ | ||
115 | @@ -1090,14 +1084,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des) | ||
116 | file_hdr->c_rdev_min = minor (dev); | ||
117 | |||
118 | file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime); | ||
119 | - file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize); | ||
120 | file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize); | ||
121 | - | ||
122 | - /* Read file name from input. */ | ||
123 | - if (file_hdr->c_name != NULL) | ||
124 | - free (file_hdr->c_name); | ||
125 | - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1); | ||
126 | - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); | ||
127 | + read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize)); | ||
128 | |||
129 | /* HP/UX cpio creates archives that look just like ordinary archives, | ||
130 | but for devices it sets major = 0, minor = 1, and puts the | ||
131 | @@ -1152,14 +1140,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des) | ||
132 | file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min); | ||
133 | file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj); | ||
134 | file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min); | ||
135 | - file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize); | ||
136 | file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum); | ||
137 | - | ||
138 | - /* Read file name from input. */ | ||
139 | - if (file_hdr->c_name != NULL) | ||
140 | - free (file_hdr->c_name); | ||
141 | - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); | ||
142 | - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); | ||
143 | + read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize)); | ||
144 | |||
145 | /* In SVR4 ASCII format, the amount of space allocated for the header | ||
146 | is rounded up to the next long-word, so we might need to drop | ||
147 | @@ -1207,16 +1189,9 @@ read_in_binary (struct cpio_file_stat *file_hdr, | ||
148 | file_hdr->c_rdev_min = minor (short_hdr->c_rdev); | ||
149 | file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16 | ||
150 | | short_hdr->c_mtimes[1]; | ||
151 | - | ||
152 | - file_hdr->c_namesize = short_hdr->c_namesize; | ||
153 | file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16 | ||
154 | | short_hdr->c_filesizes[1]; | ||
155 | - | ||
156 | - /* Read file name from input. */ | ||
157 | - if (file_hdr->c_name != NULL) | ||
158 | - free (file_hdr->c_name); | ||
159 | - file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize); | ||
160 | - tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize); | ||
161 | + read_name_from_file (file_hdr, in_des, short_hdr->c_namesize); | ||
162 | |||
163 | /* In binary mode, the amount of space allocated in the header for | ||
164 | the filename is `c_namesize' rounded up to the next short-word, | ||
165 | @@ -1297,6 +1272,7 @@ process_copy_in () | ||
166 | read_pattern_file (); | ||
167 | } | ||
168 | file_hdr.c_name = NULL; | ||
169 | + file_hdr.c_namesize = 0; | ||
170 | |||
171 | if (rename_batch_file) | ||
172 | { | ||
173 | diff --git a/src/copyout.c b/src/copyout.c | ||
174 | index 1f0987a..bb39559 100644 | ||
175 | --- a/src/copyout.c | ||
176 | +++ b/src/copyout.c | ||
177 | @@ -660,8 +660,7 @@ process_copy_out () | ||
178 | cpio_safer_name_suffix (input_name.ds_string, false, | ||
179 | !no_abs_paths_flag, true); | ||
180 | #ifndef HPUX_CDF | ||
181 | - file_hdr.c_name = input_name.ds_string; | ||
182 | - file_hdr.c_namesize = strlen (input_name.ds_string) + 1; | ||
183 | + cpio_set_c_name (&file_hdr, input_name.ds_string); | ||
184 | #else | ||
185 | if ( (archive_format != arf_tar) && (archive_format != arf_ustar) ) | ||
186 | { | ||
187 | @@ -670,16 +669,15 @@ process_copy_out () | ||
188 | properly recreate the directory as hidden (in case the | ||
189 | files of a directory go into the archive before the | ||
190 | directory itself (e.g from "find ... -depth ... | cpio")). */ | ||
191 | - file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string); | ||
192 | - file_hdr.c_namesize = strlen (file_hdr.c_name) + 1; | ||
193 | + cpio_set_c_name (&file_hdr, | ||
194 | + add_cdf_double_slashes (input_name.ds_string)); | ||
195 | } | ||
196 | else | ||
197 | { | ||
198 | /* We don't mark CDF's in tar files. We assume the "hidden" | ||
199 | directory will always go into the archive before any of | ||
200 | its files. */ | ||
201 | - file_hdr.c_name = input_name.ds_string; | ||
202 | - file_hdr.c_namesize = strlen (input_name.ds_string) + 1; | ||
203 | + cpio_set_c_name (&file_hdr, input_name.ds_string); | ||
204 | } | ||
205 | #endif | ||
206 | |||
207 | @@ -866,8 +864,7 @@ process_copy_out () | ||
208 | file_hdr.c_chksum = 0; | ||
209 | |||
210 | file_hdr.c_filesize = 0; | ||
211 | - file_hdr.c_namesize = 11; | ||
212 | - file_hdr.c_name = CPIO_TRAILER_NAME; | ||
213 | + cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME); | ||
214 | if (archive_format != arf_tar && archive_format != arf_ustar) | ||
215 | write_out_header (&file_hdr, out_file_des); | ||
216 | else | ||
217 | diff --git a/src/cpiohdr.h b/src/cpiohdr.h | ||
218 | index b29e6fb..f4c63be 100644 | ||
219 | --- a/src/cpiohdr.h | ||
220 | +++ b/src/cpiohdr.h | ||
221 | @@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */ | ||
222 | char *c_tar_linkname; | ||
223 | }; | ||
224 | |||
225 | +void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name); | ||
226 | |||
227 | #endif /* cpiohdr.h */ | ||
228 | diff --git a/src/tar.c b/src/tar.c | ||
229 | index a2ce171..e41f89d 100644 | ||
230 | --- a/src/tar.c | ||
231 | +++ b/src/tar.c | ||
232 | @@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) | ||
233 | if (null_block ((long *) &tar_rec, TARRECORDSIZE)) | ||
234 | #endif | ||
235 | { | ||
236 | - file_hdr->c_name = CPIO_TRAILER_NAME; | ||
237 | + cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME); | ||
238 | return; | ||
239 | } | ||
240 | #if 0 | ||
241 | @@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) | ||
242 | } | ||
243 | |||
244 | if (archive_format != arf_ustar) | ||
245 | - file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name); | ||
246 | + cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name)); | ||
247 | else | ||
248 | - file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name); | ||
249 | + cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix, | ||
250 | + tar_hdr->name)); | ||
251 | + | ||
252 | file_hdr->c_nlink = 1; | ||
253 | file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode); | ||
254 | file_hdr->c_mode = file_hdr->c_mode & 07777; | ||
255 | @@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des) | ||
256 | case AREGTYPE: | ||
257 | /* Old tar format; if the last char in filename is '/' then it is | ||
258 | a directory, otherwise it's a regular file. */ | ||
259 | - if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/') | ||
260 | + if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/') | ||
261 | file_hdr->c_mode |= CP_IFDIR; | ||
262 | else | ||
263 | file_hdr->c_mode |= CP_IFREG; | ||
264 | diff --git a/src/util.c b/src/util.c | ||
265 | index 6ff6032..4f3c073 100644 | ||
266 | --- a/src/util.c | ||
267 | +++ b/src/util.c | ||
268 | @@ -1410,8 +1410,34 @@ set_file_times (int fd, | ||
269 | utime_error (name); | ||
270 | } | ||
271 | |||
272 | + | ||
273 | +void | ||
274 | +cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name) | ||
275 | +{ | ||
276 | + static size_t buflen = 0; | ||
277 | + size_t len = strlen (name) + 1; | ||
278 | + | ||
279 | + if (buflen == 0) | ||
280 | + { | ||
281 | + buflen = len; | ||
282 | + if (buflen < 32) | ||
283 | + buflen = 32; | ||
284 | + file_hdr->c_name = xmalloc (buflen); | ||
285 | + } | ||
286 | + else if (buflen < len) | ||
287 | + { | ||
288 | + buflen = len; | ||
289 | + file_hdr->c_name = xrealloc (file_hdr->c_name, buflen); | ||
290 | + } | ||
291 | + | ||
292 | + file_hdr->c_namesize = len; | ||
293 | + memmove (file_hdr->c_name, name, len); | ||
294 | +} | ||
295 | + | ||
296 | /* Do we have to ignore absolute paths, and if so, does the filename | ||
297 | - have an absolute path? */ | ||
298 | + have an absolute path? Before calling this function make sure that the | ||
299 | + allocated NAME buffer has capacity at least 2 bytes. */ | ||
300 | + | ||
301 | void | ||
302 | cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, | ||
303 | bool strip_leading_dots) | ||
304 | @@ -1426,6 +1452,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names, | ||
305 | ++p; | ||
306 | } | ||
307 | if (p != name) | ||
308 | + /* The 'p' string is shortened version of 'name' with one exception; when | ||
309 | + the 'name' points to an empty string (buffer where name[0] == '\0') the | ||
310 | + 'p' then points to static string ".". So caller needs to ensure there | ||
311 | + are at least two bytes available in 'name' buffer so memmove succeeds. */ | ||
312 | memmove (name, p, (size_t)(strlen (p) + 1)); | ||
313 | } | ||
314 | |||
315 | diff --git a/tests/inout.at b/tests/inout.at | ||
316 | index 60c3716..730cbd2 100644 | ||
317 | --- a/tests/inout.at | ||
318 | +++ b/tests/inout.at | ||
319 | @@ -35,7 +35,22 @@ while read NAME LENGTH | ||
320 | do | ||
321 | genfile --length $LENGTH > $NAME | ||
322 | echo $NAME | ||
323 | -done < filelist | | ||
324 | - cpio --quiet -o > archive]) | ||
325 | +done < filelist > filelist_raw | ||
326 | + | ||
327 | +for format in bin odc newc crc tar ustar hpbin hpodc | ||
328 | +do | ||
329 | + cpio --format=$format --quiet -o < filelist_raw > archive.$format | ||
330 | + rm -rf output | ||
331 | + mkdir output && cd output | ||
332 | + cpio -i --quiet < ../archive.$format | ||
333 | + | ||
334 | + while read file | ||
335 | + do | ||
336 | + test -f $file || echo "$file not found" | ||
337 | + done < ../filelist_raw | ||
338 | + | ||
339 | + cd .. | ||
340 | +done | ||
341 | +]) | ||
342 | |||
343 | AT_CLEANUP | ||
344 | -- | ||
345 | 1.9.1 | ||
346 | |||
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb index 19ad69b037..69d36983e3 100644 --- a/meta/recipes-extended/cpio/cpio_2.12.bb +++ b/meta/recipes-extended/cpio/cpio_2.12.bb | |||
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949" | |||
9 | SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ | 9 | SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ |
10 | file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ | 10 | file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ |
11 | file://0001-Fix-CVE-2015-1197.patch \ | 11 | file://0001-Fix-CVE-2015-1197.patch \ |
12 | file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \ | ||
12 | " | 13 | " |
13 | 14 | ||
14 | SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86" | 15 | SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86" |