summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorYi Zhao <yi.zhao@windriver.com>2018-08-24 15:21:27 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-28 10:30:28 +0100
commit62917950b76a02b0d5a7bf41eccde8244804cbcc (patch)
tree040aee4dc8bd885d813d673b2598c057a0348932 /meta
parentc0abc412bc63f8792ec45695d665c9bd057d2ac7 (diff)
downloadpoky-62917950b76a02b0d5a7bf41eccde8244804cbcc.tar.gz
blktrace: Security fix CVE-2018-10689
CVE-2018-10689: blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file. References: https://nvd.nist.gov/vuln/detail/CVE-2018-10689 Patch from: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7 (From OE-Core rev: 6a7ed8b1db10abd38bdd20c77a8f27427d381156) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch150
-rw-r--r--meta/recipes-kernel/blktrace/blktrace_git.bb1
2 files changed, 151 insertions, 0 deletions
diff --git a/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
new file mode 100644
index 0000000000..7b58568d59
--- /dev/null
+++ b/meta/recipes-kernel/blktrace/blktrace/CVE-2018-10689.patch
@@ -0,0 +1,150 @@
1From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
2From: Jens Axboe <axboe@kernel.dk>
3Date: Wed, 2 May 2018 10:24:17 -0600
4Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
5
6Herbo Zhang reports:
7
8I found a bug in blktrace/btt/devmap.c. The code is just as follows:
9
10https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
11
12 struct devmap {
13
14struct list_head head;
15char device[32], devno[32]; // #1
16};
17
18LIST_HEAD(all_devmaps);
19
20static int dev_map_add(char *line)
21{
22struct devmap *dmp;
23
24if (strstr(line, "Device") != NULL)
25return 1;
26
27dmp = malloc(sizeof(struct devmap));
28if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
29free(dmp);
30return 1;
31}
32
33list_add_tail(&dmp->head, &all_devmaps);
34return 0;
35}
36
37int dev_map_read(char *fname)
38{
39char line[256]; // #3
40FILE *fp = my_fopen(fname, "r");
41
42if (!fp) {
43perror(fname);
44return 1;
45}
46
47while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
48if (dev_map_add(line))
49break;
50}
51
52fclose(fp);
53return 0;
54}
55
56 The line length is 256, but the dmp->device, dmp->devno max length
57is only 32. We can put strings longer than 32 into dmp->device and
58dmp->devno , and then they will be overflowed.
59
60 we can trigger this bug just as follows:
61
62 $ python -c "print 'A'*256" > ./test
63 $ btt -M ./test
64
65 *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
66 ======= Backtrace: =========
67 /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
68 /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
69 /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
70 btt(+0x32e0)[0x55ad7306f2e0]
71 btt(+0x2c5f)[0x55ad7306ec5f]
72 btt(+0x251f)[0x55ad7306e51f]
73 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
74 btt(+0x26b9)[0x55ad7306e6b9]
75 ======= Memory map: ========
76 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
77 /usr/bin/btt
78 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
79 /usr/bin/btt
80 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
81 /usr/bin/btt
82 55ad73280000-55ad73285000 rw-p 00000000 00:00 0
83 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
84 [heap]
85 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
86 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
87 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
88 /lib/x86_64-linux-gnu/libgcc_s.so.1
89 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
90 /lib/x86_64-linux-gnu/libgcc_s.so.1
91 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
92 /lib/x86_64-linux-gnu/libgcc_s.so.1
93 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
94 /lib/x86_64-linux-gnu/libgcc_s.so.1
95 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
96 /lib/x86_64-linux-gnu/libc-2.23.so
97 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
98 /lib/x86_64-linux-gnu/libc-2.23.so
99 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
100 /lib/x86_64-linux-gnu/libc-2.23.so
101 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
102 /lib/x86_64-linux-gnu/libc-2.23.so
103 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
104 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
105 /lib/x86_64-linux-gnu/ld-2.23.so
106 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
107 7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
108 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
109 /lib/x86_64-linux-gnu/ld-2.23.so
110 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
111 /lib/x86_64-linux-gnu/ld-2.23.so
112 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
113 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
114 [stack]
115 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
116 [vvar]
117 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
118 [vdso]
119 ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
120 [vsyscall]
121 [1] 6272 abort btt -M test
122
123Signed-off-by: Jens Axboe <axboe@kernel.dk>
124
125Upstream-Status: Backport
126[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
127
128CVE: CVE-2018-10689
129
130Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
131---
132 btt/devmap.c | 2 +-
133 1 file changed, 1 insertion(+), 1 deletion(-)
134
135diff --git a/btt/devmap.c b/btt/devmap.c
136index 0553a9e..5fc1cb2 100644
137--- a/btt/devmap.c
138+++ b/btt/devmap.c
139@@ -23,7 +23,7 @@
140
141 struct devmap {
142 struct list_head head;
143- char device[32], devno[32];
144+ char device[PATH_MAX], devno[PATH_MAX];
145 };
146
147 LIST_HEAD(all_devmaps);
148--
1492.7.4
150
diff --git a/meta/recipes-kernel/blktrace/blktrace_git.bb b/meta/recipes-kernel/blktrace/blktrace_git.bb
index 663de2ed53..2605ff9167 100644
--- a/meta/recipes-kernel/blktrace/blktrace_git.bb
+++ b/meta/recipes-kernel/blktrace/blktrace_git.bb
@@ -11,6 +11,7 @@ PV = "1.2.0+git${SRCPV}"
11 11
12SRC_URI = "git://git.kernel.dk/blktrace.git \ 12SRC_URI = "git://git.kernel.dk/blktrace.git \
13 file://ldflags.patch \ 13 file://ldflags.patch \
14 file://CVE-2018-10689.patch \
14" 15"
15 16
16S = "${WORKDIR}/git" 17S = "${WORKDIR}/git"