cpio: fix crash when appending to archives

The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory bug when appending to an existing archive, which is an operation we perform when building an image. (From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868) (From OE-Core rev: 2ff6ab2e2944c6a53523b4b1611e1d22f6393500) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2018-11-29 11:42:14 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-01-08 20:14:43 +0000
commit: cfee41c482beb1d680d1eb038115f1f5b68abf9b (patch)
tree: 663d4ab77ac3b11560cb0f1682ff1f468dfc6f2b /meta
parent: f5a6daefa717be9ed9b026d67d781156162b872b (diff)
download: poky-cfee41c482beb1d680d1eb038115f1f5b68abf9b.tar.gz
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
new file mode 100644
index 0000000000..2043c890cd
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
@@ -0,0 +1,87 @@
+Upstream-Status: Submitted [bugs-cpio]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 3f0bd5a40ad0ceaee78c74a52a7166ed7f08db81 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Thu, 29 Nov 2018 07:03:48 +0100
+Subject: [PATCH] Fix segfault with --append
+The --append mode combines both process_copy_in() and
+process_copy_out() methods, each of them working with different
+(local) file_hdr->c_name buffers.  So ensure that
+cpio_set_c_name() isn't using the same static variable for
+maintaining length of different buffers.
+Complements d36ec5f4e93130efb24fb9.  Thanks to Ross Burton.
+* src/copyin.c (process_copy_in): Always initialize file_hdr.
+* src/copyout.c (process_copy_out): Likewise.
+* src/cpiohdr.h (cpio_file_stat): Add c_name_buflen variable.
+* src/util.c (cpio_set_c_name): Use file_hdr->c_name_buflen.
+---
+ src/copyin.c  | 1 +
+ src/copyout.c | 1 +
+ src/cpiohdr.h | 1 +
+ src/util.c    | 3 ++-
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+diff --git a/src/copyin.c b/src/copyin.c
+index ba887ae..767c2f8 100644
+--- a/src/copyin.c
+++ b/src/copyin.c
+@@ -1213,6 +1213,7 @@ process_copy_in ()
+ 
+   newdir_umask = umask (0);     /* Reset umask to preserve modes of
+                                   created files  */
+  memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+   
+   /* Initialize the copy in.  */
+   if (pattern_file_name)
+diff --git a/src/copyout.c b/src/copyout.c
+index 7532dac..fb890cb 100644
+--- a/src/copyout.c
+++ b/src/copyout.c
+@@ -594,6 +594,7 @@ process_copy_out ()
+ 
+   /* Initialize the copy out.  */
+   ds_init (&input_name, 128);
+  memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
+   file_hdr.c_magic = 070707;
+ 
+   /* Check whether the output file might be a tape.  */
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index 588135b..cf64f3e 100644
+--- a/src/cpiohdr.h
+++ b/src/cpiohdr.h
+@@ -127,6 +127,7 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+   uint32_t c_chksum;
+   char *c_name;
+   char *c_tar_linkname;
+  size_t c_name_buflen;
+ };
+ 
+ void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
+diff --git a/src/util.c b/src/util.c
+index 10486dc..1256469 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -1413,7 +1413,7 @@ set_file_times (int fd,
+ void
+ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+ {
+-  static size_t buflen = 0;
+  size_t buflen = file_hdr->c_name_buflen;
+   size_t len = strlen (name) + 1;
+ 
+   if (buflen == 0)
+@@ -1430,6 +1430,7 @@ cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
+     }
+ 
+   file_hdr->c_namesize = len;
+  file_hdr->c_name_buflen = buflen;
+   memmove (file_hdr->c_name, name, len);
+ }
+ 
+-- 
+2.11.0
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 69d36983e3..6ba8337e5d 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
           file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
           file://0001-Fix-CVE-2015-1197.patch \
           file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
+           file://0001-Fix-segfault-with-append.patch \
           "
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
author	Ross Burton <ross.burton@intel.com>	2018-11-29 11:42:14 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-01-08 20:14:43 +0000
commit	cfee41c482beb1d680d1eb038115f1f5b68abf9b (patch)
tree	663d4ab77ac3b11560cb0f1682ff1f468dfc6f2b /meta
parent	f5a6daefa717be9ed9b026d67d781156162b872b (diff)
download	poky-cfee41c482beb1d680d1eb038115f1f5b68abf9b.tar.gz

diff --git a/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch new file mode 100644 index 0000000000..2043c890cd --- /dev/null +++ b/meta/recipes-extended/cpio/cpio-2.12/0001-Fix-segfault-with-append.patch
@@ -0,0 +1,87 @@
		1	Upstream-Status: Submitted [bugs-cpio]
		2	Signed-off-by: Ross Burton <ross.burton@intel.com>
		3
		4	From 3f0bd5a40ad0ceaee78c74a52a7166ed7f08db81 Mon Sep 17 00:00:00 2001
		5	From: Pavel Raiskup <praiskup@redhat.com>
		6	Date: Thu, 29 Nov 2018 07:03:48 +0100
		7	Subject: [PATCH] Fix segfault with --append
		8
		9	The --append mode combines both process_copy_in() and
		10	process_copy_out() methods, each of them working with different
		11	(local) file_hdr->c_name buffers. So ensure that
		12	cpio_set_c_name() isn't using the same static variable for
		13	maintaining length of different buffers.
		14
		15	Complements d36ec5f4e93130efb24fb9. Thanks to Ross Burton.
		16
		17	* src/copyin.c (process_copy_in): Always initialize file_hdr.
		18	* src/copyout.c (process_copy_out): Likewise.
		19	* src/cpiohdr.h (cpio_file_stat): Add c_name_buflen variable.
		20	* src/util.c (cpio_set_c_name): Use file_hdr->c_name_buflen.
		21	---
		22	src/copyin.c \| 1 +
		23	src/copyout.c \| 1 +
		24	src/cpiohdr.h \| 1 +
		25	src/util.c \| 3 ++-
		26	4 files changed, 5 insertions(+), 1 deletion(-)
		27
		28	diff --git a/src/copyin.c b/src/copyin.c
		29	index ba887ae..767c2f8 100644
		30	--- a/src/copyin.c
		31	+++ b/src/copyin.c
		32	@@ -1213,6 +1213,7 @@ process_copy_in ()
		33
		34	newdir_umask = umask (0); /* Reset umask to preserve modes of
		35	created files */
		36	+ memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
		37
		38	/* Initialize the copy in. */
		39	if (pattern_file_name)
		40	diff --git a/src/copyout.c b/src/copyout.c
		41	index 7532dac..fb890cb 100644
		42	--- a/src/copyout.c
		43	+++ b/src/copyout.c
		44	@@ -594,6 +594,7 @@ process_copy_out ()
		45
		46	/* Initialize the copy out. */
		47	ds_init (&input_name, 128);
		48	+ memset (&file_hdr, 0, sizeof (struct cpio_file_stat));
		49	file_hdr.c_magic = 070707;
		50
		51	/* Check whether the output file might be a tape. */
		52	diff --git a/src/cpiohdr.h b/src/cpiohdr.h
		53	index 588135b..cf64f3e 100644
		54	--- a/src/cpiohdr.h
		55	+++ b/src/cpiohdr.h
		56	@@ -127,6 +127,7 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
		57	uint32_t c_chksum;
		58	char *c_name;
		59	char *c_tar_linkname;
		60	+ size_t c_name_buflen;
		61	};
		62
		63	void cpio_set_c_name(struct cpio_file_stat file_hdr, char name);
		64	diff --git a/src/util.c b/src/util.c
		65	index 10486dc..1256469 100644
		66	--- a/src/util.c
		67	+++ b/src/util.c
		68	@@ -1413,7 +1413,7 @@ set_file_times (int fd,
		69	void
		70	cpio_set_c_name (struct cpio_file_stat file_hdr, char name)
		71	{
		72	- static size_t buflen = 0;
		73	+ size_t buflen = file_hdr->c_name_buflen;
		74	size_t len = strlen (name) + 1;
		75
		76	if (buflen == 0)
		77	@@ -1430,6 +1430,7 @@ cpio_set_c_name (struct cpio_file_stat file_hdr, char name)
		78	}
		79
		80	file_hdr->c_namesize = len;
		81	+ file_hdr->c_name_buflen = buflen;
		82	memmove (file_hdr->c_name, name, len);
		83	}
		84
		85	--
		86	2.11.0
		87


diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb index 69d36983e3..6ba8337e5d 100644 --- a/meta/recipes-extended/cpio/cpio_2.12.bb +++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
10	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \	10	file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
11	file://0001-Fix-CVE-2015-1197.patch \	11	file://0001-Fix-CVE-2015-1197.patch \
12	file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \	12	file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
		13	file://0001-Fix-segfault-with-append.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"	16	SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"