From 2804850ea7b030be9b36ea1af03cd80d90466707 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Mon, 19 Sep 2016 21:51:14 -0700
Subject: util-linux: Security fix for CVE-2016-5011

affects util-linux < 2.28.2

(From OE-Core rev: c9c85df86cd2270b144fa824ef76adedd3636c8a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../util-linux/util-linux/CVE-2016-5011.patch      | 59 ++++++++++++++
 .../util-linux/util-linux/CVE-2016-5011_p2.patch   | 91 ++++++++++++++++++++++
 meta/recipes-core/util-linux/util-linux_2.26.2.bb  |  2 +
 3 files changed, 152 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch

diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
new file mode 100644
index 0000000000..9571280dc9
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
@@ -0,0 +1,59 @@
+From 7164a1c34d18831ac61c6744ad14ce916d389b3f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 7 Jul 2016 14:22:41 +0200
+Subject: [PATCH] libblkid: ignore extended partition at zero offset
+
+If the extended partition starts at zero LBA then MBR is interpreted
+as EBR and all is recursively parsed... result is out-of-memory.
+
+ MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
+
+Note that such PT is not possible to create by standard partitioning
+tools.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libblkid/src/partitions/dos.c b/libblkid/src/partitions/dos.c
+index 9bba32f..e79f124 100644
+--- a/libblkid/src/partitions/dos.c
++++ b/libblkid/src/partitions/dos.c
+@@ -47,6 +47,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ 	int ct_nodata = 0;	/* count ext.partitions without data partitions */
+ 	int i;
+ 
++	DBG(LOWPROBE, ul_debug("parse EBR [start=%d, size=%d]", ex_start/ssf, ex_size/ssf));
++	if (ex_start == 0) {
++		DBG(LOWPROBE, ul_debug("Bad offset in primary extended partition -- ignore"));
++		return 0;
++	}
++
+ 	while (1) {
+ 		struct dos_partition *p, *p0;
+ 		uint32_t start, size;
+@@ -116,8 +122,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ 			start = dos_partition_get_start(p) * ssf;
+ 			size = dos_partition_get_size(p) * ssf;
+ 
+-			if (size && is_extended(p))
+-				break;
++			if (size && is_extended(p)) {
++				if (start == 0)
++					DBG(LOWPROBE, ul_debug("#%d: EBR link offset is zero -- ignore", i + 1));
++				else
++					break;
++			}
+ 		}
+ 		if (i == 4)
+ 			goto leave;
+-- 
+2.7.4
+
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
new file mode 100644
index 0000000000..9c6960f793
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
@@ -0,0 +1,91 @@
+From 50d1594c2e6142a3b51d2143c74027480df082e0 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 12 Jul 2016 13:34:54 +0200
+Subject: [PATCH] libblkid: avoid non-empty recursion in EBR
+
+This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
+
+We also need to detect non-empty recursion in the EBR chain. It's
+possible to create standard valid logical partitions and in the last one
+points back to the EBR chain. In this case all offsets will be non-empty.
+
+Unfortunately, it's valid to create logical partitions that are not in
+the "disk order" (sorted by start offset). So link somewhere back is
+valid, but this link cannot points to already existing partition
+(otherwise we will see recursion).
+
+This patch forces libblkid to ignore duplicate logical partitions, the
+duplicate chain segment is interpreted as non-data segment, after 100
+iterations with non-data segments it will break the loop -- no memory
+is allocated in this case by the loop.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+References: http://seclists.org/oss-sec/2016/q3/40
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c        |  7 +++++++
+ libblkid/src/partitions/partitions.c | 14 ++++++++++++++
+ libblkid/src/partitions/partitions.h |  2 ++
+ 3 files changed, 23 insertions(+)
+
+Index: util-linux-2.26.2/libblkid/src/partitions/dos.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/dos.c
++++ util-linux-2.26.2/libblkid/src/partitions/dos.c
+@@ -105,6 +105,13 @@ static int parse_dos_extended(blkid_prob
+ 					continue;
+ 			}
+ 
++			/* Avoid recursive non-empty links, see ct_nodata counter */
++			if (blkid_partlist_get_partition_by_start(ls, abs_start)) {
++				DBG(LOWPROBE, ul_debug("#%d: EBR duplicate data partition [abs start=%u] -- ignore",
++							i + 1, abs_start));
++				continue;
++			}
++
+ 			par = blkid_partlist_add_partition(ls, tab, abs_start, size);
+ 			if (!par)
+ 				return -ENOMEM;
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.c
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.c
+@@ -940,6 +940,20 @@ blkid_partition blkid_partlist_get_parti
+ 	return &ls->parts[n];
+ }
+ 
++blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
++{
++	int i, nparts;
++	blkid_partition par;
++
++	nparts = blkid_partlist_numof_partitions(ls);
++	for (i = 0; i < nparts; i++) {
++		par = blkid_partlist_get_partition(ls, i);
++		if ((uint64_t) blkid_partition_get_start(par) == start)
++			return par;
++	}
++	return NULL;
++}
++
+ /**
+  * blkid_partlist_get_partition_by_partno
+  * @ls: partitions list
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.h
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.h
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.h
+@@ -21,6 +21,8 @@ extern int blkid_partlist_increment_part
+ 
+ extern blkid_partition blkid_partlist_get_parent(blkid_partlist ls);
+ 
++extern blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start);
++
+ extern int blkid_partitions_do_subprobe(blkid_probe pr,
+ 			blkid_partition parent, const struct blkid_idinfo *id);
+ 
diff --git a/meta/recipes-core/util-linux/util-linux_2.26.2.bb b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
index e09fdfaf5d..56d5c19282 100644
--- a/meta/recipes-core/util-linux/util-linux_2.26.2.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
@@ -16,6 +16,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
             file://runuser.pamd \
             file://runuser-l.pamd \
             ${OLDHOST} \
+            file://CVE-2016-5011.patch \
+            file://CVE-2016-5011_p2.patch \
 "
 SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb"
 SRC_URI[sha256sum] = "0e29bda142528a48a0a953c39ff63093651a4809042e1790fbd6aa8663fd9666"
-- 
cgit v1.2.3-54-g00ecf