[Buildroot] [PATCH 1/1] package/blktrace: fix CVE-2018-10689
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Mar 1 17:55:08 UTC 2020
Fabrice, All,
On 2020-03-01 18:45 +0100, Fabrice Fontaine spake thusly:
> blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
> Android, has a buffer overflow in the dev_map_read function in
> btt/devmap.c because the device and devno arrays are too small, as
> demonstrated by an invalid free when using the btt program with a
> crafted file.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...devno-use-PATH_MAX-to-avoid-overflow.patch | 146 ++++++++++++++++++
> package/blktrace/blktrace.mk | 3 +
> 2 files changed, 149 insertions(+)
> create mode 100644 package/blktrace/0001-btt-make-device-devno-use-PATH_MAX-to-avoid-overflow.patch
>
> diff --git a/package/blktrace/0001-btt-make-device-devno-use-PATH_MAX-to-avoid-overflow.patch b/package/blktrace/0001-btt-make-device-devno-use-PATH_MAX-to-avoid-overflow.patch
> new file mode 100644
> index 0000000000..764410d472
> --- /dev/null
> +++ b/package/blktrace/0001-btt-make-device-devno-use-PATH_MAX-to-avoid-overflow.patch
> @@ -0,0 +1,146 @@
> +From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
> +From: Jens Axboe <axboe at kernel.dk>
> +Date: Wed, 2 May 2018 10:24:17 -0600
> +Subject: btt: make device/devno use PATH_MAX to avoid overflow
> +
> +Herbo Zhang reports:
> +
> +I found a bug in blktrace/btt/devmap.c. The code is just as follows:
> +
> +https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
> +
> + struct devmap {
> +
> +struct list_head head;
> +char device[32], devno[32]; // #1
> +};
> +
> +LIST_HEAD(all_devmaps);
> +
> +static int dev_map_add(char *line)
> +{
> +struct devmap *dmp;
> +
> +if (strstr(line, "Device") != NULL)
> +return 1;
> +
> +dmp = malloc(sizeof(struct devmap));
> +if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
> +free(dmp);
> +return 1;
> +}
> +
> +list_add_tail(&dmp->head, &all_devmaps);
> +return 0;
> +}
> +
> +int dev_map_read(char *fname)
> +{
> +char line[256]; // #3
> +FILE *fp = my_fopen(fname, "r");
> +
> +if (!fp) {
> +perror(fname);
> +return 1;
> +}
> +
> +while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
> +if (dev_map_add(line))
> +break;
> +}
> +
> +fclose(fp);
> +return 0;
> +}
> +
> + The line length is 256, but the dmp->device, dmp->devno max length
> +is only 32. We can put strings longer than 32 into dmp->device and
> +dmp->devno , and then they will be overflowed.
> +
> + we can trigger this bug just as follows:
> +
> + $ python -c "print 'A'*256" > ./test
> + $ btt -M ./test
> +
> + *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
> + ======= Backtrace: =========
> + /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
> + /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
> + /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
> + btt(+0x32e0)[0x55ad7306f2e0]
> + btt(+0x2c5f)[0x55ad7306ec5f]
> + btt(+0x251f)[0x55ad7306e51f]
> + /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
> + btt(+0x26b9)[0x55ad7306e6b9]
> + ======= Memory map: ========
> + 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
> + /usr/bin/btt
> + 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
> + /usr/bin/btt
> + 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
> + /usr/bin/btt
> + 55ad73280000-55ad73285000 rw-p 00000000 00:00 0
> + 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
> + [heap]
> + 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
> + 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
> + 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
> + /lib/x86_64-linux-gnu/libgcc_s.so.1
> + 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
> + /lib/x86_64-linux-gnu/libgcc_s.so.1
> + 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
> + /lib/x86_64-linux-gnu/libgcc_s.so.1
> + 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
> + /lib/x86_64-linux-gnu/libgcc_s.so.1
> + 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
> + /lib/x86_64-linux-gnu/libc-2.23.so
> + 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
> + /lib/x86_64-linux-gnu/libc-2.23.so
> + 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
> + /lib/x86_64-linux-gnu/libc-2.23.so
> + 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
> + /lib/x86_64-linux-gnu/libc-2.23.so
> + 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
> + 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
> + /lib/x86_64-linux-gnu/ld-2.23.so
> + 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
> + 7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
> + 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
> + /lib/x86_64-linux-gnu/ld-2.23.so
> + 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
> + /lib/x86_64-linux-gnu/ld-2.23.so
> + 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
> + 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
> + [stack]
> + 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
> + [vvar]
> + 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
> + [vdso]
> + ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
> + [vsyscall]
> + [1] 6272 abort btt -M test
> +
> +Signed-off-by: Jens Axboe <axboe at kernel.dk>
> +[Retrieved from:
> +https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +---
> + btt/devmap.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/btt/devmap.c b/btt/devmap.c
> +index 0553a9e..5fc1cb2 100644
> +--- a/btt/devmap.c
> ++++ b/btt/devmap.c
> +@@ -23,7 +23,7 @@
> +
> + struct devmap {
> + struct list_head head;
> +- char device[32], devno[32];
> ++ char device[PATH_MAX], devno[PATH_MAX];
> + };
> +
> + LIST_HEAD(all_devmaps);
> +--
> +cgit 1.2-0.3.lf.el7
> +
> diff --git a/package/blktrace/blktrace.mk b/package/blktrace/blktrace.mk
> index 6d1c8e3b92..4ada2e8e4b 100644
> --- a/package/blktrace/blktrace.mk
> +++ b/package/blktrace/blktrace.mk
> @@ -10,6 +10,9 @@ BLKTRACE_DEPENDENCIES = libaio
> BLKTRACE_LICENSE = GPL-2.0+
> BLKTRACE_LICENSE_FILES = COPYING
>
> +# 0001-btt-make-device-devno-use-PATH_MAX-to-avoid-overflow.patch
> +BLKTRACE_IGNORE_CVES += CVE-2018-10689
> +
> define BLKTRACE_BUILD_CMDS
> $(TARGET_MAKE_ENV) $(MAKE1) -C $(@D) $(TARGET_CONFIGURE_OPTS)
> endef
> --
> 2.25.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list