Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
On Wed, 24 Oct 2012 14:53:33 -0700 Kees Cook wrote:

> > Well, I do think that a description of the user impact of the bug
> > should be included in the changelog so that poor old Greg can work out
> > why we sent it at him.
> >
> > If you can suggest some suitable text I can copy-n-slurp that into the
> > changelog.
>
> How about replacing the first paragraph with:
>
> Fix possible overflow of the buffer used for expanding environment
> variables when building file list. In the extremely unlikely case of
> an attacker having control over the environment variables visible to
> gen_init_cpio, control over the contents of the file gen_init_cpio
> parses, and gen_init_cpio was built without compiler hardening, the
> attacker can gain arbitrary execution control via a stack buffer
> overflow.

ooh, spiffy - even I understood that!

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
On Wed, Oct 24, 2012 at 2:44 PM, Andrew Morton wrote:
> On Wed, 24 Oct 2012 14:33:02 -0700 Kees Cook wrote:
>
>> On Wed, Oct 24, 2012 at 2:02 PM, Andrew Morton wrote:
>> > On Wed, 24 Oct 2012 13:57:56 -0700 Kees Cook wrote:
>> >
>> >> Fix possible overflow of the buffer used for expanding environment
>> >> variables when building file list.
>> >>
>> >> $ cat usr/crash.list
>> >> file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
>> >> $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
>> >> *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
>> >>
>> >> This also replaces the space-indenting with tabs.
>> >>
>> >> Patch based on existing fix extracted from grsecurity.
>> >>
>> >> ...
>> >>
>> >> Cc: sta...@vger.kernel.org
>> >
>> > Why did you feel we need to backport this to -stable?
>>
>> It's an extremely hard to hit security issue, but it's a security fix
>> regardless. I won't cry if it doesn't go to stable, but it seems a
>> trivial fix, so I included it for stable.
>
> Well, I do think that a description of the user impact of the bug
> should be included in the changelog so that poor old Greg can work out
> why we sent it at him.
>
> If you can suggest some suitable text I can copy-n-slurp that into the
> changelog.

How about replacing the first paragraph with:

Fix possible overflow of the buffer used for expanding environment
variables when building file list. In the extremely unlikely case of
an attacker having control over the environment variables visible to
gen_init_cpio, control over the contents of the file gen_init_cpio
parses, and gen_init_cpio was built without compiler hardening, the
attacker can gain arbitrary execution control via a stack buffer
overflow.

-Kees

--
Kees Cook
Chrome OS Security
Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
On Wed, 24 Oct 2012 14:33:02 -0700 Kees Cook wrote:

> On Wed, Oct 24, 2012 at 2:02 PM, Andrew Morton wrote:
> > On Wed, 24 Oct 2012 13:57:56 -0700 Kees Cook wrote:
> >
> >> Fix possible overflow of the buffer used for expanding environment
> >> variables when building file list.
> >>
> >> $ cat usr/crash.list
> >> file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
> >> $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
> >> *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
> >>
> >> This also replaces the space-indenting with tabs.
> >>
> >> Patch based on existing fix extracted from grsecurity.
> >>
> >> ...
> >>
> >> Cc: sta...@vger.kernel.org
> >
> > Why did you feel we need to backport this to -stable?
>
> It's an extremely hard to hit security issue, but it's a security fix
> regardless. I won't cry if it doesn't go to stable, but it seems a
> trivial fix, so I included it for stable.

Well, I do think that a description of the user impact of the bug
should be included in the changelog so that poor old Greg can work out
why we sent it at him.

If you can suggest some suitable text I can copy-n-slurp that into the
changelog.
Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
On Wed, Oct 24, 2012 at 2:02 PM, Andrew Morton wrote:
> On Wed, 24 Oct 2012 13:57:56 -0700 Kees Cook wrote:
>
>> Fix possible overflow of the buffer used for expanding environment
>> variables when building file list.
>>
>> $ cat usr/crash.list
>> file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
>> $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
>> *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
>>
>> This also replaces the space-indenting with tabs.
>>
>> Patch based on existing fix extracted from grsecurity.
>>
>> ...
>>
>> Cc: sta...@vger.kernel.org
>
> Why did you feel we need to backport this to -stable?

It's an extremely hard to hit security issue, but it's a security fix
regardless. I won't cry if it doesn't go to stable, but it seems a
trivial fix, so I included it for stable.

-Kees

--
Kees Cook
Chrome OS Security
Re: [RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
On Wed, 24 Oct 2012 13:57:56 -0700 Kees Cook wrote:

> Fix possible overflow of the buffer used for expanding environment
> variables when building file list.
>
> $ cat usr/crash.list
> file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
> $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
> *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
>
> This also replaces the space-indenting with tabs.
>
> Patch based on existing fix extracted from grsecurity.
>
> ...
>
> Cc: sta...@vger.kernel.org

Why did you feel we need to backport this to -stable?
[RESEND][PATCH] gen_init_cpio: avoid stack overflow when expanding
Fix possible overflow of the buffer used for expanding environment variables when building file list. $ cat usr/crash.list file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0 $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list *** buffer overflow detected ***: ./usr/gen_init_cpio terminated This also replaces the space-indenting with tabs. Patch based on existing fix extracted from grsecurity. Cc: Andrew Morton Cc: Michal Marek Cc: Brad Spengler Cc: PaX Team Cc: sta...@vger.kernel.org Signed-off-by: Kees Cook --- usr/gen_init_cpio.c | 43 +++ 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c index af0f22f..aca6edc 100644 --- a/usr/gen_init_cpio.c +++ b/usr/gen_init_cpio.c @@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location, int retval; int rc = -1; int namesize; - int i; + unsigned int i; mode |= S_IFREG; 
@@ -381,25 +381,28 @@ error: static char *cpio_replace_env(char *new_location) { - char expanded[PATH_MAX + 1]; - char env_var[PATH_MAX + 1]; - char *start; - char *end; - - for (start = NULL; (start = strstr(new_location, "${")); ) { - end = strchr(start, '}'); - if (start < end) { - *env_var = *expanded = '\0'; - strncat(env_var, start + 2, end - start - 2); - strncat(expanded, new_location, start - new_location); - strncat(expanded, getenv(env_var), PATH_MAX); - strncat(expanded, end + 1, PATH_MAX); - strncpy(new_location, expanded, PATH_MAX); - } else - break; - } - - return new_location; + char expanded[PATH_MAX + 1]; + char env_var[PATH_MAX + 1]; + char *start; + char *end; + + for (start = NULL; (start = strstr(new_location, "${")); ) { + end = strchr(start, '}'); + if (start < end) { + *env_var = *expanded = '\0'; + strncat(env_var, start + 2, end - start - 2); + strncat(expanded, new_location, start - new_location); + strncat(expanded, getenv(env_var), + PATH_MAX - strlen(expanded)); + strncat(expanded, end + 1, + PATH_MAX - strlen(expanded)); + strncpy(new_location, expanded, PATH_MAX); + new_location[PATH_MAX] = 0; + } else + break; + } + + return new_location; } -- 1.7.9.5 -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
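Review bot: the `-	int i;` / `+	unsigned int i;` change in cpio_mkfile() (the first hunk) is not mentioned in the changelog, which only describes the expansion-buffer fix and the tab re-indent, and the loop that uses `i` is outside the hunk's context, so a reviewer cannot tell whether it is needed for the fix; either state why the signedness change matters or leave it out of a patch tagged for -stable, so the backport carries only the security fix.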
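Review bot: in the cpio_replace_env() hunk, `getenv(env_var)` is still passed straight to strncat(), so an unset variable, or a `${}` reference with an empty name, dereferences NULL; a `const char *val = getenv(env_var);` followed by a check (fail the entry, or treat it as empty) before the `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));` line would close that. Two smaller points: `new_location[PATH_MAX] = 0;` assumes the caller's buffer holds PATH_MAX + 1 bytes, which the hunk's context does not show, and because the whole function body is re-indented from spaces to tabs, the three lines that actually change behaviour are hard to pick out; sending the whitespace change as its own patch (or at least noting that `git diff -w` shows the real change) would keep the -stable backport minimal and reviewable.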
[PATCH] gen_init_cpio: avoid stack overflow when expanding
Fix possible overflow of the buffer used for expanding environment variables when building file list. $ cat usr/crash.list file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0 $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list *** buffer overflow detected ***: ./usr/gen_init_cpio terminated This also replaces the space-indenting with tabs. Patch based on existing fix extracted from grsecurity. Cc: Michal Marek Cc: Gene Sally Cc: Brad Spengler Cc: PaX Team Cc: sta...@vger.kernel.org Signed-off-by: Kees Cook --- usr/gen_init_cpio.c | 43 +++ 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c index af0f22f..aca6edc 100644 --- a/usr/gen_init_cpio.c +++ b/usr/gen_init_cpio.c @@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location, int retval; int rc = -1; int namesize; - int i; + unsigned int i; mode |= S_IFREG; 
@@ -381,25 +381,28 @@ error: static char *cpio_replace_env(char *new_location) { - char expanded[PATH_MAX + 1]; - char env_var[PATH_MAX + 1]; - char *start; - char *end; - - for (start = NULL; (start = strstr(new_location, "${")); ) { - end = strchr(start, '}'); - if (start < end) { - *env_var = *expanded = '\0'; - strncat(env_var, start + 2, end - start - 2); - strncat(expanded, new_location, start - new_location); - strncat(expanded, getenv(env_var), PATH_MAX); - strncat(expanded, end + 1, PATH_MAX); - strncpy(new_location, expanded, PATH_MAX); - } else - break; - } - - return new_location; + char expanded[PATH_MAX + 1]; + char env_var[PATH_MAX + 1]; + char *start; + char *end; + + for (start = NULL; (start = strstr(new_location, "${")); ) { + end = strchr(start, '}'); + if (start < end) { + *env_var = *expanded = '\0'; + strncat(env_var, start + 2, end - start - 2); + strncat(expanded, new_location, start - new_location); + strncat(expanded, getenv(env_var), + PATH_MAX - strlen(expanded)); + strncat(expanded, end + 1, + PATH_MAX - strlen(expanded)); + strncpy(new_location, expanded, PATH_MAX); + new_location[PATH_MAX] = 0; + } else + break; + } + + return new_location; } -- 1.7.9.5 -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/