From: Mark Hatle <mark.hatle@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] Fix for CVE-2014-6277 and CVE-2014-6278
Date: Thu, 2 Oct 2014 09:42:36 -0500
Message-ID: <542D645C.60803@windriver.com>
In-Reply-To: <1412260123-56944-1-git-send-email-sona.sarmadi@enea.com>
On 10/2/14, 9:28 AM, Sona Sarmadi wrote:
> This is a follow-up patch to the incomplete CVE-2014-6271 fix for code execution via a
> specially crafted environment.
>
> CVE-2014-6277: bash: untrusted pointer use issue leading to code execution
> CVE-2014-6278: bash: code execution via specially crafted environment variables
This is not actually the fix to the problem, but a mitigation to help prevent it
from being exploitable.
(The patch is fine, just want to make sure that the subject of the commit and
patch message are adjusted to match what it really is.)
--Mark
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> .../bash-3.2.48/cve-2014-6277_cve-2014-6278.patch | 146 ++++++++++++++++++
> .../bash/bash/cve-2014-6277_cve-2014-6278.patch | 163 +++++++++++++++++++++
> meta/recipes-extended/bash/bash_3.2.48.bb | 1 +
> meta/recipes-extended/bash/bash_4.3.bb | 1 +
> 4 files changed, 311 insertions(+)
> create mode 100644 meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277_cve-2014-6278.patch
> create mode 100644 meta/recipes-extended/bash/bash/cve-2014-6277_cve-2014-6278.patch
>
> diff --git a/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277_cve-2014-6278.patch b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277_cve-2014-6278.patch
> new file mode 100644
> index 0000000..42b559a
> --- /dev/null
> +++ b/meta/recipes-extended/bash/bash-3.2.48/cve-2014-6277_cve-2014-6278.patch
> @@ -0,0 +1,146 @@
> +Fix for CVE-2014-6277 and CVE-2014-6278
> +
> +Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
> +
> +Bug-Description:
> +
> +This patch changes the encoding bash uses for exported functions to avoid
> +clashes with shell variables and to avoid depending only on an environment
> +variable's contents to determine whether or not to interpret it as a shell
> +function.
> +
> +Upstream-Status: Backport {GNU Patch-ID: bash32-054}
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> +--- a/variables.c 2014-09-16 19:10:39.000000000 -0400
> ++++ b/variables.c 2014-09-27 21:02:08.000000000 -0400
> +@@ -75,4 +75,9 @@
> + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
> +
> ++#define BASHFUNC_PREFIX "BASH_FUNC_"
> ++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
> ++#define BASHFUNC_SUFFIX "%%"
> ++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
> ++
> + extern char **environ;
> +
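Review bot: the comment on the BASHFUNC_PREFLEN line is missing its closing parenthesis (`/* == strlen(BASHFUNC_PREFIX */`). Since the header marks this as a backport of bash32-054, either leave the hunk byte-identical to upstream or fix the comment in both the 3.2.48 and 4.3 copies at once; the hard-coded lengths 10 and 2 do match the two string literals.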
> +@@ -242,5 +247,5 @@
> + static void dispose_temporary_env __P((sh_free_func_t *));
> +
> +-static inline char *mk_env_string __P((const char *, const char *));
> ++static inline char *mk_env_string __P((const char *, const char *, int));
> + static char **make_env_array_from_var_list __P((SHELL_VAR **));
> + static char **make_var_export_array __P((VAR_CONTEXT *));
> +@@ -310,19 +315,30 @@
> + /* If exported function, define it now. Don't import functions from
> + the environment in privileged mode. */
> +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
> ++ if (privmode == 0 && read_but_dont_execute == 0 &&
> ++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
> ++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
> ++ STREQN ("() {", string, 4))
> + {
> ++ size_t namelen;
> ++ char *tname; /* desired imported function name */
> ++
> ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
> ++
> ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
> ++ tname[namelen] = '\0'; /* now tname == func name */
> ++
> + string_length = strlen (string);
> +- temp_string = (char *)xmalloc (3 + string_length + char_index);
> ++ temp_string = (char *)xmalloc (namelen + string_length + 2);
> +
> +- strcpy (temp_string, name);
> +- temp_string[char_index] = ' ';
> +- strcpy (temp_string + char_index + 1, string);
> ++ memcpy (temp_string, tname, namelen);
> ++ temp_string[namelen] = ' ';
> ++ memcpy (temp_string + namelen + 1, string, string_length + 1);
> +
> + /* Don't import function names that are invalid identifiers from the
> + environment. */
> +- if (legal_identifier (name))
> +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
> ++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
> ++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
> +
> +- if (temp_var = find_function (name))
> ++ if (temp_var = find_function (tname))
> + {
> + VSETATTR (temp_var, (att_exported|att_imported));
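Review bot: the guard in front of parse_and_execute is looser than the one it replaces, and the patch header does not say so. The old `if (legal_identifier (name))` was unconditional; the new `absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname))` admits any function name without a slash whenever the shell is not in POSIX mode. Please add a sentence about that behaviour change to the patch description. A second, smaller point on the same condition: a name of exactly `BASH_FUNC_%%` passes both the prefix and suffix tests with namelen == 0, so tname becomes the empty string and only the absolute_program check stands between it and parse_and_execute; a `namelen > 0` test alongside the other two would make the intent explicit.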
> +@@ -330,5 +346,8 @@
> + }
> + else
> +- report_error (_("error importing function definition for `%s'"), name);
> ++ report_error (_("error importing function definition for `%s'"), tname);
> ++
> ++ /* Restore original suffix */
> ++ tname[namelen] = BASHFUNC_SUFFIX[0];
> + }
> + #if defined (ARRAY_VARS)
> +@@ -2208,5 +2227,5 @@
> +
> + INVALIDATE_EXPORTSTR (var);
> +- var->exportstr = mk_env_string (name, value);
> ++ var->exportstr = mk_env_string (name, value, 0);
> +
> + array_needs_making = 1;
> +@@ -2999,19 +3018,40 @@
> +
> + static inline char *
> +-mk_env_string (name, value)
> ++mk_env_string (name, value, isfunc)
> + const char *name, *value;
> ++ int isfunc;
> + {
> +- int name_len, value_len;
> +- char *p;
> ++ size_t name_len, value_len;
> ++ char *p, *q;
> +
> + name_len = strlen (name);
> + value_len = STRLEN (value);
> +- p = (char *)xmalloc (2 + name_len + value_len);
> +- strcpy (p, name);
> +- p[name_len] = '=';
> ++
> ++ /* If we are exporting a shell function, construct the encoded function
> ++ name. */
> ++ if (isfunc && value)
> ++ {
> ++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
> ++ q = p;
> ++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
> ++ q += BASHFUNC_PREFLEN;
> ++ memcpy (q, name, name_len);
> ++ q += name_len;
> ++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
> ++ q += BASHFUNC_SUFFLEN;
> ++ }
> ++ else
> ++ {
> ++ p = (char *)xmalloc (2 + name_len + value_len);
> ++ memcpy (p, name, name_len);
> ++ q = p + name_len;
> ++ }
> ++
> ++ q[0] = '=';
> + if (value && *value)
> +- strcpy (p + name_len + 1, value);
> ++ memcpy (q + 1, value, value_len + 1);
> + else
> +- p[name_len + 1] = '\0';
> ++ q[1] = '\0';
> ++
> + return (p);
> + }
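Review bot: the interoperability consequence of this hunk belongs in the patch header. A function exported by this bash now appears in the environment as `BASH_FUNC_name%%=() {...}`; an unpatched bash receiving that entry rejects it at its old `legal_identifier (name)` check because of the `%` characters, and this bash in turn ignores the old `name=() {...}` form, so exported functions stop crossing between patched and unpatched images. The size arithmetic itself is right: BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2 leaves exactly the bytes for `=` and the terminating NUL that `memcpy (q + 1, value, value_len + 1)` copies.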
> +@@ -3088,5 +3128,5 @@
> + using the cached exportstr... */
> + list[list_index] = USE_EXPORTSTR ? savestring (value)
> +- : mk_env_string (var->name, value);
> ++ : mk_env_string (var->name, value, function_p (var));
> +
> + if (USE_EXPORTSTR == 0)
> diff --git a/meta/recipes-extended/bash/bash/cve-2014-6277_cve-2014-6278.patch b/meta/recipes-extended/bash/bash/cve-2014-6277_cve-2014-6278.patch
> new file mode 100644
> index 0000000..d346f25
> --- /dev/null
> +++ b/meta/recipes-extended/bash/bash/cve-2014-6277_cve-2014-6278.patch
> @@ -0,0 +1,163 @@
> +Fix for CVE-2014-6277 and CVE-2014-6278
> +
> +Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
> +
> +Bug-Description:
> +
> +This patch changes the encoding bash uses for exported functions to avoid
> +clashes with shell variables and to avoid depending only on an environment
> +variable's contents to determine whether or not to interpret it as a shell
> +function.
> +
> +Upstream-Status: Backport {GNU Patch-ID: bash43-027}
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> +diff -ruN a/variables.c b/variables.c
> +--- a/variables.c 2014-09-30 10:21:12.481674914 +0200
> ++++ b/variables.c 2014-09-30 10:21:40.820459492 +0200
> +@@ -83,6 +83,11 @@
> +
> + #define ifsname(s) ((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
> +
> ++#define BASHFUNC_PREFIX "BASH_FUNC_"
> ++#define BASHFUNC_PREFLEN 10 /* == strlen(BASHFUNC_PREFIX */
> ++#define BASHFUNC_SUFFIX "%%"
> ++#define BASHFUNC_SUFFLEN 2 /* == strlen(BASHFUNC_SUFFIX) */
> ++
> + extern char **environ;
> +
> + /* Variables used here and defined in other files. */
> +@@ -279,7 +284,7 @@
> + static void propagate_temp_var __P((PTR_T));
> + static void dispose_temporary_env __P((sh_free_func_t *));
> +
> +-static inline char *mk_env_string __P((const char *, const char *));
> ++static inline char *mk_env_string __P((const char *, const char *, int));
> + static char **make_env_array_from_var_list __P((SHELL_VAR **));
> + static char **make_var_export_array __P((VAR_CONTEXT *));
> + static char **make_func_export_array __P((void));
> +@@ -349,22 +354,33 @@
> +
> + /* If exported function, define it now. Don't import functions from
> + the environment in privileged mode. */
> +- if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
> ++ if (privmode == 0 && read_but_dont_execute == 0 &&
> ++ STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
> ++ STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
> ++ STREQN ("() {", string, 4))
> + {
> ++ size_t namelen;
> ++ char *tname; /* desired imported function name */
> ++
> ++ namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
> ++
> ++ tname = name + BASHFUNC_PREFLEN; /* start of func name */
> ++ tname[namelen] = '\0'; /* now tname == func name */
> ++
> + string_length = strlen (string);
> +- temp_string = (char *)xmalloc (3 + string_length + char_index);
> ++ temp_string = (char *)xmalloc (namelen + string_length + 2);
> +
> +- strcpy (temp_string, name);
> +- temp_string[char_index] = ' ';
> +- strcpy (temp_string + char_index + 1, string);
> ++ memcpy (temp_string, tname, namelen);
> ++ temp_string[namelen] = ' ';
> ++ memcpy (temp_string + namelen + 1, string, string_length + 1);
> +
> + /* Don't import function names that are invalid identifiers from the
> + environment, though we still allow them to be defined as shell
> + variables. */
> +- if (legal_identifier (name))
> +- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
> ++ if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
> ++ parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
> +
> +- if (temp_var = find_function (name))
> ++ if (temp_var = find_function (tname))
> + {
> + VSETATTR (temp_var, (att_exported|att_imported));
> + array_needs_making = 1;
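Review bot: the comment kept above the check, "Don't import function names that are invalid identifiers from the environment, though we still allow them to be defined as shell variables", no longer describes the condition that follows it. With `posixly_correct == 0 || legal_identifier (tname)` an invalid identifier is imported as a function outside POSIX mode, and only a name that absolute_program accepts (one containing a slash) is refused. Update the comment in the same hunk so the next reader does not assume the stricter rule still applies.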
> +@@ -377,8 +393,11 @@
> + array_needs_making = 1;
> + }
> + last_command_exit_value = 1;
> +- report_error (_("error importing function definition for `%s'"), name);
> ++ report_error (_("error importing function definition for `%s'"), tname);
> + }
> ++
> ++ /* Restore original suffix */
> ++ tname[namelen] = BASHFUNC_SUFFIX[0];
> + }
> + #if defined (ARRAY_VARS)
> + # if ARRAY_EXPORT
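Review bot: tname aliases the name buffer, so from the `tname[namelen] = '\0'` write in the previous hunk until the `Restore original suffix` line here, `name` reads as `BASH_FUNC_<func>` with the suffix cut off. The error path visible in this hunk only uses tname, but the lines elided between `array_needs_making = 1;` and `last_command_exit_value = 1;` are not shown; please confirm nothing there consumes `name` expecting the full environment name, or move the restore ahead of the else branch so the invariant is local and obvious.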
> +@@ -2957,7 +2976,7 @@
> + var->context = variable_context; /* XXX */
> +
> + INVALIDATE_EXPORTSTR (var);
> +- var->exportstr = mk_env_string (name, value);
> ++ var->exportstr = mk_env_string (name, value, 0);
> +
> + array_needs_making = 1;
> +
> +@@ -3855,21 +3874,42 @@
> + /* **************************************************************** */
> +
> + static inline char *
> +-mk_env_string (name, value)
> ++mk_env_string (name, value, isfunc)
> + const char *name, *value;
> ++ int isfunc;
> + {
> +- int name_len, value_len;
> +- char *p;
> ++ size_t name_len, value_len;
> ++ char *p, *q;
> +
> + name_len = strlen (name);
> + value_len = STRLEN (value);
> +- p = (char *)xmalloc (2 + name_len + value_len);
> +- strcpy (p, name);
> +- p[name_len] = '=';
> ++
> ++ /* If we are exporting a shell function, construct the encoded function
> ++ name. */
> ++ if (isfunc && value)
> ++ {
> ++ p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
> ++ q = p;
> ++ memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
> ++ q += BASHFUNC_PREFLEN;
> ++ memcpy (q, name, name_len);
> ++ q += name_len;
> ++ memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
> ++ q += BASHFUNC_SUFFLEN;
> ++ }
> ++ else
> ++ {
> ++ p = (char *)xmalloc (2 + name_len + value_len);
> ++ memcpy (p, name, name_len);
> ++ q = p + name_len;
> ++ }
> ++
> ++ q[0] = '=';
> + if (value && *value)
> +- strcpy (p + name_len + 1, value);
> ++ memcpy (q + 1, value, value_len + 1);
> + else
> +- p[name_len + 1] = '\0';
> ++ q[1] = '\0';
> ++
> + return (p);
> + }
> +
> +@@ -3955,7 +3995,7 @@
> + /* Gee, I'd like to get away with not using savestring() if we're
> + using the cached exportstr... */
> + list[list_index] = USE_EXPORTSTR ? savestring (value)
> +- : mk_env_string (var->name, value);
> ++ : mk_env_string (var->name, value, function_p (var));
> +
> + if (USE_EXPORTSTR == 0)
> + SAVE_EXPORTSTR (var, list[list_index]);
> diff --git a/meta/recipes-extended/bash/bash_3.2.48.bb b/meta/recipes-extended/bash/bash_3.2.48.bb
> index e6a04cd..94c81a4 100644
> --- a/meta/recipes-extended/bash/bash_3.2.48.bb
> +++ b/meta/recipes-extended/bash/bash_3.2.48.bb
> @@ -14,6 +14,7 @@ SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
> file://test-output.patch \
> file://cve-2014-6271.patch;striplevel=0 \
> file://cve-2014-7169.patch \
> + file://cve-2014-6277_cve-2014-6278.patch \
> file://run-ptest \
> "
>
> diff --git a/meta/recipes-extended/bash/bash_4.3.bb b/meta/recipes-extended/bash/bash_4.3.bb
> index 69ddecc..915be68 100644
> --- a/meta/recipes-extended/bash/bash_4.3.bb
> +++ b/meta/recipes-extended/bash/bash_4.3.bb
> @@ -11,6 +11,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BPN}-${PV}.tar.gz;name=tarball \
> file://test-output.patch \
> file://cve-2014-6271.patch;striplevel=0 \
> file://cve-2014-7169.patch \
> + file://cve-2014-6277_cve-2014-6278.patch \
> file://run-ptest \
> "
>
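Review bot: both new patch files carry `a/variables.c` / `b/variables.c` headers, so the default striplevel is correct for this entry and the `striplevel=0` that cve-2014-6271.patch needs must not be copied onto it; the same holds for the bash_3.2.48.bb hunk above.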
>
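The encoding change described in the patch header above, exercised from the outside as an added example; this is not part of the patch, of bash, or of this thread. It assumes a `bash` on PATH built with this encoding (bash32-054 / bash43-027 or any later release). The function names `exported_name`, `run_f_with_env` and `clash_possible`, the sample function `f` and the environment entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the OE-core patch or the bash sources: exercises the
# BASH_FUNC_<name>%% export encoding from the outside. Assumes `bash` on PATH is
# built with this encoding (bash32-054 / bash43-027 or any later release).
# Function names below (exported_name, run_f_with_env, clash_possible) and the
# sample function f are constructed for this example.

# Name under which `export -f f` places function f in the environment.
# With this encoding the answer is BASH_FUNC_f%% rather than plain f.
exported_name() {
    bash -c 'f() { echo hi; }; export -f f; env' | grep '^BASH_FUNC_f%%=' | cut -d= -f1
}

# Hand a child bash exactly one extra environment entry (NAME=VALUE, via env(1)
# so that names bash itself could never assign, such as BASH_FUNC_f%%, still get
# through) and report whether the child ends up with a function named f.
run_f_with_env() {
    env "$1" bash -c 'f 2>/dev/null || echo not-a-function'
}

# Can an ordinary assignment ever create a variable whose name carries the %%
# suffix? bash does not treat BASH_FUNC_f%%=x as an assignment at all (it looks
# for a command of that name and fails), so a real variable can never collide
# with the function encoding. Prints yes/no.
clash_possible() {
    if bash -c 'BASH_FUNC_f%%=x' 2>/dev/null; then echo yes; else echo no; fi
}

# Stand-alone run: the three properties the patch description claims.
printf 'export name of f:        %s\n' "$(exported_name)"
printf 'new encoding imported:   %s\n' "$(run_f_with_env 'BASH_FUNC_f%%=() { echo imported; }')"
printf 'old encoding imported:   %s\n' "$(run_f_with_env 'f=() { echo imported; }')"
printf 'variable can clash:      %s\n' "$(clash_possible)"
```

The middle two lines are the point of the patch: the same `() { ... }` body is accepted only when it arrives under the prefixed and suffixed name, while the pre-patch `f=() { ... }` form becomes an ordinary variable. Under the previous code, whose only test was `STREQN ("() {", string, 4)` on the value, that second entry would have been imported as a function. Running the same script against a bash that a vendor patched with a different suffix reports a different export name, which is the interoperability caveat to keep in mind when mixing images.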
Thread overview: 2+ messages
2014-10-02 14:28 [PATCH] Fix for CVE-2014-6277 and CVE-2014-6278 Sona Sarmadi
2014-10-02 14:42 ` Mark Hatle [this message]