From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Kees Cook <keescook@chromium.org>, Michal Marek <mmarek@suse.cz>,
	Brad Spengler <spender@grsecurity.net>,
	PaX Team <pageexec@freemail.hu>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 097/105] gen_init_cpio: avoid stack overflow when expanding
Date: Sun, 28 Oct 2012 23:17:13 +0000	[thread overview]
Message-ID: <20121028231607.161726644@decadent.org.uk> (raw)
In-Reply-To: <20121028231536.970033833@decadent.org.uk>

3.2-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>

commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.

Fix possible overflow of the buffer used for expanding environment
variables when building the file list.

In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.

  $ cat usr/crash.list
  file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
  $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
  *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

This also replaces the space-indenting with tabs.

Patch based on existing fix extracted from grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 usr/gen_init_cpio.c |   43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index af0f22f..aca6edc 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
 	int retval;
 	int rc = -1;
 	int namesize;
-	int i;
+	unsigned int i;
 
 	mode |= S_IFREG;
 
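Review bot: the change of `i` from `int` to `unsigned int` in cpio_mkfile() is not mentioned in the commit message and has nothing to do with the strncat() bounds this patch is about; the loop that uses `i` is outside the hunk, so the diff alone does not show that nothing compares it with a signed value or relies on it going negative. Either leave this out of the stable backport or add one sentence to the changelog saying why it is there (presumably to match an unsigned loop bound), so the next person reading the history does not have to guess.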
@@ -381,25 +381,28 @@ error:
 
 static char *cpio_replace_env(char *new_location)
 {
-       char expanded[PATH_MAX + 1];
-       char env_var[PATH_MAX + 1];
-       char *start;
-       char *end;
-
-       for (start = NULL; (start = strstr(new_location, "${")); ) {
-               end = strchr(start, '}');
-               if (start < end) {
-                       *env_var = *expanded = '\0';
-                       strncat(env_var, start + 2, end - start - 2);
-                       strncat(expanded, new_location, start - new_location);
-                       strncat(expanded, getenv(env_var), PATH_MAX);
-                       strncat(expanded, end + 1, PATH_MAX);
-                       strncpy(new_location, expanded, PATH_MAX);
-               } else
-                       break;
-       }
-
-       return new_location;
+	char expanded[PATH_MAX + 1];
+	char env_var[PATH_MAX + 1];
+	char *start;
+	char *end;
+
+	for (start = NULL; (start = strstr(new_location, "${")); ) {
+		end = strchr(start, '}');
+		if (start < end) {
+			*env_var = *expanded = '\0';
+			strncat(env_var, start + 2, end - start - 2);
+			strncat(expanded, new_location, start - new_location);
+			strncat(expanded, getenv(env_var),
+				PATH_MAX - strlen(expanded));
+			strncat(expanded, end + 1,
+				PATH_MAX - strlen(expanded));
+			strncpy(new_location, expanded, PATH_MAX);
+			new_location[PATH_MAX] = 0;
+		} else
+			break;
+	}
+
+	return new_location;
 }
 
 
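Review bot: `getenv(env_var)` returns NULL for an unset variable and is passed straight into `strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));`, which is undefined behaviour and typically a crash on a list that references a name not in the environment; check the result and either fail the entry or treat it as empty. Two further points on the same hunk: the new bounds make an over-long expansion silently truncate at PATH_MAX characters instead of failing, so a malformed list can now produce a wrong path rather than an error (consider reporting an error when `strlen(expanded)` hits PATH_MAX before the tail `end + 1` has been copied in full), and the first strncat() into env_var is still bounded only by the name length `end - start - 2`, so its safety rests on new_location never being longer than PATH_MAX, which this hunk does not show.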



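Added example, not the kernel's code and not part of this patch: the patched cpio_replace_env() logic reimplemented stand-alone with the buffer size as a parameter, so the overflow arithmetic from the report above can be checked with small buffers. unpatched_bytes_written() computes what the old fixed-PATH_MAX strncat() calls wrote for one expansion; expand_env_bounded() does the expansion the patched way, with each append limited by the space left. The lookup callback standing in for getenv(), the constructed sample values, the truncation return code, the NULL check and the iteration guard are assumptions of this example, not behaviour of gen_init_cpio.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for getenv() so the example runs offline (example assumption). */
typedef const char *(*env_lookup_fn)(const char *name);

/*
 * Bytes the pre-patch code wrote into `expanded` (capacity limit + 1) for one
 * ${NAME} expansion: the prefix before "${", then strncat(value, limit) and
 * strncat(tail, limit), each bounded by the fixed constant rather than by the
 * space remaining, plus the terminating NUL.  Anything above limit + 1 is a
 * write past the end of the stack buffer.
 */
size_t unpatched_bytes_written(size_t prefix_len, size_t value_len,
                               size_t tail_len, size_t limit)
{
    size_t n = prefix_len;
    n += value_len < limit ? value_len : limit;
    n += tail_len < limit ? tail_len : limit;
    return n + 1;
}

/*
 * Bounded expansion of every ${NAME} in buf (at most cap - 1 characters plus
 * NUL), mirroring the patched cpio_replace_env(): each strncat() into the
 * scratch buffer is limited by the space left in it.  Returns 0 on success,
 * 1 if some expansion was truncated to fit (the patch truncates silently;
 * reporting it is an addition), -1 if NAME is unset or too long (the patch
 * passes getenv()'s NULL straight into strncat()) or on repeated rescans.
 */
int expand_env_bounded(char *buf, size_t cap, env_lookup_fn lookup)
{
    size_t limit;
    char *expanded, *env_var, *start;
    int rc = 0, rounds = 0;

    if (cap == 0)
        return -1;
    limit = cap - 1;                   /* characters, excluding the NUL */
    expanded = malloc(cap);
    env_var = malloc(cap);
    if (!expanded || !env_var) {
        free(expanded);
        free(env_var);
        return -1;
    }

    /* Like the original, rescan from the start after every substitution, so a
     * value that itself contains ${...} is expanded again; the round limit is
     * an addition that stops a self-referencing value looping forever. */
    while ((start = strstr(buf, "${")) != NULL) {
        char *end = strchr(start, '}');
        size_t name_len, prefix_len, needed;
        const char *value;

        if (end == NULL)               /* unterminated reference: leave as-is */
            break;
        if (++rounds > 256) {
            rc = -1;
            break;
        }
        name_len = (size_t)(end - start - 2);
        if (name_len > limit) {        /* would overflow env_var */
            rc = -1;
            break;
        }
        env_var[0] = expanded[0] = '\0';
        strncat(env_var, start + 2, name_len);
        value = lookup(env_var);
        if (value == NULL) {
            rc = -1;
            break;
        }

        prefix_len = (size_t)(start - buf);   /* <= strlen(buf) <= limit */
        needed = prefix_len + strlen(value) + strlen(end + 1);
        if (needed > limit)
            rc = 1;                    /* result is cut at limit characters */

        strncat(expanded, buf, prefix_len);
        strncat(expanded, value, limit - strlen(expanded));
        strncat(expanded, end + 1, limit - strlen(expanded));

        strncpy(buf, expanded, limit);
        buf[limit] = '\0';
    }
    free(expanded);
    free(env_var);
    return rc;
}

/* Constructed sample environment for the demo; BIG is 4096 'A's as in the
 * report above, NOPE is unset. */
static char big_value[4096 + 1];

static const char *example_lookup(const char *name)
{
    if (strcmp(name, "BIG") == 0) {
        if (big_value[0] == '\0')
            memset(big_value, 'A', sizeof(big_value) - 1);
        return big_value;
    }
    if (strcmp(name, "HOME") == 0)
        return "/home/build";
    if (strcmp(name, "EMPTY") == 0)
        return "";
    return NULL;                       /* unset, as getenv() would report */
}

int main(void)
{
    char loc[64] = "${BIG}${BIG}${BIG}${BIG}${BIG}${BIG}";  /* small "PATH_MAX" */
    int rc;

    printf("pre-patch bytes for the crash.list line with PATH_MAX=4096: %zu (buffer holds 4097)\n",
           unpatched_bytes_written(0, 4096, 30, 4096));
    rc = expand_env_bounded(loc, sizeof loc, example_lookup);
    printf("patched: rc=%d strlen=%zu limit=%zu\n", rc, strlen(loc), sizeof loc - 1);
    return 0;
}
```

With the 4096-byte BIG from the report and PATH_MAX 4096, the first iteration of the old loop already needs 4127 bytes of a 4097-byte buffer, which is the `*** buffer overflow detected ***` that FORTIFY_SOURCE catches; the bounded version stays at the limit and tells the caller it truncated.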