Change-Id: I5b7e5e13e8d798efbcee45e124b496f2aa22b1ce
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5395
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
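--- /dev/null
+++ b/blktrace-fix-CVE-2018-10689.patch
@@ -0,0 +1,142 @@
+From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 2 May 2018 10:24:17 -0600
+Subject: btt: make device/devno use PATH_MAX to avoid overflow
+
+Herbo Zhang reports:
+
+I found a bug in blktrace/btt/devmap.c. The code is just as follows:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
+
+ struct devmap {
+
+struct list_head head;
+char device[32], devno[32]; // #1
+};
+
+LIST_HEAD(all_devmaps);
+
+static int dev_map_add(char *line)
+{
+struct devmap *dmp;
+
+if (strstr(line, "Device") != NULL)
+return 1;
+
+dmp = malloc(sizeof(struct devmap));
+if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
+free(dmp);
+return 1;
+}
+
+list_add_tail(&dmp->head, &all_devmaps);
+return 0;
+}
+
+int dev_map_read(char *fname)
+{
+char line[256]; // #3
+FILE *fp = my_fopen(fname, "r");
+
+if (!fp) {
+perror(fname);
+return 1;
+}
+
+while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
+if (dev_map_add(line))
+break;
+}
+
+fclose(fp);
+return 0;
+}
+
+ The line length is 256, but the dmp->device, dmp->devno max length
+is only 32. We can put strings longer than 32 into dmp->device and
+dmp->devno , and then they will be overflowed.
+
+ we can trigger this bug just as follows:
+
+ $ python -c "print 'A'*256" > ./test
+ $ btt -M ./test
+
+ *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
+ ======= Backtrace: =========
+ /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
+ /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
+ /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
+ btt(+0x32e0)[0x55ad7306f2e0]
+ btt(+0x2c5f)[0x55ad7306ec5f]
+ btt(+0x251f)[0x55ad7306e51f]
+ /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
+ btt(+0x26b9)[0x55ad7306e6b9]
+ ======= Memory map: ========
+ 55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
+ /usr/bin/btt
+ 55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
+ /usr/bin/btt
+ 55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
+ /usr/bin/btt
+ 55ad73280000-55ad73285000 rw-p 00000000 00:00 0
+ 55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
+ [heap]
+ 7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
+ 7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
+ 7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
+ /lib/x86_64-linux-gnu/libgcc_s.so.1
+ 7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
+ /lib/x86_64-linux-gnu/libc-2.23.so
+ 7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
+ 7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
+ 7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
+ 7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
+ /lib/x86_64-linux-gnu/ld-2.23.so
+ 7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
+ 7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
+ [stack]
+ 7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
+ [vvar]
+ 7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
+ [vdso]
+ ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+ [vsyscall]
+ [1] 6272 abort btt -M test
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+---
+ btt/devmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+ struct list_head head;
+- char device[32], devno[32];
++ char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
+--
+cgit 1.2-0.3.lf.el7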
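Review bot: The backported fix widens `device`/`devno` to PATH_MAX but leaves the `sscanf(line, "%s %s", dmp->device, dmp->devno)` in dev_map_add unbounded, so the overflow is closed only because the caller's `char line[256]` is smaller than PATH_MAX, and that coupling is stated nowhere in the patch. When carrying the fix downstream it is worth a comment at the struct, e.g. `/* must stay >= dev_map_read()'s line[256]: the %s conversions in dev_map_add() are unbounded */`, or a width-limited conversion so the two buffers no longer depend on each other. As rendered here the embedded diff goes from `--- a/btt/devmap.c` straight to `@@ -23,7 +23,7 @@` with no `+++ b/btt/devmap.c` line, and 141 lines are shown against the 142 the hunk header announces; if the stored file really lacks that line, `%patch0 -p1` may fail to locate its target, so confirm against the checked-in patch. PATH_MAX also needs `<limits.h>` in devmap.c, which the hunk's context does not show.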
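--- a/PLACEHOLDER-spec-file-path-not-on-page
+++ b/PLACEHOLDER-spec-file-path-not-on-page
@@ -1,7 +1,7 @@
 Summary: Utilities for block layer IO tracing
 Name: blktrace
 Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 URL: http://git.kernel.org/cgit/linux/kernel/git/axboe/blktrace.git/tree/README
 Group: Development/Tools/Other
@@ -9,6 +9,7 @@ Vendor: VMware, Inc.
 Distribution: Photon
 Source0: http://blktrace.sourcearchive.com/downloads/1.1.0-2/%{name}_%{version}.orig.tar.bz2
 %define sha1 blktrace=0a3a3203dbb5406098ad1d480d31d5104d4be823
+Patch0: blktrace-fix-CVE-2018-10689.patch
 BuildRequires: libaio-devel
 Requires: libaio
 
@@ -17,6 +18,7 @@ Requires: libaio
 information about request queue operations up to user space.
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 make
@@ -34,9 +36,11 @@ rm -rf %{buildroot}/*
 %{_mandir}
 
 %changelog
-* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.1.0-2
-- GA - Bump release of all rpms
+* Mon Jul 23 2018 Keerthana K <keerthanak@vmware.com> 1.1.0-3
+- Fix for CVE-2018-10689.
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.1.0-2
+- GA - Bump release of all rpms
 * Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 1.1.0-1
 - Updated to version 1.1.0
-* Mon Nov 30 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.0.5-1
-- Initial build. First version
+* Mon Nov 30 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.0.5-1
+- Initial build. First version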
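Review bot: The last two changelog lines of the final hunk are deleted and re-added with identical visible text, which reads as trailing-whitespace or line-ending churn rather than a content change. Keep the original `* Mon Nov 30 2015 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 1.0.5-1` and `- Initial build. First version` lines untouched so the diff shows only the new 1.1.0-3 entry, or state in the commit message that a trailing-newline fix was intended. The `Patch0:` and `%patch0 -p1` additions in the earlier hunks are consistent with each other.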