
fuse: Fix for CVE-2018-10906

* Added two patches:
** fusermount: don't feed "escaped commas" into mount options
** fusermount: refuse unknown options

Change-Id: If7680fa82e57319884efa183f2c0b737a6b9ff03
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6531
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

Ankit Jain authored on 2019/01/19 05:32:28
Showing 3 changed files
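--- /dev/null
+++ b/fuse-escaped-commas-CVE-2018-10906.patch
@@ -0,0 +1,44 @@
+From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+
+The old code permits the following behavior:
+
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+
+However, backslashes do not have any special meaning for the kernel here.
+
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 0e1d34d1..143bd4ac 100644
+--- a/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
++#include <stdbool.h>
+ 
+ #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"
+ 
+@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 		unsigned len;
+ 		const char *fsname_str = "fsname=";
+ 		const char *subtype_str = "subtype=";
++		bool escape_ok = begins_with(s, fsname_str) ||
++				 begins_with(s, subtype_str);
+ 		for (len = 0; s[len]; len++) {
+-			if (s[len] == '\\' && s[len + 1])
++			if (escape_ok && s[len] == '\\' && s[len + 1])
+ 				len++;
+ 			else if (s[len] == ',')
+ 				break;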
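Review bot: The embedded diff for `util/fusermount.c` goes straight from `--- a/util/fusermount.c` to `@@ -29,6 +29,7 @@` with no `+++ b/util/fusermount.c` line, and the companion patch has the same gap; the consecutive line numbering suggests the line is really absent rather than hidden by this page, but that is worth confirming in the committed file. If it is absent, `%patch0 -p1` relies on patch(1) recovering the target name from the `diff --git` and `---` headers, which works with recent GNU patch but is a fragile way to ship a security backport; regenerating the file with `git format-patch` (or re-adding `+++ b/util/fusermount.c` after the `---` line) makes it well-formed. The code change itself matches upstream: backslash escaping is honoured only for `fsname=`/`subtype=`, so a `\,` inside any other option is now split at the comma and `allow_other` can no longer ride along inside another option's value. `do_mount` starts and ends outside this hunk.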
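--- /dev/null
+++ b/fuse-refuse-unknown-options-CVE-2018-10906.patch
@@ -0,0 +1,40 @@
+From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 14 Jul 2018 03:47:50 -0700
+Subject: [PATCH] fusermount: refuse unknown options
+
+Blacklists are notoriously fragile; especially if the kernel wishes to add
+some security-critical mount option at a later date, all existing systems
+with older versions of fusermount installed will suddenly have a security
+problem.
+Additionally, if the kernel's option parsing became a tiny bit laxer, the
+blacklist could probably be bypassed.
+
+Whitelist known-harmless flags instead, even if it's slightly more
+inconvenient.
+---
+ util/fusermount.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 4e0f51a3..27924073 100644
+--- a/util/fusermount.c
+@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 						flags |= flag;
+ 					else
+ 						flags  &= ~flag;
+-				} else {
++				} else if (opt_eq(s, len, "default_permissions") ||
++					   opt_eq(s, len, "allow_other") ||
++					   begins_with(s, "max_read=") ||
++					   begins_with(s, "blksize=")) {
+ 					memcpy(d, s, len);
+ 					d += len;
+ 					*d++ = ',';
++				} else {
++					fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
++					exit(1);
+ 				}
+ 			}
+ 		}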
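Review bot: In the new `fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);` the `%.*s` precision argument must be an `int`, but `len` is declared `unsigned` in the same `do_mount` (visible in the first patch's hunk at `unsigned len;`), so the call should pass `(int)len` to keep the variadic types matched. The `exit(1)` also leaves from inside a function whose header reads `static int do_mount(...)`; if the function's other option-rejection paths (outside this hunk) return -1 or jump to a cleanup label, using the same path would keep the caller's cleanup intact rather than terminating mid-function. The allow-list is deliberately tight — only `default_permissions`, `allow_other`, `max_read=` and `blksize=` are copied through — which is the right default for a setuid helper, but it means any other `-o` option that 2.9.5 previously forwarded to the kernel now aborts the mount. `do_mount` starts and ends outside this hunk.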
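--- a/fuse.spec
+++ b/fuse.spec
@@ -1,7 +1,7 @@
 Summary:	File System in Userspace (FUSE) utilities
 Name:           fuse
 Version:        2.9.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPL+
 Url:		http://fuse.sourceforge.net/
 Group:		System Environment/Base
@@ -9,6 +9,8 @@ Vendor:		VMware, Inc.
 Distribution:	Photon
 Source0:        https://github.com/libfuse/libfuse/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
 %define sha1 fuse=bf71181cdc25f65e5757a8a14d352296722de2e3
+Patch0:         fuse-escaped-commas-CVE-2018-10906.patch
+Patch1:         fuse-refuse-unknown-options-CVE-2018-10906.patch
 %description
 With FUSE it is possible to implement a fully functional filesystem in a
 userspace program. 
@@ -22,6 +24,8 @@ It contains the libraries and header files to create fuse applications.
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %build
 ./configure --prefix=%{_prefix} --disable-static INIT_D_PATH=/tmp/init.d &&
 make %{?_smp_mflags}
@@ -51,6 +55,8 @@ install -v -m644    doc/{how-fuse-works,kernel.txt} \
 %{_prefix}/bin/fusermount
 
 %changelog
+*	Fri Jan 18 2019 Ankit Jain <ankitja@vmware.com> 2.9.5-3
+-	Fix for CVE-2018-10906, added two patches
 *	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.9.5-2
 -	GA - Bump release of all rpms
 *   Tue Jan 26 2016 Xiaolin Li <xiaolinl@vmware.com> 2.9.5-1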
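Review bot: The changelog entry `-	Fix for CVE-2018-10906, added two patches` does not record the user-visible effect of Patch1, which makes `fusermount` exit on any `-o` option outside its short allow-list instead of forwarding it to the kernel; a second line such as `-	fusermount now rejects unknown mount options (upstream behaviour change that accompanies the fix)` would save whoever bisects a broken mount after this update. The `%patch0 -p1` / `%patch1 -p1` order matches the Patch0/Patch1 declarations, and both patches target `util/fusermount.c` at line offsets taken from a newer upstream tree than 2.9.5, so they presumably apply with fuzz here — the Tested-by build is the only evidence of that in this commit.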