Security fix for CVE-2018-10689

2018-05-07 10:04:41 -05:00 · 2018-05-07 10:04:41 -05:00 · 2ac3f32455
commit 2ac3f32455
parent 4cba3f9cc3
2 changed files with 152 additions and 1 deletions
--- a/blktrace-fix-btt-overflow.patch
+++ b/blktrace-fix-btt-overflow.patch
@ -0,0 +1,144 @@
 From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
 From: Jens Axboe <axboe@kernel.dk>
 Date: Wed, 2 May 2018 10:24:17 -0600
 Subject: btt: make device/devno use PATH_MAX to avoid overflow
 Herbo Zhang reports:
 I found a bug in blktrace/btt/devmap.c. The code is just as follows:
 https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
       struct devmap {
 struct list_head head;
 char device[32], devno[32];    // #1
 };
 LIST_HEAD(all_devmaps);
 static int dev_map_add(char *line)
 {
 struct devmap *dmp;
 if (strstr(line, "Device") != NULL)
 return 1;
 dmp = malloc(sizeof(struct devmap));
 if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) {  //#2
 free(dmp);
 return 1;
 }
 list_add_tail(&dmp->head, &all_devmaps);
 return 0;
 }
 int dev_map_read(char *fname)
 {
 char line[256];   // #3
 FILE *fp = my_fopen(fname, "r");
 if (!fp) {
 perror(fname);
 return 1;
 }
 while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
 if (dev_map_add(line))
 break;
 }
 fclose(fp);
 return 0;
 }
 The line length is 256, but the dmp->device, dmp->devno  max length
 is only 32. We can put strings longer than 32 into dmp->device and
 dmp->devno , and then they will be overflowed.
 we can trigger this bug just as follows:
 $ python -c "print 'A'*256" > ./test
    $ btt -M ./test
    *** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
    /lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
    /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
    btt(+0x32e0)[0x55ad7306f2e0]
    btt(+0x2c5f)[0x55ad7306ec5f]
    btt(+0x251f)[0x55ad7306e51f]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
    btt(+0x26b9)[0x55ad7306e6b9]
    ======= Memory map: ========
    55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
      /usr/bin/btt
    55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
      /usr/bin/btt
    55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
      /usr/bin/btt
    55ad73280000-55ad73285000 rw-p 00000000 00:00 0
    55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
      [heap]
    7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
    7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
    7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
      /lib/x86_64-linux-gnu/libgcc_s.so.1
    7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
      /lib/x86_64-linux-gnu/libgcc_s.so.1
    7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
      /lib/x86_64-linux-gnu/libgcc_s.so.1
    7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
      /lib/x86_64-linux-gnu/libgcc_s.so.1
    7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
      /lib/x86_64-linux-gnu/libc-2.23.so
    7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
      /lib/x86_64-linux-gnu/libc-2.23.so
    7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
      /lib/x86_64-linux-gnu/libc-2.23.so
    7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
      /lib/x86_64-linux-gnu/libc-2.23.so
    7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
    7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
      /lib/x86_64-linux-gnu/ld-2.23.so
    7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
    7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
    7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
      /lib/x86_64-linux-gnu/ld-2.23.so
    7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
      /lib/x86_64-linux-gnu/ld-2.23.so
    7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
    7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
      [stack]
    7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
      [vvar]
    7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
      [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
      [vsyscall]
    [1]    6272 abort      btt -M test
 Signed-off-by: Jens Axboe <axboe@kernel.dk>
 ---
 btt/devmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/btt/devmap.c b/btt/devmap.c
 index 0553a9e..5fc1cb2 100644
 --- a/btt/devmap.c
 +++ b/btt/devmap.c
@@ -23,7 +23,7 @@
 struct devmap {
 	struct list_head head;
 -	char device[32], devno[32];
 +	char device[PATH_MAX], devno[PATH_MAX];
 };
 LIST_HEAD(all_devmaps);
 -- 
 cgit v1.1
--- a/blktrace.spec
+++ b/blktrace.spec
@ -1,7 +1,7 @@
 Summary: Utilities for performing block layer IO tracing in the Linux kernel
 Name: blktrace
 Version: 1.2.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: Development/System
 Source:  http://brick.kernel.dk/snaps/blktrace-%{version}.tar.bz2
@ -10,6 +10,8 @@ Url: http://brick.kernel.dk/snaps
 Requires: python2
 BuildRequires: gcc, libaio-devel python2 librsvg2-devel
 Patch0: blktrace-fix-btt-overflow.patch
 %description
 blktrace is a block layer IO tracing mechanism which provides detailed
 information about request queue operations to user space.  This package
@ -19,8 +21,10 @@ and blkparse, a utility which formats trace data collected by blktrace.
 You should install the blktrace package if you need to gather detailed
 information about IO patterns.
 %prep
 %setup -q
 %patch0 -p1
 %build
 make CFLAGS="%{optflags} %{build_ldflags}" all
@ -71,6 +75,9 @@ information about IO patterns.
 %{_mandir}/man1/iowatcher.*
 %changelog
 * Mon May 07 2018 Eric Sandeen <sandeen@redhat.com> - 1.2.0-6
 - Fix for CVE-2018-10689 (#1575120)
 * Mon Feb 26 2018 Eric Sandeen <sandeen@redhat.com> - 1.2.0-5
 - BuildRequires: gcc