parted/0098-Fix-potential-command-line-buffer-overflow.patch

From a52926f6d3cd2520419c60d4f81a410d33d6d970 Mon Sep 17 00:00:00 2001
From: Simon Xu <xu.simon@oracle.com>
Date: Mon, 20 Aug 2018 20:31:26 +0800
Subject: [PATCH 098/103] Fix potential command line buffer overflow

parted terminates with 'stack smashing detected' when fed with a long command
line argument, and segfaults when the argument is long enough:

root # /sbin/parted /dev/sda $(perl -e 'print "a"x265')
*** stack smashing detected ***: /sbin/parted terminated
...
Aborted

root # /sbin/parted /dev/sda $(perl -e 'print "a"x328')
*** stack smashing detected ***: /sbin/parted terminated
...
Command History:
Segmentation fault

parted should be able to detect it and exit with error and usage messages.
This also makes command line buffer overflow exploit more possible.  Fix it by
adding length check in the condition of the for loop where command line
arguments are copied.

Signed-off-by: Simon Xu <xu.simon@oracle.com>
Signed-off-by: Brian C. Lane <bcl@redhat.com>
---
 parted/ui.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parted/ui.c b/parted/ui.c
index 4f42b7c..d421768 100644
--- a/parted/ui.c
+++ b/parted/ui.c
@@ -728,7 +728,7 @@ command_line_push_line (const char* line, int multi_word)
                         line++;
 
                 i = 0;
-                for (; *line; line++) {
+                for (; *line && i < sizeof (this_word) - 1; line++) {
                         if (*line == ' ' && !quoted) {
                                 if (multi_word)
                                         break;
-- 
2.17.2
- Read NVMe model names from sysfs (dann.frazier) - Fix warnings from GCC 7's -Wimplicit-fallthrough (dann.frazier) - ped_unit_get_name: Resolve conflicting attributes 'const' and 'pure' (dann.frazier) - Add udf to t1700-probe-fs and to the manpage (bcl) - libparted: Add support for MBR id, GPT GUID and detection of UDF filesystem (pali.rohar) - Fix potential command line buffer overflow (xu.simon) - t6100-mdraid-partitions: Use v0.90 metadata for the test (bcl) - parted.c: Make sure dev_name is freed (bcl) - parted.c: Always free peek_word (bcl) - Fix the length of several strncpy calls (bcl) 2018-10-16 22:38:03 +00:00			`From a52926f6d3cd2520419c60d4f81a410d33d6d970 Mon Sep 17 00:00:00 2001`
			`From: Simon Xu <xu.simon@oracle.com>`
			`Date: Mon, 20 Aug 2018 20:31:26 +0800`
			`Subject: [PATCH 098/103] Fix potential command line buffer overflow`

			`parted terminates with 'stack smashing detected' when fed with a long command`
			`line argument, and segfaults when the argument is long enough:`

			`root # /sbin/parted /dev/sda $(perl -e 'print "a"x265')`
			`* stack smashing detected *: /sbin/parted terminated`
			`...`
			`Aborted`

			`root # /sbin/parted /dev/sda $(perl -e 'print "a"x328')`
			`* stack smashing detected *: /sbin/parted terminated`
			`...`
			`Command History:`
			`Segmentation fault`

			`parted should be able to detect it and exit with error and usage messages.`
			`This also makes command line buffer overflow exploit more possible. Fix it by`
			`adding length check in the condition of the for loop where command line`
			`arguments are copied.`

			`Signed-off-by: Simon Xu <xu.simon@oracle.com>`
			`Signed-off-by: Brian C. Lane <bcl@redhat.com>`
			`---`
			`parted/ui.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/parted/ui.c b/parted/ui.c`
			`index 4f42b7c..d421768 100644`
			`--- a/parted/ui.c`
			`+++ b/parted/ui.c`
			`@@ -728,7 +728,7 @@ command_line_push_line (const char* line, int multi_word)`
			`line++;`

			`i = 0;`
			`- for (; *line; line++) {`
			`+ for (; *line && i < sizeof (this_word) - 1; line++) {`
			`if (*line == ' ' && !quoted) {`
			`if (multi_word)`
			`break;`
			`--`
			`2.17.2`