[oe-commits] [openembedded-core] 46/61: util-linux: Security fix for CVE-2016-5011
git at git.openembedded.org
git at git.openembedded.org
Fri Sep 23 14:28:53 UTC 2016
rpurdie pushed a commit to branch krogoth
in repository openembedded-core.
commit 72a8636e3cfdfef8d95fee4af721dd7acaa89ffc
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Mon Sep 19 21:51:14 2016 -0700
util-linux: Security fix for CVE-2016-5011
affects util-linux < 2.28.2
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../util-linux/util-linux/CVE-2016-5011.patch | 59 ++++++++++++++
.../util-linux/util-linux/CVE-2016-5011_p2.patch | 91 ++++++++++++++++++++++
meta/recipes-core/util-linux/util-linux_2.27.1.bb | 2 +
3 files changed, 152 insertions(+)
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
new file mode 100644
index 0000000..9571280
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
@@ -0,0 +1,59 @@
+From 7164a1c34d18831ac61c6744ad14ce916d389b3f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak at redhat.com>
+Date: Thu, 7 Jul 2016 14:22:41 +0200
+Subject: [PATCH] libblkid: ignore extended partition at zero offset
+
+If the extended partition starts at zero LBA then MBR is interpreted
+as EBR and all is recursively parsed... result is out-of-memory.
+
+ MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
+
+Note that such PT is not possible to create by standard partitioning
+tools.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+Signed-off-by: Karel Zak <kzak at redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 1
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libblkid/src/partitions/dos.c b/libblkid/src/partitions/dos.c
+index 9bba32f..e79f124 100644
+--- a/libblkid/src/partitions/dos.c
++++ b/libblkid/src/partitions/dos.c
+@@ -47,6 +47,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ int ct_nodata = 0; /* count ext.partitions without data partitions */
+ int i;
+
++ DBG(LOWPROBE, ul_debug("parse EBR [start=%d, size=%d]", ex_start/ssf, ex_size/ssf));
++ if (ex_start == 0) {
++ DBG(LOWPROBE, ul_debug("Bad offset in primary extended partition -- ignore"));
++ return 0;
++ }
++
+ while (1) {
+ struct dos_partition *p, *p0;
+ uint32_t start, size;
+@@ -116,8 +122,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ start = dos_partition_get_start(p) * ssf;
+ size = dos_partition_get_size(p) * ssf;
+
+- if (size && is_extended(p))
+- break;
++ if (size && is_extended(p)) {
++ if (start == 0)
++ DBG(LOWPROBE, ul_debug("#%d: EBR link offset is zero -- ignore", i + 1));
++ else
++ break;
++ }
+ }
+ if (i == 4)
+ goto leave;
+--
+2.7.4
+
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
new file mode 100644
index 0000000..9c6960f
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
@@ -0,0 +1,91 @@
+From 50d1594c2e6142a3b51d2143c74027480df082e0 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak at redhat.com>
+Date: Tue, 12 Jul 2016 13:34:54 +0200
+Subject: [PATCH] libblkid: avoid non-empty recursion in EBR
+
+This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
+
+We also need to detect non-empty recursion in the EBR chain. It's
+possible to create standard valid logical partitions and in the last one
+points back to the EBR chain. In this case all offsets will be non-empty.
+
+Unfortunately, it's valid to create logical partitions that are not in
+the "disk order" (sorted by start offset). So link somewhere back is
+valid, but this link cannot points to already existing partition
+(otherwise we will see recursion).
+
+This patch forces libblkid to ignore duplicate logical partitions, the
+duplicate chain segment is interpreted as non-data segment, after 100
+iterations with non-data segments it will break the loop -- no memory
+is allocated in this case by the loop.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+References: http://seclists.org/oss-sec/2016/q3/40
+Signed-off-by: Karel Zak <kzak at redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 2
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 7 +++++++
+ libblkid/src/partitions/partitions.c | 14 ++++++++++++++
+ libblkid/src/partitions/partitions.h | 2 ++
+ 3 files changed, 23 insertions(+)
+
+Index: util-linux-2.26.2/libblkid/src/partitions/dos.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/dos.c
++++ util-linux-2.26.2/libblkid/src/partitions/dos.c
+@@ -105,6 +105,13 @@ static int parse_dos_extended(blkid_prob
+ continue;
+ }
+
++ /* Avoid recursive non-empty links, see ct_nodata counter */
++ if (blkid_partlist_get_partition_by_start(ls, abs_start)) {
++ DBG(LOWPROBE, ul_debug("#%d: EBR duplicate data partition [abs start=%u] -- ignore",
++ i + 1, abs_start));
++ continue;
++ }
++
+ par = blkid_partlist_add_partition(ls, tab, abs_start, size);
+ if (!par)
+ return -ENOMEM;
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.c
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.c
+@@ -940,6 +940,20 @@ blkid_partition blkid_partlist_get_parti
+ return &ls->parts[n];
+ }
+
++blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
++{
++ int i, nparts;
++ blkid_partition par;
++
++ nparts = blkid_partlist_numof_partitions(ls);
++ for (i = 0; i < nparts; i++) {
++ par = blkid_partlist_get_partition(ls, i);
++ if ((uint64_t) blkid_partition_get_start(par) == start)
++ return par;
++ }
++ return NULL;
++}
++
+ /**
+ * blkid_partlist_get_partition_by_partno
+ * @ls: partitions list
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.h
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.h
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.h
+@@ -21,6 +21,8 @@ extern int blkid_partlist_increment_part
+
+ extern blkid_partition blkid_partlist_get_parent(blkid_partlist ls);
+
++extern blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start);
++
+ extern int blkid_partitions_do_subprobe(blkid_probe pr,
+ blkid_partition parent, const struct blkid_idinfo *id);
+
diff --git a/meta/recipes-core/util-linux/util-linux_2.27.1.bb b/meta/recipes-core/util-linux/util-linux_2.27.1.bb
index 7549158..5ad73c7 100644
--- a/meta/recipes-core/util-linux/util-linux_2.27.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.27.1.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://util-linux-ng-2.16-mount_lock_path.patch \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
file://uuid-test-error-api.patch \
+ file://CVE-2016-5011.patch \
+ file://CVE-2016-5011_p2.patch \
"
SRC_URI[md5sum] = "3cd2698d1363a2c64091c2dadc974647"
SRC_URI[sha256sum] = "0a818fcdede99aec43ffe6ca5b5388bff80d162f2f7bd4541dca94fecb87a290"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list