[oe-commits] [meta-openembedded] 08/08: fuse: CVE-2018-10906

git at git.openembedded.org git at git.openembedded.org
Thu Sep 6 05:34:00 UTC 2018


This is an automated email from the git hooks/post-receive script.

armin_kuster pushed a commit to branch sumo-next
in repository meta-openembedded.

commit be79b8b111a968efdbe5e1482d0c246d0b24763e
Author: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
AuthorDate: Thu Aug 23 16:51:23 2018 +0530

    fuse: CVE-2018-10906
    
    * CVE-2018-10906-1:
    
    fusermount: don't feed "escaped commas" into mount options
    
    The old code permits the following behavior:
    
    $ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
    mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
    
    However, backslashes do not have any special meaning for the kernel here.
    
    As it happens, you can't abuse this because there is no FUSE mount option
    that takes a string value that can contain backslashes; but this is very
    brittle. Don't interpret "escape characters" in places where they don't
    work.
    
    * CVE-2018-10906-2:
    
    fusermount: refuse unknown options
    
    Blacklists are notoriously fragile; especially if the kernel wishes to add
    some security-critical mount option at a later date, all existing systems
    with older versions of fusermount installed will suddenly have a security
    problem.
    Additionally, if the kernel's option parsing became a tiny bit laxer, the
    blacklist could probably be bypassed.
    
    Whitelist known-harmless flags instead, even if it's slightly more
    inconvenient.
    
    Affects fuse < 2.9.8 and fuse < 3.2.5
    
    Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../fuse/files/CVE-2018-10906-1.patch              | 52 ++++++++++++++++++++++
 .../fuse/files/CVE-2018-10906-2.patch              | 48 ++++++++++++++++++++
 .../recipes-support/fuse/fuse_2.9.7.bb             |  2 +
 3 files changed, 102 insertions(+)

diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
new file mode 100644
index 0000000..83bef30
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
@@ -0,0 +1,52 @@
+From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh at google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+
+The old code permits the following behavior:
+
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+
+However, backslashes do not have any special meaning for the kernel here.
+
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 0e1d34d..143bd4a 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
++#include <stdbool.h>
+ 
+ #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"
+ 
+@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 		unsigned len;
+ 		const char *fsname_str = "fsname=";
+ 		const char *subtype_str = "subtype=";
++		bool escape_ok = begins_with(s, fsname_str) ||
++				 begins_with(s, subtype_str);
+ 		for (len = 0; s[len]; len++) {
+-			if (s[len] == '\\' && s[len + 1])
++			if (escape_ok && s[len] == '\\' && s[len + 1])
+ 				len++;
+ 			else if (s[len] == ',')
+ 				break;
+-- 
+2.13.3
+
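
Review bot: in the do_mount hunk of util/fusermount.c, `escape_ok` is added with no comment explaining why only `fsname=` and `subtype=` keep backslash-escape handling; the rationale (backslashes have no special meaning to the kernel for the other options) exists only in the patch description. A one-line comment above `bool escape_ok = ...` would keep the restriction from being relaxed later. It would also help to state the resulting behaviour: for every other option a backslash is now an ordinary character, so the `else if (s[len] == ',')` branch ends the option at the next comma and whatever follows is parsed as an option of its own.
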
diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
new file mode 100644
index 0000000..104aa17
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
@@ -0,0 +1,48 @@
+From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh at google.com>
+Date: Sat, 14 Jul 2018 03:47:50 -0700
+Subject: [PATCH] fusermount: refuse unknown options
+
+Blacklists are notoriously fragile; especially if the kernel wishes to add
+some security-critical mount option at a later date, all existing systems
+with older versions of fusermount installed will suddenly have a security
+problem.
+Additionally, if the kernel's option parsing became a tiny bit laxer, the
+blacklist could probably be bypassed.
+
+Whitelist known-harmless flags instead, even if it's slightly more
+inconvenient.
+
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ util/fusermount.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 4e0f51a..2792407 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 						flags |= flag;
+ 					else
+ 						flags  &= ~flag;
+-				} else {
++				} else if (opt_eq(s, len, "default_permissions") ||
++					   opt_eq(s, len, "allow_other") ||
++					   begins_with(s, "max_read=") ||
++					   begins_with(s, "blksize=")) {
+ 					memcpy(d, s, len);
+ 					d += len;
+ 					*d++ = ',';
++				} else {
++					fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
++					exit(1);
+ 				}
+ 			}
+ 		}
+-- 
+2.13.3
+
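
Review bot: in the new final `else` branch, `len` is passed as the precision for `%.*s`, but `len` is declared `unsigned` in do_mount (visible in the context lines of CVE-2018-10906-1.patch) and the precision argument has to be an `int`; suggest `(int)len` in the fprintf call. The patch description should also say that any option not caught by the earlier branches and not one of `default_permissions`, `allow_other`, `max_read=` or `blksize=` now makes fusermount print "unknown option" and `exit(1)`, since that is a user-visible behaviour change for existing images that pass other options.
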
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
index 202d4c3..1eb9b70 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
            file://aarch64.patch \
            file://0001-fuse-fix-the-return-value-of-help-option.patch \
            file://fuse.conf \
+           file://CVE-2018-10906-1.patch \
+           file://CVE-2018-10906-2.patch \
 "
 SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"
 SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"
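
Review bot: the two new SRC_URI entries depend on their order and on the 2.9.7 source, and the commit message does not say they were checked against it. The pre-image blob of CVE-2018-10906-2.patch (`index 4e0f51a..2792407`) is not the post-image blob of CVE-2018-10906-1.patch (`index 0e1d34d..143bd4a`), so upstream had at least one other change to util/fusermount.c between the two commits. Please confirm that both patches apply to fuse 2.9.7 without fuzz or offset warnings in do_patch, and consider listing them ahead of `file://fuse.conf` so the patch entries stay grouped.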
