[OE-core] [PATCH] procps:Fix CVE-2018-1122&CVE-2018-1123

Burton, Ross ross.burton at intel.com
Tue Jun 26 11:27:24 UTC 2018


It appears that these are fixed in 3.3.15, so let's just upgrade to
that and get all the other security fixes too.

Ross

On 26 June 2018 at 08:35, Hong Liu <hongl.fnst at cn.fujitsu.com> wrote:
> 1.0001-top-Do-not-default-to-the-cwd-in-configs_read.patch fixed CVE-2018-1122
>
> 2.0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch fixed CVE-2018-1123
> ---
>  ...put.c-Fix-outbuf-overflows-in-pr_args-etc.patch |  84 +++++++++++++++++
>  ...Do-not-default-to-the-cwd-in-configs_read.patch | 101 +++++++++++++++++++++
>  meta/recipes-extended/procps/procps_3.3.14.bb      |   2 +
>  3 files changed, 187 insertions(+)
>  create mode 100644 meta/recipes-extended/procps/procps/0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch
>  create mode 100644 meta/recipes-extended/procps/procps/0001-top-Do-not-default-to-the-cwd-in-configs_read.patch
>
> diff --git a/meta/recipes-extended/procps/procps/0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch b/meta/recipes-extended/procps/procps/0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch
> new file mode 100644
> index 0000000..ab4fc23
> --- /dev/null
> +++ b/meta/recipes-extended/procps/procps/0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch
> @@ -0,0 +1,84 @@
> +From 136e3724952827bbae8887a42d9d2b6f658a48ab Mon Sep 17 00:00:00 2001
> +From: Qualys Security Advisory <qsa at qualys.com>
> +Date: Thu, 1 Jan 1970 00:00:00 +0000
> +Subject: [PATCH] ps/output.c: Fix outbuf overflows in pr_args() etc.
> +
> +Because there is usually less than OUTBUF_SIZE available at endp.
> +
> +Upstream-Status: Backport
> +---
> + ps/output.c | 23 ++++++++++++++---------
> + 1 file changed, 14 insertions(+), 9 deletions(-)
> +
> +diff --git a/ps/output.c b/ps/output.c
> +index 0c63bb6..4456f28 100644
> +--- a/ps/output.c
> ++++ b/ps/output.c
> +@@ -389,6 +389,9 @@ Modifications to the arguments are not shown.
> +
> + // FIXME: some of these may hit the guard page in forest mode
> +
> ++#define OUTBUF_SIZE_AT(endp) \
> ++  (((endp) >= outbuf && (endp) < outbuf + OUTBUF_SIZE) ? (outbuf + OUTBUF_SIZE) - (endp) : 0)
> ++
> + /*
> +  * "args", "cmd", "command" are all the same:  long  unless  c
> +  * "comm", "ucmd", "ucomm"  are all the same:  short unless -f
> +@@ -402,15 +405,15 @@ static int pr_args(char *restrict const outbuf, const proc_t *restrict const pp)
> +   rightward -= fh;
> +
> +   if(pp->cmdline && !bsd_c_option)
> +-    endp += escaped_copy(endp, *pp->cmdline, OUTBUF_SIZE, &rightward);
> ++    endp += escaped_copy(endp, *pp->cmdline, OUTBUF_SIZE_AT(endp), &rightward);
> +   else
> +-    endp += escape_command(endp, pp, OUTBUF_SIZE, &rightward, ESC_DEFUNCT);
> ++    endp += escape_command(endp, pp, OUTBUF_SIZE_AT(endp), &rightward, ESC_DEFUNCT);
> +
> +-  if(bsd_e_option && rightward>1) {
> ++  if(bsd_e_option && rightward>1 && OUTBUF_SIZE_AT(endp)>1) {
> +     if(pp->environ && *pp->environ) {
> +       *endp++ = ' ';
> +       rightward--;
> +-      endp += escape_strlist(endp, pp->environ, OUTBUF_SIZE, &rightward);
> ++      endp += escape_strlist(endp, pp->environ, OUTBUF_SIZE_AT(endp), &rightward);
> +     }
> +   }
> +   return max_rightward-rightward;
> +@@ -429,15 +432,15 @@ static int pr_comm(char *restrict const outbuf, const proc_t *restrict const pp)
> +   rightward -= fh;
> +
> +   if(pp->cmdline && unix_f_option)
> +-    endp += escaped_copy(endp, *pp->cmdline, OUTBUF_SIZE, &rightward);
> ++    endp += escaped_copy(endp, *pp->cmdline, OUTBUF_SIZE_AT(endp), &rightward);
> +   else
> +-    endp += escape_command(endp, pp, OUTBUF_SIZE, &rightward, ESC_DEFUNCT);
> ++    endp += escape_command(endp, pp, OUTBUF_SIZE_AT(endp), &rightward, ESC_DEFUNCT);
> +
> +-  if(bsd_e_option && rightward>1) {
> ++  if(bsd_e_option && rightward>1 && OUTBUF_SIZE_AT(endp)>1) {
> +     if(pp->environ && *pp->environ) {
> +       *endp++ = ' ';
> +       rightward--;
> +-      endp += escape_strlist(endp, pp->environ, OUTBUF_SIZE, &rightward);
> ++      endp += escape_strlist(endp, pp->environ, OUTBUF_SIZE_AT(endp), &rightward);
> +     }
> +   }
> +   return max_rightward-rightward;
> +@@ -469,11 +472,13 @@ static int pr_fname(char *restrict const outbuf, const proc_t *restrict const pp
> +   if (rightward>8)  /* 8=default, but forest maybe feeds more */
> +     rightward = 8;
> +
> +-  endp += escape_str(endp, pp->cmd, OUTBUF_SIZE, &rightward);
> ++  endp += escape_str(endp, pp->cmd, OUTBUF_SIZE_AT(endp), &rightward);
> +   //return endp - outbuf;
> +   return max_rightward-rightward;
> + }
> +
> ++#undef OUTBUF_SIZE_AT
> ++
> + /* elapsed wall clock time, [[dd-]hh:]mm:ss format (not same as "time") */
> + static int pr_etime(char *restrict const outbuf, const proc_t *restrict const pp){
> +   unsigned long t;
> +--
> +2.14.3
> +
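Review bot: The new OUTBUF_SIZE_AT() macro yields 0 once endp has already run past outbuf, and every caller then hands that 0 to escaped_copy()/escape_command()/escape_strlist() and advances endp by whatever they return, so the overflow is only closed if those helpers write nothing and return 0 for a zero bufsize — they are not in this hunk and should be checked in the 3.3.14 tree before trusting the backport. The `OUTBUF_SIZE_AT(endp)>1` guard before `*endp++ = ' '` is correct on its own, since it leaves at least one byte for the following call. The header carries only `Upstream-Status: Backport`; an OE-core CVE backport also needs `CVE: CVE-2018-1123` (so cve-check stops reporting it) and a `Signed-off-by:` line, and the Backport tag should name the upstream commit, which is the id on the From: line, 136e3724952827bbae8887a42d9d2b6f658a48ab. The pre-existing `// FIXME: some of these may hit the guard page in forest mode` is kept directly above the macro; if the macro is meant to address it, the comment should say so, otherwise a reader will assume the problem is still open. pr_args(), pr_comm() and pr_fname() all begin before their respective hunks.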
> diff --git a/meta/recipes-extended/procps/procps/0001-top-Do-not-default-to-the-cwd-in-configs_read.patch b/meta/recipes-extended/procps/procps/0001-top-Do-not-default-to-the-cwd-in-configs_read.patch
> new file mode 100644
> index 0000000..8b1b904
> --- /dev/null
> +++ b/meta/recipes-extended/procps/procps/0001-top-Do-not-default-to-the-cwd-in-configs_read.patch
> @@ -0,0 +1,101 @@
> +From b45c4803dd176f4e3f9d3d47421ddec9bbbe66cd Mon Sep 17 00:00:00 2001
> +From: Qualys Security Advisory <qsa at qualys.com>
> +Date: Thu, 1 Jan 1970 00:00:00 +0000
> +Subject: [PATCH] top: Do not default to the cwd in configs_read().
> +
> +If the HOME environment variable is not set, or not absolute, use the
> +home directory returned by getpwuid(getuid()), if set and absolute
> +(instead of the cwd "."); otherwise, set p_home to NULL.
> +
> +To keep the changes to a minimum, we rely on POSIX, which requires that
> +fopen() fails with ENOENT if the pathname (Rc_name) is an empty string.
> +This integrates well into the existing code, and makes write_rcfile()
> +work without a change.
> +
> +Also, it makes the code in configs_read() easier to follow: only set and
> +use p_home if safe, and only set Rc_name if safe (in all the other cases
> +it is the empty string, and the fopen() calls fail). Plus, check for
> +snprintf() truncation (and if it happens, reset Rc_name to the empty
> +string).
> +
> +Important note: top.1 should probably be updated, since it mentions the
> +fallback to the current working directory.
> +
> +Upstream-Status: Backport
> +---
> + top/top.c | 33 ++++++++++++++++++++++++++++-----
> + 1 file changed, 28 insertions(+), 5 deletions(-)
> +
> +diff --git a/top/top.c b/top/top.c
> +index bc609aa..1b5afee 100644
> +--- a/top/top.c
> ++++ b/top/top.c
> +@@ -3810,6 +3810,20 @@ error Hey, fix the above fscanf 'PFLAGSSIZ' dependency !
> + } // end: config_file
> +
> +
> ++static int snprintf_Rc_name (const char *const format, ...) __attribute__((format(printf,1,2)));
> ++static int snprintf_Rc_name (const char *const format, ...) {
> ++   int len;
> ++   va_list ap;
> ++   va_start(ap, format);
> ++   len = vsnprintf(Rc_name, sizeof(Rc_name), format, ap);
> ++   va_end(ap);
> ++   if (len <= 0 || (size_t)len >= sizeof(Rc_name)) {
> ++      Rc_name[0] = '\0';
> ++      return 0;
> ++   }
> ++   return len;
> ++}
> ++
> +         /*
> +          * Try reading up to 3 rcfiles
> +          * 1. 'SYS_RCRESTRICT' contains two lines consisting of the secure
> +@@ -3842,23 +3856,31 @@ static void configs_read (void) {
> +       fclose(fp);
> +    }
> +
> ++   Rc_name[0] = '\0'; // "fopen() shall fail if pathname is an empty string."
> +    // attempt to use the legacy file first, if we cannot access that file, use
> +    // the new XDG basedir locations (XDG_CONFIG_HOME or HOME/.config) instead.
> +    p_home = getenv("HOME");
> +-   if (!p_home || p_home[0] == '\0')
> +-      p_home = ".";
> +-   snprintf(Rc_name, sizeof(Rc_name), "%s/.%src", p_home, Myname);
> ++   if (!p_home || p_home[0] != '/') {
> ++      const struct passwd *const pwd = getpwuid(getuid());
> ++      if (!pwd || !(p_home = pwd->pw_dir) || p_home[0] != '/') {
> ++         p_home = NULL;
> ++      }
> ++   }
> ++   if (p_home) {
> ++      snprintf_Rc_name("%s/.%src", p_home, Myname);
> ++   }
> +
> +    if (!(fp = fopen(Rc_name, "r"))) {
> +       p = getenv("XDG_CONFIG_HOME");
> +       // ensure the path we get is absolute, fallback otherwise.
> +       if (!p || p[0] != '/') {
> ++         if (!p_home) goto system_default;
> +          p = fmtmk("%s/.config", p_home);
> +          (void)mkdir(p, 0700);
> +       }
> +-      snprintf(Rc_name, sizeof(Rc_name), "%s/procps", p);
> ++      if (!snprintf_Rc_name("%s/procps", p)) goto system_default;
> +       (void)mkdir(Rc_name, 0700);
> +-      snprintf(Rc_name, sizeof(Rc_name), "%s/procps/%src", p, Myname);
> ++      if (!snprintf_Rc_name("%s/procps/%src", p, Myname)) goto system_default;
> +       fp = fopen(Rc_name, "r");
> +    }
> +
> +@@ -3867,6 +3889,7 @@ static void configs_read (void) {
> +       fclose(fp);
> +       if (p) goto default_or_error;
> +    } else {
> ++system_default:
> +       fp = fopen(SYS_RCDEFAULTS, "r");
> +       if (fp) {
> +          p = config_file(fp, SYS_RCDEFAULTS, &tmp_delay);
> +--
> +2.14.3
> +
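Review bot: `p_home = pwd->pw_dir` points into the static storage returned by getpwuid(), which the next getpw*() call overwrites; inside this function the only later use is the fmtmk() call for the XDG fallback, but if p_home is a file-scope variable that outlives configs_read() (not visible here) the string should be copied, e.g. `static char home_buf[PATH_MAX]; snprintf(home_buf, sizeof home_buf, "%s", pwd->pw_dir); p_home = home_buf;`. The hunk adds no `#include <pwd.h>`, so it relies on top.c already including it — confirm, as a missing prototype would make getpwuid() an implicit declaration. The reset `Rc_name[0] = '\0'` is commented at the top of the hunk, but the `system_default:` label is reached by three gotos that also leave Rc_name empty, and the commit message says write_rcfile() depends on that; a one-line comment at the label, `// Rc_name is "" here: no usable home or the path was truncated`, would keep that contract visible. As with the sibling patch, the header needs `CVE: CVE-2018-1122` and `Signed-off-by:` for cve-check, and the commit message itself notes top.1 still documents the cwd fallback, which this backport does not update. configs_read() begins and ends outside the hunks.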
> diff --git a/meta/recipes-extended/procps/procps_3.3.14.bb b/meta/recipes-extended/procps/procps_3.3.14.bb
> index 1aba511..b7b6b6b 100644
> --- a/meta/recipes-extended/procps/procps_3.3.14.bb
> +++ b/meta/recipes-extended/procps/procps_3.3.14.bb
> @@ -15,6 +15,8 @@ inherit autotools gettext pkgconfig update-alternatives
>  SRC_URI = "http://downloads.sourceforge.net/project/procps-ng/Production/procps-ng-${PV}.tar.xz \
>             file://sysctl.conf \
>             file://0001-Fix-out-of-tree-builds.patch \
> +           file://0001-top-Do-not-default-to-the-cwd-in-configs_read.patch \
> +           file://0001-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch \
>             "
>
>  SRC_URI[md5sum] = "fce371ccc1c15a67af9d85e4057e559d"
> --
> 2.7.4
>
>
>


