Skip to content

Commit

Permalink
gen_init_cpio: avoid stack overflow when expanding
Browse files Browse the repository at this point in the history
Fix possible overflow of the buffer used for expanding environment
variables when building file list.

In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.

  $ cat usr/crash.list
  file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
  $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
  *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

This also replaces the space-indenting with tabs.

Patch based on existing fix extracted from grsecurity.

Signed-off-by: Kees Cook <[email protected]>
Cc: Michal Marek <[email protected]>
Cc: Brad Spengler <[email protected]>
Cc: PaX Team <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
kees authored and torvalds committed Oct 25, 2012
1 parent fee0de7 commit 20f1de6
Showing 1 changed file with 23 additions and 20 deletions.
43 changes: 23 additions & 20 deletions usr/gen_init_cpio.c
Original file line number Diff line number Diff line change
Expand Up @@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
int retval;
int rc = -1;
int namesize;
int i;
unsigned int i;

mode |= S_IFREG;

Expand Down Expand Up @@ -381,25 +381,28 @@ static int cpio_mkfile(const char *name, const char *location,

static char *cpio_replace_env(char *new_location)
{
char expanded[PATH_MAX + 1];
char env_var[PATH_MAX + 1];
char *start;
char *end;

for (start = NULL; (start = strstr(new_location, "${")); ) {
end = strchr(start, '}');
if (start < end) {
*env_var = *expanded = '\0';
strncat(env_var, start + 2, end - start - 2);
strncat(expanded, new_location, start - new_location);
strncat(expanded, getenv(env_var), PATH_MAX);
strncat(expanded, end + 1, PATH_MAX);
strncpy(new_location, expanded, PATH_MAX);
} else
break;
}

return new_location;
char expanded[PATH_MAX + 1];
char env_var[PATH_MAX + 1];
char *start;
char *end;

for (start = NULL; (start = strstr(new_location, "${")); ) {
end = strchr(start, '}');
if (start < end) {
*env_var = *expanded = '\0';
strncat(env_var, start + 2, end - start - 2);
strncat(expanded, new_location, start - new_location);
strncat(expanded, getenv(env_var),
PATH_MAX - strlen(expanded));
strncat(expanded, end + 1,
PATH_MAX - strlen(expanded));
strncpy(new_location, expanded, PATH_MAX);
new_location[PATH_MAX] = 0;
} else
break;
}

return new_location;
}


Expand Down

0 comments on commit 20f1de6

Please sign in to comment.