• Kees Cook's avatar
    gen_init_cpio: avoid stack overflow when expanding · 20f1de65
    Kees Cook authored
    Fix possible overflow of the buffer used for expanding environment
    variables when building file list.
    
    In the extremely unlikely case of an attacker having control over the
    environment variables visible to gen_init_cpio, control over the
    contents of the file gen_init_cpio parses, and gen_init_cpio was built
    without compiler hardening, the attacker can gain arbitrary execution
    control via a stack buffer overflow.
    
      $ cat usr/crash.list
      file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
      $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
      *** buffer overflow detected ***: ./usr/gen_init_cpio terminated
    
    This also replaces the space-indenting with tabs.
    
    Patch based on existing fix extracted from grsecurity.
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Michal Marek <mmarek@suse.cz>
    Cc: Brad Spengler <spender@grsecurity.net>
    Cc: PaX Team <pageexec@freemail.hu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    20f1de65
gen_init_cpio.c 13 KB