Commit 20f1de65 authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds

gen_init_cpio: avoid stack overflow when expanding

Fix possible overflow of the buffer used for expanding environment
variables when building file list.

In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.

  $ cat usr/crash.list
  file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
  $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
  *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

This also replaces the space-indenting with tabs.

Patch based on existing fix extracted from grsecurity.
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent fee0de77
...@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location, ...@@ -303,7 +303,7 @@ static int cpio_mkfile(const char *name, const char *location,
int retval; int retval;
int rc = -1; int rc = -1;
int namesize; int namesize;
int i; unsigned int i;
mode |= S_IFREG; mode |= S_IFREG;
...@@ -392,9 +392,12 @@ static char *cpio_replace_env(char *new_location) ...@@ -392,9 +392,12 @@ static char *cpio_replace_env(char *new_location)
*env_var = *expanded = '\0'; *env_var = *expanded = '\0';
strncat(env_var, start + 2, end - start - 2); strncat(env_var, start + 2, end - start - 2);
strncat(expanded, new_location, start - new_location); strncat(expanded, new_location, start - new_location);
strncat(expanded, getenv(env_var), PATH_MAX); strncat(expanded, getenv(env_var),
strncat(expanded, end + 1, PATH_MAX); PATH_MAX - strlen(expanded));
strncat(expanded, end + 1,
PATH_MAX - strlen(expanded));
strncpy(new_location, expanded, PATH_MAX); strncpy(new_location, expanded, PATH_MAX);
new_location[PATH_MAX] = 0;
} else } else
break; break;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment