packages/boost
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

filesystem: backport upstream security patches

Browse Source
This commit is contained in:
Liu Zixian 2022-03-20 01:09:00 +08:00
parent 882b9eaa42
commit 70c2a6f02c
3 changed files with 363 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

330
boost-1.78-filesystem-Added-protection-for-CVE-2022-21658.patch Normal file
View File

@ -0,0 +1,330 @@
From 41d076ace558cfae01e233f9746dc955dcf78dba Mon Sep 17 00:00:00 2001
From: Andrey Semashev <andrey.semashev@gmail.com>
Date: Sun, 30 Jan 2022 23:41:06 +0300
Subject: [PATCH] Added protection for CVE-2022-21658 in remove_all on POSIX
systems.
Another process could replace the directory being processed by remove_all
with a symlink after remove_all called symlink_status but before
it creates a directory iterator. As a result, remove_all would remove
the linked directory contents instead of removing the symlink.
On POSIX systems that support fdopendir and O_NOFOLLOW flag for open(2),
this can be prevented by opening the directory with O_NOFOLLOW before
iterating. This will fail if the directory was replaced with a symlink.
No protection on other systems.
Reported in https://github.com/boostorg/filesystem/issues/224.
---
libs/filesystem/CMakeLists.txt | 4 ++
libs/filesystem/build/Jamfile.v2 | 1 +
libs/filesystem/config/Jamfile.v2 | 2 +
libs/filesystem/config/has_fdopendir_nofollow.cpp | 20 ++++++
boost/filesystem/directory.hpp | 3 +-
libs/filesystem/src/directory.cpp | 53 ++++++++++++++--
libs/filesystem/src/operations.cpp | 86 ++++++++++++++++----------
7 files changed, 131 insertions(+), 38 deletions(-)
create mode 100644 config/has_fdopendir_nofollow.cpp
diff --git a/libs/filesystem/CMakeLists.txt b/libs/filesystem/CMakeLists.txt
index 5a8678309..37ef7e161 100644
--- a/libs/filesystem/CMakeLists.txt
+++ b/libs/filesystem/CMakeLists.txt
@@ -59,6 +59,7 @@ if(NOT BOOST_FILESYSTEM_DISABLE_STATX)
check_cxx_source_compiles("#include <${CMAKE_CURRENT_SOURCE_DIR}/config/has_statx_syscall.cpp>" BOOST_FILESYSTEM_HAS_STATX_SYSCALL)
endif()
endif()
+check_cxx_source_compiles("#include <${CMAKE_CURRENT_SOURCE_DIR}/config/has_fdopendir_nofollow.cpp>" BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
if(WIN32 AND NOT BOOST_FILESYSTEM_DISABLE_BCRYPT)
set(CMAKE_REQUIRED_LIBRARIES bcrypt)
check_cxx_source_compiles("#include <${CMAKE_CURRENT_SOURCE_DIR}/config/has_bcrypt.cpp>" BOOST_FILESYSTEM_HAS_BCRYPT)
@@ -170,6 +171,9 @@ endif()
if(BOOST_FILESYSTEM_HAS_STATX_SYSCALL)
target_compile_definitions(boost_filesystem PRIVATE BOOST_FILESYSTEM_HAS_STATX_SYSCALL)
endif()
+if(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+ target_compile_definitions(boost_filesystem PRIVATE BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+endif()
target_link_libraries(boost_filesystem
PUBLIC
diff --git a/libs/filesystem/build/Jamfile.v2 b/libs/filesystem/build/Jamfile.v2
index 6ab58ddb8..02e3b8971 100644
--- a/libs/filesystem/build/Jamfile.v2
+++ b/libs/filesystem/build/Jamfile.v2
@@ -112,6 +112,7 @@ project boost/filesystem
[ check-target-builds ../config//has_stat_st_birthtim "has stat::st_birthtim" : <define>BOOST_FILESYSTEM_HAS_STAT_ST_BIRTHTIM ]
[ check-target-builds ../config//has_stat_st_birthtimensec "has stat::st_birthtimensec" : <define>BOOST_FILESYSTEM_HAS_STAT_ST_BIRTHTIMENSEC ]
[ check-target-builds ../config//has_stat_st_birthtimespec "has stat::st_birthtimespec" : <define>BOOST_FILESYSTEM_HAS_STAT_ST_BIRTHTIMESPEC ]
+ [ check-target-builds ../config//has_fdopendir_nofollow "has fdopendir(O_NOFOLLOW)" : <define>BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW ]
<conditional>@check-statx
<conditional>@select-windows-crypto-api
<conditional>@check-cxx20-atomic-ref
diff --git a/libs/filesystem/config/Jamfile.v2 b/libs/filesystem/config/Jamfile.v2
index 2e9ee4bd6..5ea7dc6c7 100644
--- a/libs/filesystem/config/Jamfile.v2
+++ b/libs/filesystem/config/Jamfile.v2
@@ -27,6 +27,8 @@ obj has_stat_st_birthtimensec : has_stat_st_birthtimensec.cpp : <include>../src
explicit has_stat_st_birthtimensec ;
obj has_stat_st_birthtimespec : has_stat_st_birthtimespec.cpp : <include>../src ;
explicit has_stat_st_birthtimespec ;
+obj has_fdopendir_nofollow : has_fdopendir_nofollow.cpp : <include>../src ;
+explicit has_fdopendir_nofollow ;
lib bcrypt ;
explicit bcrypt ;
diff --git a/libs/filesystem/config/has_fdopendir_nofollow.cpp b/libs/filesystem/config/has_fdopendir_nofollow.cpp
new file mode 100644
index 000000000..009a73084
--- /dev/null
+++ b/libs/filesystem/config/has_fdopendir_nofollow.cpp
@@ -0,0 +1,20 @@
+// Copyright 2022 Andrey Semashev
+
+// Distributed under the Boost Software License, Version 1.0.
+// See http://www.boost.org/LICENSE_1_0.txt
+
+// See library home page at http://www.boost.org/libs/filesystem
+
+#include "platform_config.hpp"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <fcntl.h>
+
+int main()
+{
+ int fd = open(".", O_DIRECTORY | O_RDONLY | O_NOFOLLOW);
+ DIR* dir = fdopendir(fd);
+ return dir != 0;
+}
diff --git a/boost/filesystem/directory.hpp b/boost/filesystem/directory.hpp
index f487633fc..fa1e69be5 100644
--- a/boost/filesystem/directory.hpp
+++ b/boost/filesystem/directory.hpp
@@ -247,7 +247,8 @@ BOOST_SCOPED_ENUM_UT_DECLARE_BEGIN(directory_options, unsigned int)
skip_dangling_symlinks = 1u << 2, // non-standard extension for recursive_directory_iterator: don't follow dangling directory symlinks,
pop_on_error = 1u << 3, // non-standard extension for recursive_directory_iterator: instead of producing an end iterator on errors,
// repeatedly invoke pop() until it succeeds or the iterator becomes equal to end iterator
- _detail_no_push = 1u << 4 // internal use only
+ _detail_no_follow = 1u << 4, // internal use only
+ _detail_no_push = 1u << 5 // internal use only
}
BOOST_SCOPED_ENUM_DECLARE_END(directory_options)
diff --git a/libs/filesystem/src/directory.cpp b/libs/filesystem/src/directory.cpp
index 554277580..8b41ae5e1 100644
--- a/libs/filesystem/src/directory.cpp
+++ b/libs/filesystem/src/directory.cpp
@@ -2,7 +2,7 @@
// Copyright 2002-2009, 2014 Beman Dawes
// Copyright 2001 Dietmar Kuehl
-// Copyright 2019 Andrey Semashev
+// Copyright 2019, 2022 Andrey Semashev
// Distributed under the Boost Software License, Version 1.0.
// See http://www.boost.org/LICENSE_1_0.txt
@@ -33,6 +33,8 @@
#ifdef BOOST_POSIX_API
+#include <sys/types.h>
+#include <sys/stat.h>
#include <dirent.h>
#include <unistd.h>
#include <fcntl.h>
@@ -47,6 +49,14 @@
#define BOOST_FILESYSTEM_USE_READDIR_R
#endif
+// At least Mac OS X 10.6 and older doesn't support O_CLOEXEC
+#ifndef O_CLOEXEC
+#define O_CLOEXEC 0
+#define BOOST_FILESYSTEM_NO_O_CLOEXEC
+#endif
+
+#include "posix_tools.hpp"
+
#else // BOOST_WINDOWS_API
#include <cwchar>
@@ -206,13 +216,46 @@ inline std::size_t path_max()
#endif // BOOST_FILESYSTEM_USE_READDIR_R
-error_code dir_itr_first(void*& handle, void*& buffer, const char* dir, std::string& target, fs::file_status&, fs::file_status&)
+error_code dir_itr_first(void*& handle, void*& buffer, const char* dir, std::string& target, unsigned int opts, fs::file_status&, fs::file_status&)
{
- if ((handle = ::opendir(dir)) == 0)
+#if defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+ int flags = O_DIRECTORY | O_RDONLY | O_NDELAY | O_CLOEXEC;
+ if ((opts & static_cast< unsigned int >(directory_options::_detail_no_follow)) != 0u)
+ flags |= O_NOFOLLOW;
+
+ int fd = ::open(dir, flags);
+ if (BOOST_UNLIKELY(fd < 0))
+ {
+ const int err = errno;
+ return error_code(err, system_category());
+ }
+
+#if defined(BOOST_FILESYSTEM_NO_O_CLOEXEC) && defined(FD_CLOEXEC)
+ int res = ::fcntl(fd, F_SETFD, FD_CLOEXEC);
+ if (BOOST_UNLIKELY(res < 0))
+ {
+ const int err = errno;
+ close_fd(fd);
+ return error_code(err, system_category());
+ }
+#endif
+
+ handle = ::fdopendir(fd);
+ if (BOOST_UNLIKELY(!handle))
{
const int err = errno;
+ close_fd(fd);
return error_code(err, system_category());
}
+#else // defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+ handle = ::opendir(dir);
+ if (BOOST_UNLIKELY(!handle))
+ {
+ const int err = errno;
+ return error_code(err, system_category());
+ }
+#endif // defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+
target.assign("."); // string was static but caused trouble
// when iteration called from dtor, after
// static had already been destroyed
@@ -342,7 +385,7 @@ error_code dir_itr_increment(void*& handle, void*& buffer, std::string& target,
#else // BOOST_WINDOWS_API
-error_code dir_itr_first(void*& handle, fs::path const& dir, std::wstring& target, fs::file_status& sf, fs::file_status& symlink_sf)
+error_code dir_itr_first(void*& handle, fs::path const& dir, std::wstring& target, unsigned int opts, fs::file_status& sf, fs::file_status& symlink_sf)
// Note: an empty root directory has no "." or ".." entries, so this
// causes a ERROR_FILE_NOT_FOUND error which we do not considered an
// error. It is treated as eof instead.
@@ -512,7 +555,7 @@ void directory_iterator_construct(directory_iterator& it, path const& p, unsigne
#if defined(BOOST_POSIX_API)
imp->buffer,
#endif
- p.c_str(), filename, file_stat, symlink_file_stat);
+ p.c_str(), filename, opts, file_stat, symlink_file_stat);
if (result)
{
diff --git a/libs/filesystem/src/operations.cpp b/libs/filesystem/src/operations.cpp
index e14b598b7..bf42105b9 100644
--- a/libs/filesystem/src/operations.cpp
+++ b/libs/filesystem/src/operations.cpp
@@ -945,51 +945,73 @@ inline bool remove_impl(path const& p, error_code* ec)
//! remove_all() implementation
uintmax_t remove_all_impl(path const& p, error_code* ec)
{
- fs::file_type type;
+ for (unsigned int attempt = 0u; attempt < 5u; ++attempt)
{
- error_code local_ec;
- type = fs::detail::symlink_status(p, &local_ec).type();
+ fs::file_type type;
+ {
+ error_code local_ec;
+ type = fs::detail::symlink_status(p, &local_ec).type();
- if (type == fs::file_not_found)
- return 0u;
+ if (type == fs::file_not_found)
+ return 0u;
- if (BOOST_UNLIKELY(type == fs::status_error))
- {
- if (!ec)
- BOOST_FILESYSTEM_THROW(filesystem_error("boost::filesystem::remove_all", p, local_ec));
+ if (BOOST_UNLIKELY(type == fs::status_error))
+ {
+ if (!ec)
+ BOOST_FILESYSTEM_THROW(filesystem_error("boost::filesystem::remove_all", p, local_ec));
- *ec = local_ec;
- return static_cast< uintmax_t >(-1);
+ *ec = local_ec;
+ return static_cast< uintmax_t >(-1);
+ }
}
- }
- uintmax_t count = 0u;
+ uintmax_t count = 0u;
- if (type == fs::directory_file) // but not a directory symlink
- {
- fs::directory_iterator itr;
- fs::detail::directory_iterator_construct(itr, p, static_cast< unsigned int >(directory_options::none), ec);
- if (ec && *ec)
- return static_cast< uintmax_t >(-1);
-
- const fs::directory_iterator end_dit;
- while (itr != end_dit)
+ if (type == fs::directory_file) // but not a directory symlink
{
- count += fs::detail::remove_all_impl(itr->path(), ec);
- if (ec && *ec)
- return static_cast< uintmax_t >(-1);
+ fs::directory_iterator itr;
+ error_code local_ec;
+ fs::detail::directory_iterator_construct(itr, p, static_cast< unsigned int >(directory_options::_detail_no_follow), &local_ec);
+ if (BOOST_UNLIKELY(!!local_ec))
+ {
+#if defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
+ // If open(2) with O_NOFOLLOW fails with ELOOP, this means that either the path contains a loop
+ // of symbolic links, or the last element of the path is a symbolic link. Given that lstat(2) above
+ // did not fail, most likely it is the latter case. I.e. between the lstat above and this open call
+ // the filesystem was modified so that the path no longer refers to a directory file (as opposed to a symlink).
+ if (local_ec == error_code(ELOOP, system_category()))
+ continue;
+#endif // defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
- fs::detail::directory_iterator_increment(itr, ec);
- if (ec && *ec)
+ if (!ec)
+ BOOST_FILESYSTEM_THROW(filesystem_error("boost::filesystem::remove_all", p, local_ec));
+
+ *ec = local_ec;
return static_cast< uintmax_t >(-1);
+ }
+
+ const fs::directory_iterator end_dit;
+ while (itr != end_dit)
+ {
+ count += fs::detail::remove_all_impl(itr->path(), ec);
+ if (ec && *ec)
+ return static_cast< uintmax_t >(-1);
+
+ fs::detail::directory_iterator_increment(itr, ec);
+ if (ec && *ec)
+ return static_cast< uintmax_t >(-1);
+ }
}
- }
- count += fs::detail::remove_impl(p, type, ec);
- if (ec && *ec)
- return static_cast< uintmax_t >(-1);
+ count += fs::detail::remove_impl(p, type, ec);
+ if (ec && *ec)
+ return static_cast< uintmax_t >(-1);
- return count;
+ return count;
+ }
+
+ emit_error(ELOOP, p, ec, "boost::filesystem::remove_all: path cannot be opened as a directory");
+ return static_cast< uintmax_t >(-1);
}
#else // defined(BOOST_POSIX_API)

23
boost-1.78-filesystem-Use-O_NONBLOCK-instead-of-O_NDELAY.patch Normal file
View File

@ -0,0 +1,23 @@
From dbec3baaadf7d899e66aa90843d285e749e88b2d Mon Sep 17 00:00:00 2001
From: Andrey Semashev <andrey.semashev@gmail.com>
Date: Thu, 3 Feb 2022 20:58:42 +0300
Subject: [PATCH] Use O_NONBLOCK instead of O_NDELAY as it is the flag defined
by POSIX.
---
libs/filesystem/src/directory.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libs/filesystem/src/directory.cpp b/libs/filesystem/src/directory.cpp
index 8b41ae5e1..dd2f9413b 100644
--- a/libs/filesystem/src/directory.cpp
+++ b/libs/filesystem/src/directory.cpp
@@ -219,7 +219,7 @@ inline std::size_t path_max()
error_code dir_itr_first(void*& handle, void*& buffer, const char* dir, std::string& target, unsigned int opts, fs::file_status&, fs::file_status&)
{
#if defined(BOOST_FILESYSTEM_HAS_FDOPENDIR_NOFOLLOW)
- int flags = O_DIRECTORY | O_RDONLY | O_NDELAY | O_CLOEXEC;
+ int flags = O_DIRECTORY | O_RDONLY | O_NONBLOCK | O_CLOEXEC;
if ((opts & static_cast< unsigned int >(directory_options::_detail_no_follow)) != 0u)
flags |= O_NOFOLLOW;

13
boost.spec
View File

@ -2,7 +2,7 @@
Name: boost Name: boost
Version: 1.78.0 Version: 1.78.0
Release: 11 Release: 12
Summary: The free peer-reviewed portable C++ source libraries Summary: The free peer-reviewed portable C++ source libraries
License: Boost Software License 1.0 License: Boost Software License 1.0
URL: http://www.boost.org URL: http://www.boost.org
@ -20,9 +20,13 @@ Patch2: boost-1.77-locale-remove-linking-with-boost-system.patch
Patch3: boost-1.77-type_erasure-remove-boost-system-linkage.patch Patch3: boost-1.77-type_erasure-remove-boost-system-linkage.patch
# https://github.com/bfgroup/b2/pull/113 # https://github.com/bfgroup/b2/pull/113
Patch4: boost-1.78-build-Don-t-skip-install-targets-if-there-s-build-no-in-ureqs.patch Patch4: boost-1.78-build-Don-t-skip-install-targets-if-there-s-build-no-in-ureqs.patch
# https://github.com/boostorg/filesystem/commit/41d076ace558cfae01e233f9746dc955dcf78dba
Patch5: boost-1.78-filesystem-Added-protection-for-CVE-2022-21658.patch
# https://github.com/boostorg/filesystem/commit/dbec3baaadf7d899e66aa90843d285e749e88b2d
Patch6: boost-1.78-filesystem-Use-O_NONBLOCK-instead-of-O_NDELAY.patch
# These patches have not been merged yet. # These patches have not been merged yet.
# https://github.com/boostorg/python/pull/320 # https://github.com/boostorg/python/pull/373
Patch5: boost-1.78-python-Update-call_method-hpp.patch Patch9000: boost-1.78-python-Update-call_method-hpp.patch
Requires: %{name}-atomic%{?_isa} = %{version}-%{release} Requires: %{name}-atomic%{?_isa} = %{version}-%{release}
Requires: %{name}-chrono%{?_isa} = %{version}-%{release} Requires: %{name}-chrono%{?_isa} = %{version}-%{release}
@ -438,6 +442,9 @@ find libs -name example -exec cp {} boost-example --parents -r \;
%{_libdir}/*.a %{_libdir}/*.a
%changelog %changelog
* Sun Mar 20 2022 Liu Zixian <liuzixian4@huawei.com> - 1.78.0-12
- backport upstream filesystem patches to fix a possible security issue
* Wed Mar 02 2022 Liu Zixian <liuzixian4@huawei.com> - 1.78.0-11 * Wed Mar 02 2022 Liu Zixian <liuzixian4@huawei.com> - 1.78.0-11
- fix boost-example, only libs/*/example should go into boost-example. - fix boost-example, only libs/*/example should go into boost-example.