fix lsblk endless loop and libblkid buffer overflow

(cherry picked from commit 85d0c094d25bc5ea60c755351c0d2f07b902f933)
z30031144 2022-11-14 15:41:27 +08:00 committed by openeuler-sync-bot
parent 2e46c204fa
commit 21b86fe6bf
3 changed files with 91 additions and 1 deletions


@ -0,0 +1,39 @@
From d7fa8ed63891b0058c5df8aa809e34de61008f51 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Sun, 9 Oct 2022 20:20:45 +0200
Subject: [PATCH] libblkid: avoid buffer overflow in ocfs superblock parsing
Label and mount values are checked only according to on-disk
values and not checked against the real structure size.
This can lead to reading of memory outside of superblock
struct and subsequent crash.
Reproducer found with OSS-Fuzz (issue 52270) running over
cryptsetup project (blkid is used in header init).
Signed-off-by: Milan Broz <gmazyland@gmail.com>
---
libblkid/src/superblocks/ocfs.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libblkid/src/superblocks/ocfs.c b/libblkid/src/superblocks/ocfs.c
index 28df6ddfa4..e213d66b44 100644
--- a/libblkid/src/superblocks/ocfs.c
+++ b/libblkid/src/superblocks/ocfs.c
@@ -129,10 +129,12 @@ static int probe_ocfs(blkid_probe pr, const struct blkid_idmag *mag)
blkid_probe_set_value(pr, "SEC_TYPE",
(unsigned char *) "ntocfs", sizeof("ntocfs"));
- blkid_probe_set_label(pr, (unsigned char *) ovl.label,
- ocfslabellen(ovl));
- blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
- ocfsmountlen(ovh));
+ if (ocfslabellen(ovl) < sizeof(ovl.label))
+ blkid_probe_set_label(pr, (unsigned char *) ovl.label,
+ ocfslabellen(ovl));
+ if (ocfsmountlen(ovh) < sizeof(ovh.mount))
+ blkid_probe_set_value(pr, "MOUNT", (unsigned char *) ovh.mount,
+ ocfsmountlen(ovh));
blkid_probe_set_uuid(pr, ovl.vol_id);
blkid_probe_sprintf_version(pr, "%u.%u", maj, min);
return 0;
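Review bot: When `ocfslabellen(ovl)` or `ocfsmountlen(ovh)` is out of range, the new checks in probe_ocfs() skip LABEL or MOUNT without any trace and the function still reaches `return 0`, so a superblock with inconsistent on-disk lengths appears to be reported as ocfs with only that field missing. If this is the intended handling, a comment above the two checks would record it, for example `/* lengths come from disk; skip values larger than the on-disk field */`. The comparison is a strict `<`, so a value that exactly fills the field is skipped as well; it is worth confirming that this is deliberate and not an off-by-one. probe_ocfs() begins outside the hunk, so the definitions of the length macros and of the two structs are not visible here.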


@ -0,0 +1,41 @@
From 9eb31ca7f7971101846bd3668be5d7807200fa2f Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 19 Sep 2022 14:23:25 +0200
Subject: [PATCH] lsblk: fix endless loop if device specified more than once
Fixes: https://github.com/util-linux/util-linux/issues/1814
Signed-off-by: Karel Zak <kzak@redhat.com>
---
misc-utils/lsblk-devtree.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/misc-utils/lsblk-devtree.c b/misc-utils/lsblk-devtree.c
index ce9d3e84f7..6f9dc54b3c 100644
--- a/misc-utils/lsblk-devtree.c
+++ b/misc-utils/lsblk-devtree.c
@@ -282,8 +282,25 @@ void lsblk_unref_devtree(struct lsblk_devtree *tr)
}
}
+static int has_root(struct lsblk_devtree *tr, struct lsblk_device *dev)
+{
+ struct lsblk_iter itr;
+ struct lsblk_device *x = NULL;
+
+ lsblk_reset_iter(&itr, LSBLK_ITER_FORWARD);
+
+ while (lsblk_devtree_next_root(tr, &itr, &x) == 0) {
+ if (x == dev)
+ return 1;
+ }
+ return 0;
+}
+
int lsblk_devtree_add_root(struct lsblk_devtree *tr, struct lsblk_device *dev)
{
+ if (has_root(tr, dev))
+ return 0;
+
if (!lsblk_devtree_has_device(tr, dev))
lsblk_devtree_add_device(tr, dev);
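Review bot: Neither has_root() nor the new early return at the top of lsblk_devtree_add_root() has a comment saying why a duplicate root must be rejected; only the patch subject mentions the endless loop when a device is specified more than once. I would add a comment above the check, such as `/* the same device may be requested more than once; adding it to the roots twice leads to an endless loop */`. Returning 0 for a duplicate makes the call indistinguishable from a fresh add, which looks intended but could be stated in the same comment. The body of lsblk_devtree_add_root() continues outside the hunk, so how the root is linked in is not visible here.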


@ -3,7 +3,7 @@
Name: util-linux Name: util-linux
Version: 2.37.2 Version: 2.37.2
Release: 11 Release: 12
Summary: A random collection of Linux utilities Summary: A random collection of Linux utilities
License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain License: GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git URL: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@ -51,6 +51,8 @@ Patch6029: backport-libblkid-mac-make-sure-block-size-is-large-enough-fuzzi
Patch6030: backport-libblkid-bsd-fix-buffer-pointer-use-fuzzing.patch Patch6030: backport-libblkid-bsd-fix-buffer-pointer-use-fuzzing.patch
Patch6031: backport-libblkid-hfs-fix-label-use-fuzzing.patch Patch6031: backport-libblkid-hfs-fix-label-use-fuzzing.patch
Patch6032: backport-Maybe-there-is-a-little-mistake-in-do_taskset-functi.patch Patch6032: backport-Maybe-there-is-a-little-mistake-in-do_taskset-functi.patch
Patch6033: backport-lsblk-fix-endless-loop-if-device-specified-more-than-once.patch
Patch6034: backport-libblkid-avoid-buffer-overflow-in-ocfs-superblock-parsing.patch
Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch
Patch9001: SKIPPED-no-root-permissions-test.patch Patch9001: SKIPPED-no-root-permissions-test.patch
@ -422,6 +424,14 @@ fi
%{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*} %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*}
%changelog %changelog
* Mon Nov 14 2022 zhangyao<zhangyao108@hhuawei.com> - 2.37.2-12
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Sync community patches
[add]backport-lsblk-fix-endless-loop-if-device-specified-more-than-once.patch
backport-libblkid-avoid-buffer-overflow-in-ocfs-superblock-parsing.patch
* Tue Nov 8 2022 zhangyao<zhangyao108@hhuawei.com> - 2.37.2-11 * Tue Nov 8 2022 zhangyao<zhangyao108@hhuawei.com> - 2.37.2-11
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA