Fix heap-buffer-overflow in fdisk_partname

2021-03-01 19:22:11 +08:00 · 2021-03-01 19:22:11 +08:00 · eec4386b14
commit eec4386b14
parent e059a336a6
3 changed files with 97 additions and 1 deletions
--- a/backport-libfdisk-make-fdisk_partname-more-robust.patch
+++ b/backport-libfdisk-make-fdisk_partname-more-robust.patch
@ -0,0 +1,22 @@
+From 9f03ad60e58f7bdcac6a1046471a3374550ee384 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 13 Aug 2020 10:12:01 +0200
+Subject: [PATCH] libfdisk: make fdisk_partname() more robust
+
+---
+ libfdisk/src/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libfdisk/src/utils.c b/libfdisk/src/utils.c
+index 6056e7f1f..38ad23393 100644
+--- a/libfdisk/src/utils.c
+++ b/libfdisk/src/utils.c
+@@ -142,7 +142,7 @@ char *fdisk_partname(const char *dev, size_t partno)
+ 
+ 	/* devfs kludge - note: fdisk partition names are not supposed
+ 	   to equal kernel names, so there is no reason to do this */
+-	if (strcmp(dev + w - 4, "disc") == 0) {
+	if (endswith(dev, "disc")) {
+ 		w -= 4;
+ 		p = "part";
+ 	}
--- a/backport-libmount-fix-tab-parser-for-badly-terminated-lines.patch
+++ b/backport-libmount-fix-tab-parser-for-badly-terminated-lines.patch
@ -0,0 +1,66 @@
+From 72f783d0ea5297e3fab22a93574aa63f421c5f69 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Mon, 17 Aug 2020 16:33:59 +0200
+Subject: [PATCH] libmount: fix tab parser for badly terminated lines
+
+Signed-off-by: Karel Zak <kzak@redhat.com>
+---
+ libmount/src/tab_parse.c | 26 +++++++++++---------------
+ 1 file changed, 11 insertions(+), 15 deletions(-)
+
+diff --git a/libmount/src/tab_parse.c b/libmount/src/tab_parse.c
+index fa2d31b81..329987bcb 100644
+--- a/libmount/src/tab_parse.c
+++ b/libmount/src/tab_parse.c
+@@ -481,7 +481,7 @@ static int is_terminated_by_blank(const char *str)
+ 	if (p == str)
+ 		return 1;		/* only '\n' */
+ 	p--;
+-	while (p >= str && (*p == ' ' || *p == '\t'))
+	while (p > str && (*p == ' ' || *p == '\t'))
+ 		p--;
+ 	return *p == '\n' ? 1 : 0;
+ }
+@@ -553,22 +553,16 @@ static int mnt_table_parse_next(struct libmnt_parser *pa,
+ 		pa->line++;
+ 		s = strchr(pa->buf, '\n');
+ 		if (!s) {
+			DBG(TAB, ul_debugobj(tb, "%s:%zu: no final newline",
+						pa->filename, pa->line));
+
+ 			/* Missing final newline?  Otherwise an extremely */
+ 			/* long line - assume file was corrupted */
+-			if (feof(pa->f)) {
+-				DBG(TAB, ul_debugobj(tb,
+-					"%s: no final newline",	pa->filename));
+-				s = strchr(pa->buf, '\0');
+-			} else {
+-				DBG(TAB, ul_debugobj(tb,
+-					"%s:%zu: missing newline at line",
+-					pa->filename, pa->line));
+-				goto err;
+-			}
+-		}
+			if (feof(pa->f))
+				s = memchr(pa->buf, '\0', pa->bufsiz);
+ 
+ 		/* comments parser */
+-		if (tb->comms
+		} else if (tb->comms
+ 		    && (tb->fmt == MNT_FMT_GUESS || tb->fmt == MNT_FMT_FSTAB)
+ 		    && is_comment_line(pa->buf)) {
+ 			do {
+@@ -584,9 +578,11 @@ static int mnt_table_parse_next(struct libmnt_parser *pa,
+ 
+ 		}
+ 
+		if (!s)
+			goto err;
+ 		*s = '\0';
+-		if (--s >= pa->buf && *s == '\r')
+-			*s = '\0';
+		if (s > pa->buf && *(s - 1)  == '\r')
+			*(--s) = '\0';
+ 		s = (char *) skip_blank(pa->buf);
+ 	} while (*s == '\0' || *s == '#');
+ 
--- a/util-linux.spec
+++ b/util-linux.spec
@ -3,7 +3,7 @@

 Name:           util-linux
 Version:        2.36.1
-Release:        1
+Release:        2
 Summary:        A random collection of Linux utilities
 License:        GPLv2 and GPLv2+ and LGPLv2+ and BSD with advertising and Public Domain
 URL:            https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
@ -37,6 +37,8 @@ Obsoletes:      eject <= 2.1.5 rfkill <= 0.5 util-linux-ng < 2.19 hardlink <= 1:

 Patch0:         2.36-login-lastlog-create.patch
 Patch1:         Do-not-excute-Utmp-testcases.patch
+Patch2:         backport-libfdisk-make-fdisk_partname-more-robust.patch
+Patch3:         backport-libmount-fix-tab-parser-for-badly-terminated-lines.patch

 Patch9000:	Add-check-to-resolve-uname26-version-test-failed.patch

@ -386,6 +388,12 @@ fi
 %{_mandir}/man8/{swapoff.8*,swapon.8*,switch_root.8*,umount.8*,wdctl.8.gz,wipefs.8*,zramctl.8*}

 %changelog
+* Mon Mar 1 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.36.1-2
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix heap-buffer-overflow in fdisk_partname
+
 * Tue Jan 26 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 2.36.1-1
 - Type:enhancement
 - ID:NA