1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
From d61ff409cb4dda31386373d706ea0cfb1aaac5b7 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Wed, 2 May 2018 10:24:17 -0600
Subject: [PATCH] btt: make device/devno use PATH_MAX to avoid overflow
Herbo Zhang reports:
I found a bug in blktrace/btt/devmap.c. The code is just as follows:
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/tree/btt/devmap.c?id=8349ad2f2d19422a6241f94ea84d696b21de4757
struct devmap {
struct list_head head;
char device[32], devno[32]; // #1
};
LIST_HEAD(all_devmaps);
static int dev_map_add(char *line)
{
struct devmap *dmp;
if (strstr(line, "Device") != NULL)
return 1;
dmp = malloc(sizeof(struct devmap));
if (sscanf(line, "%s %s", dmp->device, dmp->devno) != 2) { //#2
free(dmp);
return 1;
}
list_add_tail(&dmp->head, &all_devmaps);
return 0;
}
int dev_map_read(char *fname)
{
char line[256]; // #3
FILE *fp = my_fopen(fname, "r");
if (!fp) {
perror(fname);
return 1;
}
while (fscanf(fp, "%255[a-zA-Z0-9 :.,/_-]\n", line) == 1) {
if (dev_map_add(line))
break;
}
fclose(fp);
return 0;
}
The line length is 256, but the dmp->device, dmp->devno max length
is only 32. We can put strings longer than 32 into dmp->device and
dmp->devno , and then they will be overflowed.
we can trigger this bug just as follows:
$ python -c "print 'A'*256" > ./test
$ btt -M ./test
*** Error in btt': free(): invalid next size (fast): 0x000055ad7349b250 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f7f158ce7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x7fe0a)[0x7f7f158d6e0a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f7f158da98c]
btt(+0x32e0)[0x55ad7306f2e0]
btt(+0x2c5f)[0x55ad7306ec5f]
btt(+0x251f)[0x55ad7306e51f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f7f15877830]
btt(+0x26b9)[0x55ad7306e6b9]
======= Memory map: ========
55ad7306c000-55ad7307f000 r-xp 00000000 08:14 3698139
/usr/bin/btt
55ad7327e000-55ad7327f000 r--p 00012000 08:14 3698139
/usr/bin/btt
55ad7327f000-55ad73280000 rw-p 00013000 08:14 3698139
/usr/bin/btt
55ad73280000-55ad73285000 rw-p 00000000 00:00 0
55ad7349a000-55ad734bb000 rw-p 00000000 00:00 0
[heap]
7f7f10000000-7f7f10021000 rw-p 00000000 00:00 0
7f7f10021000-7f7f14000000 ---p 00000000 00:00 0
7f7f15640000-7f7f15656000 r-xp 00000000 08:14 14942237
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f7f15656000-7f7f15855000 ---p 00016000 08:14 14942237
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f7f15855000-7f7f15856000 r--p 00015000 08:14 14942237
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f7f15856000-7f7f15857000 rw-p 00016000 08:14 14942237
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f7f15857000-7f7f15a16000 r-xp 00000000 08:14 14948477
/lib/x86_64-linux-gnu/libc-2.23.so
7f7f15a16000-7f7f15c16000 ---p 001bf000 08:14 14948477
/lib/x86_64-linux-gnu/libc-2.23.so
7f7f15c16000-7f7f15c1a000 r--p 001bf000 08:14 14948477
/lib/x86_64-linux-gnu/libc-2.23.so
7f7f15c1a000-7f7f15c1c000 rw-p 001c3000 08:14 14948477
/lib/x86_64-linux-gnu/libc-2.23.so
7f7f15c1c000-7f7f15c20000 rw-p 00000000 00:00 0
7f7f15c20000-7f7f15c46000 r-xp 00000000 08:14 14948478
/lib/x86_64-linux-gnu/ld-2.23.so
7f7f15e16000-7f7f15e19000 rw-p 00000000 00:00 0
7f7f15e42000-7f7f15e45000 rw-p 00000000 00:00 0
7f7f15e45000-7f7f15e46000 r--p 00025000 08:14 14948478
/lib/x86_64-linux-gnu/ld-2.23.so
7f7f15e46000-7f7f15e47000 rw-p 00026000 08:14 14948478
/lib/x86_64-linux-gnu/ld-2.23.so
7f7f15e47000-7f7f15e48000 rw-p 00000000 00:00 0
7ffdebe5c000-7ffdebe7d000 rw-p 00000000 00:00 0
[stack]
7ffdebebc000-7ffdebebe000 r--p 00000000 00:00 0
[vvar]
7ffdebebe000-7ffdebec0000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
[1] 6272 abort btt -M test
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Upstream-Status: Backport
[https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7]
CVE: CVE-2018-10689
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
btt/devmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/btt/devmap.c b/btt/devmap.c
index 0553a9e..5fc1cb2 100644
--- a/btt/devmap.c
+++ b/btt/devmap.c
@@ -23,7 +23,7 @@
struct devmap {
struct list_head head;
- char device[32], devno[32];
+ char device[PATH_MAX], devno[PATH_MAX];
};
LIST_HEAD(all_devmaps);
--
2.7.4
|
