summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-09-19 21:51:14 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 23:21:43 +0100
commitc9c85df86cd2270b144fa824ef76adedd3636c8a (patch)
treecf10ba94aec0fd2a2f6544b8d328c99a1647e49a
parent2f3f09dfbff21fb74e50e4e3ce90c252d32ebf61 (diff)
downloadopenembedded-core-c9c85df86cd2270b144fa824ef76adedd3636c8a.tar.gz
openembedded-core-c9c85df86cd2270b144fa824ef76adedd3636c8a.tar.bz2
openembedded-core-c9c85df86cd2270b144fa824ef76adedd3636c8a.zip
util-linux: Security fix for CVE-2016-5011
affects util-linux < 2.28.2 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch59
-rw-r--r--meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch91
-rw-r--r--meta/recipes-core/util-linux/util-linux_2.26.2.bb2
3 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
new file mode 100644
index 0000000000..9571280dc9
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011.patch
@@ -0,0 +1,59 @@
+From 7164a1c34d18831ac61c6744ad14ce916d389b3f Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 7 Jul 2016 14:22:41 +0200
+Subject: [PATCH] libblkid: ignore extended partition at zero offset
+
+If the extended partition starts at zero LBA then MBR is interpreted
+as EBR and all is recursively parsed... result is out-of-memory.
+
+ MBR --extended-partition--> EBR --> MBR --> ENB --> MBR ...
+
+Note that such PT is not possible to create by standard partitioning
+tools.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libblkid/src/partitions/dos.c b/libblkid/src/partitions/dos.c
+index 9bba32f..e79f124 100644
+--- a/libblkid/src/partitions/dos.c
++++ b/libblkid/src/partitions/dos.c
+@@ -47,6 +47,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ int ct_nodata = 0; /* count ext.partitions without data partitions */
+ int i;
+
++ DBG(LOWPROBE, ul_debug("parse EBR [start=%d, size=%d]", ex_start/ssf, ex_size/ssf));
++ if (ex_start == 0) {
++ DBG(LOWPROBE, ul_debug("Bad offset in primary extended partition -- ignore"));
++ return 0;
++ }
++
+ while (1) {
+ struct dos_partition *p, *p0;
+ uint32_t start, size;
+@@ -116,8 +122,12 @@ static int parse_dos_extended(blkid_probe pr, blkid_parttable tab,
+ start = dos_partition_get_start(p) * ssf;
+ size = dos_partition_get_size(p) * ssf;
+
+- if (size && is_extended(p))
+- break;
++ if (size && is_extended(p)) {
++ if (start == 0)
++ DBG(LOWPROBE, ul_debug("#%d: EBR link offset is zero -- ignore", i + 1));
++ else
++ break;
++ }
+ }
+ if (i == 4)
+ goto leave;
+--
+2.7.4
+
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
new file mode 100644
index 0000000000..9c6960f793
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2016-5011_p2.patch
@@ -0,0 +1,91 @@
+From 50d1594c2e6142a3b51d2143c74027480df082e0 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 12 Jul 2016 13:34:54 +0200
+Subject: [PATCH] libblkid: avoid non-empty recursion in EBR
+
+This is extension to the patch 7164a1c34d18831ac61c6744ad14ce916d389b3f.
+
+We also need to detect non-empty recursion in the EBR chain. It's
+possible to create standard valid logical partitions and in the last one
+points back to the EBR chain. In this case all offsets will be non-empty.
+
+Unfortunately, it's valid to create logical partitions that are not in
+the "disk order" (sorted by start offset). So link somewhere back is
+valid, but this link cannot points to already existing partition
+(otherwise we will see recursion).
+
+This patch forces libblkid to ignore duplicate logical partitions, the
+duplicate chain segment is interpreted as non-data segment, after 100
+iterations with non-data segments it will break the loop -- no memory
+is allocated in this case by the loop.
+
+Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1349536
+References: http://seclists.org/oss-sec/2016/q3/40
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+Upstream-status: Backport
+CVE: CVE-2016-5011 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libblkid/src/partitions/dos.c | 7 +++++++
+ libblkid/src/partitions/partitions.c | 14 ++++++++++++++
+ libblkid/src/partitions/partitions.h | 2 ++
+ 3 files changed, 23 insertions(+)
+
+Index: util-linux-2.26.2/libblkid/src/partitions/dos.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/dos.c
++++ util-linux-2.26.2/libblkid/src/partitions/dos.c
+@@ -105,6 +105,13 @@ static int parse_dos_extended(blkid_prob
+ continue;
+ }
+
++ /* Avoid recursive non-empty links, see ct_nodata counter */
++ if (blkid_partlist_get_partition_by_start(ls, abs_start)) {
++ DBG(LOWPROBE, ul_debug("#%d: EBR duplicate data partition [abs start=%u] -- ignore",
++ i + 1, abs_start));
++ continue;
++ }
++
+ par = blkid_partlist_add_partition(ls, tab, abs_start, size);
+ if (!par)
+ return -ENOMEM;
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.c
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.c
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.c
+@@ -940,6 +940,20 @@ blkid_partition blkid_partlist_get_parti
+ return &ls->parts[n];
+ }
+
++blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
++{
++ int i, nparts;
++ blkid_partition par;
++
++ nparts = blkid_partlist_numof_partitions(ls);
++ for (i = 0; i < nparts; i++) {
++ par = blkid_partlist_get_partition(ls, i);
++ if ((uint64_t) blkid_partition_get_start(par) == start)
++ return par;
++ }
++ return NULL;
++}
++
+ /**
+ * blkid_partlist_get_partition_by_partno
+ * @ls: partitions list
+Index: util-linux-2.26.2/libblkid/src/partitions/partitions.h
+===================================================================
+--- util-linux-2.26.2.orig/libblkid/src/partitions/partitions.h
++++ util-linux-2.26.2/libblkid/src/partitions/partitions.h
+@@ -21,6 +21,8 @@ extern int blkid_partlist_increment_part
+
+ extern blkid_partition blkid_partlist_get_parent(blkid_partlist ls);
+
++extern blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start);
++
+ extern int blkid_partitions_do_subprobe(blkid_probe pr,
+ blkid_partition parent, const struct blkid_idinfo *id);
+
diff --git a/meta/recipes-core/util-linux/util-linux_2.26.2.bb b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
index e09fdfaf5d..56d5c19282 100644
--- a/meta/recipes-core/util-linux/util-linux_2.26.2.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.26.2.bb
@@ -16,6 +16,8 @@ SRC_URI += "file://util-linux-ng-replace-siginterrupt.patch \
file://runuser.pamd \
file://runuser-l.pamd \
${OLDHOST} \
+ file://CVE-2016-5011.patch \
+ file://CVE-2016-5011_p2.patch \
"
SRC_URI[md5sum] = "9bdf368c395f1b70325d0eb22c7f48fb"
SRC_URI[sha256sum] = "0e29bda142528a48a0a953c39ff63093651a4809042e1790fbd6aa8663fd9666"