diff options
| author | Patrick J Volkerding <volkerdi@slackware.com> | 2018-05-25 23:29:36 +0000 |
|---|---|---|
| committer | Eric Hameleers <alien@slackware.com> | 2018-06-01 00:36:01 +0200 |
| commit | 39366733c3fe943363566756e2e152c45a1b3cb2 (patch) | |
| tree | 228b0735896af90ca78151c9a69aa3efd12c8cae /patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch | |
| parent | d31c50870d0bee042ce660e445c9294a59a3a65b (diff) | |
| download | current-14.2.tar.gz | |
Fri May 25 23:29:36 UTC 201814.2
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt.
Handle removal of US/Pacific-New timezone. If we see that the machine is
using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch')
| -rw-r--r-- | patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch b/patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch new file mode 100644 index 00000000..d81639f6 --- /dev/null +++ b/patches/source/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch @@ -0,0 +1,76 @@ +From 6777e08cc38bc780d27c69c1d8c272867b74524f Mon Sep 17 00:00:00 2001 +From: Giancarlo Canales Barreto <gcanalesb@me.com> +Date: Wed, 17 Jun 2015 00:22:19 -0400 +Subject: [PATCH] Update unsquash-4.c + +There seems to be a stack overflow in read_fragment_table_4 at via what seems to be an integer overflow. Still looking into this problem, it seems like two or three different problems combined. + +The first problem overflows the bytes variable, so that the allocation is enormous. +```c +int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments); +``` + +If we fix this by making the variable size_t, we run into an unrelated problem in which the stack VLA allocation of fragment_table_index can easily exceed RLIMIT_STACK. +```c +long long fragment_table_index[indexes]; +``` + +In the case of my system, the RLIMIT_STACK is 8388608, and VLA is asking for 15728648. Plus the stack probably already has a bunch of other things. This is what I believe ultimately leads to the stack overflow. + +Afterwards, the heap allocation seems to succeed, and the disastrous call to read_fs_bytes is made, which initiates transfer from the squashfs image to the stack. At this stage, a stack overflow appears to be in full effect. + +```c + res = read_fs_bytes(fd, sBlk.s.fragment_table_start, + SQUASHFS_FRAGMENT_INDEX_BYTES(sBlk.s.fragments), + fragment_table_index); +``` +This problem is also present in other read_fragment_table_N functions, and in in the original squashfs-tools. + +``` +Parallel unsquashfs: Using 8 processors +ASAN:SIGSEGV +================================================================= +==8221==ERROR: AddressSanitizer: stack-overflow on address 0x7ffef3ae9608 (pc 0x000000559011 bp 0x7ffef49e9670 sp 0x7ffef3ae9610 T0) + #0 0x559010 in read_fragment_table_4 /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9 + #1 0x525073 in main /home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs.c:2763:5 + #2 0x7fb56c533a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f) + #3 0x418468 in _start (/home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs+0x418468) +SUMMARY: AddressSanitizer: stack-overflow /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9 in read_fragment_table_4 +==8221==ABORTING +``` + +Perhaps we should avoid using VLA altogether, and allocate fragment_table_index to the heap? +This pull request is an example implementation of the fix for unsquash-4, but I don't have enough test vectors to verify it will not break anything. +--- + unsquash-4.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c +index ecdaac7..2c0cf63 100644 +--- a/squashfs-tools/unsquash-4.c ++++ b/squashfs-tools/unsquash-4.c +@@ -31,9 +31,9 @@ static unsigned int *id_table; + int read_fragment_table_4(long long *directory_table_end) + { + int res, i; +- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments); +- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments); +- long long fragment_table_index[indexes]; ++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments); ++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments); ++ long long *fragment_table_index; + + TRACE("read_fragment_table: %d fragments, reading %d fragment indexes " + "from 0x%llx\n", sBlk.s.fragments, indexes, +@@ -44,6 +44,11 @@ int read_fragment_table_4(long long *directory_table_end) + return TRUE; + } + ++ fragment_table_index = malloc(indexes*sizeof(long long)); ++ if(fragment_table_index == NULL) ++ EXIT_UNSQUASH("read_fragment_table: failed to allocate " ++ "fragment table index\n"); ++ + fragment_table = malloc(bytes); + if(fragment_table == NULL) + EXIT_UNSQUASH("read_fragment_table: failed to allocate " |