[meta-gplv2,v2] dosfstools: fix out of bound writes

Submitted by aj.bagwell@gmail.com on Nov. 11, 2019, 10:32 a.m. | Patch ID: 166834

Details

Message ID 20191111103222.86510-1-aj.bagwell@gmail.com
State New

Commit Message

aj.bagwell@gmail.com Nov. 11, 2019, 10:32 a.m.
From: AJ Bagwell <anthony.bagwell@hivehome.com>

Fix write issues where sprintf writes across both name and ext fields
and drops the final null terminator outside the struct

Signed-off-by: AJ Bagwell <anthony.bagwell@hivehome.com>
---
 .../fixing-out-of-bound-writes.patch          | 54 +++++++++++++++++++
 .../dosfstools/dosfstools_2.11.bb             |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch


diff --git a/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
new file mode 100644
index 0000000..f80f5ab
--- /dev/null
+++ b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
@@ -0,0 +1,54 @@ 
+Fix out of bound write issues where sprintf writes across both
+name and ext fields and drops the final null ternimator outside the struct
+
+Upstream-Status: Inappropriate [licensing]
+We're tracking an old release of dosfstools due to licensing issues.
+
+diff --git a/dosfsck/check.c b/dosfsck/check.c
+index e8c13bb..91177d3 100644
+--- a/dosfsck/check.c
++++ b/dosfsck/check.c
+@@ -58,6 +58,13 @@ static DOS_FILE *root;
+     }									\
+   } while(0)
+ 
++static void de_printf(DIR_ENT *de, const char *pattern, int curr_num)
++{
++    char buffer[12];
++    sprintf(buffer, pattern, curr_num);
++    memcpy(de->name, buffer, 8);
++    memcpy(de->ext, buffer + 8, 3);
++}
+ 
+ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ {
+@@ -110,7 +117,8 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ 	}
+ 	memset(de,0,sizeof(DIR_ENT));
+ 	while (1) {
+-	    sprintf(de->name,pattern,curr_num);
++	    de_printf(de, pattern, curr_num);
++
+ 	    clu_num = fs->root_cluster;
+ 	    i = 0;
+ 	    offset2 = cluster_start(fs,clu_num);
+@@ -150,7 +158,7 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ 	offset = fs->root_start+next_free*sizeof(DIR_ENT);
+ 	memset(de,0,sizeof(DIR_ENT));
+ 	while (1) {
+-	    sprintf(de->name,pattern,curr_num);
++	    de_printf(de, pattern, curr_num);
+ 	    for (scan = 0; scan < fs->root_entries; scan++)
+ 		if (scan != next_free &&
+ 		    !strncmp(root[scan].name,de->name,MSDOS_NAME))
+@@ -311,8 +319,8 @@ static void auto_rename(DOS_FILE *file)
+     first = file->parent ? file->parent->first : root;
+     number = 0;
+     while (1) {
+-	sprintf(file->dir_ent.name,"FSCK%04d",number);
+-	strncpy(file->dir_ent.ext,"REN",3);
++	de_printf(&file->dir_ent, "FSCK%04dREN", number);
++
+ 	for (walk = first; walk; walk = walk->next)
+ 	    if (walk != file && !strncmp(walk->dir_ent.name,file->dir_ent.
+ 	      name,MSDOS_NAME)) break;
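Review bot: The `sprintf(buffer, pattern, curr_num)` in the new `de_printf` helper is still unbounded: `buffer` is 12 bytes and `%04d` is only a minimum width, so `"FSCK%04dREN"` with a value of 10000 or more formats to at least 12 characters plus the terminator and writes past the end of the stack buffer. The out-of-bounds write moves from the directory entry to the stack rather than going away; whether the counters can reach that range depends on loop code outside these hunks, and the `pattern` passed to `alloc_rootdir_entry` comes from callers not shown here. I would use `int n = snprintf(buffer, sizeof buffer, pattern, curr_num);` and treat `n < 0 || n >= (int)sizeof buffer` as an error before the two `memcpy` calls. A pattern that formats to fewer than 11 characters also makes those `memcpy` calls copy uninitialised bytes of `buffer` into `name`/`ext`, so `char buffer[12] = {0};` or a check for `n == 11` is worth adding as well.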
diff --git a/recipes-devtools/dosfstools/dosfstools_2.11.bb b/recipes-devtools/dosfstools/dosfstools_2.11.bb
index dd543b1..37c2181 100644
--- a/recipes-devtools/dosfstools/dosfstools_2.11.bb
+++ b/recipes-devtools/dosfstools/dosfstools_2.11.bb
@@ -19,6 +19,7 @@  SRC_URI = "http://pkgs.fedoraproject.org/repo/pkgs/${BPN}/${BP}.src.tar.gz/407d4
            file://nofat32_autoselect.patch \
            file://fix_populated_dosfs_creation.patch \
            file://0001-Include-fcntl.h-for-getting-loff_t-definition.patch \
+	   file://fixing-out-of-bound-writes.patch \
 "
 
 SRC_URI[md5sum] = "407d405ade410f7597d364ab5dc8c9f6"

Comments

Khem Raj Nov. 11, 2019, 3:44 p.m.
On Mon, 2019-11-11 at 10:32 +0000, aj.bagwell@gmail.com wrote:
> From: AJ Bagwell <anthony.bagwell@hivehome.com>
> 
> Fix write issues where sprintf writes across both name and ext fields
> and drops the final null ternimator outside the struct
> 
> Signed-off-by: AJ Bagwell <anthony.bagwell@hivehome.com>
> ---
>  .../fixing-out-of-bound-writes.patch          | 54
> +++++++++++++++++++
>  .../dosfstools/dosfstools_2.11.bb             |  1 +
>  2 files changed, 55 insertions(+)
>  create mode 100644 recipes-devtools/dosfstools/dosfstools/fixing-
> out-of-bound-writes.patch
> 
> diff --git a/recipes-devtools/dosfstools/dosfstools/fixing-out-of-
> bound-writes.patch b/recipes-devtools/dosfstools/dosfstools/fixing-
> out-of-bound-writes.patch
> new file mode 100644
> index 0000000..f80f5ab
> --- /dev/null
> +++ b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-
> writes.patch
> @@ -0,0 +1,54 @@
> +Fix out of bound write issues where sprintf writes across both
> +name and ext fields and drops the final null ternimator outside the
> struct
> +
> +Upstream-Status: Inappropriate [licensing]
> +We're tracking an old release of dosfstools due to licensing issues.
> +

patch is fine, I wonder if the latest version in OE-Core is also
affected by this issue ?


> +diff --git a/dosfsck/check.c b/dosfsck/check.c
> +index e8c13bb..91177d3 100644
> +--- a/dosfsck/check.c
> ++++ b/dosfsck/check.c
> +@@ -58,6 +58,13 @@ static DOS_FILE *root;
> +     }								
> 	\
> +   } while(0)
> + 
> ++static void de_printf(DIR_ENT *de, const char *pattern, int
> curr_num)
> ++{
> ++    char buffer[12];
> ++    sprintf(buffer, pattern, curr_num);
> ++    memcpy(de->name, buffer, 8);
> ++    memcpy(de->ext, buffer + 8, 3);
> ++}
> + 
> + loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char
> *pattern)
> + {
> +@@ -110,7 +117,8 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT
> *de, const char *pattern)
> + 	}
> + 	memset(de,0,sizeof(DIR_ENT));
> + 	while (1) {
> +-	    sprintf(de->name,pattern,curr_num);
> ++	    de_printf(de, pattern, curr_num);
> ++
> + 	    clu_num = fs->root_cluster;
> + 	    i = 0;
> + 	    offset2 = cluster_start(fs,clu_num);
> +@@ -150,7 +158,7 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT
> *de, const char *pattern)
> + 	offset = fs->root_start+next_free*sizeof(DIR_ENT);
> + 	memset(de,0,sizeof(DIR_ENT));
> + 	while (1) {
> +-	    sprintf(de->name,pattern,curr_num);
> ++	    de_printf(de, pattern, curr_num);
> + 	    for (scan = 0; scan < fs->root_entries; scan++)
> + 		if (scan != next_free &&
> + 		    !strncmp(root[scan].name,de->name,MSDOS_NAME))
> +@@ -311,8 +319,8 @@ static void auto_rename(DOS_FILE *file)
> +     first = file->parent ? file->parent->first : root;
> +     number = 0;
> +     while (1) {
> +-	sprintf(file->dir_ent.name,"FSCK%04d",number);
> +-	strncpy(file->dir_ent.ext,"REN",3);
> ++	de_printf(&file->dir_ent, "FSCK%04dREN", number);
> ++
> + 	for (walk = first; walk; walk = walk->next)
> + 	    if (walk != file && !strncmp(walk->dir_ent.name,file-
> >dir_ent.
> + 	      name,MSDOS_NAME)) break;
> diff --git a/recipes-devtools/dosfstools/dosfstools_2.11.bb
> b/recipes-devtools/dosfstools/dosfstools_2.11.bb
> index dd543b1..37c2181 100644
> --- a/recipes-devtools/dosfstools/dosfstools_2.11.bb
> +++ b/recipes-devtools/dosfstools/dosfstools_2.11.bb
> @@ -19,6 +19,7 @@ SRC_URI = "
> http://pkgs.fedoraproject.org/repo/pkgs/${BPN}/${BP}.src.tar.gz/407d4
>             file://nofat32_autoselect.patch \
>             file://fix_populated_dosfs_creation.patch \
>             file://0001-Include-fcntl.h-for-getting-loff_t-
> definition.patch \
> +	   file://fixing-out-of-bound-writes.patch \
>  "
>  
>  SRC_URI[md5sum] = "407d405ade410f7597d364ab5dc8c9f6"
> -- 
> 2.17.1
>
Alex Kiernan Jan. 18, 2020, 12:15 p.m.
On Mon, Nov 11, 2019 at 3:45 PM Khem Raj <raj.khem@gmail.com> wrote:
>
> On Mon, 2019-11-11 at 10:32 +0000, aj.bagwell@gmail.com wrote:
> > From: AJ Bagwell <anthony.bagwell@hivehome.com>
> >
> > Fix write issues where sprintf writes across both name and ext fields
> > and drops the final null ternimator outside the struct
> >
> > Signed-off-by: AJ Bagwell <anthony.bagwell@hivehome.com>
> > ---
> >  .../fixing-out-of-bound-writes.patch          | 54
> > +++++++++++++++++++
> >  .../dosfstools/dosfstools_2.11.bb             |  1 +
> >  2 files changed, 55 insertions(+)
> >  create mode 100644 recipes-devtools/dosfstools/dosfstools/fixing-
> > out-of-bound-writes.patch
> >
> > diff --git a/recipes-devtools/dosfstools/dosfstools/fixing-out-of-
> > bound-writes.patch b/recipes-devtools/dosfstools/dosfstools/fixing-
> > out-of-bound-writes.patch
> > new file mode 100644
> > index 0000000..f80f5ab
> > --- /dev/null
> > +++ b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-
> > writes.patch
> > @@ -0,0 +1,54 @@
> > +Fix out of bound write issues where sprintf writes across both
> > +name and ext fields and drops the final null ternimator outside the
> > struct
> > +
> > +Upstream-Status: Inappropriate [licensing]
> > +We're tracking an old release of dosfstools due to licensing issues.
> > +
>
> patch is fine, I wonder if the latest version in OE-Core is also
> affected by this issue ?
>

It's not - upstream has an equivalent fix.

>
> > +diff --git a/dosfsck/check.c b/dosfsck/check.c
> > +index e8c13bb..91177d3 100644
> > +--- a/dosfsck/check.c
> > ++++ b/dosfsck/check.c
> > +@@ -58,6 +58,13 @@ static DOS_FILE *root;
> > +     }
> >       \
> > +   } while(0)
> > +
> > ++static void de_printf(DIR_ENT *de, const char *pattern, int
> > curr_num)
> > ++{
> > ++    char buffer[12];
> > ++    sprintf(buffer, pattern, curr_num);
> > ++    memcpy(de->name, buffer, 8);
> > ++    memcpy(de->ext, buffer + 8, 3);
> > ++}
> > +
> > + loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char
> > *pattern)
> > + {
> > +@@ -110,7 +117,8 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT
> > *de, const char *pattern)
> > +     }
> > +     memset(de,0,sizeof(DIR_ENT));
> > +     while (1) {
> > +-        sprintf(de->name,pattern,curr_num);
> > ++        de_printf(de, pattern, curr_num);
> > ++
> > +         clu_num = fs->root_cluster;
> > +         i = 0;
> > +         offset2 = cluster_start(fs,clu_num);
> > +@@ -150,7 +158,7 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT
> > *de, const char *pattern)
> > +     offset = fs->root_start+next_free*sizeof(DIR_ENT);
> > +     memset(de,0,sizeof(DIR_ENT));
> > +     while (1) {
> > +-        sprintf(de->name,pattern,curr_num);
> > ++        de_printf(de, pattern, curr_num);
> > +         for (scan = 0; scan < fs->root_entries; scan++)
> > +             if (scan != next_free &&
> > +                 !strncmp(root[scan].name,de->name,MSDOS_NAME))
> > +@@ -311,8 +319,8 @@ static void auto_rename(DOS_FILE *file)
> > +     first = file->parent ? file->parent->first : root;
> > +     number = 0;
> > +     while (1) {
> > +-    sprintf(file->dir_ent.name,"FSCK%04d",number);
> > +-    strncpy(file->dir_ent.ext,"REN",3);
> > ++    de_printf(&file->dir_ent, "FSCK%04dREN", number);
> > ++
> > +     for (walk = first; walk; walk = walk->next)
> > +         if (walk != file && !strncmp(walk->dir_ent.name,file-
> > >dir_ent.
> > +           name,MSDOS_NAME)) break;
> > diff --git a/recipes-devtools/dosfstools/dosfstools_2.11.bb
> > b/recipes-devtools/dosfstools/dosfstools_2.11.bb
> > index dd543b1..37c2181 100644
> > --- a/recipes-devtools/dosfstools/dosfstools_2.11.bb
> > +++ b/recipes-devtools/dosfstools/dosfstools_2.11.bb
> > @@ -19,6 +19,7 @@ SRC_URI = "
> > http://pkgs.fedoraproject.org/repo/pkgs/${BPN}/${BP}.src.tar.gz/407d4
> >             file://nofat32_autoselect.patch \
> >             file://fix_populated_dosfs_creation.patch \
> >             file://0001-Include-fcntl.h-for-getting-loff_t-
> > definition.patch \
> > +        file://fixing-out-of-bound-writes.patch \
> >  "
> >
> >  SRC_URI[md5sum] = "407d405ade410f7597d364ab5dc8c9f6"
> > --
> > 2.17.1
> >
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto