diff options
| author | Timo Teräs <timo.teras@iki.fi> | 2021-04-11 15:21:42 +0300 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2021-04-12 15:36:40 +0300 |
| commit | 49eabf33ae2bf950aee93df805b7307b91afa630 (patch) | |
| tree | 7c2c3cd655d9312b88a3adf7ef8ad9bec401ea82 | |
| parent | 6552a1d3f8126d858d64c75fa3c1eb049d8bf235 (diff) | |
| download | apk-tools-49eabf33ae2bf950aee93df805b7307b91afa630.tar.gz apk-tools-49eabf33ae2bf950aee93df805b7307b91afa630.tar.bz2 apk-tools-49eabf33ae2bf950aee93df805b7307b91afa630.tar.xz apk-tools-49eabf33ae2bf950aee93df805b7307b91afa630.zip | |
io_archive: add bounds limit for uname and gname tar header fields
Modify apk_resolve_[ug]id to take the user/groupname as a blob, so
proper length checking is done and honored.
==31584== Conditional jump or move depends on uninitialised value(s)
==31584== at 0x5C8CA5: strlen (strlen.c:17)
==31584== by 0x432575: APK_BLOB_STR (apk_blob.h:79)
==31584== by 0x4350EB: apk_resolve_uid (io.c:1112)
==31584== by 0x43696C: apk_tar_parse (io_archive.c:152)
==31584== by 0x4271BC: apk_pkg_read (package.c:929)
==31584== by 0x402D75: add_main (app_add.c:163)
==31584== by 0x40D5FF: main (apk-static.c:516)
Fixes a potential crash (DoS) on a crafted TAR file. CVE-2021-30139.
Reported-by: Sören Tempel <soeren+git@soeren-tempel.net>
Reviewed-by: Ariadne Conill <ariadne@dereferenced.org>
| -rw-r--r-- | src/apk_io.h | 4 | ||||
| -rw-r--r-- | src/archive.c | 5 | ||||
| -rw-r--r-- | src/io.c | 12 |
3 files changed, 11 insertions, 10 deletions
diff --git a/src/apk_io.h b/src/apk_io.h index 2bb0f26..86c701c 100644 --- a/src/apk_io.h +++ b/src/apk_io.h @@ -209,7 +209,7 @@ const char *apk_url_local_file(const char *url); void apk_id_cache_init(struct apk_id_cache *idc, int root_fd); void apk_id_cache_free(struct apk_id_cache *idc); void apk_id_cache_reset(struct apk_id_cache *idc); -uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t default_uid); -uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t default_gid); +uid_t apk_resolve_uid(struct apk_id_cache *idc, apk_blob_t username, uid_t default_uid); +uid_t apk_resolve_gid(struct apk_id_cache *idc, apk_blob_t groupname, uid_t default_gid); #endif diff --git a/src/archive.c b/src/archive.c index 81821dc..24a065f 100644 --- a/src/archive.c +++ b/src/archive.c @@ -58,6 +58,7 @@ struct apk_tar_digest_info { unsigned char digest[]; }; +#define TAR_BLOB(s) APK_BLOB_PTR_LEN(s, strnlen(s, sizeof(s))) #define GET_OCTAL(s) get_octal(s, sizeof(s)) #define PUT_OCTAL(s,v) put_octal(s, sizeof(s), v) @@ -225,8 +226,8 @@ int apk_tar_parse(struct apk_istream *is, apk_archive_entry_parser parser, entry = (struct apk_file_info){ .size = GET_OCTAL(buf.size), - .uid = apk_resolve_uid(idc, buf.uname, GET_OCTAL(buf.uid)), - .gid = apk_resolve_gid(idc, buf.gname, GET_OCTAL(buf.gid)), + .uid = apk_resolve_uid(idc, TAR_BLOB(buf.uname), GET_OCTAL(buf.uid)), + .gid = apk_resolve_gid(idc, TAR_BLOB(buf.gname), GET_OCTAL(buf.gid)), .mode = GET_OCTAL(buf.mode) & 07777, .mtime = GET_OCTAL(buf.mtime), .name = entry.name, @@ -1027,7 +1027,7 @@ static FILE *fopenat(int dirfd, const char *pathname) return f; } -uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t default_uid) +uid_t apk_resolve_uid(struct apk_id_cache *idc, apk_blob_t username, uid_t default_uid) { #ifdef HAVE_FGETPWENT_R char buf[1024]; @@ -1037,7 +1037,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa struct passwd *pwd; FILE *in; - ci = resolve_cache_item(&idc->uid_cache, APK_BLOB_STR(username)); + ci = resolve_cache_item(&idc->uid_cache, username); if (ci == NULL) return default_uid; @@ -1055,7 +1055,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa #endif if (pwd == NULL) break; - if (strcmp(pwd->pw_name, username) == 0) { + if (apk_blob_compare(APK_BLOB_STR(pwd->pw_name), username) == 0) { ci->uid = pwd->pw_uid; break; } @@ -1070,7 +1070,7 @@ uid_t apk_resolve_uid(struct apk_id_cache *idc, const char *username, uid_t defa return default_uid; } -uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t default_gid) +uid_t apk_resolve_gid(struct apk_id_cache *idc, apk_blob_t groupname, uid_t default_gid) { #ifdef HAVE_FGETGRENT_R char buf[1024]; @@ -1080,7 +1080,7 @@ uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t def struct group *grp; FILE *in; - ci = resolve_cache_item(&idc->gid_cache, APK_BLOB_STR(groupname)); + ci = resolve_cache_item(&idc->gid_cache, groupname); if (ci == NULL) return default_gid; @@ -1098,7 +1098,7 @@ uid_t apk_resolve_gid(struct apk_id_cache *idc, const char *groupname, uid_t def #endif if (grp == NULL) break; - if (strcmp(grp->gr_name, groupname) == 0) { + if (apk_blob_compare(APK_BLOB_STR(grp->gr_name), groupname) == 0) { ci->gid = grp->gr_gid; break; } |