godotengine/buildroot
1
0
Fork 0
mirror of https://github.com/godotengine/buildroot.git synced 2026-01-02 21:48:20 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
2020.02.10
buildroot/package/cryptsetup/0006-Simplify-validation-code-a-bit.patch
Peter Korsgaard 957ff8fa25 package/cryptsetup: backport upstream security fixes 
Fixes CVE-2020-14382: A vulnerability was found in upstream release
cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that
is effectively invoked on every device/image presenting itself as LUKS2
container.  The bug is in segments validation code in file
'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct
crypt_device *cd, json_object *hdr_jobj) where the code does not check for
possible overflow on memory allocation used for intervals array (see
statement "intervals = malloc(first_backup * sizeof(*intervals));").  Due to
the bug, library can be *tricked* to expect such allocation was successful
but for far less memory then originally expected.  Later it may read data
FROM image crafted by an attacker and actually write such data BEYOND
allocated memory.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:32:00 +01:00

65 lines
2.3 KiB
Diff
Raw Permalink Blame History

From 45de1eb6e3d31ac3ece6b02671ddcc9dfab06e76 Mon Sep 17 00:00:00 2001
From: Ondrej Kozina <okozina@redhat.com>
Date: Tue, 25 Aug 2020 19:23:21 +0200
Subject: [PATCH 6/6] Simplify validation code a bit.
Keep it simple. If there's not enough memory we can't validate
segments. The LUKS2 specification does not recommend to continue
processing LUKS2 metadata if it can not be properly validated.
(cherry picked from commit 752c9a52798f11d3b765b673ebaa3058eb25316e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
lib/luks2/luks2_json_metadata.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
index cd28400c..66ee0b91 100644
--- a/lib/luks2/luks2_json_metadata.c
+++ b/lib/luks2/luks2_json_metadata.c
@@ -594,9 +594,9 @@ static bool validate_segment_intervals(struct crypt_device *cd,
static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
{
json_object *jobj_segments, *jobj_digests, *jobj_offset, *jobj_size, *jobj_type, *jobj_flags, *jobj;
- struct interval *intervals;
uint64_t offset, size;
int i, r, count, first_backup = -1;
+ struct interval *intervals = NULL;
if (!json_object_object_get_ex(hdr_jobj, "segments", &jobj_segments)) {
log_dbg(cd, "Missing segments section.");
@@ -687,8 +687,11 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
if ((size_t)first_backup < SIZE_MAX / sizeof(*intervals))
intervals = malloc(first_backup * sizeof(*intervals));
- else
- intervals = NULL;
+
+ if (!intervals) {
+ log_dbg(cd, "Not enough memory.");
+ return 1;
+ }
for (i = 0; i < first_backup; i++) {
jobj = json_segments_get_segment(jobj_segments, i);
@@ -697,14 +700,8 @@ static int hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
free(intervals);
return 1;
}
- if (intervals != NULL) {
- intervals[i].offset = json_segment_get_offset(jobj, 0);
- intervals[i].length = json_segment_get_size(jobj, 0) ?: UINT64_MAX;
- }
- }
- if (intervals == NULL) {
- log_dbg(cd, "Not enough memory.");
- return 1;
+ intervals[i].offset = json_segment_get_offset(jobj, 0);
+ intervals[i].length = json_segment_get_size(jobj, 0) ?: UINT64_MAX;
}
r = !validate_segment_intervals(cd, first_backup, intervals);
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink