git.fsl.cs.sunysb.edu Git - unionfs-2.6.39.y.git/commit

author	Kees Cook <keescook@chromium.org>
	Thu, 25 Oct 2012 20:38:14 +0000 (13:38 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 31 Oct 2012 17:09:37 +0000 (10:09 -0700)
commit	73e75b4b4bd0ff7d2911165e9119306b95282c21
tree	5266f995313ec3c892b764b18187145e96de4aec	tree \| snapshot
parent	f625bfd3fb3768dd116303e87799c40f1a4cd92e	commit \| diff

gen_init_cpio: avoid stack overflow when expanding

commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.

Fix possible overflow of the buffer used for expanding environment
variables when building file list.

In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.

  $ cat usr/crash.list
  file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
  $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
  *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

This also replaces the space-indenting with tabs.

Patch based on existing fix extracted from grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>