package/system/uci/patches/002-file-Check-buffer-size-after-strtok.patch

   1 From eae126f66663e5c73e5d290b8e3134449489340f Mon Sep 17 00:00:00 2001
   2 From: Hauke Mehrtens <hauke@hauke-m.de>
   3 Date: Sun, 4 Oct 2020 17:14:49 +0200
   4 Subject: [PATCH] file: Check buffer size after strtok()
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 This fixes a heap overflow in the parsing of the uci line.
  10
  11 The line which is parsed and put into pctx->buf is null terminated and
  12 stored on the heap. In the uci_parse_line() function we use strtok() to
  13 split this string in multiple parts after divided by a space or tab.
  14 strtok() replaces these characters with a NULL byte. If the next byte is
  15 NULL we assume that this NULL byte was added by strtok() and try to
  16 parse the string after this NULL byte. If this NULL byte was not added
  17 by strtok(), but by fgets() to mark the end of the string we would read
  18 over this end of the string in uninitialized memory and later over the
  19 allocated buffer.
  20
  21 Fix this problem by storing how long the line we read was and check if
  22 we would read over the end of the string here.
  23
  24 This also adds the input which detected this crash to the corpus of the
  25 fuzzer.
  26
  27 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
  28 [fixed merge conflict in tests]
  29 Signed-off-by: Petr Štetiar <ynezz@true.cz>
  30 ---
  31  file.c                                        | 19 ++++++++++++++++---
  32  tests/cram/test-san_uci_import.t              |  1 +
  33  tests/cram/test_uci_import.t                  |  1 +
  34  .../2e18ecc3a759dedc9357b1298e9269eccc5c5a6b  |  1 +
  35  uci_internal.h                                |  1 +
  36  5 files changed, 20 insertions(+), 3 deletions(-)
  37  create mode 100644 tests/fuzz/corpus/2e18ecc3a759dedc9357b1298e9269eccc5c5a6b
  38
  39 --- a/file.c
  40 +++ b/file.c
  41 @@ -28,6 +28,7 @@
  42  #include <glob.h>
  43  #include <string.h>
  44  #include <stdlib.h>
  45 +#include <errno.h>
  46
  47  #include "uci.h"
  48  #include "uci_internal.h"
  49 @@ -63,6 +64,7 @@ __private void uci_getln(struct uci_cont
  50                         return;
  51
  52                 ofs += strlen(p);
  53 +               pctx->buf_filled = ofs;
  54                 if (pctx->buf[ofs - 1] == '\n') {
  55                         pctx->line++;
  56                         return;
  57 @@ -120,6 +122,15 @@ static inline void addc(struct uci_conte
  58         *pos_src += 1;
  59  }
  60
  61 +static int uci_increase_pos(struct uci_parse_context *pctx, size_t add)
  62 +{
  63 +       if (pctx->pos + add > pctx->buf_filled)
  64 +               return -EINVAL;
  65 +
  66 +       pctx->pos += add;
  67 +       return 0;
  68 +}
  69 +
  70  /*
  71   * parse a double quoted string argument from the command line
  72   */
  73 @@ -384,7 +395,8 @@ static void uci_parse_package(struct uci
  74         char *name;
  75
  76         /* command string null-terminated by strtok */
  77 -       pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
  78 +       if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
  79 +               uci_parse_error(ctx, "package without name");
  80
  81         ofs_name = next_arg(ctx, true, true, true);
  82         assert_eol(ctx);
  83 @@ -416,7 +428,8 @@ static void uci_parse_config(struct uci_
  84         }
  85
  86         /* command string null-terminated by strtok */
  87 -       pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
  88 +       if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
  89 +               uci_parse_error(ctx, "config without name");
  90
  91         ofs_type = next_arg(ctx, true, false, false);
  92         type = pctx_str(pctx, ofs_type);
  93 @@ -466,7 +479,8 @@ static void uci_parse_option(struct uci_
  94                 uci_parse_error(ctx, "option/list command found before the first section");
  95
  96         /* command string null-terminated by strtok */
  97 -       pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
  98 +       if (uci_increase_pos(pctx, strlen(pctx_cur_str(pctx)) + 1))
  99 +               uci_parse_error(ctx, "option without name");
 100
 101         ofs_name = next_arg(ctx, true, true, false);
 102         ofs_value = next_arg(ctx, false, false, false);
 103 --- a/uci_internal.h
 104 +++ b/uci_internal.h
 105 @@ -33,6 +33,7 @@ struct uci_parse_context
 106         const char *name;
 107         char *buf;
 108         int bufsz;
 109 +       size_t buf_filled;
 110         int pos;
 111  };
 112  #define pctx_pos(pctx)         ((pctx)->pos)