New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pax-utils: Out of bounds read fix #24186
Conversation
Maybe then just use a git checkout as source? |
Maybe. Which ever way you guys choose. Just trying to help 😀
…Sent from my iphone
On Mar 21, 2017, 6:15 PM -0500, Nikolay Amiantov ***@***.***>, wrote:
>
> I created the patch by downloading current version and diff'ing it with upstream's master git copy
>
Maybe then just use a git checkout as source?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub (#24186 (comment)), or mute the thread (https://github.com/notifications/unsubscribe-auth/AAHL7-cYD1QlCS5kgXaWMONGzPn3bkQhks5roFongaJpZM4MkhTD).
|
@ndowens No problem, thank you for help ^_^ If noone objects I can move |
I prefer to wait for upstream or at least use their patch. |
Nice problem solving with the diff! Generally diffing between our current version and the upstream's master version will include way too much, and is equivalent to just switching to their unstable / git version. This isn't usually what we want to do. Reading the report, I saw:
We usually prefer to use patches directly from upstream, and if a report includes a fix, even better. These commits can be accessed as patches directly, at:
Here we can use patches = [
(fetchpatch {
name = "scanelf-check-range-of-hash-bucket.patch";
url = "https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d.patch";
sha256 = "";
})
(fetchpatch {
name = "checking-memory-elf-ranges.patch";
url = "https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559.patch";
sha256 = "";
})
]; I'm now reminded that you tried this already, and ran in to the patches not applying cleanly. Running
Looking at the rejected patch at --- paxelf.h
+++ paxelf.h
@@ -39,17 +39,15 @@
#define SYM32(ptr) ((Elf32_Sym *)(ptr))
#define SYM64(ptr) ((Elf64_Sym *)(ptr))
+#define VALID_RANGE(elf, offset, size) \
+ ((uint64_t)(size) <= (uint64_t)elf->len && \
+ (uint64_t)(offset) <= (uint64_t)elf->len - (uint64_t)(size))
#define VALID_SHDR(elf, shdr) \
(shdr && \
EGET(shdr->sh_type) != SHT_NOBITS && \
- EGET(shdr->sh_offset) < (uint64_t)elf->len && \
- EGET(shdr->sh_size) < (uint64_t)elf->len && \
- EGET(shdr->sh_offset) <= elf->len - EGET(shdr->sh_size))
+ VALID_RANGE(elf, EGET(shdr->sh_offset), EGET(shdr->sh_size)))
#define VALID_PHDR(elf, phdr) \
- (phdr && \
- EGET(phdr->p_filesz) < (uint64_t)elf->len && \
- EGET(phdr->p_offset) < (uint64_t)elf->len && \
- EGET(phdr->p_filesz) <= elf->len - EGET(phdr->p_offset))
+ (phdr && VALID_RANGE(elf, EGET(phdr->p_offset), EGET(phdr->p_filesz)))
/* prototypes */
extern char *pax_short_hf_flags(unsigned long flags); vs: #define SYM32(ptr) ((Elf32_Sym *)(ptr))
#define SYM64(ptr) ((Elf64_Sym *)(ptr))
#define VALID_SHDR(elf, shdr) \
(shdr && \
EGET(shdr->sh_type) != SHT_NOBITS && \
EGET(shdr->sh_offset) < (uint64_t)elf->len && \
EGET(shdr->sh_size) < (uint64_t)elf->len && \
EGET(shdr->sh_offset) <= elf->len - EGET(shdr->sh_size))
/* prototypes */
extern char *pax_short_hf_flags(unsigned long flags); At this point, we could fix the patch to work for us, but given: (1) there is no CVE I think it is best to wait for a new release. |
@grahamc Why not just take the upstream I agree that the problem seems to be exploitable mainly if you process the ELF files under a more privileged (maybe in terms of accessible data) user account than the account that will run them afterwards. No such situation is encouraged in Nix*. |
For context: these tools are typically used to check for build QA issues, so you're supposed to be feeding it output from your local tool chain, not random stuff from untrusted sources. |
Now I know. Just thought maybe it would be ok. Since it had more than one commit to use to diff. I would have just used the commit as diff if it was one. So I didn't know how to exactly do two at one time |
What if use the last commit point that should include the other as well? |
Motivation for this change
CVE: NixOS/security#23
I created the patch by downloading current version and diff'ing it with upstream's master git copy. I asked if this is ok, but no answer. AFAIK the binaries work fine.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)