main/udisks: security fix for CVE-2014-0004

1 files changed, 83 insertions, 0 deletions

diff --git a/main/udisks/CVE-2014-0004.patch b/main/udisks/CVE-2014-0004.patch
new file mode 100644
index 0000000000..37150a2c5c
--- /dev/null
+++ b/main/udisks/CVE-2014-0004.patch
@@ -0,0 +1,83 @@
+From ebf61ed8471a45cf8bce7231de00cb1bbc140708 Mon Sep 17 00:00:00 2001
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Wed, 05 Mar 2014 13:07:44 +0000
+Subject: Fix buffer overflow in mount path parsing
+
+In the mount monitor we parse mount points from /proc/self/mountinfo.  Ensure
+that we don't overflow the buffers on platforms where mount paths could be
+longer than PATH_MAX (unknown if that can actually happen), as at least the
+mount paths for hotpluggable devices are somewhat user-controlled.
+
+Thanks to Florian Weimer for discovering this bug, and to David Zeuthen
+for his initial patch!
+
+CVE-2014-0004
+---
+diff --git a/src/mount-monitor.c b/src/mount-monitor.c
+index d541deb..573a69c 100644
+--- a/src/mount-monitor.c
++++ b/src/mount-monitor.c
+@@ -39,6 +39,11 @@
+ #include "mount.h"
+ #include "private.h"
+ 
++/* build a %Ns format string macro with N == PATH_MAX */
++#define xstr(s) str(s)
++#define str(s) #s
++#define PATH_MAX_FMT "%" xstr(PATH_MAX) "s"
++
+ /*--------------------------------------------------------------------------------------------------------------*/
+ 
+ enum
+@@ -320,8 +325,8 @@ mount_monitor_ensure (MountMonitor *monitor)
+       guint mount_id;
+       guint parent_id;
+       guint major, minor;
+-      gchar encoded_root[PATH_MAX];
+-      gchar encoded_mount_point[PATH_MAX];
++      gchar encoded_root[PATH_MAX + 1];
++      gchar encoded_mount_point[PATH_MAX + 1];
+       gchar *mount_point;
+       dev_t dev;
+ 
+@@ -329,7 +334,7 @@ mount_monitor_ensure (MountMonitor *monitor)
+         continue;
+ 
+       if (sscanf (lines[n],
+-                  "%d %d %d:%d %s %s",
++                  "%d %d %d:%d " PATH_MAX_FMT " " PATH_MAX_FMT,
+                   &mount_id,
+                   &parent_id,
+                   &major,
+@@ -340,6 +345,8 @@ mount_monitor_ensure (MountMonitor *monitor)
+           g_warning ("Error parsing line '%s'", lines[n]);
+           continue;
+         }
++      encoded_root[sizeof encoded_root - 1] = '\0';
++      encoded_mount_point[sizeof encoded_mount_point - 1] = '\0';
+ 
+       /* ignore mounts where only a subtree of a filesystem is mounted */
+       if (g_strcmp0 (encoded_root, "/") != 0)
+@@ -358,15 +365,17 @@ mount_monitor_ensure (MountMonitor *monitor)
+           sep = strstr (lines[n], " - ");
+           if (sep != NULL)
+             {
+-              gchar fstype[PATH_MAX];
+-              gchar mount_source[PATH_MAX];
++              gchar fstype[PATH_MAX + 1];
++              gchar mount_source[PATH_MAX + 1];
+               struct stat statbuf;
+ 
+-              if (sscanf (sep + 3, "%s %s", fstype, mount_source) != 2)
++              if (sscanf (sep + 3, PATH_MAX_FMT " " PATH_MAX_FMT, fstype, mount_source) != 2)
+                 {
+                   g_warning ("Error parsing things past - for '%s'", lines[n]);
+                   continue;
+                 }
++              fstype[sizeof fstype - 1] = '\0';
++              mount_source[sizeof mount_source - 1] = '\0';
+ 
+               if (g_strcmp0 (fstype, "btrfs") != 0)
+                 continue;
+--
+cgit v0.9.0.2-2-gbebe