Rainer Weikusat <[email protected]> writes:

[...]

> I'll certainly fix any CVE-level issue I consider to be relevant for my
> use cases

While we're at that: There's a bunch of (very likely harmless) buffer
overflows in the bsect_common function (bsect.c), namely this here:

    if ((root = cfg_get_strg(cf_kernel,"root")) || (root = cfg_get_strg(
      cf_options,"root")))  {
        if (!strcasecmp(root,"current")) {
            if (stat("/",&st) < 0) pdie("stat /");
            sprintf(strchr(options,0),"root=%x ",(unsigned int) st.st_dev);
        }
        else if (strlen(root)>6 && !strncmp(root,"LABEL=",6)) {
            sprintf(strchr(options,0),"root=%s ", root);
        }
        else if (strlen(root)>5 && !strncmp(root,"UUID=",5)) {
            sprintf(strchr(options,0),"root=%s ", root);
        }
        else {
            sprintf(strchr(options,0),"root=%x ",dev_number(root));
        }
      } 

options is a 512 byte buffer. As there's no length check and no implicit
restriction for root device specifications starting with LABEL= or
UUID=, the config file can contain a value long enough to overwrite
whatever happens to be behind the options buffer.

Likewise,

    append_local = cfg_get_strg(cf_options,"append");   /* global, actually */
    if ((append = cfg_get_strg(cf_kernel,"append")) ||
        (append = append_local)  ) {
                if (strlen(append) > COMMAND_LINE_SIZE-1) die("Command line options > %d", COMMAND_LINE_SIZE-1);
                strcat(strcat(options,append)," ");
    }

this check is wrong: COMMAND_LINE_SIZE is 512, IOW, the total buffer
size. Hence, an append string can be used to write beyond the options
buffer, too.

NB: The worst possible effect of this is causing the lilo program to behave
bizarrely and/or crash when processing root= or append= input that's too
large for the buffer.
_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
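The following is an added example, not code from the mail or from lilo. It models the two appends the mail quotes from bsect_common() against a 512-byte buffer: a bounded append_fmt() that refuses (and rolls back) any piece that would not fit, next to the quoted `strlen(append) > COMMAND_LINE_SIZE-1` test, so the off-by-one is visible on a constructed 511-byte append string. Only the LABEL= and UUID= forms of root= are reproduced, since those are the unbounded ones; "current" (stat) and plain device names (dev_number()) are not modelled. The function names, the -2 return for unmodelled root specs and the sample inputs are assumptions of this example.

```c
/* Bounded rewrite of the root=/append= handling quoted from lilo's
 * bsect_common(). Example code only, not lilo's own source. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define COMMAND_LINE_SIZE 512   /* size the mail gives for the options buffer */

/* Append a formatted piece to `options` (a buffer of `size` bytes) without
 * writing past its end. Returns 0 on success, -1 if the piece plus its
 * terminating NUL would not fit; in that case the truncated write is
 * rolled back and `options` is left exactly as it was. */
static int append_fmt(char *options, size_t size, const char *fmt, ...)
{
    const char *nul = memchr(options, '\0', size);
    if (nul == NULL)
        return -1;                      /* not NUL-terminated: already full */
    size_t used = (size_t)(nul - options);

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(options + used, size - used, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= size - used) {
        options[used] = '\0';           /* undo the truncated write */
        return -1;
    }
    return 0;
}

/* The check the mail quotes from lilo: it compares the append string on
 * its own against COMMAND_LINE_SIZE-1 and ignores both the trailing ' '
 * that strcat adds and whatever is already in the buffer.
 * Returns 1 if that check would let `append` through, 0 otherwise. */
static int quoted_append_check_passes(const char *append)
{
    return strlen(append) > COMMAND_LINE_SIZE - 1 ? 0 : 1;
}

/* Bounded version of the root= and append= handling. `root` and `append`
 * may be NULL (config key absent). Only LABEL= and UUID= root specs are
 * modelled (assumption of this example); anything else returns -2.
 * Returns 0 on success, -1 if the line would not fit in `size` bytes. */
static int build_options(char *options, size_t size,
                         const char *root, const char *append)
{
    options[0] = '\0';

    if (root != NULL) {
        if ((strlen(root) > 6 && !strncmp(root, "LABEL=", 6)) ||
            (strlen(root) > 5 && !strncmp(root, "UUID=", 5))) {
            if (append_fmt(options, size, "root=%s ", root) < 0)
                return -1;
        } else {
            return -2;                  /* "current" / dev_number() not modelled */
        }
    }
    if (append != NULL && append_fmt(options, size, "%s ", append) < 0)
        return -1;
    return 0;
}

int main(void)
{
    char options[COMMAND_LINE_SIZE];

    /* Constructed input: an append string of exactly 511 bytes. The quoted
     * check accepts it, yet 511 bytes + ' ' + NUL is 513 > 512. */
    char append[COMMAND_LINE_SIZE];
    memset(append, 'a', COMMAND_LINE_SIZE - 1);
    append[COMMAND_LINE_SIZE - 1] = '\0';
    printf("quoted check accepts 511-byte append: %d\n",
           quoted_append_check_passes(append));
    printf("bounded build with it: %d\n",
           build_options(options, sizeof options, "LABEL=rootfs", append));

    /* Constructed input: an oversized LABEL= value, the other unbounded case */
    char label[COMMAND_LINE_SIZE + 100];
    memset(label, 'x', sizeof label - 1);
    label[sizeof label - 1] = '\0';
    memcpy(label, "LABEL=", 6);
    printf("bounded build with 611-byte LABEL=: %d\n",
           build_options(options, sizeof options, label, "quiet"));

    printf("normal case: %d -> \"%s\"\n",
           build_options(options, sizeof options, "LABEL=rootfs", "quiet"),
           options);
    return 0;
}
```

The rollback in append_fmt() matters for lilo-style code that keeps appending into one buffer: after a rejected piece the buffer is still a valid, NUL-terminated string, so the caller can die() with a clean message instead of carrying a truncated fragment into the boot sector.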