:: Re: [DNG] lilo
Góra strony
Delete this message
Reply to this message
Autor: Rainer Weikusat
Data:  
Dla: dng
Temat: Re: [DNG] lilo
Rainer Weikusat <rweikusat@???> writes:

[...]

> I'll certainly fix any CVE-level issue I consider to be relevant for my
> use cases


While we're at that: There's a bunch of (very likely harmless) buffer
overflows in the bsect_common function (bsect.c), namely this here:

    if ((root = cfg_get_strg(cf_kernel,"root")) || (root = cfg_get_strg(
      cf_options,"root")))  {
    if (!strcasecmp(root,"current")) {
        if (stat("/",&st) < 0) pdie("stat /");
        sprintf(strchr(options,0),"root=%x ",(unsigned int) st.st_dev);
    }
    else if (strlen(root)>6 && !strncmp(root,"LABEL=",6)) {
        sprintf(strchr(options,0),"root=%s ", root);
    }
        else if (strlen(root)>5 && !strncmp(root,"UUID=",5)) {
            sprintf(strchr(options,0),"root=%s ", root);
        }
    else {
        sprintf(strchr(options,0),"root=%x ",dev_number(root));
    }
      }    


options is a 512 byte buffer. As there's no length check and no implicit
restriction for root device specifications starting with LABEL= or
UUID=, the config file can contain a value long enough to overwrite
whatever happens to be behind the options buffer.

Likewise,

    append_local = cfg_get_strg(cf_options,"append");    /* global, actually */
    if ((append = cfg_get_strg(cf_kernel,"append")) ||
    (append = append_local)  ) {
        if (strlen(append) > COMMAND_LINE_SIZE-1) die("Command line options > %d", COMMAND_LINE_SIZE-1);
        strcat(strcat(options,append)," ");
    }


this check is wrong: COMMAND_LINE_SIZE is 512, IOW, the total buffer
size. Hence, an append string can be used to write beyond the options
buffer, too.

NB: The worst possible effect of this is causing the lilo program to behave
bizarrely and/or crash when processing root= or append= input that's too
large for the buffer.