packages/sudo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix an out of bounds read and another issue found by fuzz

Browse Source
This commit is contained in:
panxiaohe 2021-12-23 10:43:33 +08:00
parent 7fd1c2ce68
commit eade560e36
4 changed files with 217 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
backport-Only-strip-double-quotes-from-an-include-path-if-len.patch Normal file
View File

@ -0,0 +1,108 @@
From 665f8d2e3e52c3260bfc682044843a4183ecc210 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Wed, 3 Feb 2021 16:50:04 -0700
Subject: [PATCH] Only strip double quotes from an include path if len >= 2.
Found locally using libfuzzer/oss-fuzz.
---
plugins/sudoers/toke.c | 13 ++++++++-----
plugins/sudoers/toke.l | 13 ++++++++-----
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
index 6717e4f..f8dd1e1 100644
--- a/plugins/sudoers/toke.c
+++ b/plugins/sudoers/toke.c
@@ -5201,26 +5201,29 @@ init_lexer(void)
* Returns a reference-counted string.
*/
static char *
-expand_include(const char *opath, size_t olen)
+expand_include(const char *opath)
{
const char *cp, *ep;
char *path, *pp;
- int dirlen = 0, len;
+ size_t len, olen, dirlen = 0;
size_t shost_len = 0;
bool subst = false;
debug_decl(expand_include, SUDOERS_DEBUG_PARSER);
/* Strip double quotes if present. */
- if (*opath == '"') {
+ olen = strlen(opath);
+ if (olen > 1 && opath[0] == '"' && opath[olen - 1] == '"') {
opath++;
olen -= 2;
}
+ if (olen == 0)
+ debug_return_ptr(NULL);
/* Relative paths are located in the same dir as the sudoers file. */
if (*opath != '/') {
char *dirend = strrchr(sudoers, '/');
if (dirend != NULL)
- dirlen = (int)(dirend - sudoers) + 1;
+ dirlen = (size_t)(dirend - sudoers) + 1;
}
len = olen;
@@ -5278,7 +5281,7 @@ push_include(const char *opath, bool isdir)
FILE *fp;
debug_decl(push_include, SUDOERS_DEBUG_PARSER);
- if ((path = expand_include(opath, strlen(opath))) == NULL)
+ if ((path = expand_include(opath)) == NULL)
debug_return_bool(false);
/* push current state onto stack */
diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
index 499f3b1..22430ac 100644
--- a/plugins/sudoers/toke.l
+++ b/plugins/sudoers/toke.l
@@ -1006,26 +1006,29 @@ init_lexer(void)
* Returns a reference-counted string.
*/
static char *
-expand_include(const char *opath, size_t olen)
+expand_include(const char *opath)
{
const char *cp, *ep;
char *path, *pp;
- int dirlen = 0, len;
+ size_t len, olen, dirlen = 0;
size_t shost_len = 0;
bool subst = false;
debug_decl(expand_include, SUDOERS_DEBUG_PARSER);
/* Strip double quotes if present. */
- if (*opath == '"') {
+ olen = strlen(opath);
+ if (olen > 1 && opath[0] == '"' && opath[olen - 1] == '"') {
opath++;
olen -= 2;
}
+ if (olen == 0)
+ debug_return_ptr(NULL);
/* Relative paths are located in the same dir as the sudoers file. */
if (*opath != '/') {
char *dirend = strrchr(sudoers, '/');
if (dirend != NULL)
- dirlen = (int)(dirend - sudoers) + 1;
+ dirlen = (size_t)(dirend - sudoers) + 1;
}
len = olen;
@@ -1083,7 +1086,7 @@ push_include(const char *opath, bool isdir)
FILE *fp;
debug_decl(push_include, SUDOERS_DEBUG_PARSER);
- if ((path = expand_include(opath, strlen(opath))) == NULL)
+ if ((path = expand_include(opath)) == NULL)
debug_return_bool(false);
/* push current state onto stack */
--
1.8.3.1

32
backport-Strict-tz-offset-parsing.patch Normal file
View File

@ -0,0 +1,32 @@
From 439660c7fb02c17f43497fab3fa04bd59fe7ac53 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sat, 30 Jan 2021 09:29:31 -0700
Subject: [PATCH] Strict tz offset parsing. Fixes an out of bounds read found
locally using libfuzzer/oss-fuzz.
---
plugins/sudoers/gentime.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/plugins/sudoers/gentime.c b/plugins/sudoers/gentime.c
index efee05e..eb6d081 100644
--- a/plugins/sudoers/gentime.c
+++ b/plugins/sudoers/gentime.c
@@ -104,6 +104,14 @@ parse_gentime(const char *timestr)
/* No DST */
tm.tm_isdst = 0;
+ /* time zone offset must be hh or hhmm */
+ len = strspn(cp + 1, "0123456789");
+ if (len != 2 && len != 4) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "unable to parse time zone offset in %s, bad tz offset",
+ timestr);
+ debug_return_time_t(-1);
+ }
/* parse time zone offset */
items = sscanf(cp + 1, "%2d%2d", &hour, &min);
if (items == EOF || items < 1) {
--
1.8.3.1

67
backport-Stricter-parsing-of-generalized-time.patch Normal file
View File

@ -0,0 +1,67 @@
From 995601c621b5f6d1e57bccf267308b37b0d7ad49 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Sat, 30 Jan 2021 05:39:23 -0700
Subject: [PATCH] Stricter parsing of generalized time. Fixes potential out of
bounds read found by libfuzzer/oss-fuzz.
---
plugins/sudoers/gentime.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/plugins/sudoers/gentime.c b/plugins/sudoers/gentime.c
index 7f7cf7e..efee05e 100644
--- a/plugins/sudoers/gentime.c
+++ b/plugins/sudoers/gentime.c
@@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
- * Copyright (c) 2017 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2017, 2021 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -47,7 +47,7 @@
time_t
parse_gentime(const char *timestr)
{
- char tcopy[sizeof("yyyymmddHHMMSS.F")];
+ char tcopy[sizeof("yyyymmddHHMMSS")];
const char *cp;
time_t result;
struct tm tm;
@@ -56,9 +56,9 @@ parse_gentime(const char *timestr)
bool islocal = false;
debug_decl(parse_gentime, SUDOERS_DEBUG_PARSER);
- /* Make a copy of the time without time zone for easy parsing. */
- len = strspn(timestr, "0123456789.,");
- if (len >= sizeof(tcopy)) {
+ /* Make a copy of the non-fractional time without zone for easy parsing. */
+ len = strspn(timestr, "0123456789");
+ if (len >= sizeof(tcopy) || len < sizeof("yyyymmddHH") -1 || (len & 1)) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
"unable to parse general time string %s", timestr);
debug_return_time_t(-1);
@@ -75,9 +75,9 @@ parse_gentime(const char *timestr)
"only parsed %d items in general time string %s", items, timestr);
debug_return_time_t(-1);
}
- cp = timestr + ((items + 1) * 2);
/* Parse optional fractional hours/minute/second if present. */
+ cp = timestr + len;
if ((cp[0] == '.' || cp[0] == ',') && isdigit((unsigned char)cp[1])) {
int frac = cp[1] - '0';
switch (items) {
@@ -96,6 +96,7 @@ parse_gentime(const char *timestr)
cp += 2; /* skip over radix and fraction */
}
+ /* Parse optional time zone. */
switch (*cp) {
case '-':
case '+': {
--
1.8.3.1

11
sudo.spec
View File

@ -1,6 +1,6 @@
Name: sudo
Version: 1.9.2
Release: 4
Release: 5
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/
@ -20,6 +20,9 @@ Patch6: backport-0004-CVE-2021-3156-Fix-the-memset-offset.patch
Patch7: backport-0005-CVE-2021-3156-Dont-assume-that-argv.patch
Patch8: backport-Fix-runstatedir-handling-for-distros-that-do-not-support-it.patch
Patch9: backport-In-json_stack_push-treat-stack-exhaustion-like-memory-allocation-failure.patch
Patch10: backport-Stricter-parsing-of-generalized-time.patch
Patch11: backport-Strict-tz-offset-parsing.patch
Patch12: backport-Only-strip-double-quotes-from-an-include-path-if-len.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
@ -160,6 +163,12 @@ install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
%exclude %{_pkgdocdir}/ChangeLog
%changelog
* Thu Dec 23 2021 panxiaohe <panxiaohe@huawei.com> - 1.9.2-5
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:fix an out of bounds read and another issue found by fuzz
* Thu Sep 16 2021 yixiangzhike <zhangxingliang3@huawei.com> - 1.9.2-4
- Type:bugfix
- ID:NA