Page MenuHomeFreeBSD

Fix intra-object buffer overread for labeled msdosfs volumes
ClosedPublic

Authored by jrtc27 on Oct 20 2021, 2:02 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 20, 12:37 AM
Unknown Object (File)
Oct 4 2024, 3:53 AM
Unknown Object (File)
Sep 20 2024, 2:19 PM
Unknown Object (File)
Sep 19 2024, 2:55 PM
Unknown Object (File)
Sep 16 2024, 11:56 PM
Unknown Object (File)
Sep 8 2024, 10:56 AM
Unknown Object (File)
Sep 4 2024, 2:51 PM
Unknown Object (File)
Sep 4 2024, 2:50 PM
Subscribers

Details

Summary

Volume labels, like directory entries, are padded with spaces and so
have no NUL terminator. Whilst the MIN for the dsize argument to strlcpy
ensures that the copy does not overflow the destination, strlcpy is
defined to return the number of characters in the source string,
regardless of the provided dsize, and so keeps reading until it finds a
NUL, which likely exists somewhere within the following fields, but On
CHERI with the subobject bounds enabled in the compiler this buffer
overread will be detected and trap with a bounds violation.

Found by: CHERI

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jrtc27 created this revision.

Might be worth making the same change to usr/sbin/fstyp/msdosfs.c; it's largely copy/pasted from here.

I like it. Is there a coccinelle script we can run on the whole tree?

This revision is now accepted and ready to land.Oct 20 2021, 3:31 PM
In D32579#735324, @imp wrote:

I like it. Is there a coccinelle script we can run on the whole tree?

Presumably the transform isn't hard to write for someone who knows coccinelle, but the issue is knowing whether a string is from a trusted source or not (in the sense that we can trust it to have a NUL byte; strlcpy is safe if you know there's a NUL in the object but just cannot guarantee a bound on its length). For that you'd presumably need taint tracking via annotations on every data structure.

jrtc27 retitled this revision from geom_label: Avoid buffer overread for labeled msdosfs volumes to Fix intra-object buffer overread for labeled msdosfs volumes.Oct 20 2021, 3:40 PM

Apply identical patch to fstyp

This revision now requires review to proceed.Oct 20 2021, 3:40 PM

Might be worth making the same change to usr/sbin/fstyp/msdosfs.c; it's largely copy/pasted from here.

Indeed, git show | patch usr.sbin/fstyp/msdosfs.c just worked :D

Presumably the transform isn't hard to write for someone who knows coccinelle, but the issue is knowing whether a string is from a trusted source or not (in the sense that we can trust it to have a NUL byte; strlcpy is safe if you know there's a NUL in the object but just cannot guarantee a bound on its length). For that you'd presumably need taint tracking via annotations on every data structure.

I'll take a stab at writing it.

Without a tag, coccinelle is a bit limited to looking for access via a structure...

This revision was not accepted when it landed; it landed in state Needs Review.Oct 27 2021, 5:39 PM
This revision was automatically updated to reflect the committed changes.

The following script

// xxx
@@
FAT_BSBPB *bsb;
expression E1, E2;
@@
- strlcpy(E1,bsb->BS_VolLab,E2)
+ THIS_IS_BOGUS(E1,bsb->BS_VolLab,E2)

@@
FAT32_BSBPB *bsb;
expression E1, E2;
@@
- strlcpy(E1,bsb->BS_VolLab,E2)
+ THIS_IS_BOGUS(E1,bsb->BS_VolLab,E2)

Found no further instances of this in the tree.

This comment was removed by imp.