| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Oct 2021 11:02:33 +0900
From: Masahiro Yamada <masahiroy@...nel.org>
To: Nicolas Schier <nicolas@...sle.eu>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>,
Thomas Kühnel <thomas.kuehnel@....de>
Subject: Re: [PATCH] initramfs: Check timestamp to prevent broken cpio archive
On Fri, Oct 8, 2021 at 3:59 AM Nicolas Schier <nicolas@...sle.eu> wrote:
>
> Cpio format reserves 8 bytes for an ASCII representation of a time_t timestamp.
> While 2106-02-07 06:28:15 (time_t = 0xffffffff) is still some years in the
> future, a poorly chosen date string for KBUILD_BUILD_TIMESTAMP, converted into
> seconds since the epoch, might lead to exceeded cpio timestamp limits that
> results in a broken cpio archive. Add timestamp checks to prevent overrun of
> the 8-byte cpio header field.
Out of curiosity, how did you figure out
"2106-02-07 06:28:15" was the overflow point?
Is it affected by leap seconds?
I got ffff816f
$ printf "%x" $(date -d'2106-02-07 06:28:15' +%s)
ffff816f
> My colleague Thomas Kühnel discovered the behaviour, when we accidentally fed
> SOURCE_DATE_EPOCH to KBUILD_BUILD_TIMESTAMP as is: some timestamps (e.g.
> 1607420928 = 2021-12-08 10:48:48) will be interpreted by `date` as a valid date
> specification of science fictional times (here: year 160742). Even though this
> is bad input for KBUILD_BUILD_TIMESTAMP, it should not break the initramfs
> cpio format.
>
> Signed-off-by: Nicolas Schier <nicolas@...sle.eu>
> Cc: Thomas Kühnel <thomas.kuehnel@....de>
> ---
> usr/gen_init_cpio.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
> index 03b21189d58b..983dcdd35925 100644
> --- a/usr/gen_init_cpio.c
> +++ b/usr/gen_init_cpio.c
> @@ -320,6 +320,12 @@ static int cpio_mkfile(const char *name, const char *location,
> goto error;
> }
>
> + if (buf.st_mtime > 0xffffffff) {
> + fprintf(stderr, "%s: Timestamp exceeds maximum cpio timestamp, clipping.\n",
> + location);
> + buf.st_mtime = 0xffffffff;
> + }
> +
> filebuf = malloc(buf.st_size);
> if (!filebuf) {
> fprintf (stderr, "out of memory\n");
> @@ -551,6 +557,17 @@ int main (int argc, char *argv[])
> }
> }
>
> + /*
> + * Timestamps after 2106-02-07 06:28:15 have an ascii hex time_t
> + * representation that exceeds 8 chars and breaks the cpio header
> + * specification.
> + */
> + if (default_mtime > 0xffffffff) {
> + fprintf(stderr, "ERROR: Timestamp 0x%08x too large for cpio format\n",
> + default_mtime);
> + exit(1);
> + }
> +
> if (argc - optind != 1) {
> usage(argv[0]);
> exit(1);
> --
> 2.30.1
>
--
Best Regards
Masahiro Yamada
Powered by blists - more mailing lists