fuse: CVE-2018-10906

* CVE-2018-10906-1:

fusermount: don't feed "escaped commas" into mount options

The old code permits the following behavior:

$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

However, backslashes do not have any special meaning for the kernel here.

As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.

* CVE-2018-10906-2:

fusermount: refuse unknown options

Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.

Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.

Affects fuse < 2.9.8 and fuse < 3.2.5

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Jagadeesh Krishnanjanappa 2018-08-23 16:51:23 +05:30 committed by Armin Kuster
parent aea43f26ee
commit be79b8b111
3 changed files with 102 additions and 0 deletions
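As an added example (not code from libfuse or from this commit), here is a small C model of the option scan that the two patches together produce: backslash escapes are honoured only in fsname=/subtype=, and every other option must be on the whitelist or the mount is refused instead of the option being forwarded to the kernel. The function name filter_mount_opts and the omission of flag options such as ro/nosuid are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libfuse code: a minimal model of the option scan in
 * fusermount's do_mount() after both CVE-2018-10906 patches. Flag options
 * (ro, nosuid, ...) are omitted; fsname=/subtype= are consumed here and not
 * forwarded, as fusermount handles them separately. Returns 0 and fills
 * `kernel_opts` with what would reach mount(2), or -1 with the offending
 * option copied into `bad`. */
static bool begins_with(const char *s, const char *beg)
{ return strncmp(s, beg, strlen(beg)) == 0; }
static bool opt_eq(const char *s, unsigned len, const char *opt)
{ return strlen(opt) == len && strncmp(s, opt, len) == 0; }
int filter_mount_opts(const char *opts, char *kernel_opts, size_t cap,
                      char *bad, size_t badcap)
{
    const char *s = opts;
    size_t used = 0;
    kernel_opts[0] = '\0';
    while (*s) {
        unsigned len;
        /* Patch 1: "\," is an escape only in options that get unescaped. */
        bool escape_ok = begins_with(s, "fsname=") || begins_with(s, "subtype=");
        for (len = 0; s[len]; len++) {
            if (escape_ok && s[len] == '\\' && s[len + 1])
                len++;          /* skip the escaped character */
            else if (s[len] == ',')
                break;
        }
        if (escape_ok) {
            /* consumed by fusermount itself; nothing forwarded */
        } else if (opt_eq(s, len, "default_permissions") || opt_eq(s, len, "allow_other") ||
                   begins_with(s, "max_read=") || begins_with(s, "blksize=")) {
            /* Patch 2: whitelist of known-harmless options, copied verbatim. */
            if (used + len + 2 > cap) return -1;
            memcpy(kernel_opts + used, s, len);
            used += len;
            kernel_opts[used++] = ',';
            kernel_opts[used] = '\0';
        } else {
            snprintf(bad, badcap, "%.*s", (int)len, s);
            return -1;
        }
        s += len;
        if (*s == ',') s++;
    }
    return 0;
}
```

With the input from the commit message, 'foobar=\,allow_other', the scan now stops at the comma, leaves "foobar=\" as an unknown option and refuses it, so allow_other can no longer ride into the kernel's option string behind an escape.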


@ -0,0 +1,52 @@
From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
From: Jann Horn <jannh@google.com>
Date: Fri, 13 Jul 2018 15:15:36 -0700
Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
The old code permits the following behavior:
$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
However, backslashes do not have any special meaning for the kernel here.
As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.
CVE: CVE-2018-10906
Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466]
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
util/fusermount.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/util/fusermount.c b/util/fusermount.c
index 0e1d34d..143bd4a 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -29,6 +29,7 @@
#include <sys/socket.h>
#include <sys/utsname.h>
#include <sched.h>
+#include <stdbool.h>
#define FUSE_COMMFD_ENV "_FUSE_COMMFD"
@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
unsigned len;
const char *fsname_str = "fsname=";
const char *subtype_str = "subtype=";
+ bool escape_ok = begins_with(s, fsname_str) ||
+ begins_with(s, subtype_str);
for (len = 0; s[len]; len++) {
- if (s[len] == '\\' && s[len + 1])
+ if (escape_ok && s[len] == '\\' && s[len + 1])
len++;
else if (s[len] == ',')
break;
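Review bot: The `escape_ok` test at the top of this hunk is computed once per option from `s`, so it classifies the whole option, and for anything other than fsname=/subtype= a backslash now stays in place and the following comma terminates the option; a one-line comment stating that only those two options are unescaped later would put the reason for the two prefixes in the code rather than only in the commit message. The hunk also relies on `begins_with` already existing in this version of util/fusermount.c, which the backporter should confirm, since the patch does not add it.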
--
2.13.3


@ -0,0 +1,48 @@
From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
From: Jann Horn <jannh@google.com>
Date: Sat, 14 Jul 2018 03:47:50 -0700
Subject: [PATCH] fusermount: refuse unknown options
Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.
Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.
CVE: CVE-2018-10906
Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414]
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
util/fusermount.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/util/fusermount.c b/util/fusermount.c
index 4e0f51a..2792407 100644
--- a/util/fusermount.c
+++ b/util/fusermount.c
@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
flags |= flag;
else
flags &= ~flag;
- } else {
+ } else if (opt_eq(s, len, "default_permissions") ||
+ opt_eq(s, len, "allow_other") ||
+ begins_with(s, "max_read=") ||
+ begins_with(s, "blksize=")) {
memcpy(d, s, len);
d += len;
*d++ = ',';
+ } else {
+ fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
+ exit(1);
}
}
}
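Review bot: In the new `fprintf` near the bottom of the hunk, the `%.*s` precision argument must be an `int`, but `len` is declared `unsigned` in do_mount (visible in the first patch's hunk), so it should be passed as `(int)len` to keep the call well-defined and warning-free. Calling `exit(1)` from inside do_mount also skips any cleanup a shared error path in this function would perform; if one exists, routing the refusal through it would be more consistent. Note that `max_read=` and `blksize=` are matched by prefix only, so their values are still forwarded verbatim, which is acceptable once the first patch stops an escaped comma from smuggling a second option inside such a value.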
--
2.13.3


@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
file://aarch64.patch \
file://0001-fuse-fix-the-return-value-of-help-option.patch \
file://fuse.conf \
file://CVE-2018-10906-1.patch \
file://CVE-2018-10906-2.patch \
"
SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"
SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"
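Review bot: Both patches modify do_mount in util/fusermount.c, so keep them listed in this order in SRC_URI, as the second one is written on top of the first. Each patch header carries a `CVE: CVE-2018-10906` tag, which is what the build's CVE checking uses to record the issue as patched, so nothing further is needed in the recipe for that.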