Fix intra-object buffer overread for labeled msdosfs volumes
ClosedPublic
Actions

Authored by jrtc27 on Oct 20 2021, 2:02 PM.

Details

Reviewers

cem
imp

Commits

rG34fb1c133c5b: Fix intra-object buffer overread for labeled msdosfs volumes

Summary

Volume labels, like directory entries, are padded with spaces and so
have no NUL terminator. Whilst the MIN for the dsize argument to strlcpy
ensures that the copy does not overflow the destination, strlcpy is
defined to return the number of characters in the source string,
regardless of the provided dsize, and so keeps reading until it finds a
NUL, which likely exists somewhere within the following fields, but On
CHERI with the subobject bounds enabled in the compiler this buffer
overread will be detected and trap with a bounds violation.

Found by: CHERI

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jrtc27 requested review of this revision.Oct 20 2021, 2:02 PM

jrtc27 created this revision.

Harbormaster completed remote builds in B42273: Diff 97169.Oct 20 2021, 2:02 PM

Might be worth making the same change to usr/sbin/fstyp/msdosfs.c; it's largely copy/pasted from here.

I like it. Is there a coccinelle script we can run on the whole tree?

imp accepted this revision.Oct 20 2021, 3:31 PM

This revision is now accepted and ready to land.Oct 20 2021, 3:31 PM

In D32579#735324, @imp wrote:

I like it. Is there a coccinelle script we can run on the whole tree?

Presumably the transform isn't hard to write for someone who knows coccinelle, but the issue is knowing whether a string is from a trusted source or not (in the sense that we can trust it to have a NUL byte; strlcpy is safe if you know there's a NUL in the object but just cannot guarantee a bound on its length). For that you'd presumably need taint tracking via annotations on every data structure.

jrtc27 retitled this revision from geom_label: Avoid buffer overread for labeled msdosfs volumes to Fix intra-object buffer overread for labeled msdosfs volumes.Oct 20 2021, 3:40 PM

Apply identical patch to fstyp

This revision now requires review to proceed.Oct 20 2021, 3:40 PM

Harbormaster completed remote builds in B42276: Diff 97174.Oct 20 2021, 3:40 PM

In D32579#735297, @trasz wrote:

Might be worth making the same change to usr/sbin/fstyp/msdosfs.c; it's largely copy/pasted from here.

Indeed, git show | patch usr.sbin/fstyp/msdosfs.c just worked :D

In D32579#735327, @jrtc27 wrote:

Presumably the transform isn't hard to write for someone who knows coccinelle, but the issue is knowing whether a string is from a trusted source or not (in the sense that we can trust it to have a NUL byte; strlcpy is safe if you know there's a NUL in the object but just cannot guarantee a bound on its length). For that you'd presumably need taint tracking via annotations on every data structure.

I'll take a stab at writing it.

Without a tag, coccinelle is a bit limited to looking for access via a structure...

This revision was not accepted when it landed; it landed in state Needs Review.Oct 27 2021, 5:39 PM

Closed by commit rG34fb1c133c5b: Fix intra-object buffer overread for labeled msdosfs volumes (authored by jrtc27). · Explain Why

This revision was automatically updated to reflect the committed changes.

jrtc27 added a commit: rG34fb1c133c5b: Fix intra-object buffer overread for labeled msdosfs volumes.

The following script

// xxx
@@
FAT_BSBPB *bsb;
expression E1, E2;
@@
- strlcpy(E1,bsb->BS_VolLab,E2)
+ THIS_IS_BOGUS(E1,bsb->BS_VolLab,E2)

@@
FAT32_BSBPB *bsb;
expression E1, E2;
@@
- strlcpy(E1,bsb->BS_VolLab,E2)
+ THIS_IS_BOGUS(E1,bsb->BS_VolLab,E2)

Found no further instances of this in the tree.

imp added a comment.Oct 27 2021, 6:16 PM

This comment was removed by imp.