[LEDE-DEV] [PATCH 1/2] firmware-utils: mkdapimg2: Fix potential buffer overflow

Arjen de Korte build+openwrt at de-korte.org
Mon Apr 23 08:01:20 PDT 2018 

Citeren Rosen Penev <rosenp at gmail.com>:

> If GCC is built with stack smashing protection enabled (SSP), it  
> errors when compiling lzma-loader.
>
> Switching to strncpy seems to be an easy way to fix this. It's  
> probably better to use snprintf or strlcpy but the latter is not  
> available for glibc systems.

This seems to be the wrong solution to a problem. For each of the  
strings involved, storage is allocated on the stack. There is a length  
check before the contents of the arguments provided, is copied.  
However, the values checked against are incorrect. The required  
storage length for a string will be strlen(string) + 1 (to allow for  
the terminating NUL byte).

So instead of

117	if (strlen(optarg) > MAX_SIGN_LEN + 1) {
125	if (strlen(optarg) > MAX_FW_VER_LEN + 1) {
133	if (strlen(optarg) > MAX_REG_LEN + 1) {

the correct check would have been

117	if (strlen(optarg) > MAX_SIGN_LEN - 1) {
125	if (strlen(optarg) > MAX_FW_VER_LEN - 1) {
133	if (strlen(optarg) > MAX_REG_LEN - 1) {

Good catch though.

> Output of crash below:
>
> *** buffer overflow detected ***:  
> /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg2  
> terminated
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f6318ea77e5]
> /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f6318f4915c]
> /lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f6318f47160]
> /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg2[0x400ab7]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6318e50830]
> /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg2[0x400e69]
> ======= Memory map: ========
> 00400000-00402000 r-xp 00000000 00:00 223275                      
> /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg200601000-00602000 r--p 00001000 00:00 223275                     /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg200602000-00603000 rw-p 00002000 00:00 223275                     /home/mangix/devstuff/openwrt/staging_dir/host/bin/mkdapimg2018c2000-018e3000 rw-p 00000000 00:00 0                           
> [heap]
> 7f6318c10000-7f6318c26000 r-xp 00000000 00:00 122040              
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f6318c26000-7f6318e25000 ---p 00016000 00:00 122040              
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f6318e25000-7f6318e26000 rw-p 00015000 00:00 122040              
> /lib/x86_64-linux-gnu/libgcc_s.so.1
> 7f6318e30000-7f6318ff0000 r-xp 00000000 00:00 123971              
> /lib/x86_64-linux-gnu/libc-2.23.so
> 7f6318ff0000-7f6318ff9000 ---p 001c0000 00:00 123971              
> /lib/x86_64-linux-gnu/libc-2.23.so
> 7f6318ff9000-7f63191f0000 ---p 001c9000 00:00 123971              
> /lib/x86_64-linux-gnu/libc-2.23.so
> 7f63191f0000-7f63191f4000 r--p 001c0000 00:00 123971              
> /lib/x86_64-linux-gnu/libc-2.23.so
> 7f63191f4000-7f63191f6000 rw-p 001c4000 00:00 123971              
> /lib/x86_64-linux-gnu/libc-2.23.so
> 7f63191f6000-7f63191fa000 rw-p 00000000 00:00 0
> 7f6319200000-7f6319226000 r-xp 00000000 00:00 123969              
> /lib/x86_64-linux-gnu/ld-2.23.so
> 7f6319425000-7f6319426000 r--p 00025000 00:00 123969              
> /lib/x86_64-linux-gnu/ld-2.23.so
> 7f6319426000-7f6319427000 rw-p 00026000 00:00 123969              
> /lib/x86_64-linux-gnu/ld-2.23.so
> 7f6319427000-7f6319428000 rw-p 00000000 00:00 0
> 7f6319460000-7f6319461000 rw-p 00000000 00:00 0
> 7f6319470000-7f6319471000 rw-p 00000000 00:00 0
> 7f6319480000-7f6319481000 rw-p 00000000 00:00 0
> 7f6319490000-7f6319491000 rw-p 00000000 00:00 0
> 7fffca52e000-7fffcad2e000 rw-p 00000000 00:00 0                  [stack]
> 7fffcb121000-7fffcb122000 r-xp 00000000 00:00 0                  [vdso]
> make -r world: build failed. Please re-run make with -j1 V=s to see  
> what's going on
>
> Signed-off-by: Rosen Penev <rosenp at gmail.com>
> ---
>  tools/firmware-utils/src/mkdapimg2.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tools/firmware-utils/src/mkdapimg2.c  
> b/tools/firmware-utils/src/mkdapimg2.c
> index aef003c..59c9f00 100644
> --- a/tools/firmware-utils/src/mkdapimg2.c
> +++ b/tools/firmware-utils/src/mkdapimg2.c
> @@ -119,7 +119,7 @@ main(int ac, char *av[])
>  					progname, MAX_SIGN_LEN);
>  				exit(1);
>  			}
> -			strcpy(signature, optarg);
> +			strncpy(signature, optarg, MAX_SIGN_LEN);
>  			break;
>  		case 'v':
>  			if (strlen(optarg) > MAX_FW_VER_LEN + 1) {
> @@ -127,7 +127,7 @@ main(int ac, char *av[])
>  					progname, MAX_FW_VER_LEN);
>  				exit(1);
>  			}
> -			strcpy(version, optarg);
> +			strncpy(version, optarg, MAX_FW_VER_LEN);
>  			break;
>  		case 'r':
>  			if (strlen(optarg) > MAX_REG_LEN + 1) {
> @@ -135,7 +135,7 @@ main(int ac, char *av[])
>  					progname, MAX_REG_LEN);
>  				exit(1);
>  			}
> -			strcpy(region, optarg);
> +			strncpy(region, optarg, MAX_REG_LEN);
>  			break;
>  		case 'k':
>  			kernel = strtoul(optarg, &ptr, 0);

More information about the Lede-dev mailing list