[yocto] [meta-gplv2][PATCH] dosfstools: fix out of bound writes

Bagwell, Anthony anthony.bagwell at hivehome.com
Wed Nov 6 04:37:54 PST 2019


Fix out-of-bounds write issues where sprintf writes across both the name and ext fields
and writes the final null terminator outside the struct

Signed-off-by: AJ Bagwell <anthony.bagwell at hivehome.com>
---
 .../fixing-out-of-bound-writes.patch          | 54 +++++++++++++++++++
 .../dosfstools/dosfstools_2.11.bb             |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch

diff --git a/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
new file mode 100644
index 0000000..f80f5ab
--- /dev/null
+++ b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
@@ -0,0 +1,54 @@
+Fix out of bound write issues where sprintf writes across both
+name and ext fields and drops the final null terminator outside the struct
+
+Upstream-Status: Inappropriate [licensing]
+We're tracking an old release of dosfstools due to licensing issues.
+
+diff --git a/dosfsck/check.c b/dosfsck/check.c
+index e8c13bb..91177d3 100644
+--- a/dosfsck/check.c
++++ b/dosfsck/check.c
+@@ -58,6 +58,13 @@ static DOS_FILE *root;
+     }\
+   } while(0)
+
++static void de_printf(DIR_ENT *de, const char *pattern, int curr_num)
++{
++    char buffer[12];
++    sprintf(buffer, pattern, curr_num);
++    memcpy(de->name, buffer, 8);
++    memcpy(de->ext, buffer + 8, 3);
++}
+
+ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ {
+@@ -110,7 +117,8 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ }
+ memset(de,0,sizeof(DIR_ENT));
+ while (1) {
+-    sprintf(de->name,pattern,curr_num);
++    de_printf(de, pattern, curr_num);
++
+     clu_num = fs->root_cluster;
+     i = 0;
+     offset2 = cluster_start(fs,clu_num);
+@@ -150,7 +158,7 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ offset = fs->root_start+next_free*sizeof(DIR_ENT);
+ memset(de,0,sizeof(DIR_ENT));
+ while (1) {
+-    sprintf(de->name,pattern,curr_num);
++    de_printf(de, pattern, curr_num);
+     for (scan = 0; scan < fs->root_entries; scan++)
+ if (scan != next_free &&
+     !strncmp(root[scan].name,de->name,MSDOS_NAME))
+@@ -311,8 +319,8 @@ static void auto_rename(DOS_FILE *file)
+     first = file->parent ? file->parent->first : root;
+     number = 0;
+     while (1) {
+-sprintf(file->dir_ent.name,"FSCK%04d",number);
+-strncpy(file->dir_ent.ext,"REN",3);
++de_printf(&file->dir_ent, "FSCK%04dREN", number);
++
+ for (walk = first; walk; walk = walk->next)
+     if (walk != file && !strncmp(walk->dir_ent.name,file->dir_ent.
+       name,MSDOS_NAME)) break;
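Review bot: In the added `de_printf`, `sprintf(buffer, pattern, curr_num)` is still an unbounded write: `buffer` holds 12 bytes, which fits `FSCK%04dREN` only while the number prints as four characters, and `%04d` is a minimum width, so 10000 or more (or a negative value) runs past the stack buffer. No upper bound on `number` or `curr_num` is visible in these hunks (the `while (1)` loops of `alloc_rootdir_entry` and `auto_rename` continue outside them), so the helper should bound itself with `int n = snprintf(buffer, sizeof buffer, pattern, curr_num);` and treat `n < 0 || (size_t)n >= sizeof buffer` as an error rather than silently truncating the name used by the later `strncmp(..., MSDOS_NAME)` collision checks. Declaring `char buffer[12] = {0};` would also stop the two `memcpy` calls from copying uninitialised stack bytes into `de->name`/`de->ext` if a pattern ever expands to fewer than 11 characters. Since `pattern` is a non-literal format string, a short comment on `de_printf` stating that callers must pass a trusted pattern with exactly one `%d` conversion would make that contract explicit.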
diff --git a/recipes-devtools/dosfstools/dosfstools_2.11.bb b/recipes-devtools/dosfstools/dosfstools_2.11.bb
index dd543b1..37c2181 100644
--- a/recipes-devtools/dosfstools/dosfstools_2.11.bb
+++ b/recipes-devtools/dosfstools/dosfstools_2.11.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://pkgs.fedoraproject.org/repo/pkgs/${BPN}/${BP}.src.tar.gz/407d4
            file://nofat32_autoselect.patch \
            file://fix_populated_dosfs_creation.patch \
            file://0001-Include-fcntl.h-for-getting-loff_t-definition.patch \
+   file://fixing-out-of-bound-writes.patch \
 "

 SRC_URI[md5sum] = "407d405ade410f7597d364ab5dc8c9f6"
--
2.17.1


