From patchwork Mon Jan 10 10:40:12 2022
X-Patchwork-Submitter: tim174
X-Patchwork-Id: 2014
Date: Mon, 10 Jan 2022 10:40:12 +0000
To: "pacman-dev@lists.archlinux.org"
From: tim174
Subject: [PATCH] Fix buffer overflow for 'Include' parameter in pacman.conf
Message-ID:
List-Id: Discussion list for pacman development

If the 'Include' parameter in the config file is set to a long string (for example 3000x '/') the pacman config parser will crash when calling glob in conf.c with this value. If the string is shorter than approx. 3000 symbols the normal error message is printed and the segfault does not occur. I was able to reproduce this on my own system and on the official Arch Linux iso image.

The PATH_MAX variable is too large to prevent this bug, hence the new variable GLOB_LIMIT with a security buffer of 1000 since I don't know how persistent this limit is across systems. Its origin is unclear to me and I am not sure if it is a fixed value. This is why I would appreciate any help to make this a sustainable patch.

Thanks
Tim

Signed-off-by: Tim
---
 src/pacman/conf.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--
2.34.1

diff --git a/src/pacman/conf.c b/src/pacman/conf.c index f9edf75b..d8222752 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -65,6 +65,9 @@ config_t *config = NULL; #define BOLDWHITE "\033[1;37m" #define GREY46 "\033[38;5;243m" +/* limit for glob input variable */ +#define GLOB_LIMIT 2000 + void enable_colors(int colors) { colstr_t *colstr = &config->colstr; @@ -1042,6 +1045,13 @@ static int process_include(const char *value, void *data, return 1; } + if(strlen(value) > GLOB_LIMIT) { + pm_printf(ALPM_LOG_ERROR, + ("config file %s, line %d, directive '%s': value too long\n"), + file, linenum, "Include"); + return 1; + } + if(section->depth >= config_max_recursion) { pm_printf(ALPM_LOG_ERROR, _("config parsing exceeded max recursion depth of %d.\n"),
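Review bot: the `#define GLOB_LIMIT 2000` added in the first hunk is an unexplained magic number, and its comment `/* limit for glob input variable */` records what the macro is but not why 2000 was chosen; the cover text itself says the ~3000-character threshold at which glob() crashes is of unknown origin and may differ between systems, so the comment (and the commit message) should state what failure the cap prevents and how the value was derived, otherwise a future reader cannot tell whether it is still correct. More importantly, capping the length of the Include value avoids the crash without explaining it: before merging it is worth establishing whether the fault is inside glob(3)'s handling of a long pattern or in how conf.c uses its result, since if glob reports an error for such input the right fix is to check and report that return value rather than to guess a safe input size.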
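Review bot: the error message in the second hunk, `("config file %s, line %d, directive '%s': value too long\n")`, is wrapped in bare parentheses instead of the `_()` gettext macro that the neighbouring `_("config parsing exceeded max recursion depth of %d.\n")` uses, so it will never be picked up for translation; it should read `_("config file %s, line %d, directive '%s': value too long\n")`. The guard itself is placed consistently with the surrounding error paths (it runs before the recursion-depth check and returns 1 like them), but since `strlen(value) > GLOB_LIMIT` accepts a value of exactly GLOB_LIMIT characters, the macro's comment should say whether the limit is inclusive so the two agree.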