Patchwork [Security,Announcement] fscanf format string security bug in flashrom layout code

Submitter Carl-Daniel Hailfinger
Date 2016-03-13 17:29:02
Message ID <56E5A35E.9040608@gmx.net>
Permalink /patch/4427/
State New

Comments

Carl-Daniel Hailfinger - 2016-03-13 17:29:02

An internal security audit of the flashrom project by
Carl-Daniel Hailfinger found a buffer overflow bug present in all
flashrom versions since the year 2005.
This bug was independently found and reported to flashrom.org by
Cosmin Gorgovan a few days ago.

A buffer on the stack and a buffer on the heap are affected by the
overflow caused by an incorrect fscanf format string.
The buffer overflow can only be triggered if the optional layout feature
is used and if the user manually specifies a specially crafted layout
file on the command line. Command line parsing and flash image handling
do not trigger the buggy code path.
Most usage of flashrom does not involve layout files.

The fix in this commit (changed fscanf format string) can be applied to
layout.c of all past flashrom versions.

Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>


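The following is an added example, not flashrom's code: a layout-line reader written in the spirit of the patched format string. It assumes 256-byte destination fields (implied by the `%255s` width) and the `start:end name` line format, uses explicit conversion widths, and rejects rather than silently truncates overlong tokens, because a width-limited conversion leaves the tail of a long token in the input where the next read would pick it up as a new field.

```c
#include <stdio.h>
#include <string.h>
/* Assumed sizes: the patch's "%255s" implies 256-byte destination buffers. */
#define FIELD_LEN 256
/* range holds the "start:end" text (tempstr in the patch), name the region name. */
struct rom_entry { char range[FIELD_LEN]; char name[FIELD_LEN]; };

/* Parse one "start:end name" line. Returns 1 on success, 0 if the line is
 * malformed, overlong, has extra fields, or a token exceeds its buffer: a
 * width-limited %255s truncates silently and leaves the tail in the input,
 * so the trailing-text check below rejects it instead of passing it on. */
static int parse_layout_line(const char *line, size_t len, struct rom_entry *e)
{
    char buf[1024]; int consumed = 0;
    if (len >= sizeof buf)
        return 0;
    memcpy(buf, line, len);
    buf[len] = '\0';
    /* Explicit field widths, as in the patched fscanf format string. */
    if (sscanf(buf, "%255s %255s%n", e->range, e->name, &consumed) != 2)
        return 0;
    for (const char *p = buf + consumed; *p != '\0'; p++)
        if (*p != ' ' && *p != '\t' && *p != '\r')
            return 0;
    return 1;
}

/* Read all valid entries from an in-memory layout file; returns the count. */
int read_layout(const char *text, struct rom_entry *entries, int max_entries)
{
    int n = 0;
    for (const char *p = text; *p != '\0' && n < max_entries; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (parse_layout_line(p, len, &entries[n]))
            n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample: two valid lines, one 300-char name, one malformed line. */
int demo_layout(void)
{
    char longname[301], text[600];
    struct rom_entry e[4];
    memset(longname, 'A', 300); longname[300] = '\0';
    snprintf(text, sizeof text, "0x00000000:0x0000ffff boot\n0x00010000:0x0001ffff normal\n"
             "0x00020000:0x0002ffff %s\nnoname\n", longname);
    return read_layout(text, e, 4);  /* 2: the last two lines are rejected */
}
```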
Carl-Daniel Hailfinger - 2016-03-13 17:38:21

On 13.03.2016 18:29, Carl-Daniel Hailfinger wrote:
> An internal security audit of the flashrom project by
> Carl-Daniel Hailfinger found a buffer overflow bug present in all
> flashrom versions since the year 2005.
> This bug was independently found and reported to flashrom.org by
> Cosmin Gorgovan a few days ago.
> 
> A buffer on the stack and a buffer on the heap are affected by the
> overflow caused by an incorrect fscanf format string.
> The buffer overflow can only be triggered if the optional layout feature
> is used and if the user manually specifies a specially crafted layout
> file on the command line. Command line parsing and flash image handling
> do not trigger the buggy code path.
> Most usage of flashrom does not involve layout files.
> 
> The fix in this commit (changed fscanf format string) can be applied to
> layout.c of all past flashrom versions.
> 
> Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
> Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>

Committed in r1953.

Regards,
Carl-Daniel

Patch

Index: flashrom-parserbugs_simple/layout.c
===================================================================
--- flashrom-parserbugs_simple/layout.c	(revision 1952)
+++ flashrom-parserbugs_simple/layout.c	(working copy)
@@ -68,7 +68,7 @@ 
 			(void)fclose(romlayout);
 			return 1;
 		}
-		if (2 != fscanf(romlayout, "%s %s\n", tempstr, rom_entries[num_rom_entries].name))
+		if (2 != fscanf(romlayout, "%255s %255s\n", tempstr, rom_entries[num_rom_entries].name))
 			continue;
 #if 0
 		// fscanf does not like arbitrary comments like that :( later
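Review bot: the `+` line hard-codes a width of 255 while the declarations of `tempstr` and `rom_entries[].name` sit outside this hunk, so nothing ties the format string to the real buffer sizes; consider deriving the width from the array size (one macro that defines both) or at least a comment at the declarations stating that `"%255s %255s\n"` depends on them being 256 bytes. A second point: `%255s` truncates silently, so a token longer than 255 characters leaves its tail in `romlayout`, and the next `fscanf` in the loop will read that tail as the first field of a new line; the `continue` on a mismatch does not catch that case. Reading each line with `fgets` into a bounded buffer and parsing it with `sscanf` would let the code reject overlong entries instead of accepting a truncated name and misparsing what follows.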