Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.2:Ports
fontconfig
fontconfig-CVE-2016-5384.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File fontconfig-CVE-2016-5384.patch of Package fontconfig
commit 7a4a5bd7897d216f0794ca9dbce0a4a5c9d14940 Author: Tobias Stoeckmann <tobias at stoeckmann.org> Date: Sat Jun 25 19:18:53 2016 +0200 Properly validate offsets in cache files. The cache files are insufficiently validated. Even though the magic number at the beginning of the file as well as time stamps are checked, it is not verified if contained offsets are in legal ranges or are even pointers. The lack of validation allows an attacker to trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. Due to the conversion from offsets into pointers through macros, this even allows to circumvent ASLR protections. This attack vector allows privilege escalation when used with setuid binaries like fbterm. A user can create ~/.fonts or any other system-defined user-private font directory, run fc-cache and adjust cache files in ~/.cache/fontconfig. The execution of setuid binaries will scan these files and therefore are prone to attacks. If it's not about code execution, an endless loop can be created by letting linked lists become circular linked lists. This patch verifies that: - The file is not larger than the maximum addressable space, which basically only affects 32 bit systems. This allows out of boundary access into unallocated memory. - Offsets are always positive or zero - Offsets do not point outside file boundaries - No pointers are allowed in cache files, every "pointer or offset" field must be an offset or NULL - Iterating linked lists must not take longer than the amount of elements specified. A violation of this rule can break a possible endless loop. If one or more of these points are violated, the cache is recreated. This is current behaviour. Even though this patch fixes many issues, the use of mmap() shall be forbidden in setuid binaries. It is impossible to guarantee with these checks that a malicious user does not change cache files after verification. This should be handled in a different patch. Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org> Index: fontconfig-2.11.1/src/fccache.c =================================================================== --- fontconfig-2.11.1.orig/src/fccache.c 2014-03-05 10:23:58.000000000 +0100 +++ fontconfig-2.11.1/src/fccache.c 2016-08-11 14:29:56.494675068 +0200 @@ -27,6 +27,7 @@ #include <fcntl.h> #include <dirent.h> #include <string.h> +#include <limits.h> #include <sys/types.h> #include <sys/stat.h> #include <assert.h> @@ -545,6 +546,82 @@ FcCacheTimeValid (FcCache *cache, struct return cache->checksum == (int) dir_stat->st_mtime; } +static FcBool +FcCacheOffsetsValid (FcCache *cache) +{ + char *base = (char *)cache; + char *end = base + cache->size; + intptr_t *dirs; + FcFontSet *fs; + int i, j; + + if (cache->dir < 0 || cache->dir > cache->size - sizeof (intptr_t) || + memchr (base + cache->dir, '\0', cache->size - cache->dir) == NULL) + return FcFalse; + + if (cache->dirs < 0 || cache->dirs >= cache->size || + cache->dirs_count < 0 || + cache->dirs_count > (cache->size - cache->dirs) / sizeof (intptr_t)) + return FcFalse; + + dirs = FcCacheDirs (cache); + if (dirs) + { + for (i = 0; i < cache->dirs_count; i++) + { + FcChar8 *dir; + + if (dirs[i] < 0 || + dirs[i] > end - (char *) dirs - sizeof (intptr_t)) + return FcFalse; + + dir = FcOffsetToPtr (dirs, dirs[i], FcChar8); + if (memchr (dir, '\0', end - (char *) dir) == NULL) + return FcFalse; + } + } + + if (cache->set < 0 || cache->set > cache->size - sizeof (FcFontSet)) + return FcFalse; + + fs = FcCacheSet (cache); + if (fs) + { + if (fs->nfont > (end - (char *) fs) / sizeof (FcPattern)) + return FcFalse; + + if (fs->fonts != 0 && !FcIsEncodedOffset(fs->fonts)) + return FcFalse; + + for (i = 0; i < fs->nfont; i++) + { + FcPattern *font = FcFontSetFont (fs, i); + FcPatternElt *e; + FcValueListPtr l; + + if ((char *) font < base || + (char *) font > end - sizeof (FcFontSet) || + font->elts_offset < 0 || + font->elts_offset > end - (char *) font || + font->num > (end - (char *) font - font->elts_offset) / sizeof (FcPatternElt)) + return FcFalse; + + + e = FcPatternElts(font); + if (e->values != 0 && !FcIsEncodedOffset(e->values)) + return FcFalse; + + for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l)) + if (l->next != NULL && !FcIsEncodedOffset(l->next)) + break; + if (j < 0) + return FcFalse; + } + } + + return FcTrue; +} + /* * Map a cache file into memory */ @@ -554,7 +631,8 @@ FcDirCacheMapFd (int fd, struct stat *fd FcCache *cache; FcBool allocated = FcFalse; - if (fd_stat->st_size < (int) sizeof (FcCache)) + if (fd_stat->st_size > INTPTR_MAX || + fd_stat->st_size < (int) sizeof (FcCache)) return NULL; cache = FcCacheFindByStat (fd_stat); if (cache) @@ -611,6 +689,7 @@ FcDirCacheMapFd (int fd, struct stat *fd cache->version < FC_CACHE_CONTENT_VERSION || cache->size != (intptr_t) fd_stat->st_size || !FcCacheTimeValid (cache, dir_stat) || + !FcCacheOffsetsValid (cache) || !FcCacheInsert (cache, fd_stat)) { if (allocated)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor