[yaboot] Truncate memcpy() in extract_vendor_options()

Tony Breeds tbreeds at fedoraproject.org
Wed Aug 31 05:30:50 UTC 2011


commit fe26fbee331b59ac551f29491ed8ae07bc46d449
Author: Tony Breeds <tony at bakeyournoodle.com>
Date:   Thu Aug 11 10:48:02 2011 +1000

    Truncate memcpy() in extract_vendor_options()
    
    Backport the patch from 1.3.17-rc1 that stops the stack smash.
    
    Signed-off-by: Tony Breeds <tony at bakeyournoodle.com>

 yaboot-1.3.14-dhcp_truncate.patch |   17 +++++++++++++++++
 yaboot.spec                       |   10 +++++++++-
 2 files changed, 26 insertions(+), 1 deletions(-)
---
diff --git a/yaboot-1.3.14-dhcp_truncate.patch b/yaboot-1.3.14-dhcp_truncate.patch
new file mode 100644
index 0000000..749408a
--- /dev/null
+++ b/yaboot-1.3.14-dhcp_truncate.patch
@@ -0,0 +1,17 @@
+diff -ru yaboot-1.3.16.orig/second/file.c yaboot-1.3.16/second/file.c
+--- yaboot-1.3.16.orig/second/file.c	2011-08-11 10:32:58.654006637 +1000
++++ yaboot-1.3.16/second/file.c	2011-08-11 10:34:04.877846737 +1000
+@@ -223,7 +223,12 @@
+                continue;
+ 
+           len = options[i++];
+-          memcpy(&value, &options[i], len);
++          /* Clamp the maxium length of the memcpy() to the right size for
++           * value. */
++          if (len > sizeof(value))
++               memcpy(&value, &options[i], sizeof(value));
++          else
++               memcpy(&value, &options[i], len);
+ 
+ #if DEBUG
+ {
diff --git a/yaboot.spec b/yaboot.spec
index f39fd03..865ede0 100644
--- a/yaboot.spec
+++ b/yaboot.spec
@@ -1,7 +1,7 @@
 Summary: Linux bootloader for Power Macintosh "New World" computers.
 Name: yaboot
 Version: 1.3.16
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://yaboot.ozlabs.org/releases/yaboot-%{version}.tar.gz
@@ -53,6 +53,10 @@ Patch44: yaboot-1.3.14-256-RMA.patch
 # Create dummy instance of posix_memalign for e3fsprogs
 Patch45: yaboot-1.3.16-memalign.patch
 
+# Truncate memcpy() in extract_vendor_options()
+# https://bugzilla.redhat.com/show_bug.cgi?id=729684
+Patch46: yaboot-1.3.14-dhcp_truncate.patch
+
 URL: http://yaboot.ozlabs.org/
 BuildRoot: %{_tmppath}/%{name}-root
 Obsoletes: ybin
@@ -104,6 +108,7 @@ yaboot can also bootload IBM pSeries machines.
 %patch43 -p1 -b .prom_getchars
 %patch44 -p1 -b .256-RMA
 %patch45 -p1 -b .posix
+%patch46 -p1 -b .dhcppad
 
 %build
 make VERSIONEXTRA='\ (Red Hat %version-%release)' DEBUG=1
@@ -144,6 +149,9 @@ rm -rf $RPM_BUILD_ROOT
 %ghost %config(noreplace) %{_sysconfdir}/yaboot.conf
 
 %changelog
+* Thu Aug 11 2011 Tony Breeds <tony at bakeyournoodle.com> - 1.3.16-4
+- truncate memcpy() extract_vendor_options() to avoid clobbering the stack. (closes 729684)
+
 * Tue Apr 12 2011 Tony Breeds <tony at bakeyournoodle.com> - 1.3.16-3
 - Add fix for failing to link against posix_memalign() (closes 689415)
 

