Vulnerable code:
```c
char *get_rootdev()
{
#if defined(_WIN32) || defined(WITH_ANDROID)
	return NULL;
#else
	struct stat sb;
	int fd, ret;
	char buf[PATH_MAX + 1];
	char *uevent, *ptr;
	char *rootdev;

	if (stat("/", &sb) == -1)
		return NULL;

	snprintf(buf, PATH_MAX, "/sys/dev/block/%u:%u/uevent",
		major(sb.st_dev), minor(sb.st_dev));

	fd = open(buf, O_RDONLY);

	if (fd < 0)
		return NULL;

	ret = lseek(fd, (off_t)0, SEEK_END);
	(void)lseek(fd, (off_t)0, SEEK_SET);

	if (ret == -1) {
		close(fd);
		return NULL;
	}

	uevent = malloc(ret + 1);
	ASSERT(uevent);

	uevent[ret] = '\0';

	ret = read(fd, uevent, ret);
	close(fd);

	ptr = strstr(uevent, "DEVNAME");
	if (!ptr)
		goto out_free;

	ret = sscanf(ptr, "DEVNAME=%s\n", buf);
	...
```

When f2fs checks whether a device is mounted, it reaches this code. This code opens the file `/sys/dev/block/%u:%u/uevent` and unsafely reads into buf, which is only of size PATH_MAX.

This can be exploited if an attacker can corrupt headers of a mounted system, or write arbitrary files into this directory, for example on a non-FHS-compliant system. Under certain conditions this can lead to arbitrary code execution.
Affected files:
- lib/libf2fs.c
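
The `sscanf(ptr, "DEVNAME=%s\n", buf)` call quoted in the report has no field width, so the length of the copied value is set by the file contents rather than by the size of `buf`. A bounded way to extract the value is sketched below as an added example; it is not f2fs-tools code or the project's fix, and `parse_devname` and its return codes are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not f2fs-tools code. parse_devname() is a hypothetical
 * helper: it copies the DEVNAME value from uevent text into out and
 * rejects values that do not fit instead of writing past the buffer.
 * Returns 0 on success, -1 if the key is missing or its value is empty,
 * -2 if the value would not fit in outsz bytes (including the NUL). */
int parse_devname(const char *uevent, char *out, size_t outsz)
{
	static const char key[] = "DEVNAME=";
	const size_t keylen = sizeof(key) - 1;
	const char *p = uevent;
	size_t len;

	if (!uevent || !out || outsz == 0)
		return -1;
	out[0] = '\0';

	/* Accept the key only at the start of a line, so that a key such
	 * as "XDEVNAME=" is not mistaken for it. */
	while ((p = strstr(p, key)) != NULL) {
		if (p == uevent || p[-1] == '\n')
			break;
		p += keylen;
	}
	if (!p)
		return -1;
	p += keylen;

	/* Like %s, the value ends at the first whitespace character. */
	len = strcspn(p, " \t\r\n");
	if (len == 0)
		return -1;
	if (len >= outsz)
		return -2;	/* too long: reject, never overflow */

	memcpy(out, p, len);
	out[len] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed sample in the uevent key=value format. */
	char name[16];
	const char *sample = "MAJOR=8\nMINOR=1\nDEVNAME=sda1\nDEVTYPE=partition\n";
	return parse_devname(sample, name, sizeof(name)) == 0 ? 0 : 1;
}
```

The same bound applies to the read itself: the return value of `read()` should be checked and the buffer terminated at the number of bytes actually read before any string function touches it.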