Malformed filesystem labels allows for a string format vulnerability #578
With |
If the message in g_log_structured itself contained format sequences like %d or %n they were applied again, leading to leaked stack contents and possibly memory corruption. It can be triggered e.g. by a volume label containing format sequences. Print the message argument itself into a "%s" string to avoid interpreting format sequences. storaged-project#578
To get UDisks to run correctly again after injecting a %n or something else that causes it to abort you'll have to remove the appropriate entry from |
Merge looks good, thanks for the quick fix.
Thanks for reporting this!
CVE-2018-17336 was assigned to this issue.
Wooohooo, my first CVE! |
A malformed file system label can trigger a string format vulnerability in udisks.
For example:
Crashes udisks2, and since the %n modifier allows for arbitrary memory manipulation this could pose a security risk, as udisksd runs as root.
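The pattern behind the fix described in the commit message, as an added example that is not the udisks code: `log_fmt` is a hypothetical stand-in for a printf-style log call such as g_log_structured, and the label is a constructed sample. It shows the call shape before and after the fix, plus a small audit helper that counts the conversions a string would trigger if it were ever used as a format.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical printf-style logger standing in for a structured-log call:
 * its first string argument is a FORMAT, not data. */
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Before the fix: the finished message is passed as the format, so any
 * conversion inside it is interpreted a second time with no matching
 * argument. Only defined for text that contains no '%'. */
int log_label_unsafe(char *out, size_t n, const char *label)
{
    return log_fmt(out, n, label);
}

/* After the fix: constant "%s" format, the label is only ever data. */
int log_label_safe(char *out, size_t n, const char *label)
{
    return log_fmt(out, n, "%s", label);
}

/* Audit helper: how many conversions would be interpreted if s were used
 * as a format string. "%%" is a literal percent sign and is skipped. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *label = "vol-%n-%d";   /* constructed sample label */
    char line[64];
    log_label_safe(line, sizeof line, label);
    printf("%s (%d conversions)\n", line, count_conversions(label));
    return 0;
}
```

Building with `-Wformat -Wformat-security` flags the unsafe call shape at compile time when the logging function carries a printf format attribute.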