[UBUNTU] zipl/libc: Fix potential buffer overflow in printf

Bug #1865032 reported by bugproxy
Affects                      Status        Importance  Assigned to                  Milestone
Ubuntu on IBM z Systems      Fix Released  High        Canonical Foundations Team
s390-tools (Ubuntu)          Fix Released  High        Skipper Bug Screeners
  Xenial                     Fix Released  High        Unassigned
  Bionic                     Fix Released  High        Unassigned
  Eoan                       Won't Fix     High        Unassigned
  Focal                      Fix Released  High        Skipper Bug Screeners

Bug Description

[Impact]
 * Crash of the zipl boot loader during boot,
 * due to a printf buffer overflow in the zipl/libc implementation.

[Test Case]
 * Use printf to print a string with >81 characters
   (exact number depends on the stack layout/compiler used).

[Where problems could occur]
 * Regressions in zipl could break booting on IBM Z in certain scenarios.
 * The package is only available on s390x and thus could only affect IBM Z machines.

[Other Info]
 * Patches provided by IBM
 * In addition to the 4 commit IDs from the original description, I needed to include part of another upstream commit, to add the "memmove()" function. This was taken from: https://github.com/ibm-s390-tools/s390-tools/commit/e764f460c457ab2a6000acb5f2eb7169866ce192

=== Original Description ===
Description: zipl/libc: Fix potential buffer overflow in printf
Symptom: Crash of the zipl boot loader during boot.
Problem: The zipl boot loaders have their own minimalistic libc implementation. In it, printf and sprintf use vsprintf for string formatting. By definition vsprintf assumes that the buffer it writes to is large enough to contain the formatted string and performs no size checks. This is problematic for the boot loaders because the buffers they use are often allocated on the stack. Thus even small changes to the string format can potentially cause buffer overflows on the stack.

Solution: Implement vsnprintf and make use of it.

Reproduction: Use printf to print a string with >81 characters (exact number depends on the stack layout/compiler used).

Upstream commit(s) for s390-tools:
6fe9e6c55c69c14971dca55551009f5060418aae
8874b908254c47c8a6fd7a1aca2c7371c11035c4
f7430027b41d5ad6220e962a179c2a5213330a44
36fed0e6c6590631c4ce1707c8fe3c3397bcce4d

Problem was introduced with version 1.24. Therefore these patches need to be applied to all distros in service.
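The Problem/Solution passage above describes the defect and the fix only in the abstract. What follows is an added illustration written for this page; it is not code from s390-tools, from the upstream commits listed, or from IBM's patches. It shows a minimal bounded formatter of the kind the fix introduces (a vsnprintf that counts the full length but never writes past the buffer) and a wrapper that reports and marks truncation, which is what lets a caller tell a cut line from a complete one. The 81-byte buffer size, the names mini_vsnprintf, vformat_line and format_line, the set of supported conversions and the "..." truncation marker are all assumptions; the 100-character sample title is constructed input.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-line stack buffer size; the report only says ">81 characters". */
#define LINE_BUF 81

/* Constructed sample input: a menu title far longer than the buffer. */
const char LONG_TITLE[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char scratch[LINE_BUF];   /* shared output buffer for the demo */

/* Store c if it still fits (leaving room for the NUL), but always advance pos
 * so the caller learns how long the unbounded output would have been. */
static void emit(char *buf, size_t size, size_t *pos, char c)
{
    if (*pos + 1 < size)
        buf[*pos] = c;
    (*pos)++;
}

/* Render v in base 10 or 16, most significant digit first. */
static void emit_num(char *buf, size_t size, size_t *pos, unsigned long v, unsigned base, int negative)
{
    char tmp[24];
    size_t n = 0;

    do {
        tmp[n++] = "0123456789abcdef"[v % base];
        v /= base;
    } while (v);
    if (negative)
        emit(buf, size, pos, '-');
    while (n)
        emit(buf, size, pos, tmp[--n]);
}

/* Bounded formatter in the spirit of the fix: %s %d %u %x %c %% only. Never
 * writes more than size bytes (NUL included) and returns the length the full
 * output would have had, as C99 vsnprintf does. A vsprintf-style formatter is
 * this same loop with no size argument: every byte past the end of the buffer
 * lands on the stack, which is exactly what the report describes. */
int mini_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    size_t pos = 0;

    for (; *fmt; fmt++) {
        if (*fmt != '%') {
            emit(buf, size, &pos, *fmt);
            continue;
        }
        switch (*++fmt) {
        case 's': {
            const char *s = va_arg(ap, const char *);
            while (*s)
                emit(buf, size, &pos, *s++);
            break;
        }
        case 'd': {
            long v = va_arg(ap, int);
            emit_num(buf, size, &pos, v < 0 ? 0UL - (unsigned long)v : (unsigned long)v, 10, v < 0);
            break;
        }
        case 'u': emit_num(buf, size, &pos, va_arg(ap, unsigned), 10, 0); break;
        case 'x': emit_num(buf, size, &pos, va_arg(ap, unsigned), 16, 0); break;
        case 'c': emit(buf, size, &pos, (char)va_arg(ap, int)); break;
        case '%': emit(buf, size, &pos, '%'); break;
        case '\0': fmt--; break;   /* lone '%' at end of fmt: do not overrun it */
        default:   emit(buf, size, &pos, '%'); emit(buf, size, &pos, *fmt); break;
        }
    }
    if (size)
        buf[pos < size ? pos : size - 1] = '\0';
    return (int)pos;
}

/* Format into out[outsz]. Returns 1 when the line was cut; the tail is then
 * replaced by "..." so an operator can see the output is incomplete. The
 * marker is an assumption: the page names the upstream "indicate truncated
 * lines" patch but does not show which marker it uses. */
int vformat_line(char *out, size_t outsz, const char *fmt, va_list ap)
{
    int len = mini_vsnprintf(out, outsz, fmt, ap);

    if ((size_t)len < outsz)
        return 0;
    if (outsz >= 4)
        memcpy(out + outsz - 4, "...", 4);
    return 1;
}

int format_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int truncated;

    va_start(ap, fmt);
    truncated = vformat_line(out, outsz, fmt, ap);
    va_end(ap);
    return truncated;
}
```

A loader-side printf built on this keeps `char line[LINE_BUF]` on its own stack, calls `vformat_line(line, sizeof line, fmt, ap)` and hands the line to the console writer. With `format_line(scratch, sizeof scratch, "%d: %s", 1, LONG_TITLE)` the 103-character result is cut to 80 characters ending in "..." and the call reports truncation; the unbounded variant would instead have written the remaining bytes past the buffer into the caller's stack frame, with no signal at all before the saved return address is clobbered.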

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-184097 severity-high targetmilestone-inin2004
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Is there a CVE identifier allocated for this? Do we need allocate one?

information type: Public → Private Security
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-03-11 08:14 EDT-------
(In reply to comment #7)
> Is there a CVE identifier allocated for this? Do we need allocate one?

There's no CVE number associated with this bug.

In my opinion it is not necessary to have one, as you have to be root to trigger the bug. And even in this scenario the bug can only be used to crash the boot loader. So in the worst case it can be used to DoS the system _after_ the attacker has already gained full control over it.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I am thinking more of elevating beyond root, and doing things that HMC should be preventing.

For example, if HMC is enforcing secureboot and the user has no access in HMC to disable that, can this bug open up an opportunity to load and execute unsigned stage3 zipl code, or for example load an unsigned kernel which HMC should be prohibiting?

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-03-12 06:21 EDT-------
(In reply to comment #9)
> I am thinking more of elevating beyond root, and doing things that HMC
> should be preventing.
>
> For example, if HMC is enforcing secureboot and the user has no access in
> HMC to disable that, can this bug open up an opportunity to load and execute
> unsigned stage3 zipl code, or for example load an unsigned kernel which HMC
> should be prohibiting?

The way I see it the bug should not allow execution of unsigned code. Here's why:

1) The stack is located above the code in memory
-> a buffer overflow can only overwrite the stack and any data "behind" the loader

2) For the loader _not_ to crash, %r14 (the return address) on the stack has to contain a valid absolute address
-> the MSBs of %r14 must be zero, otherwise it would point behind the memory present in the system and the loader would crash with a program check
-> partial overwrites of %r14 don't work on s390 as they would overwrite the MSB (big endian)

3) All but one of the prints are hard-coded. The one exception is when the menu is printed (i.e. the titles set in zipl.conf). In that case the data is interpreted as a string. Thus any zero byte would be interpreted as end of string, which is in conflict with 2).

Please let me know if you find a flaw in the logic

information type: Private Security → Public
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.12.0-0ubuntu3

---------------
s390-tools (2.12.0-0ubuntu3) focal; urgency=medium

  * Update patch series to master tip:
    - PVM / genprotimg LP: #1834534, FFe LP: #1866866
    - zipl/libc: Fix potential buffer overflow LP: #1865032
    - zipl: Fix secureboot documentation LP: #1864654
    - Many other smaller bugfixes

 -- Dimitri John Ledkov <email address hidden> Fri, 20 Mar 2020 12:08:13 +0000

Changed in s390-tools (Ubuntu Focal):
status: New → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Revision history for this message
Frank Heimes (fheimes) wrote :

Changing the Eoan entry to Invalid, since Eoan reached its EOL:
https://lists.ubuntu.com/archives/ubuntu-announce/2020-July/000258.html

Changed in s390-tools (Ubuntu Eoan):
status: New → Invalid
Frank Heimes (fheimes)
Changed in s390-tools (Ubuntu Eoan):
status: Invalid → Won't Fix
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-10-27 07:54 EDT-------
Fix Released with focal, at least to be integrated into bionic....

tags: added: fr-883
Lukas Märdian (slyon)
Changed in s390-tools (Ubuntu Bionic):
status: New → In Progress
Lukas Märdian (slyon)
description: updated
Lukas Märdian (slyon)
Changed in s390-tools (Ubuntu Xenial):
status: New → In Progress
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.3.0-0ubuntu3.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in s390-tools (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/1.34.0-0ubuntu8.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Mathew Hodson (mhodson)
Changed in s390-tools (Ubuntu):
importance: Undecided → High
Changed in s390-tools (Ubuntu Xenial):
importance: Undecided → High
Changed in s390-tools (Ubuntu Bionic):
importance: Undecided → High
Changed in s390-tools (Ubuntu Eoan):
importance: Undecided → High
Changed in s390-tools (Ubuntu Focal):
importance: Undecided → High
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-12-01 12:25 EDT-------
verified on bionic (zipl 2.3.0-build-20201124) and xenial (zipl 1.34.0-build-20201124)

Revision history for this message
Frank Heimes (fheimes) wrote :

Thx for the verification, I'm adjusting the tags accordingly ...

tags: added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu8.11

---------------
s390-tools (1.34.0-0ubuntu8.11) xenial; urgency=medium

  * Cherry-pick zipl/libc fixes for potential buffer overflow (LP: #1865032)
    - debian/patches/0033-zipl-boot-libc-add-memmove-function.patch:
      Prerequisite for the other 4 patches, taken as part of upstream commit
      e764f460c457ab2a6000acb5f2eb7169866ce192
    - debian/patches/0029-zipl-libc-Introduce-vsnprintf.patch:
      6fe9e6c55c69c14971dca55551009f5060418aae
    - d/p/0030-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch:
      8874b908254c47c8a6fd7a1aca2c7371c11035c4
    - debian/patches/0031-zipl-libc-Replace-sprintf-with-snprintf.patch:
      f7430027b41d5ad6220e962a179c2a5213330a44
    - d/p/0032-zipl-libc-Indicate-truncated-lines-in-printf-with.patch:
      36fed0e6c6590631c4ce1707c8fe3c3397bcce4d

 -- Lukas Märdian <email address hidden> Fri, 20 Nov 2020 15:27:08 +0100

Changed in s390-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.3.0-0ubuntu3.6

---------------
s390-tools (2.3.0-0ubuntu3.6) bionic; urgency=medium

  * Cherry-pick zipl/libc fixes for potential buffer overflow (LP: #1865032)
    - debian/patches/0033-zipl-boot-libc-add-memmove-function.patch:
      Prerequisite for the other 4 patches, taken as part of upstream commit
      e764f460c457ab2a6000acb5f2eb7169866ce192
    - debian/patches/0029-zipl-libc-Introduce-vsnprintf.patch:
      6fe9e6c55c69c14971dca55551009f5060418aae
    - d/p/0030-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch:
      8874b908254c47c8a6fd7a1aca2c7371c11035c4
    - debian/patches/0031-zipl-libc-Replace-sprintf-with-snprintf.patch:
      f7430027b41d5ad6220e962a179c2a5213330a44
    - d/p/0032-zipl-libc-Indicate-truncated-lines-in-printf-with.patch:
      36fed0e6c6590631c4ce1707c8fe3c3397bcce4d

 -- Lukas Märdian <email address hidden> Tue, 17 Nov 2020 15:54:11 +0100

Changed in s390-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-12-02 03:32 EDT-------
IBM Bugzilla status->closed, Fix Released by all requested distros
