Specifically validate region tag on header import
authorPanu Matilainen <pmatilai@redhat.com>
Thu, 19 Jan 2012 06:25:15 +0000 (08:25 +0200)
committerPanu Matilainen <pmatilai@redhat.com>
Tue, 3 Apr 2012 12:45:46 +0000 (15:45 +0300)
- Region tags need to have very specific content, the generic
  header tag checks are not sufficient to ensure sanity. Verify
  the tag is one of the known region tags and that the entry has
  expected type and count.
- Fixes the first half of CVE-2012-0060

lib/header.c

index 023c6e3..f7d3ade 100644 (file)
@@ -828,10 +828,13 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
 
        entry->info.type = htonl(pe->type);
        entry->info.count = htonl(pe->count);
+       entry->info.tag = htonl(pe->tag);
 
-       if (hdrchkType(entry->info.type))
+       if (!ENTRY_IS_REGION(entry))
+           goto errxit;
+       if (entry->info.type != REGION_TAG_TYPE)
            goto errxit;
-       if (hdrchkTags(entry->info.count))
+       if (entry->info.count != REGION_TAG_COUNT)
            goto errxit;
 
        {   int off = ntohl(pe->offset);
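Review bot: The new region checks at the top of this hunk carry no comment explaining why the generic `hdrchkType`/`hdrchkTags` checks were replaced, so a later cleanup could loosen them again. I would add above `if (!ENTRY_IS_REGION(entry))` a comment such as `/* Region entry comes from the untrusted blob: require a known region tag with exactly the region type and count. */`. The added `entry->info.tag = htonl(pe->tag);` matches the two lines above it, but on import the direction is network-to-host, as `ntohl(pe->offset)` on the last line shows, so `ntohl(pe->tag)` would read more clearly with the same result. The region offset read on that last line is not validated anywhere in this hunk. The headerImport body continues outside it, so whether `off` is bounds-checked before use cannot be confirmed from here.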
@@ -847,7 +850,6 @@ Header headerImport(void * blob, unsigned int bsize, headerImportFlags flags)
                ril = rdl/sizeof(*pe);
                if (hdrchkTags(ril) || hdrchkData(rdl))
                    goto errxit;
-               entry->info.tag = htonl(pe->tag);
            } else {
                ril = il;
                rdl = (ril * sizeof(struct entryInfo_s));