Heap overflow in get_rootdev #266

Open
enriktigasna opened this issue Mar 3, 2025 · 0 comments


enriktigasna commented Mar 3, 2025

Vulnerable code:

char *get_rootdev()
{
#if defined(_WIN32) || defined(WITH_ANDROID)
    return NULL;
#else
    struct stat sb;
    int fd, ret;
    char buf[PATH_MAX + 1];
    char *uevent, *ptr;
    char *rootdev;

    if (stat("/", &sb) == -1)
        return NULL;

    snprintf(buf, PATH_MAX, "/sys/dev/block/%u:%u/uevent",
        major(sb.st_dev), minor(sb.st_dev));

    fd = open(buf, O_RDONLY);

    if (fd < 0)
        return NULL;

    ret = lseek(fd, (off_t)0, SEEK_END);
    (void)lseek(fd, (off_t)0, SEEK_SET);

    if (ret == -1) {
        close(fd);
        return NULL;
    }

    uevent = malloc(ret + 1);
    ASSERT(uevent);

    uevent[ret] = '\0';

    ret = read(fd, uevent, ret);
    close(fd);

    ptr = strstr(uevent, "DEVNAME");
    if (!ptr)
        goto out_free;

    ret = sscanf(ptr, "DEVNAME=%s\n", buf);
...

When f2fs checks whether a device is mounted, it reaches this code. This code opens the file /sys/dev/block/%u:%u/uevent and unsafely reads into ptr, which is the size of however much of the file is left after DEVNAME. If you construct it so that DEVNAME is at the end of the file, then it will not allocate enough for the buffer, and it will be overflowed.

This can be exploited if an attacker can corrupt the headers of a mounted system, or can write arbitrary files into this directory on, for example, a non-FHS-compliant system. Under certain conditions this can lead to arbitrary code execution or control of dynamic allocation.

Affected files:

  • src/f2fs/libf2fs.c
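For comparison, here is a bounded way to read and parse the same uevent file, added as an example; it is not code from f2fs-tools or from the reporter. It addresses the two weak points visible in the snippet above: the return value of read() is ignored, and sscanf("%s") copies the DEVNAME value with no width limit. The helper names read_fully, find_devname and demo_roundtrip are assumptions, and the uevent body in main is constructed for the demonstration.

```c
/* Added example (not f2fs-tools code): bounded reading and parsing of a
 * /sys/dev/block/<major>:<minor>/uevent body.  Helper names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read up to cap-1 bytes from fd into buf and NUL-terminate.  Returns the
 * number of bytes read, or -1 on error.  The loop handles short reads, and the
 * amount copied is bounded by the caller's buffer, not by a size taken from
 * lseek() before the read. */
static ssize_t read_fully(int fd, char *buf, size_t cap)
{
    size_t total = 0;

    while (total < cap - 1) {
        ssize_t n = read(fd, buf + total, cap - 1 - total);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            break;
        total += (size_t)n;
    }
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Locate a "DEVNAME=" line in a uevent body of len bytes and copy its value
 * into out (at most outsz-1 bytes, always NUL-terminated).  Returns the value
 * length, -1 if the key is absent, -2 if the value does not fit.  The key is
 * matched only at the start of a line, so "XDEVNAME=" is not accepted, and a
 * value on the last line without a trailing newline is handled by stopping at
 * the end of the buffer instead of scanning past it. */
static int find_devname(const char *uevent, size_t len, char *out, size_t outsz)
{
    static const char key[] = "DEVNAME=";
    const size_t klen = sizeof key - 1;
    size_t i = 0;

    while (i < len) {
        size_t eol = i;
        while (eol < len && uevent[eol] != '\n')
            eol++;
        if (eol - i >= klen && memcmp(uevent + i, key, klen) == 0) {
            size_t vlen = eol - i - klen;
            if (vlen + 1 > outsz)
                return -2;
            memcpy(out, uevent + i + klen, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        i = eol + 1;
    }
    return -1;
}

/* Round trip: write body to a temporary file, read it back with read_fully()
 * and parse the device name.  Returns 1 on success, 0 on any failure. */
static int demo_roundtrip(const char *body, char *devname, size_t devsz)
{
    char filebuf[256];
    size_t blen = strlen(body);
    ssize_t got;
    FILE *f = tmpfile();

    if (!f)
        return 0;
    if (fwrite(body, 1, blen, f) != blen) {
        fclose(f);
        return 0;
    }
    fflush(f);
    rewind(f);
    got = read_fully(fileno(f), filebuf, sizeof filebuf);
    fclose(f);
    if (got < 0 || (size_t)got != blen)
        return 0;
    return find_devname(filebuf, (size_t)got, devname, devsz) >= 0;
}

int main(void)
{
    /* Constructed uevent body, shaped like the sysfs file the report names. */
    const char body[] = "MAJOR=8\nMINOR=1\nDEVNAME=sda1\nDEVTYPE=partition\n";
    char devname[64];

    if (demo_roundtrip(body, devname, sizeof devname))
        printf("root device: /dev/%s\n", devname);
    return 0;
}
```

The parse is driven by the buffer length rather than by a NUL terminator, so it behaves the same whether or not the file ended with a newline, and a caller can size the output buffer independently of the input.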
@enriktigasna enriktigasna changed the title OOB stack write vulnerability in f2fs get_rootdev Heap overflow in get_rootdev Mar 3, 2025