Bug 1513837 - Potential arbitrary code execution bug found by Coverity scan
Summary: Potential arbitrary code execution bug found by Coverity scan
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: genwqe-tools
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Ngo Than
QA Contact: Erico Nunes
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-16 04:58 UTC by Dhiru Kholia
Modified: 2018-04-10 15:45 UTC (History)

Fixed In Version: genwqe-tools-4.0.18-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 15:44:39 UTC




Links
Red Hat Product Errata RHBA-2018:0869 (last updated 2018-04-10 15:45:24 UTC)

Description Dhiru Kholia 2017-11-16 04:58:50 UTC
Upstream bug -> https://github.com/ibm-genwqe/genwqe-user/issues/156. The following information is a copy of this upstream report.

I ran Coverity against the genwqe-tools package in RHEL 7.4. This corresponds to upstream "v4.0.18.tar.gz".

In particular, the finding below is a bit troubling:

Error: TAINTED_STRING (CWE-20):
genwqe-user-4.0.18/lib/software.c:597: tainted_string_return_content: "getenv" returns tainted string content.
genwqe-user-4.0.18/lib/software.c:597: var_assign: Assigning: "zlib_path" = "getenv("ZLIB_PATH")", which taints "zlib_path".
genwqe-user-4.0.18/lib/software.c:603: tainted_string: Passing tainted string "zlib_path" to "dlopen", which cannot accept tainted data.
#  601|   		sw_trace("Loading software zlib \"%s\"\n", zlib_path);
#  602|   		dlerror();
#  603|-> 		handle = dlopen(zlib_path, RTLD_LAZY);
#  604|   		if (handle != NULL)
#  605|   			goto load_syms;
Coverity is saying that this particular code can allow arbitrary code execution in certain circumstances.

The code in the affected function ("zedc_sw_init") is trying to find the right libz.so.1 on the system.

According to a comment before this function,

/**
 * RHEL7.2:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1
 * ...
 * Intel with RHEL6.7:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1

... the path to libz.so.1 seems to be fixed on various RHEL versions. So would it be possible for downstream consumers (e.g. RHEL) of this package to simplify this code, and remove the zlib_path = getenv("ZLIB_PATH") functionality safely? Can this removal be done in the upstream code?

If there is any possibility (now and in the future) that the zedc_sw_init code could be run with system level privileges, we need to harden this particular code now.

I have been informed that genwqe_peek and genwqe_poke tools need to be run as root because both tools read and write specific registers.
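The flagged getenv()-to-dlopen() pattern beside a checked path selection, as an added example that is not part of the original report or the genwqe project. The trusted_dirs allow-list and the function names are assumptions; upstream's actual fix simply removed the ZLIB_PATH override, which remains the simplest hardening.

```c
/* Added example, not genwqe code: choosing which libz.so.1 to hand to dlopen().
 * The reported pattern passes getenv("ZLIB_PATH") straight to dlopen(); the
 * checked variant ignores the override in a secure (set-uid / capability)
 * process and otherwise accepts only an absolute, traversal-free path below a
 * trusted library directory, falling back to the fixed path from the report. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>          /* getauxval(AT_SECURE), glibc >= 2.16 */

#define DEFAULT_ZLIB "/lib64/libz.so.1"   /* fixed path quoted in the report */

/* Hypothetical allow-list; a real build would derive it from ldconfig. */
static const char *const trusted_dirs[] = { "/lib64/", "/usr/lib64/", NULL };

/* Vulnerable pattern as flagged by Coverity: tainted string used unchecked. */
const char *zlib_path_unchecked(const char *env_path)
{
    return env_path != NULL ? env_path : DEFAULT_ZLIB;
}

/* True if any '/'-separated component of p is "..". */
static bool has_dotdot(const char *p)
{
    for (const char *s = p; *s != '\0'; ) {
        const char *e = strchr(s, '/');
        size_t n = e != NULL ? (size_t)(e - s) : strlen(s);
        if (n == 2 && s[0] == '.' && s[1] == '.')
            return true;
        s = e != NULL ? e + 1 : s + n;
    }
    return false;
}

/* Hardened selection; 'secure' mirrors getauxval(AT_SECURE) != 0. */
const char *zlib_path_checked(const char *env_path, bool secure)
{
    if (secure || env_path == NULL || env_path[0] != '/' || has_dotdot(env_path))
        return DEFAULT_ZLIB;
    for (const char *const *d = trusted_dirs; *d != NULL; d++)
        if (strncmp(env_path, *d, strlen(*d)) == 0)
            return env_path;          /* caller passes this to dlopen() */
    return DEFAULT_ZLIB;
}

/* Drop-in for the original call site; same intent as glibc's secure_getenv(). */
const char *zlib_path_from_environment(void)
{
    return zlib_path_checked(getenv("ZLIB_PATH"), getauxval(AT_SECURE) != 0);
}
```

With this in place, ZLIB_PATH=/tmp/test.so (the value used in the verification log below) is never passed to dlopen(), whether or not the process runs as root.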

Comment 3 Dhiru Kholia 2017-11-20 10:19:15 UTC
I am setting NEEDINFO on Erico Nunes (ernunes@redhat.com) instead of me.

Erico, can we please get qa_ack for this security hardening bug?

Comment 7 Dhiru Kholia 2017-11-29 09:21:03 UTC
Here is the upstream patch for this issue:

https://github.com/ibm-genwqe/genwqe-user/commit/f4a0a7c39ea94c3a2


If you have any comments about this upstream fix, please add them to the https://github.com/ibm-genwqe/genwqe-user/issues/156 page.


Thanks for handling this bug so quickly. Great work!

Comment 9 Erico Nunes 2018-02-27 13:52:21 UTC
Verified on genwqe-tools-4.0.18-6.el7. With the older version it attempted to load the library specified in ZLIB_PATH, now it doesn't attempt that anymore with the installed package.

# rpm -q genwqe-tools
genwqe-tools-4.0.18-3.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/tmp/test.so"
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib
# yum install -y -q genwqe-tools
# rpm -q genwqe-tools
genwqe-tools-4.0.18-6.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib

Comment 12 errata-xmlrpc 2018-04-10 15:44:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0869

