Posted to commits@apr.apache.org by tr...@apache.org on 2015/04/25 13:50:13 UTC

svn commit: r1676014 - in /apr/apr/branches/1.6.x: ./ file_io/win32/pipe.c

Author: trawick
Date: Sat Apr 25 11:50:12 2015
New Revision: 1676014

URL: http://svn.apache.org/r1676014
Log:
Merge r1676013 from trunk:

SECURITY: CVE-2015-1829 (cve.mitre.org)
APR applications using APR named pipe support on Windows can be 
vulnerable to a pipe squatting attack from a local process; the extent
of the vulnerability, when present, depends on the application.
Initial analysis and report was provided by John Hernandez of Casaba 
Security via HP SSRT Security Alert.

Submitted by: ylavic

Modified:
    apr/apr/branches/1.6.x/   (props changed)
    apr/apr/branches/1.6.x/file_io/win32/pipe.c

Propchange: apr/apr/branches/1.6.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Apr 25 11:50:12 2015
@@ -1,4 +1,4 @@
 /apr/apr/branches/1.4.x:1003369,1101301
-/apr/apr/trunk:733052,739635,741862,741866-741867,741869,741871,745763-745764,746310,747990,748080,748361,748371,748565,748888,748902,748988,749810,760443,767895,775683,782838,783398,783958,784633,784773,788588,789050,793192-793193,794118,794485,795267,799497,800627,809745,809854,810472,811455,813063,821306,829490,831641,832904,835607,888669,892028,892159,892435,892909,896382,896653,908427,910419,910597,917819,917837-917838,925965,929796,931973,951771,960665,960671,979891,983618,989450,990435,1003338,1044440,1044447,1055657,1072165,1078845,1081462,1081495,1083038,1083242,1084662,1086695,1088023,1089031,1089129,1089438,1099348,1103310,1183683,1183685-1183686,1183688,1183693,1183698,1213382,1235047,1236970,1237078,1237507,1240472,1340286,1340288,1340470,1341193,1341196,1343233,1343243,1367050,1368819,1370494,1372018,1372022,1372093,1372849,1376957,1384764,1389077,1400200,1402868,1405985,1406690,1420106,1420109,1425356,1428809,1438940,1438957-1438959,1442903,1449568,1456418,1459994,146
 0179-1460180,1460241,1460399,1460405,1462738,1462813,1470186,1470348,1475509,1478905,1480067,1481262,1481265,1484271,1487796,1489517,1496407,1502804,1510354,1516261,1523384,1523479,1523484,1523505,1523521,1523604,1523613,1523615,1523844-1523845,1523853,1524014,1524031,1528797,1528809,1529488,1529495,1529515,1529521,1529668,1530786,1530800,1530988,1531554,1531768,1531884,1532022,1533104,1533111,1533979,1535027,1535157,1536744,1538171,1539374,1539389,1539455,1539603,1541054,1541061,1541486,1541655,1541666,1541744,1542601,1542779,1543033,1543056,1548575,1550907,1551650,1551659,1558905,1559382,1559873,1559975,1561040,1561260,1561265,1561321,1561347,1561356,1561361,1561394,1561555,1571894,1575509,1578420,1587045,1587063,1587543,1587545,1588878,1588937,1593611,1593614-1593615,1593680,1594684,1594708,1595549,1597797,1597803,1604590,1604596,1604598,1605104,1610854,1611023,1611107,1611110,1611117,1611120,1611125,1611184,1611193,1611466,1611515,1611517,1625173,1626564,1634615,1642159,1648830,
 1664406,1664447,1664451,1664471,1664769-1664770,1664775,1664904,1664911,1664958,1666341,1666411,1666458,1666611,1667420-1667421,1667423,1667914-1667916,1671329,1671356,1671389,1671513-1671514,1671957,1672354,1672366,1672495,1672575,1675644,1675656,1675668
+/apr/apr/trunk:733052,739635,741862,741866-741867,741869,741871,745763-745764,746310,747990,748080,748361,748371,748565,748888,748902,748988,749810,760443,767895,775683,782838,783398,783958,784633,784773,788588,789050,793192-793193,794118,794485,795267,799497,800627,809745,809854,810472,811455,813063,821306,829490,831641,832904,835607,888669,892028,892159,892435,892909,896382,896653,908427,910419,910597,917819,917837-917838,925965,929796,931973,951771,960665,960671,979891,983618,989450,990435,1003338,1044440,1044447,1055657,1072165,1078845,1081462,1081495,1083038,1083242,1084662,1086695,1088023,1089031,1089129,1089438,1099348,1103310,1183683,1183685-1183686,1183688,1183693,1183698,1213382,1235047,1236970,1237078,1237507,1240472,1340286,1340288,1340470,1341193,1341196,1343233,1343243,1367050,1368819,1370494,1372018,1372022,1372093,1372849,1376957,1384764,1389077,1400200,1402868,1405985,1406690,1420106,1420109,1425356,1428809,1438940,1438957-1438959,1442903,1449568,1456418,1459994,146
 0179-1460180,1460241,1460399,1460405,1462738,1462813,1470186,1470348,1475509,1478905,1480067,1481262,1481265,1484271,1487796,1489517,1496407,1502804,1510354,1516261,1523384,1523479,1523484,1523505,1523521,1523604,1523613,1523615,1523844-1523845,1523853,1524014,1524031,1528797,1528809,1529488,1529495,1529515,1529521,1529668,1530786,1530800,1530988,1531554,1531768,1531884,1532022,1533104,1533111,1533979,1535027,1535157,1536744,1538171,1539374,1539389,1539455,1539603,1541054,1541061,1541486,1541655,1541666,1541744,1542601,1542779,1543033,1543056,1548575,1550907,1551650,1551659,1558905,1559382,1559873,1559975,1561040,1561260,1561265,1561321,1561347,1561356,1561361,1561394,1561555,1571894,1575509,1578420,1587045,1587063,1587543,1587545,1588878,1588937,1593611,1593614-1593615,1593680,1594684,1594708,1595549,1597797,1597803,1604590,1604596,1604598,1605104,1610854,1611023,1611107,1611110,1611117,1611120,1611125,1611184,1611193,1611466,1611515,1611517,1625173,1626564,1634615,1642159,1648830,
 1664406,1664447,1664451,1664471,1664769-1664770,1664775,1664904,1664911,1664958,1666341,1666411,1666458,1666611,1667420-1667421,1667423,1667914-1667916,1671329,1671356,1671389,1671513-1671514,1671957,1672354,1672366,1672495,1672575,1675644,1675656,1675668,1676013
 /apr/apr/trunk/test/testnames.c:1460405
 /httpd/httpd/trunk:1604590

Modified: apr/apr/branches/1.6.x/file_io/win32/pipe.c
URL: http://svn.apache.org/viewvc/apr/apr/branches/1.6.x/file_io/win32/pipe.c?rev=1676014&r1=1676013&r2=1676014&view=diff
==============================================================================
--- apr/apr/branches/1.6.x/file_io/win32/pipe.c (original)
+++ apr/apr/branches/1.6.x/file_io/win32/pipe.c Sat Apr 25 11:50:12 2015
@@ -18,6 +18,7 @@
 #include "apr_file_io.h"
 #include "apr_general.h"
 #include "apr_strings.h"
+#include "apr_escape.h"
 #if APR_HAVE_ERRNO_H
 #include <errno.h>
 #endif
@@ -82,7 +83,6 @@ APR_DECLARE(apr_status_t) apr_file_pipe_
     static unsigned long id = 0;
     DWORD dwPipeMode;
     DWORD dwOpenMode;
-    char name[50];
 
     sa.nLength = sizeof(sa);
 
@@ -127,8 +127,26 @@ APR_DECLARE(apr_status_t) apr_file_pipe_
     (void) apr_pollset_create(&(*out)->pollset, 1, p, 0);
 #endif
     if (apr_os_level >= APR_WIN_NT) {
+        char rand[8];
+        int pid = getpid();
+#define FMT_PIPE_NAME "\\\\.\\pipe\\apr-pipe-%x.%lx."
+        /*                                    ^   ^ ^
+         *                                  pid   | |
+         *                                        | |
+         *                                       id |
+         *                                          |
+         *                        hex-escaped rand[8] (16 bytes)
+         */
+        char name[sizeof FMT_PIPE_NAME + 2 * sizeof(pid)
+                                       + 2 * sizeof(id)
+                                       + 2 * sizeof(rand)];
+        apr_size_t pos;
+
         /* Create the read end of the pipe */
         dwOpenMode = PIPE_ACCESS_INBOUND;
+#ifdef FILE_FLAG_FIRST_PIPE_INSTANCE
+        dwOpenMode |= FILE_FLAG_FIRST_PIPE_INSTANCE;
+#endif
         if (blocking == APR_WRITE_BLOCK /* READ_NONBLOCK */
                || blocking == APR_FULL_NONBLOCK) {
             dwOpenMode |= FILE_FLAG_OVERLAPPED;
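Review bot: The `#ifdef FILE_FLAG_FIRST_PIPE_INSTANCE` guard around `dwOpenMode |= FILE_FLAG_FIRST_PIPE_INSTANCE;` lets the first-instance check disappear silently when the build headers lack the macro, leaving the random name suffix as the only protection against a pipe that already exists under that name. I would say so at the guard, e.g. `/* Without this flag CreateNamedPipe() may succeed as a further instance of an existing pipe; the random suffix is then the only defence. */`, so packagers know which builds carry the weaker fix. Separately, the local `char rand[8]` shadows the C library's `rand()`, and `FMT_PIPE_NAME` is defined mid-function and never undefined. Renaming the array (e.g. `rnd`) and adding `#undef FMT_PIPE_NAME` after the last use would keep both from leaking into the rest of the file. The function body starts and ends outside this hunk.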
@@ -136,10 +154,11 @@ APR_DECLARE(apr_status_t) apr_file_pipe_
             (*in)->pOverlapped->hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
             (*in)->timeout = 0;
         }
-
         dwPipeMode = 0;
 
-        sprintf(name, "\\\\.\\pipe\\apr-pipe-%u.%lu", getpid(), id++);
+        apr_generate_random_bytes(rand, sizeof rand);
+        pos = apr_snprintf(name, sizeof name, FMT_PIPE_NAME, pid, id++);
+        apr_escape_hex(name + pos, rand, sizeof rand, 0, NULL);
 
         (*in)->filehand = CreateNamedPipe(name,
                                           dwOpenMode,
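Review bot: The status returned by `apr_generate_random_bytes(rand, sizeof rand);` is discarded, so if the random source fails, the following `apr_escape_hex()` encodes whatever happened to be on the stack in `rand` and the pipe name loses the unpredictability this change relies on. The call should store its result in an `apr_status_t` and return it when it is not `APR_SUCCESS`, before the name is built. The cleanup needed for `*in` at that point lies outside the hunk and would have to be checked. The buffer is also declared `char[8]` while the function takes `unsigned char *`, so `unsigned char rand[8]` (or a cast at the call) would avoid a pointer-signedness warning. The results of `apr_snprintf()` and `apr_escape_hex()` are likewise unchecked, which is safe only while `name` stays sized from `FMT_PIPE_NAME` as in the earlier hunk.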
@@ -149,6 +168,11 @@ APR_DECLARE(apr_status_t) apr_file_pipe_
                                           65536,        /* nInBufferSize,   */
                                           1,            /* nDefaultTimeOut, */
                                           &sa);
+        if ((*in)->filehand == INVALID_HANDLE_VALUE) {
+            apr_status_t rv = apr_get_os_error();
+            file_cleanup(*in);
+            return rv;
+        }
 
         /* Create the write end of the pipe */
         dwOpenMode = FILE_ATTRIBUTE_NORMAL;
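Review bot: Both new error paths (this one and the later hunk testing `(*out)->filehand`) call `file_cleanup()` on an object whose `filehand` is `INVALID_HANDLE_VALUE`, and then return with `*in` and `*out` still pointing at the half-built objects. `file_cleanup()` is not shown in this diff, so it should be confirmed that it tolerates an invalid handle and releases the overlapped event created earlier in the function. Adding `*in = NULL; *out = NULL;` before `return rv;` would stop callers from touching them. A comment here would also help anyone triaging the failure: `/* With FILE_FLAG_FIRST_PIPE_INSTANCE, ERROR_ACCESS_DENIED means a pipe of this name already existed. */`.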
@@ -167,6 +191,12 @@ APR_DECLARE(apr_status_t) apr_file_pipe_
                                       OPEN_EXISTING,   /* dwCreationDisposition   */
                                       dwOpenMode,      /* Pipe attributes         */
                                       NULL);           /* handle to template file */
+        if ((*out)->filehand == INVALID_HANDLE_VALUE) {
+            apr_status_t rv = apr_get_os_error();
+            file_cleanup(*out);
+            file_cleanup(*in);
+            return rv;
+        }
     }
     else {
         /* Pipes on Win9* are blocking. Live with it. */