From: Nicolas Schier <nicolas@fjasle.eu>
To: Masahiro Yamada <masahiroy@kernel.org>,
	linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org
Cc: "Nicolas Schier" <nicolas@fjasle.eu>,
	"Thomas Kühnel" <thomas.kuehnel@avm.de>
Subject: [PATCH v2] initramfs: Check timestamp to prevent broken cpio archive
Date: Tue, 12 Oct 2021 18:52:34 +0000
Message-ID: <20211012185234.3295982-1-nicolas@fjasle.eu>

Cpio format reserves 8 bytes for an ASCII representation of a time_t timestamp.
While 2106-02-07 06:28:15 UTC (time_t = 0xffffffff) is still some years in the
future, a poorly chosen date string for KBUILD_BUILD_TIMESTAMP, converted into
seconds since the epoch, might lead to exceeded cpio timestamp limits that
result in a broken cpio archive.  Add timestamp checks to prevent overrun of
the 8-byte cpio header field.

My colleague Thomas Kühnel discovered the behaviour, when we accidentally fed
SOURCE_DATE_EPOCH to KBUILD_BUILD_TIMESTAMP as is: some timestamps (e.g.
1607420928 = 2021-12-08 10:48:48) will be interpreted by `date` as a valid date
specification of science fictional times (here: year 160742).  Even though this
is bad input for KBUILD_BUILD_TIMESTAMP, it should not break the initramfs
cpio format.

Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Cc: Thomas Kühnel <thomas.kuehnel@avm.de>
---
 usr/gen_init_cpio.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

-- 
Changes v1 to v2:
  * add timezone name (UTC) to specific time stamps
  * fix typo: results -> result 

diff --git a/usr/gen_init_cpio.c b/usr/gen_init_cpio.c
index 03b21189d58b..584ea45cff70 100644
--- a/usr/gen_init_cpio.c
+++ b/usr/gen_init_cpio.c
@@ -320,6 +320,12 @@ static int cpio_mkfile(const char *name, const char *location,
 		goto error;
 	}
 
+	if (buf.st_mtime > 0xffffffff) {
+		fprintf(stderr, "%s: Timestamp exceeds maximum cpio timestamp, clipping.\n",
+			location);
+		buf.st_mtime = 0xffffffff;
+	}
+
 	filebuf = malloc(buf.st_size);
 	if (!filebuf) {
 		fprintf (stderr, "out of memory\n");
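Review bot: the new check in cpio_mkfile() bounds buf.st_mtime only from above, so a negative st_mtime (time_t is signed) is not caught here and, printed as unsigned hex, can also exceed 8 digits. Consider clamping `buf.st_mtime < 0` to 0 next to this check. Separately, this path warns and clips while the default_mtime check in main() exits with an error; a sentence in the commit message on why the two cases are handled differently would help.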
@@ -551,6 +557,17 @@ int main (int argc, char *argv[])
 		}
 	}
 
+	/*
+	 * Timestamps after 2106-02-07 06:28:15 UTC have an ascii hex time_t
+	 * representation that exceeds 8 chars and breaks the cpio header
+	 * specification.
+	 */
+	if (default_mtime > 0xffffffff) {
+		fprintf(stderr, "ERROR: Timestamp 0x%08x too large for cpio format\n",
+			default_mtime);
+		exit(1);
+	}
+
 	if (argc - optind != 1) {
 		usage(argv[0]);
 		exit(1);
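Review bot: the fprintf in the default_mtime check uses `0x%08x`, but any value that satisfies `default_mtime > 0xffffffff` is wider than unsigned int, so the conversion does not match the argument and the message cannot show the offending value correctly. Use a matching conversion such as `%llx` with `(unsigned long long)default_mtime`, or drop the value from the message. Minor: the comment spells it "ascii" where the commit message uses "ASCII".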
-- 
2.30.1
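The failure mode the commit message describes, as an added example that is not part of the patch or of gen_init_cpio.c: a newc cpio header is the magic "070701" followed by 13 fields of exactly 8 hex digits (110 bytes), and a reader takes each field from a fixed offset. The function names, sample field values and the rejection of negative timestamps are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NEWC_HDR_LEN   110           /* "070701" + 13 fields of 8 hex digits */
#define NEWC_FIELD_MAX 0xffffffffLL  /* largest value that fits in 8 hex digits */
#define NAMESIZE_OFF   (6 + 11 * 8)  /* namesize is the 12th field */

/*
 * Format a newc header into out. Only mtime and namesize vary; the other
 * field values are constructed sample data. With checked != 0, an mtime
 * outside the 8-digit range is rejected (-1); the negative case is an
 * extra assumption of this sketch. Returns the header length otherwise.
 */
static int newc_header(char *out, size_t len, long long mtime,
                       unsigned namesize, int checked)
{
    if (checked && (mtime < 0 || mtime > NEWC_FIELD_MAX))
        return -1;
    return snprintf(out, len,
        "%s%08X%08X%08X%08X%08X%08llX%08X%08X%08X%08X%08X%08X%08X",
        "070701", 721u, 0100644u, 0u, 0u, 1u,
        (unsigned long long)mtime,       /* %08 is a minimum width only */
        0u, 3u, 1u, 0u, 0u, namesize, 0u);
}

/* What a reader does: pull namesize from its fixed offset. */
static long newc_namesize(const char *hdr)
{
    char field[9] = { 0 };

    memcpy(field, hdr + NAMESIZE_OFF, 8);
    return strtol(field, NULL, 16);
}

int main(void)
{
    char hdr[160];
    long long t[] = { 0xffffffffLL, 0x100000000LL };  /* limit, limit + 1 s */

    for (int i = 0; i < 2; i++) {
        int n = newc_header(hdr, sizeof(hdr), t[i], 5, 0);
        printf("mtime=%llx len=%d (want %d) namesize read back=%ld\n",
               (unsigned long long)t[i], n, NEWC_HDR_LEN, newc_namesize(hdr));
    }
    return 0;
}
```

One second past the limit, the header grows to 111 bytes and every field after mtime shifts by one, so the reader recovers a namesize of 0 instead of 5.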

