[Bug 1865032] Comment bridged from LTC Bugzilla

bugproxy 1865032 at bugs.launchpad.net
Tue Dec 1 17:30:13 UTC 2020 

------- Comment From PRudo at de.ibm.com 2020-12-01 12:25 EDT-------
verified on bionic (zipl 2.3.0-build-20201124)and xenial (zipl 1.34.0-build-20201124)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1865032

Title:
  [UBUNTU] zipl/libc: Fix potential buffer overflow in printf

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in s390-tools package in Ubuntu:
  Fix Released
Status in s390-tools source package in Xenial:
  Fix Committed
Status in s390-tools source package in Bionic:
  Fix Committed
Status in s390-tools source package in Eoan:
  Won't Fix
Status in s390-tools source package in Focal:
  Fix Released

Bug description:
  [Impact] 
   * Crash of the zipl boot loader during boot.
   * due to printf buffer overflow in zipl/libc implementation

  [Test Case]
   * Use printf to print a string with >81 characters
     (exact number depends  on the stack layout/compiler used).

  [Where problems could occur]
   * regressions in zipl could break the booting on IBM Z, in certain scenarios
   * the package is only available on s390x and thus could only affect IBM Z machines

  [Other Info]
   * Patches provided by IBM
   * In addition to the 4 commit IDs from the original description, I needed to include part of another upstream commit, to add the "memmove()" function. This was taken from: https://github.com/ibm-s390-tools/s390-tools/commit/e764f460c457ab2a6000acb5f2eb7169866ce192

  === Original Description ===
  Description:   zipl/libc: Fix potential buffer overflow in printf
  Symptom:       Crash of the zipl boot loader during boot.
  Problem:       The zipl boot loaders have their own minimalistic libc
                 implementation. In it printf and sprintf use vsprintf for string
                 formatting. Per definition vsprintf assumes that the buffer it
                 writes to is large enough to contain the formatted string and
                 performs no size checks. This is problematic for the boot
                 loaders because the buffer they use are often allocated on the
                 stack. Thus even small changes to the string format can
                 potentially cause buffer overflows on the stack.

  Solution:      Implement vsnprintf and make use of it.

  Reproduction:  Use printf to print a string with >81 characters (exact number
                 depends on the stack layout/compiler used).

  Upstream commit(s) for s390-tools:
  6fe9e6c55c69c14971dca55551009f5060418aae
  8874b908254c47c8a6fd7a1aca2c7371c11035c4
  f7430027b41d5ad6220e962a179c2a5213330a44
  36fed0e6c6590631c4ce1707c8fe3c3397bcce4d

  Problem was introduced with version 1.24. Therefore these patches need
  to be applied to all distros in service.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1865032/+subscriptions

More information about the foundations-bugs mailing list