1From a9bd3dec9fde03327a4a2c69dad1036bf9632e20 Mon Sep 17 00:00:00 2001 2From: Chris Liddell <chris.liddell@artifex.com> 3Date: Tue, 7 Sep 2021 20:36:12 +0100 4Subject: [PATCH] Bug 704342: Include device specifier strings in access 5 validation 6 7for the "%pipe%", %handle%" and %printer% io devices. 8 9We previously validated only the part after the "%pipe%" Postscript device 10specifier, but this proved insufficient. 11 12This rebuilds the original file name string, and validates it complete. The 13slight complication for "%pipe%" is it can be reached implicitly using 14"|" so we have to check both prefixes. 15 16Addresses CVE-2021-3781 17 18Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 19--- 20 base/gdevpipe.c | 22 +++++++++++++++- 21 base/gp_mshdl.c | 11 +++++++- 22 base/gp_msprn.c | 10 ++++++- 23 base/gp_os2pr.c | 13 +++++++++- 24 base/gslibctx.c | 69 ++++++++++--------------------------------------- 25 5 files changed, 65 insertions(+), 60 deletions(-) 26 27diff --git a/base/gdevpipe.c b/base/gdevpipe.c 28index 96d71f5d8..5bdc485be 100644 29--- a/base/gdevpipe.c 30+++ b/base/gdevpipe.c 31@@ -72,8 +72,28 @@ pipe_fopen(gx_io_device * iodev, const char *fname, const char *access, 32 #else 33 gs_lib_ctx_t *ctx = mem->gs_lib_ctx; 34 gs_fs_list_t *fs = ctx->core->fs; 35+ /* The pipe device can be reached in two ways, explicltly with %pipe% 36+ or implicitly with "|", so we have to check for both 37+ */ 38+ char f[gp_file_name_sizeof]; 39+ const char *pipestr = "|"; 40+ const size_t pipestrlen = strlen(pipestr); 41+ const size_t preflen = strlen(iodev->dname); 42+ const size_t nlen = strlen(fname); 43+ int code1; 44+ 45+ if (preflen + nlen >= gp_file_name_sizeof) 46+ return_error(gs_error_invalidaccess); 47+ 48+ memcpy(f, iodev->dname, preflen); 49+ memcpy(f + preflen, fname, nlen + 1); 50+ 51+ code1 = gp_validate_path(mem, f, access); 52+ 53+ memcpy(f, pipestr, pipestrlen); 54+ memcpy(f + pipestrlen, fname, nlen + 1); 55 56- if (gp_validate_path(mem, fname, access) != 0) 57+ if (code1 != 0 && gp_validate_path(mem, f, access) != 0 ) 58 return gs_error_invalidfileaccess; 59 60 /* 61diff --git a/base/gp_mshdl.c b/base/gp_mshdl.c 62index 2b964ed74..8d87ceadc 100644 63--- a/base/gp_mshdl.c 64+++ b/base/gp_mshdl.c 65@@ -95,8 +95,17 @@ mswin_handle_fopen(gx_io_device * iodev, const char *fname, const char *access, 66 long hfile; /* Correct for Win32, may be wrong for Win64 */ 67 gs_lib_ctx_t *ctx = mem->gs_lib_ctx; 68 gs_fs_list_t *fs = ctx->core->fs; 69+ char f[gp_file_name_sizeof]; 70+ const size_t preflen = strlen(iodev->dname); 71+ const size_t nlen = strlen(fname); 72 73- if (gp_validate_path(mem, fname, access) != 0) 74+ if (preflen + nlen >= gp_file_name_sizeof) 75+ return_error(gs_error_invalidaccess); 76+ 77+ memcpy(f, iodev->dname, preflen); 78+ memcpy(f + preflen, fname, nlen + 1); 79+ 80+ if (gp_validate_path(mem, f, access) != 0) 81 return gs_error_invalidfileaccess; 82 83 /* First we try the open_handle method. */ 84diff --git a/base/gp_msprn.c b/base/gp_msprn.c 85index ed4827968..746a974f7 100644 86--- a/base/gp_msprn.c 87+++ b/base/gp_msprn.c 88@@ -168,8 +168,16 @@ mswin_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, 89 uintptr_t *ptid = &((tid_t *)(iodev->state))->tid; 90 gs_lib_ctx_t *ctx = mem->gs_lib_ctx; 91 gs_fs_list_t *fs = ctx->core->fs; 92+ const size_t preflen = strlen(iodev->dname); 93+ const size_t nlen = strlen(fname); 94 95- if (gp_validate_path(mem, fname, access) != 0) 96+ if (preflen + nlen >= gp_file_name_sizeof) 97+ return_error(gs_error_invalidaccess); 98+ 99+ memcpy(pname, iodev->dname, preflen); 100+ memcpy(pname + preflen, fname, nlen + 1); 101+ 102+ if (gp_validate_path(mem, pname, access) != 0) 103 return gs_error_invalidfileaccess; 104 105 /* First we try the open_printer method. */ 106diff --git a/base/gp_os2pr.c b/base/gp_os2pr.c 107index f852c71fc..ba54cde66 100644 108--- a/base/gp_os2pr.c 109+++ b/base/gp_os2pr.c 110@@ -107,9 +107,20 @@ os2_printer_fopen(gx_io_device * iodev, const char *fname, const char *access, 111 FILE ** pfile, char *rfname, uint rnamelen) 112 { 113 os2_printer_t *pr = (os2_printer_t *)iodev->state; 114- char driver_name[256]; 115+ char driver_name[gp_file_name_sizeof]; 116 gs_lib_ctx_t *ctx = mem->gs_lib_ctx; 117 gs_fs_list_t *fs = ctx->core->fs; 118+ const size_t preflen = strlen(iodev->dname); 119+ const int size_t = strlen(fname); 120+ 121+ if (preflen + nlen >= gp_file_name_sizeof) 122+ return_error(gs_error_invalidaccess); 123+ 124+ memcpy(driver_name, iodev->dname, preflen); 125+ memcpy(driver_name + preflen, fname, nlen + 1); 126+ 127+ if (gp_validate_path(mem, driver_name, access) != 0) 128+ return gs_error_invalidfileaccess; 129 130 /* First we try the open_printer method. */ 131 /* Note that the loop condition here ensures we don't 132diff --git a/base/gslibctx.c b/base/gslibctx.c 133index 6dfed6cd5..318039fad 100644 134--- a/base/gslibctx.c 135+++ b/base/gslibctx.c 136@@ -655,82 +655,39 @@ rewrite_percent_specifiers(char *s) 137 int 138 gs_add_outputfile_control_path(gs_memory_t *mem, const char *fname) 139 { 140- char *fp, f[gp_file_name_sizeof]; 141- const int pipe = 124; /* ASCII code for '|' */ 142- const int len = strlen(fname); 143- int i, code; 144+ char f[gp_file_name_sizeof]; 145+ int code; 146 147 /* Be sure the string copy will fit */ 148- if (len >= gp_file_name_sizeof) 149+ if (strlen(fname) >= gp_file_name_sizeof) 150 return gs_error_rangecheck; 151 strcpy(f, fname); 152- fp = f; 153 /* Try to rewrite any %d (or similar) in the string */ 154 rewrite_percent_specifiers(f); 155- for (i = 0; i < len; i++) { 156- if (f[i] == pipe) { 157- fp = &f[i + 1]; 158- /* Because we potentially have to check file permissions at two levels 159- for the output file (gx_device_open_output_file and the low level 160- fopen API, if we're using a pipe, we have to add both the full string, 161- (including the '|', and just the command to which we pipe - since at 162- the pipe_fopen(), the leading '|' has been stripped. 163- */ 164- code = gs_add_control_path(mem, gs_permit_file_writing, f); 165- if (code < 0) 166- return code; 167- code = gs_add_control_path(mem, gs_permit_file_control, f); 168- if (code < 0) 169- return code; 170- break; 171- } 172- if (!IS_WHITESPACE(f[i])) 173- break; 174- } 175- code = gs_add_control_path(mem, gs_permit_file_control, fp); 176+ 177+ code = gs_add_control_path(mem, gs_permit_file_control, f); 178 if (code < 0) 179 return code; 180- return gs_add_control_path(mem, gs_permit_file_writing, fp); 181+ return gs_add_control_path(mem, gs_permit_file_writing, f); 182 } 183 184 int 185 gs_remove_outputfile_control_path(gs_memory_t *mem, const char *fname) 186 { 187- char *fp, f[gp_file_name_sizeof]; 188- const int pipe = 124; /* ASCII code for '|' */ 189- const int len = strlen(fname); 190- int i, code; 191+ char f[gp_file_name_sizeof]; 192+ int code; 193 194 /* Be sure the string copy will fit */ 195- if (len >= gp_file_name_sizeof) 196+ if (strlen(fname) >= gp_file_name_sizeof) 197 return gs_error_rangecheck; 198 strcpy(f, fname); 199- fp = f; 200 /* Try to rewrite any %d (or similar) in the string */ 201- for (i = 0; i < len; i++) { 202- if (f[i] == pipe) { 203- fp = &f[i + 1]; 204- /* Because we potentially have to check file permissions at two levels 205- for the output file (gx_device_open_output_file and the low level 206- fopen API, if we're using a pipe, we have to add both the full string, 207- (including the '|', and just the command to which we pipe - since at 208- the pipe_fopen(), the leading '|' has been stripped. 209- */ 210- code = gs_remove_control_path(mem, gs_permit_file_writing, f); 211- if (code < 0) 212- return code; 213- code = gs_remove_control_path(mem, gs_permit_file_control, f); 214- if (code < 0) 215- return code; 216- break; 217- } 218- if (!IS_WHITESPACE(f[i])) 219- break; 220- } 221- code = gs_remove_control_path(mem, gs_permit_file_control, fp); 222+ rewrite_percent_specifiers(f); 223+ 224+ code = gs_remove_control_path(mem, gs_permit_file_control, f); 225 if (code < 0) 226 return code; 227- return gs_remove_control_path(mem, gs_permit_file_writing, fp); 228+ return gs_remove_control_path(mem, gs_permit_file_writing, f); 229 } 230 231 int 232-- 2332.20.1 234 235