Bug 1513837

Summary: Potential arbitrary code execution bug found by Coverity scan
Product: Red Hat Enterprise Linux 7
Reporter: Dhiru Kholia <dkholia>
Component: genwqe-tools
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Erico Nunes <ernunes>
Severity: low
Priority: unspecified
Version: 7.4
CC: ernunes, lmiksik, than
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: genwqe-tools-4.0.18-4.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-04-10 15:44:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dhiru Kholia 2017-11-16 04:58:50 UTC
Upstream bug -> https://github.com/ibm-genwqe/genwqe-user/issues/156. The following information is a copy of this upstream report.

I ran Coverity against the genwqe-tools package in RHEL 7.4. This corresponds to upstream "v4.0.18.tar.gz".

In particular the finding below is a bit troubling,

Error: TAINTED_STRING (CWE-20):
genwqe-user-4.0.18/lib/software.c:597: tainted_string_return_content: "getenv" returns tainted string content.
genwqe-user-4.0.18/lib/software.c:597: var_assign: Assigning: "zlib_path" = "getenv("ZLIB_PATH")", which taints "zlib_path".
genwqe-user-4.0.18/lib/software.c:603: tainted_string: Passing tainted string "zlib_path" to "dlopen", which cannot accept tainted data.
#  601|   		sw_trace("Loading software zlib \"%s\"\n", zlib_path);
#  602|   		dlerror();
#  603|-> 		handle = dlopen(zlib_path, RTLD_LAZY);
#  604|   		if (handle != NULL)
#  605|   			goto load_syms;
Coverity is saying that this particular code can allow arbitrary code execution in certain circumstances.

The code in the affected function ("zedc_sw_init") is trying to find the right libz.so.1 on the system.

According to a comment before this function,

/**
 * RHEL7.2:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1
 * ...
 * Intel with RHEL6.7:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1

... the path to libz.so.1 seems to be fixed on various RHEL versions. So would it be possible for downstream consumers (e.g. RHEL) of this package to simplify this code, and remove the zlib_path = getenv("ZLIB_PATH") functionality safely? Can this removal be done in the upstream code?

If there is any possibility (now and in the future) that the zedc_sw_init code could be run with system level privileges, we need to harden this particular code now.

I have been informed that genwqe_peek and genwqe_poke tools need to be run as root because both tools read and write specific registers.
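The hardening the report asks for, shown side by side with the pattern Coverity flagged, as an added example that is not code from genwqe-user or from the upstream fix. The path-selection step is separated from the dlopen() call so the policy itself can be exercised; the candidate list, the exists() predicate and the fake_exists() stand-in for the filesystem are assumptions chosen for illustration, with the fixed paths modelled on the ldconfig output quoted above.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pattern from the Coverity finding: whatever ZLIB_PATH holds is handed
 * to dlopen() unchanged. In a tool that runs as root (genwqe_peek and
 * genwqe_poke per the report) the environment then chooses which shared
 * object executes with root privileges. Kept here only for comparison. */
const char *zlib_path_env_first(const char *fallback)
{
    const char *p = getenv("ZLIB_PATH");          /* tainted input */
    return (p != NULL && *p != '\0') ? p : fallback;
}

/* Hardened policy: ignore the environment and take the first readable
 * entry of a compiled-in candidate list. The exists() predicate is a
 * parameter so the policy can be checked without touching the real FS. */
const char *zlib_path_fixed(const char *const *candidates, size_t n,
                            int (*exists)(const char *))
{
    for (size_t i = 0; i < n; i++)
        if (exists(candidates[i]))
            return candidates[i];
    return NULL;   /* caller reports "no usable libz" rather than guessing */
}

/* Middle ground if a developer override must stay: honour it only for an
 * unprivileged process that is neither setuid nor marked AT_SECURE
 * (the flag glibc's secure_getenv() consults). Root is never allowed. */
int env_override_allowed(uid_t uid, uid_t euid, int at_secure)
{
    return uid != 0 && euid == uid && !at_secure;
}

/* Real predicate for production use. */
int readable(const char *path)
{
    return access(path, R_OK) == 0;
}

/* Constructed stand-in for the filesystem so the policy is checkable on
 * any host: only this one path "exists". */
int fake_exists(const char *path)
{
    return strcmp(path, "/usr/lib64/libz.so.1") == 0;
}

/* Assumed candidate list, modelled on the ldconfig output in the report. */
static const char *const default_candidates[] = {
    "/lib64/libz.so.1",
    "/usr/lib64/libz.so.1",
    "/lib/x86_64-linux-gnu/libz.so.1",
};
#define N_CANDIDATES (sizeof(default_candidates) / sizeof(default_candidates[0]))

int main(void)
{
    /* Constructed value, the same one used in the verification in comment 9. */
    setenv("ZLIB_PATH", "/tmp/test.so", 1);

    printf("env-first policy would load: %s\n",
           zlib_path_env_first("/lib64/libz.so.1"));

    const char *fixed = zlib_path_fixed(default_candidates, N_CANDIDATES, readable);
    printf("fixed-list policy would load: %s\n", fixed ? fixed : "(none found)");

    printf("override allowed for this process: %d\n",
           env_override_allowed(getuid(), geteuid(), 0));
    return 0;
}
```

Running the block as root prints a ZLIB_PATH-controlled path for the first policy and a compiled-in path (or none) for the second, which is the behavioural difference the verification in comment 9 checks for.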

Comment 3 Dhiru Kholia 2017-11-20 10:19:15 UTC
I am setting NEEDINFO on Erico Nunes (ernunes) instead of me.

Erico, can we please get qa_ack for this security hardening bug?

Comment 7 Dhiru Kholia 2017-11-29 09:21:03 UTC
Here is the upstream patch for this issue,

https://github.com/ibm-genwqe/genwqe-user/commit/f4a0a7c39ea94c3a2

If you have any comments about this upstream fix, please add them to https://github.com/ibm-genwqe/genwqe-user/issues/156 page.

Thanks for handling this bug so quickly. Great work!

Comment 9 Erico Nunes 2018-02-27 13:52:21 UTC
Verified on genwqe-tools-4.0.18-6.el7. With the older version it attempted to load the library specified in ZLIB_PATH, now it doesn't attempt that anymore with the installed package.

# rpm -q genwqe-tools
genwqe-tools-4.0.18-3.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/tmp/test.so"
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib
# yum install -y -q genwqe-tools
# rpm -q genwqe-tools
genwqe-tools-4.0.18-6.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib

Comment 12 errata-xmlrpc 2018-04-10 15:44:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0869