Bug 1513837 - Potential arbitrary code execution bug found by Coverity scan
Summary: Potential arbitrary code execution bug found by Coverity scan
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: genwqe-tools
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Than Ngo
QA Contact: Erico Nunes
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-16 04:58 UTC by Dhiru Kholia
Modified: 2018-04-10 15:45 UTC (History)

Fixed In Version: genwqe-tools-4.0.18-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 15:44:39 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0869 0 None None None 2018-04-10 15:45:24 UTC

Description Dhiru Kholia 2017-11-16 04:58:50 UTC
Upstream bug -> https://github.com/ibm-genwqe/genwqe-user/issues/156. The following information is a copy of this upstream report.

I ran Coverity against the genwqe-tools package in RHEL 7.4. This corresponds to upstream "v4.0.18.tar.gz".

In particular the finding below is a bit troubling,

Error: TAINTED_STRING (CWE-20):
genwqe-user-4.0.18/lib/software.c:597: tainted_string_return_content: "getenv" returns tainted string content.
genwqe-user-4.0.18/lib/software.c:597: var_assign: Assigning: "zlib_path" = "getenv("ZLIB_PATH")", which taints "zlib_path".
genwqe-user-4.0.18/lib/software.c:603: tainted_string: Passing tainted string "zlib_path" to "dlopen", which cannot accept tainted data.
#  601|   		sw_trace("Loading software zlib \"%s\"\n", zlib_path);
#  602|   		dlerror();
#  603|-> 		handle = dlopen(zlib_path, RTLD_LAZY);
#  604|   		if (handle != NULL)
#  605|   			goto load_syms;
Coverity is saying that this particular code can allow arbitrary code execution in certain circumstances.

The code in the affected function ("zedc_sw_init") is trying to find the right libz.so.1 on the system.

According to a comment before this function,

/**
 * RHEL7.2:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1
 * ...
 * Intel with RHEL6.7:
 *   $ ldconfig -p | grep libz.so.1 | cut -d' ' -f4 | head -n1
 *   /lib64/libz.so.1

... the path to libz.so.1 seems to be fixed on various RHEL versions. So would it be possible for downstream consumers (e.g. RHEL) of this package to simplify this code, and remove the "zlib_path" = "getenv("ZLIB_PATH")" functionality safely? Can this removal be done in the upstream code?

If there is any possibility (now and in the future) that the zedc_sw_init code could be run with system level privileges, we need to harden this particular code now.

I have been informed that genwqe_peek and genwqe_poke tools need to be run as root because both tools read and write specific registers.
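The pattern Coverity flagged, placed beside a hardened selection routine, as an added example written for this report (not the genwqe-user code or its upstream fix). The candidate list, the `exists` callback, the `privileged` flag and the stub functions are assumptions made for the demonstration; the real `dlopen()` call is left out so the path-selection logic can run and be tested on its own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

typedef int (*exists_fn)(const char *path);

/* Fixed search list of absolute paths, tried in order. The first entry is the
   location the report's comment shows for RHEL; the others are assumptions. */
static const char *const zlib_candidates[] = {
    "/lib64/libz.so.1", "/usr/lib64/libz.so.1", "/lib/libz.so.1", "/usr/lib/libz.so.1",
};
#define N_CANDIDATES (sizeof zlib_candidates / sizeof zlib_candidates[0])

/* Before: the flagged pattern. Whatever ZLIB_PATH holds is returned and would be
   handed to dlopen(), so whoever controls the environment of a root process such as
   genwqe_peek/genwqe_poke controls which shared object gets loaded. */
const char *zlib_path_vulnerable(const char *env_zlib_path)
{
    return env_zlib_path != NULL ? env_zlib_path : zlib_candidates[0];
}

/* After: the environment is ignored entirely; only allow-listed paths are returned.
   NULL means "nothing found": the caller falls back or fails closed, never guesses. */
const char *zlib_path_hardened(exists_fn exists)
{
    for (size_t i = 0; i < N_CANDIDATES; i++)
        if (exists(zlib_candidates[i]))
            return zlib_candidates[i];
    return NULL;
}

/* If an override must be kept for testing: honour it only in an unprivileged process
   (caller computes privileged = geteuid() == 0 || getuid() != geteuid()) and only if
   it is exactly one of the allow-listed strings. Everything else takes the hardened path. */
const char *zlib_path_checked(const char *env_zlib_path, int privileged, exists_fn exists)
{
    if (env_zlib_path != NULL && !privileged)
        for (size_t i = 0; i < N_CANDIDATES; i++)
            if (strcmp(env_zlib_path, zlib_candidates[i]) == 0 && exists(zlib_candidates[i]))
                return zlib_candidates[i];
    return zlib_path_hardened(exists);
}

/* Constructed stubs for the demonstration: the real check would be access(path, R_OK). */
static int stub_exists(const char *path) { return strcmp(path, "/usr/lib64/libz.so.1") == 0; }
static int stub_none(const char *path) { (void)path; return 0; }
static int real_exists(const char *path) { return access(path, R_OK) == 0; }

int main(void)
{
    const char *p = zlib_path_hardened(real_exists);
    printf("zlib: %s\n", p ? p : "(none of the fixed candidates found)");
    return 0;
}
```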

Comment 3 Dhiru Kholia 2017-11-20 10:19:15 UTC
I am setting NEEDINFO on Erico Nunes (ernunes) instead of me.

Erico, can we please get qa_ack for this security hardening bug?

Comment 7 Dhiru Kholia 2017-11-29 09:21:03 UTC
Here is the upstream patch for this issue,

https://github.com/ibm-genwqe/genwqe-user/commit/f4a0a7c39ea94c3a2


If you have any comments about this upstream fix, please add them to https://github.com/ibm-genwqe/genwqe-user/issues/156 page.


Thanks for handling this bug so quickly. Great work!

Comment 9 Erico Nunes 2018-02-27 13:52:21 UTC
Verified on genwqe-tools-4.0.18-6.el7. With the older version it attempted to load the library specified in ZLIB_PATH; now it doesn't attempt that anymore with the installed package.

# rpm -q genwqe-tools
genwqe-tools-4.0.18-3.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/tmp/test.so"
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib
# yum install -y -q genwqe-tools
# rpm -q genwqe-tools
genwqe-tools-4.0.18-6.el7.ppc64le
# ZLIB_TRACE=0xffffffff ZLIB_PATH=/tmp/test.so genwqe_gunzip
### _init: BUILD=4.0.18 ZLIB_TRACE=ffffffff ZLIB_INFLATE_IMPL=1 ZLIB_DEFLATE_IMPL=1 ZLIB_INFLATE_THRESHOLD=16384
sss Loading software zlib "/usr/lib64/libz.so"
sss   ZLIB_VERSION=1.2.7 (header) zlibVersion()=1.2.7 (code)
sss /usr/lib64/libz.so: undefined symbol: inflateGetDictionary
gzip: Output must not be a terminal!
Called with:
  ARGV[0]: "genwqe_gunzip"
Info: deflateInit: 0
Info: deflate: 0 sw: 0 hw: 0
Info: deflateEnd: 0
Info: inflateInit: 0
Info: inflate: 0 sw: 0 hw: 0
Info: inflateEnd: 0
sss Closing software zlib

Comment 12 errata-xmlrpc 2018-04-10 15:44:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0869

