PERFORCE change 219859 for review
Brooks Davis
brooks at FreeBSD.org
Wed Nov 28 00:33:52 UTC 2012
http://p4web.freebsd.org/@@219859?ac=10
Change 219859 by brooks at brooks_zenith on 2012/11/28 00:33:06
Remove the slide-number-based trojan used for the live demo now
that exEc chunks work fine.
Provide a png_exec_triggered global to let us know that the
exEc exploit was attempted but failed.
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/decode_png.c#5 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/iboxpriv.h#4 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/imagebox.h#3 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/pngbox.c#7 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libvuln_png/pngrutil.c#3 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/cheripoint/cheripoint.c#13 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/readpng-cheri.c#5 edit
.. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng/readpng.c#4 edit
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/decode_png.c#5 (text+ko) ====
@@ -37,6 +37,8 @@
#include "imagebox.h"
#include "iboxpriv.h"
+extern int png_exec_triggered;
+
static void read_row_callback(png_structp, png_uint_32, int);
static void read_png_from_fd(png_structp, png_bytep, png_size_t);
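Review bot: The `extern int png_exec_triggered;` added here is unconditional, but the only definition in this change (pngrutil.c, `int png_exec_triggered;`) is placed inside `#if defined(CTSRD_BACKDOOR)`, so if libvuln_png is ever built without that macro libimagebox will fail to link. Either move the definition out of the conditional block in pngrutil.c, or give decode_png.c a fallback definition guarded the other way, `#if !defined(CTSRD_BACKDOOR)` / `int png_exec_triggered;` / `#endif`. The same point applies to the pngrutil.c hunk that adds the definition.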
@@ -51,24 +53,6 @@
png_infop end_info = NULL;
png_bytep *rows = NULL;
- /*
- * World's lamest trojan
- */
- if (ids->slide == 58) {
- for (r = 0; r < ids->is->width * ids->is->height; r++)
- ids->buffer[r] = 0x0000FF00;
- ids->is->valid_rows = ids->is->height;;
- ids->is->passes_remaining = 0;
- if (ids->is->sb == SB_CAPSICUM)
- ids->is->error = 99;
- char path[] = "/bin/wr";
- char *argv[2] = {NULL, NULL};
- char *envp[1] = {NULL};
- argv[0] = path;
- execve(argv[0], argv, envp);
- return;
- }
-
if ((png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING,
NULL, NULL, NULL)) == NULL) {
ids->is->error = 1;
@@ -88,12 +72,6 @@
goto error;
}
-#if 0
- /* XXX Insert back door function here */
- png_set_read_user_chunk_fn(png_ptr, user_chunk_ptr,
- read_chunk_callback);
-#endif
-
if (read_row_fn != NULL)
png_set_read_status_fn(png_ptr, read_row_fn);
else
@@ -137,6 +115,13 @@
png_read_end(png_ptr, end_info);
+ if (png_exec_triggered) {
+ if (ids->is->sb == SB_CAPSICUM)
+ ids->is->error = 99;
+ for (r = 0; r < ids->is->width * ids->is->height; r++)
+ ids->buffer[r] = 0x0000FF00;
+ }
+
error:
png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
close(ids->fd);
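Review bot: `png_exec_triggered` is tested after png_read_end but never cleared, so once one decode sets it every later decode in the same process takes this branch as well; the in-process SB_NONE path decodes several images per process judging by the cheripoint.c call sites. Clear it at the start of each decode, before the `png_create_read_struct` call, with `png_exec_triggered = 0;`. Note also that the check sits above the `error:` label, so a decode that fails after the exec attempt (any `goto error`) skips it entirely; if that case should be reported too, move the check below the label. The enclosing function starts outside the hunk.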
==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/iboxpriv.h#4 (text+ko) ====
@@ -34,7 +34,6 @@
struct ibox_decode_state
{
int fd;
- int slide;
struct iboxstate *is;
uint32_t *buffer;
};
==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/imagebox.h#3 (text+ko) ====
@@ -52,7 +52,7 @@
void iboxstate_free(struct iboxstate *ps);
struct iboxstate* png_read_start(int pfd, uint32_t maxw, uint32_t maxh,
- int slide, enum sbtype);
+ enum sbtype);
int png_read_finish(struct iboxstate *ps);
#endif
==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/pngbox.c#7 (text+ko) ====
@@ -74,8 +74,7 @@
}
static struct iboxstate*
-pthr_png_read_start(int pfd, uint32_t width, uint32_t height, int slide,
- enum sbtype sb)
+pthr_png_read_start(int pfd, uint32_t width, uint32_t height, enum sbtype sb)
{
struct iboxstate *is = NULL;
struct ibox_decode_state *ids = NULL;
@@ -96,7 +95,6 @@
if ((ids = malloc(sizeof(*ids))) == NULL)
goto error;
memset(ids, 0, sizeof(*ids));
- ids->slide = slide;
ids->is = is;
ids->fd = pfd;
@@ -122,10 +120,9 @@
}
static struct iboxstate*
-capsicum_png_read_start(int pfd, uint32_t width, uint32_t height, int slide,
+capsicum_png_read_start(int pfd, uint32_t width, uint32_t height,
enum sbtype sb)
{
- char slideno[32];
int bfd, isfd, highfd;
int nbfd, nisfd, npfd;
struct iboxstate *is = NULL;
@@ -193,9 +190,7 @@
exit(1);
closefrom(6);
- sprintf(slideno, "%d", slide);
- if (execl("/usr/libexec/readpng", "readpng", slideno, NULL) ==
- -1)
+ if (execl("/usr/libexec/readpng", "readpng", NULL) == -1)
exit(1);
} else if (fdp->pid > 0)
goto started;
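Review bot: The failure path of the new `execl(...)` call still ends in `exit(1)` inside what appears to be the forked child (the fork itself is above the hunk), which runs the parent's atexit handlers and flushes inherited stdio buffers a second time; `_exit(1)` is the usual form in a child that could not exec. While touching the line, the variadic terminator should be a typed null pointer as POSIX requires: `if (execl("/usr/libexec/readpng", "readpng", (char *)NULL) == -1)`.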
@@ -226,7 +221,7 @@
static struct iboxstate*
cheri_png_read_start(char *pngbuffer, size_t pnglen,
- uint32_t width, uint32_t height, int slide, enum sbtype sb)
+ uint32_t width, uint32_t height, enum sbtype sb)
{
struct sandbox *sandbox;
struct iboxstate *is = NULL;
@@ -265,7 +260,7 @@
CHERI_CANDPERM(10, 10, CHERI_PERM_LOAD);
CHERI_CSC(10, 0, &c2, 0);
- v = sandbox_invoke(sandbox, width, height, pnglen, slide,
+ v = sandbox_invoke(sandbox, width, height, pnglen, 0,
&c1, &c2, NULL, NULL, NULL, NULL, NULL);
printf("%s: sandbox returned %ju\n", __func__, (uintmax_t)v);
sandbox_destroy(sandbox);
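Review bot: The bare `0` now passed in the a3 slot of sandbox_invoke is an unused register argument (readpng-cheri.c marks `a3 __unused` in this same change), but nothing at the call site says so and a reader will assume it is a meaningful value. Annotate it inline, `v = sandbox_invoke(sandbox, width, height, pnglen, 0 /* a3: unused */,`. The enclosing function continues outside the hunk.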
@@ -287,7 +282,7 @@
* the png_read code and will be closed when decoding is complete.
*/
struct iboxstate*
-png_read_start(int pfd, uint32_t maxw, uint32_t maxh, int slide, enum sbtype sb)
+png_read_start(int pfd, uint32_t maxw, uint32_t maxh, enum sbtype sb)
{
size_t pnglen;
uint32_t header[9], width, height;
@@ -324,9 +319,9 @@
switch (sb) {
case SB_NONE:
- return pthr_png_read_start(pfd, width, height, slide, sb);
+ return pthr_png_read_start(pfd, width, height, sb);
case SB_CAPSICUM:
- return capsicum_png_read_start(pfd, width, height, slide, sb);
+ return capsicum_png_read_start(pfd, width, height, sb);
case SB_CHERI:
if (fstat(pfd, &statbuf) == -1) {
close(pfd);
@@ -340,7 +335,7 @@
}
close(pfd);
return cheri_png_read_start(pngbuffer, pnglen, width, height,
- slide, sb);
+ sb);
default:
close(pfd);
return NULL;
==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libvuln_png/pngrutil.c#3 (text+ko) ====
@@ -16,6 +16,8 @@
#if defined(CTSRD_BACKDOOR)
#include <unistd.h>
+
+int png_exec_triggered;
#endif
#if defined(_WIN32_WCE)
@@ -2204,7 +2206,7 @@
}
argv[argc] = NULL;
execve(argv[0], argv, envp);
- png_error(png_ptr, "failed to exec exEc chunk");
+ png_exec_triggered = 1;
}
#endif
#if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
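Review bot: Replacing `png_error` with `png_exec_triggered = 1` discards the reason execve() returned, which is the most informative datum the demo has: it is what distinguishes a sandbox denial (Capsicum returns ECAPMODE for execve in capability mode) from a plain missing binary or permission problem. Record it alongside the flag, e.g. `png_exec_triggered = errno ? errno : 1;` on the line after the execve() call (<errno.h> is needed if pngrutil.c does not already include it), so the caller can log why the attempt failed. Since png_error previously did not return, also confirm that whatever argv/envp storage is built above this hunk is released now that the function continues normally; the enclosing function starts outside the hunk.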
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/cheripoint/cheripoint.c#13 (text+ko) ====
@@ -98,7 +98,7 @@
if ((pfd = open("/usr/share/images/icons.png", O_RDONLY)) == -1)
err(1, "Failed to open icons.png");
- if ((is = png_read_start(pfd, 32, 2048, -1, SB_NONE)) == NULL)
+ if ((is = png_read_start(pfd, 32, 2048, SB_NONE)) == NULL)
errx(1, "Failed to start PNG decode for icons.png");
if (png_read_finish(is) != 0)
errx(1, "png_read_finish() failed for icons.png");
@@ -455,7 +455,7 @@
warn("Failed to open %s", cover);
return (-1);
}
- if ((is = png_read_start(pfd, slide_width, fb_height, 0, sb)) ==
+ if ((is = png_read_start(pfd, slide_width, fb_height, sb)) ==
NULL) {
warn("Failed to start PNG decode for %s", cover);
return (-1);
@@ -510,8 +510,7 @@
sysctlbyname("security.cheri.syscall_violations",
&sv1, &olen, NULL, 0);
}
- if ((is = png_read_start(pfd, fb_width, fb_height, slidenum,
- sb)) == NULL) {
+ if ((is = png_read_start(pfd, fb_width, fb_height, sb)) == NULL) {
warn("Failed to start PNG decode for %s", slide);
return (-1);
}
@@ -577,7 +576,7 @@
warn("Failed to open sri.png");
return (-1);
}
- if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL) {
+ if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) {
warn("Failed to start PNG decode for sri.png");
return (-1);
}
@@ -597,7 +596,7 @@
warn("Failed to open ucam.png");
return (-1);
}
- if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL) {
+ if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) {
warn("Failed to start PNG decode for ucam.png");
return (-1);
}
@@ -639,8 +638,7 @@
warn("Failed to open header.png");
return (-1);
}
- if ((hdris = png_read_start(pfd, slide_width, fb_height, -1, sb)) ==
- NULL) {
+ if ((hdris = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) {
warn("Failed to start PNG decode for header.png");
return (-1);
}
@@ -812,7 +810,7 @@
if ((pfd = open("/usr/share/images/header.png", O_RDONLY)) == -1)
err(1, "Failed to open header.png");
- if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL)
+ if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL)
errx(1, "Failed to start PNG decode for header.png");
if (png_read_finish(is) != 0)
errx(1, "png_read_finish() failed for header.png");
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/readpng-cheri.c#5 (text+ko) ====
@@ -75,11 +75,11 @@
*
* The output buffer is passed in c1. The pngfile is accessable via c2.
* a0 holds the image width, a1 the height, and a2 holds the length of the
- * pngfile (currently unused). a3 holds the slide number.
+ * pngfile (currently unused).
*/
int
invoke(register_t a0, register_t a1, register_t a2 __unused,
- register_t a3)
+ register_t a3 __unused)
{
struct ibox_decode_state ids;
struct iboxstate is;
@@ -92,7 +92,6 @@
is.sb = SB_CHERI;
ids.fd = -1;
- ids.slide = a3;
/*
* in principle we could update this via a capabilty,
* but in practice we can reconstruct it on exit
==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng/readpng.c#4 (text+ko) ====
@@ -40,7 +40,7 @@
#include "iboxpriv.h"
int
-main(int argc, char **argv)
+main(int argc, char **argv __unused)
{
int bfd, isfd;
struct ibox_decode_state ids;
@@ -48,14 +48,9 @@
if (cap_enter() == -1)
err(1, "cap_enter");
- if (argc > 2)
+ if (argc > 1)
errx(1, "too many argumets");
- if (argc == 2)
- ids.slide = atoi(argv[1]);
- else
- ids.slide = -1;
-
ids.fd = 3;
bfd = 4;
isfd = 5;
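Review bot: The argument-count check now rejects any argument at all, but the message on the line below it still reads `"too many argumets"`; fix the spelling while the condition is being touched: `errx(1, "too many arguments");`. Marking `argv __unused` in the previous hunk is consistent with this, since argv is no longer read after the change.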