Gitiles
Code Review Sign In
review.sourcearcade.org / flashprog / c1099d8f7ecdc18278a91ed545dc5e224a29ec54
commitc1099d8f7ecdc18278a91ed545dc5e224a29ec54[log] [tgz]
authorCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>Sun Mar 13 17:36:49 2016 +0000
committerCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>Sun Mar 13 17:36:49 2016 +0000
tree256397cb2fdd75f385eae063502253f1985956ae
parent8b6690ccbd9cf5f81aa2dc1a2095e75af172f819 [diff]
Fix fscanf format string security bug in layout.c

An internal security audit of the flashrom project by
Carl-Daniel Hailfinger found a buffer overflow bug present in all
flashrom versions since the year 2005.
This bug was independently found and reported to flashrom.org by
Cosmin Gorgovan a few days ago. 

A buffer on the stack and a buffer on the heap are affected by the
overflow caused by an incorrect fscanf format string.
The buffer overflow can only be triggered if the optional layout feature
is used and if the user manually specifies a specially crafted layout
file on the command line. Command line parsing and flash image handling
do not trigger the buggy code path.
Most usage of flashrom does not involve layout files.

The fix in this commit (changed fscanf format string) can be applied to
layout.c of all past flashrom versions.

Corresponding to flashrom svn r1953.

Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>
1 file changed
tree: 256397cb2fdd75f385eae063502253f1985956ae
  1. Documentation/
  2. util/
  3. 82802ab.c
  4. amd_imc.c
  5. archtest.c
  6. at45db.c
  7. atahpt.c
  8. atapromise.c
  9. atavia.c
  10. bitbang_spi.c
  11. board_enable.c
  12. buspirate_spi.c
  13. cbtable.c
  14. ch341a_spi.c
  15. chipdrivers.h
  16. chipset_enable.c
  17. cli_classic.c
  18. cli_common.c
  19. cli_output.c
  20. COPYING
  21. coreboot_tables.h
  22. dediprog.c
  23. dmi.c
  24. drkaiser.c
  25. dummyflasher.c
  26. en29lv640b.c
  27. flash.h
  28. flashchips.c
  29. flashchips.h
  30. flashrom.8.tmpl
  31. flashrom.c
  32. ft2232_spi.c
  33. gfxnvidia.c
  34. helpers.c
  35. hwaccess.c
  36. hwaccess.h
  37. ich_descriptors.c
  38. ich_descriptors.h
  39. ichspi.c
  40. internal.c
  41. it8212.c
  42. it85spi.c
  43. it87spi.c
  44. jedec.c
  45. layout.c
  46. linux_spi.c
  47. Makefile
  48. mcp6x_spi.c
  49. mstarddc_spi.c
  50. nic3com.c
  51. nicintel.c
  52. nicintel_eeprom.c
  53. nicintel_spi.c
  54. nicnatsemi.c
  55. nicrealtek.c
  56. ogp_spi.c
  57. opaque.c
  58. os.h
  59. pcidev.c
  60. physmap.c
  61. pickit2_spi.c
  62. platform.h
  63. pony_spi.c
  64. print.c
  65. print_wiki.c
  66. processor_enable.c
  67. programmer.c
  68. programmer.h
  69. rayer_spi.c
  70. README
  71. satamv.c
  72. satasii.c
  73. sb600spi.c
  74. serial.c
  75. serprog.c
  76. serprog.h
  77. sfdp.c
  78. spi.c
  79. spi.h
  80. spi25.c
  81. spi25_statusreg.c
  82. sst28sf040.c
  83. sst49lfxxxc.c
  84. sst_fwhub.c
  85. stm50.c
  86. udelay.c
  87. usbblaster_spi.c
  88. w29ee011.c
  89. w39.c
  90. wbsio_spi.c