Blob Blame History Raw
From e369a9b4b08e9373c814c05328b366c938284eb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kai=20L=C3=BCke?= <kailueke@riseup.net>
Date: Tue, 18 Sep 2018 13:12:14 +0200
Subject: [PATCH] Fix string format vulnerability

If the message in g_log_structured itself
contained format sequences like %d or %n they
were applied again, leading to leaked stack contents
and possibly memory corruption. It can be triggered
e.g. by a volume label containing format sequences.

Print the message argument itself into a "%s" string
to avoid intepreting format sequences.

https://github.com/storaged-project/udisks/issues/578
---
 src/udiskslogging.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/udiskslogging.c b/src/udiskslogging.c
index ab49fcbf4..47a3af23a 100644
--- a/src/udiskslogging.c
+++ b/src/udiskslogging.c
@@ -60,7 +60,7 @@ udisks_log (UDisksLogLevel     level,
 
 #if GLIB_CHECK_VERSION(2, 50, 0)
   g_log_structured ("udisks", (GLogLevelFlags) level,
-                    "MESSAGE", message, "THREAD_ID", "%d", (gint) syscall (SYS_gettid),
+                    "MESSAGE", "%s", message, "THREAD_ID", "%d", (gint) syscall (SYS_gettid),
                     "CODE_FUNC", function, "CODE_FILE", location);
 #else
   g_log ("udisks", level, "[%d]: %s [%s, %s()]", (gint) syscall (SYS_gettid), message, location, function);