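--- a/SPECS/util-linux/CVE-2026-13595.patch
+++ b/SPECS/util-linux/CVE-2026-13595.patch
@@ -0,0 +1,148 @@
+From c0286d95b1bfff0fd79f9b4c2e4ea017a2adf010 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 7 May 2026 12:50:48 +0200
+Subject: [PATCH] libblkid: fix use-after-free in nested partition probing
+
+The partitions list stores partitions in a contiguous array grown by
+reallocarray(). When the array is reallocated to a new address, all
+existing blkid_partition pointers (tab->parent, ls->next_parent, local
+parent variables in nested probers) become dangling.
+
+Fix this by changing the storage from an array of structs to an array
+of pointers, where each partition is individually allocated via
+calloc(). This makes all blkid_partition pointers stable across
+reallocations -- only the pointer array itself may move, which is
+harmless since no code caches pointers into the pointer array.
+
+This eliminates the need for callers to re-fetch parent pointers after
+every blkid_partlist_add_partition() call.
+
+Reported-by: Thai Duong <thaidn@gmail.com>
+Signed-off-by: Karel Zak <kzak@redhat.com>
+(cherry picked from commit c0186f14fbdb02f64c8e0ba701ce727ea764ff4c)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/util-linux/util-linux/commit/132d9c8aa15a8efd0a23d8ca7ed8b98f365e84fa.patch
+---
+libblkid/src/partitions/partitions.c | 34 +++++++++++++++++-----------
+1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/libblkid/src/partitions/partitions.c b/libblkid/src/partitions/partitions.c
+index e096cf8..506786c 100644
+--- a/libblkid/src/partitions/partitions.c
++++ b/libblkid/src/partitions/partitions.c
+@@ -197,7 +197,7 @@ struct blkid_struct_partlist {
+
+int nparts; /* number of partitions */
+int nparts_max; /* max.number of partitions */
+- blkid_partition parts; /* array of partitions */
++ blkid_partition *parts; /* array of pointers to partitions */
+
+struct list_head l_tabs; /* list of partition tables */
+};
+@@ -356,13 +356,16 @@ static void reset_partlist(blkid_partlist ls)
+free_parttables(ls);
+
+if (ls->next_partno) {
+- /* already initialized - reset */
+- int tmp_nparts = ls->nparts_max;
+- blkid_partition tmp_parts = ls->parts;
++ /* already initialized - free individually allocated partitions */
++ int i, tmp_nparts_max = ls->nparts_max;
++ blkid_partition *tmp_parts = ls->parts;
++
++ for (i = 0; i < ls->nparts; i++)
++ free(ls->parts[i]);
+
+memset(ls, 0, sizeof(struct blkid_struct_partlist));
+
+- ls->nparts_max = tmp_nparts;
++ ls->nparts_max = tmp_nparts_max;
+ls->parts = tmp_parts;
+}
+
+@@ -397,6 +400,7 @@ static void partitions_free_data(blkid_probe pr __attribute__((__unused__)),
+void *data)
+{
+blkid_partlist ls = (blkid_partlist) data;
++ int i;
+
+if (!ls)
+return;
+@@ -404,6 +408,8 @@ static void partitions_free_data(blkid_probe pr __attribute__((__unused__)),
+free_parttables(ls);
+
+/* deallocate partitions and partlist */
++ for (i = 0; i < ls->nparts; i++)
++ free(ls->parts[i]);
+free(ls->parts);
+free(ls);
+}
+@@ -437,15 +443,17 @@ static blkid_partition new_partition(blkid_partlist ls, blkid_parttable tab)
+* generic Linux machine -- let start with 32 partitions.
+*/
+void *tmp = reallocarray(ls->parts, ls->nparts_max + 32,
+- sizeof(struct blkid_struct_partition));
++ sizeof(blkid_partition));
+if (!tmp)
+return NULL;
+ls->parts = tmp;
+ls->nparts_max += 32;
+}
+
+- par = &ls->parts[ls->nparts++];
+- memset(par, 0, sizeof(struct blkid_struct_partition));
++ par = calloc(1, sizeof(struct blkid_struct_partition));
++ if (!par)
++ return NULL;
++ ls->parts[ls->nparts++] = par;
+
+ref_parttable(tab);
+par->tab = tab;
+@@ -850,7 +858,7 @@ int blkid_probe_is_covered_by_pt(blkid_probe pr,
+
+/* check if the partition table fits into the device */
+for (i = 0; i < nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+if (par->start + par->size > (pr->size >> 9)) {
+DBG(LOWPROBE, ul_debug("partition #%d overflows "
+@@ -862,7 +870,7 @@ int blkid_probe_is_covered_by_pt(blkid_probe pr,
+
+/* check if the requested area is covered by PT */
+for (i = 0; i < nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+if (start >= par->start && end <= par->start + par->size) {
+rc = 1;
+@@ -961,7 +969,7 @@ blkid_partition blkid_partlist_get_partition(blkid_partlist ls, int n)
+if (n < 0 || n >= ls->nparts)
+return NULL;
+
+- return &ls->parts[n];
++ return ls->parts[n];
+}
+
+blkid_partition blkid_partlist_get_partition_by_start(blkid_partlist ls, uint64_t start)
+@@ -1073,7 +1081,7 @@ blkid_partition blkid_partlist_devno_to_partition(blkid_partlist ls, dev_t devno
+* and an entry in partition table.
+*/
+for (i = 0; i < ls->nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+if (partno != blkid_partition_get_partno(par))
+continue;
+@@ -1089,7 +1097,7 @@ blkid_partition blkid_partlist_devno_to_partition(blkid_partlist ls, dev_t devno
+DBG(LOWPROBE, ul_debug("searching by offset/size"));
+
+for (i = 0; i < ls->nparts; i++) {
+- blkid_partition par = &ls->parts[i];
++ blkid_partition par = ls->parts[i];
+
+if ((uint64_t)blkid_partition_get_start(par) == start &&
+(uint64_t)blkid_partition_get_size(par) == size)
+--
+2.45.4
+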
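Review bot: In reset_partlist() the new per-partition free() loop shortens the lifetime of every blkid_partition handed out before the reset: a stale pointer used to refer to storage inside the retained ls->parts array, and now refers to freed memory, while the retained array keeps the freed pointers in its old slots. Nothing visible on this page dereferences them, because the memset zeroes nparts and blkid_partlist_get_partition() bounds-checks against it. The contract still deserves a comment such as `/* invalidates all blkid_partition pointers returned before the reset */`, and the slots are cheap to clear by bracing the loop body and writing `free(ls->parts[i]); ls->parts[i] = NULL;`. reset_partlist() starts and ends outside the hunk, so whether any caller holds a partition across a re-probe could not be checked here.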
6 changes: 5 additions & 1 deletion SPECS/util-linux/util-linux.spec
@@ -5,7 +5,7 @@
Summary: Utilities for file systems, consoles, partitions, and messages
Name: util-linux
Version: 2.40.2
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
Distribution: Azure Linux
@@ -19,6 +19,7 @@ Source4: su-l
Patch0: CVE-2025-14104.patch
Patch1: CVE-2026-27456.patch
Patch2: CVE-2026-3184.patch
Patch3: CVE-2026-13595.patch
BuildRequires: audit-devel
BuildRequires: libcap-ng-devel
BuildRequires: libselinux-devel
@@ -174,6 +175,9 @@ rm -rf %{buildroot}/lib/systemd/system
%{_mandir}/man3/*

%changelog
* Wed Jul 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.40.2-5
- Patch for CVE-2026-13595

* Wed Apr 08 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.40.2-4
- Patch for CVE-2026-3184, CVE-2026-27456

6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm
patch-2.7.6-9.azl3.aarch64.rpm
libcap-ng-0.8.4-1.azl3.aarch64.rpm
libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
util-linux-2.40.2-4.azl3.aarch64.rpm
util-linux-devel-2.40.2-4.azl3.aarch64.rpm
util-linux-libs-2.40.2-4.azl3.aarch64.rpm
util-linux-2.40.2-5.azl3.aarch64.rpm
util-linux-devel-2.40.2-5.azl3.aarch64.rpm
util-linux-libs-2.40.2-5.azl3.aarch64.rpm
tar-1.35-2.azl3.aarch64.rpm
xz-5.4.4-3.azl3.aarch64.rpm
xz-devel-5.4.4-3.azl3.aarch64.rpm
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm
patch-2.7.6-9.azl3.x86_64.rpm
libcap-ng-0.8.4-1.azl3.x86_64.rpm
libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
util-linux-2.40.2-4.azl3.x86_64.rpm
util-linux-devel-2.40.2-4.azl3.x86_64.rpm
util-linux-libs-2.40.2-4.azl3.x86_64.rpm
util-linux-2.40.2-5.azl3.x86_64.rpm
util-linux-devel-2.40.2-5.azl3.x86_64.rpm
util-linux-libs-2.40.2-5.azl3.x86_64.rpm
tar-1.35-2.azl3.x86_64.rpm
xz-5.4.4-3.azl3.x86_64.rpm
xz-devel-5.4.4-3.azl3.x86_64.rpm
12 changes: 6 additions & 6 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -542,7 +542,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
python3-gpg-1.23.2-2.azl3.aarch64.rpm
python3-jinja2-3.1.2-3.azl3.noarch.rpm
python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
python3-libmount-2.40.2-4.azl3.aarch64.rpm
python3-libmount-2.40.2-5.azl3.aarch64.rpm
python3-libs-3.12.9-13.azl3.aarch64.rpm
python3-libxml2-2.11.5-10.azl3.aarch64.rpm
python3-lxml-4.9.3-2.azl3.aarch64.rpm
@@ -599,11 +599,11 @@ texinfo-7.0.3-1.azl3.aarch64.rpm
texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm
unzip-6.0-22.azl3.aarch64.rpm
unzip-debuginfo-6.0-22.azl3.aarch64.rpm
util-linux-2.40.2-4.azl3.aarch64.rpm
util-linux-debuginfo-2.40.2-4.azl3.aarch64.rpm
util-linux-devel-2.40.2-4.azl3.aarch64.rpm
util-linux-lang-2.40.2-4.azl3.aarch64.rpm
util-linux-libs-2.40.2-4.azl3.aarch64.rpm
util-linux-2.40.2-5.azl3.aarch64.rpm
util-linux-debuginfo-2.40.2-5.azl3.aarch64.rpm
util-linux-devel-2.40.2-5.azl3.aarch64.rpm
util-linux-lang-2.40.2-5.azl3.aarch64.rpm
util-linux-libs-2.40.2-5.azl3.aarch64.rpm
which-2.21-8.azl3.aarch64.rpm
which-debuginfo-2.21-8.azl3.aarch64.rpm
xz-5.4.4-3.azl3.aarch64.rpm
12 changes: 6 additions & 6 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -550,7 +550,7 @@ python3-flit-core-3.9.0-1.azl3.noarch.rpm
python3-gpg-1.23.2-2.azl3.x86_64.rpm
python3-jinja2-3.1.2-3.azl3.noarch.rpm
python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
python3-libmount-2.40.2-4.azl3.x86_64.rpm
python3-libmount-2.40.2-5.azl3.x86_64.rpm
python3-libs-3.12.9-13.azl3.x86_64.rpm
python3-libxml2-2.11.5-10.azl3.x86_64.rpm
python3-lxml-4.9.3-2.azl3.x86_64.rpm
@@ -607,11 +607,11 @@ texinfo-7.0.3-1.azl3.x86_64.rpm
texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm
unzip-6.0-22.azl3.x86_64.rpm
unzip-debuginfo-6.0-22.azl3.x86_64.rpm
util-linux-2.40.2-4.azl3.x86_64.rpm
util-linux-debuginfo-2.40.2-4.azl3.x86_64.rpm
util-linux-devel-2.40.2-4.azl3.x86_64.rpm
util-linux-lang-2.40.2-4.azl3.x86_64.rpm
util-linux-libs-2.40.2-4.azl3.x86_64.rpm
util-linux-2.40.2-5.azl3.x86_64.rpm
util-linux-debuginfo-2.40.2-5.azl3.x86_64.rpm
util-linux-devel-2.40.2-5.azl3.x86_64.rpm
util-linux-lang-2.40.2-5.azl3.x86_64.rpm
util-linux-libs-2.40.2-5.azl3.x86_64.rpm
which-2.21-8.azl3.x86_64.rpm
which-debuginfo-2.21-8.azl3.x86_64.rpm
xz-5.4.4-3.azl3.x86_64.rpm