From a33ea192428d9c9307f1140f3e25631a6ef7657c Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Sat, 20 Jun 2020 15:02:59 -0400
Subject: [PATCH 12/12] Fix use-afte-free in ip_reass() (CVE-2020-1983)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20200620150259.3352467-2-jmaloy@redhat.com>
Patchwork-id: 97678
O-Subject: [RHEL-8.3.0 qemu-kvm PATCH 1/1] Fix use-afte-free in ip_reass() (CVE-2020-1983)
Bugzilla: 1838070
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.
m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from libslirp commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
slirp/src/ip_input.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index df1c846ade..0f5d522ec1 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -329,7 +329,7 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
- int was_ext = m->m_flags & M_EXT;
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
@@ -353,8 +353,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (!was_ext && m->m_flags & M_EXT) {
- int delta = (char *)q - m->m_dat;
+ if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}
--
2.27.0