diff --git a/SOURCES/linuxptp-cve-2021-3570.patch b/SOURCES/linuxptp-cve-2021-3570.patch
new file mode 100644
index 0000000..f166e77
--- /dev/null
+++ b/SOURCES/linuxptp-cve-2021-3570.patch
@@ -0,0 +1,94 @@
+From 4b05d4b5d70c1ba76d95f94f1f4821c4b715fefe Mon Sep 17 00:00:00 2001
+From: Richard Cochran
+Date: Sat, 17 Apr 2021 15:15:18 -0700
+Subject: [PATCH 2/2] Validate the messageLength field of incoming messages.
+
+The PTP messageLength field is redundant because the length of a PTP
+message is precisely determined by the message type and the appended
+TLVs. The current implementation validates the sizes of both the main
+message (according to the fixed header length and fixed length by
+type) and the TLVs (by using the 'L' of the TLV).
+
+However, when forwarding a message, the messageLength field is used.
+If a message arrives with a messageLength field larger than the actual
+message size, the code will read and possibly write data beyond the
+allocated buffer.
+
+Fix the issue by validating the field on ingress. This prevents
+reading and sending data past the message buffer when forwarding a
+management message or other messages when operating as a transparent
+clock, and it also prevents a memory corruption in msg_post_recv()
+after forwarding a management message.
+
+Reported-by: Miroslav Lichvar
+Signed-off-by: Richard Cochran
+---
+ msg.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/msg.c b/msg.c
+index dcb397c..c2d358b 100644
+--- a/msg.c
++++ b/msg.c
+@@ -184,7 +184,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ {
+ uint8_t *ptr = msg_suffix(msg);
+ struct tlv_extra *extra;
+- int err;
++ int err, suffix_len = 0;
+ 
+ if (!ptr)
+ return 0;
+@@ -202,12 +202,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ tlv_extra_recycle(extra);
+ return -EBADMSG;
+ }
++ suffix_len += sizeof(struct TLV);
+ len -= sizeof(struct TLV);
+ ptr += sizeof(struct TLV);
+ if (extra->tlv->length > len) {
+ tlv_extra_recycle(extra);
+ return -EBADMSG;
+ }
++ suffix_len += extra->tlv->length;
+ len -= extra->tlv->length;
+ ptr += extra->tlv->length;
+ err = tlv_post_recv(extra);
+@@ -217,7 +219,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ }
+ msg_tlv_attach(msg, extra);
+ }
+- return 0;
++ return suffix_len;
+ }
+ 
+ static void suffix_pre_send(struct ptp_message *msg)
+@@ -335,7 +337,7 @@ void msg_get(struct ptp_message *m)
+ 
+ int msg_post_recv(struct ptp_message *m, int cnt)
+ {
+- int pdulen, type, err;
++ int err, pdulen, suffix_len, type;
+ 
+ if (cnt < sizeof(struct ptp_header))
+ return -EBADMSG;
+@@ -420,9 +422,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
+ break;
+ }
+ 
+- err = suffix_post_recv(m, cnt - pdulen);
+- if (err)
+- return err;
++ suffix_len = suffix_post_recv(m, cnt - pdulen);
++ if (suffix_len < 0) {
++ return suffix_len;
++ }
++ if (pdulen + suffix_len != m->header.messageLength) {
++ return -EBADMSG;
++ }
+ 
+ return 0;
+ }
+-- 
+2.20.1
+
diff --git a/SPECS/linuxptp.spec b/SPECS/linuxptp.spec
index 3f91582..17c0d47 100644
--- a/SPECS/linuxptp.spec
+++ b/SPECS/linuxptp.spec
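Review bot: suffix_post_recv's success return changes from 0 to the number of suffix bytes consumed (`return suffix_len;` in the inner hunk starting `@@ -217,7 +219,7 @@`), but no comment records the new contract, and the untouched `if (!ptr) return 0;` early exit now silently means "empty suffix"; the function's header line sits outside the hunk, so the comment would go above it, e.g. `/* Returns the length in bytes of the parsed TLV suffix, or a negative errno if a TLV is malformed. */`. The strict equality `pdulen + suffix_len != m->header.messageLength` in msg_post_recv is the actual ingress check for CVE-2021-3570 and looks right for a buffer holding exactly one PDU; it assumes messageLength has already been converted to host byte order earlier in msg_post_recv, which is outside the hunk and worth confirming. It also means any bytes delivered beyond the PDU (for example link-layer padding on short frames, if the transport does not trim them) would be parsed as TLVs and make the message fail the check, so either the receive path must truncate `cnt` to the PDU before this point or the comment above should state that cnt is expected to be exact. Both enclosing functions start outside the hunk.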
@@ -3,7 +3,7 @@ %global clknetsim_ver 8b4842 Name: linuxptp Version: 2.0 -Release: 2%{?dist} +Release: 2%{?dist}.1 Summary: PTP implementation for Linux Group: System Environment/Base @@ -34,6 +34,8 @@ Patch5: linuxptp-team.patch Patch6: linuxptp-addreq.patch # don't leak memory when allocation fails Patch7: linuxptp-msgput.patch +# validate length of forwarded messages +Patch8: linuxptp-cve-2021-3570.patch BuildRequires: kernel-headers > 3.10.0-1002 BuildRequires: systemd-units @@ -58,6 +60,7 @@ Supporting legacy APIs and other platforms is not a goal. %patch5 -p1 -b .team %patch6 -p1 -b .addreq %patch7 -p1 -b .msgput +%patch8 -p1 -b .cve-2021-3570 mv linuxptp-testsuite-%{testsuite_ver}* testsuite mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim @@ -117,6 +120,9 @@ PATH=..:$PATH ./run %{_mandir}/man8/*.8* %changelog +* Thu Jun 24 2021 Miroslav Lichvar 2.0-2.el7_9.1 +- validate length of forwarded messages (CVE-2021-3570) + * Tue Mar 26 2019 Miroslav Lichvar 2.0-2 - fix comparing of unicast addresses - don't leak memory when allocation fails