From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
need two bytes.
2.24.1
From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:28 +0530
Subject: [PATCH] slirp: use correct size while emulating commands
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
2.24.1
From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:27 +0530
Subject: [PATCH] slirp: use correct size while emulating IRC commands
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
 CHANGELOG.md   | 1 +
 src/tcp_subr.c | 7 +++++++
 2 files changed, 8 insertions(+)
diff -up slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039 slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c
82861e
--- slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c.CVE-2020-7039	2020-01-16 11:13:39.558653385 +0100
82861e
+++ slirp4netns-c4e1bc5a5e6987f3a352ca524f13320a2d483398/qemu/slirp/tcp_subr.c	2020-01-16 14:23:54.027184429 +0100
82861e
@@ -704,7 +704,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 			n4 =  (laddr & 0xff);
82861e
 
82861e
 			m->m_len = bptr - m->m_data; /* Adjust length */
82861e
-                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
82861e
+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
82861e
                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
82861e
                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
82861e
 			return 1;
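Review bot: The return value of snprintf() on the `+` line is still added to m->m_len unchecked; snprintf() returns the length the whole reply would have had, so when the reply is truncated to M_FREEROOM(m) the count overshoots the bytes actually present and m_len no longer describes the buffer, even though the write itself is now bounded. The same pattern appears in the hunks at -737, -783, -794 and -805. I would capture the result and drop the reply on truncation before committing it, e.g. `int w = snprintf(bptr, M_FREEROOM(m), "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, n5, n6, x==7?buff:"");` / `if (w < 0 || w >= M_FREEROOM(m)) return 1;` / `m->m_len += w;`, on the assumption that returning 1 without touching the mbuf is an acceptable way to abandon the emulation here, which the neighbouring `return 1;` error paths in these hunks suggest but the visible lines do not prove. tcp_emu() starts and ends outside the hunk.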
82861e
@@ -737,7 +737,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 			n4 =  (laddr & 0xff);
82861e
 
82861e
 			m->m_len = bptr - m->m_data; /* Adjust length */
82861e
-			m->m_len += snprintf(bptr, m->m_size - m->m_len,
82861e
+			m->m_len += snprintf(bptr, M_FREEROOM(m),
82861e
                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
82861e
                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
82861e
 
82861e
@@ -763,7 +763,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
82861e
 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
82861e
 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
82861e
-                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
82861e
+                    m->m_len = snprintf(m->m_data, M_ROOM(m), "%d",
82861e
                                         ntohs(so->so_fport)) + 1;
82861e
 		return 1;
82861e
 
82861e
@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 				return 1;
82861e
 			}
82861e
 			m->m_len = bptr - m->m_data; /* Adjust length */
82861e
-                        m->m_len += snprintf(bptr, m->m_size,
82861e
+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
82861e
                                              "DCC CHAT chat %lu %u%c\n",
82861e
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
82861e
                                              ntohs(so->so_fport), 1);
82861e
@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 				return 1;
82861e
 			}
82861e
 			m->m_len = bptr - m->m_data; /* Adjust length */
82861e
-                        m->m_len += snprintf(bptr, m->m_size,
82861e
+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
82861e
                                              "DCC SEND %s %lu %u %u%c\n", buff,
82861e
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
82861e
                                              ntohs(so->so_fport), n1, 1);
82861e
@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 				return 1;
82861e
 			}
82861e
 			m->m_len = bptr - m->m_data; /* Adjust length */
82861e
-                        m->m_len += snprintf(bptr, m->m_size,
82861e
+                        m->m_len += snprintf(bptr, M_FREEROOM(m),
82861e
                                              "DCC MOVE %s %lu %u %u%c\n", buff,
82861e
                                              (unsigned long)ntohl(so->so_faddr.s_addr),
82861e
                                              ntohs(so->so_fport), n1, 1);
82861e
@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 				break;
82861e
 
82861e
 			 case 5:
82861e
+				if (bptr == m->m_data + m->m_len - 1)
82861e
+				    return 1; /* We need two bytes */
82861e
+
82861e
 				/*
82861e
 				 * The difference between versions 1.0 and
82861e
 				 * 2.0 is here. For future versions of
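Review bot: The added guard tests for exactly one remaining byte with `==`, so it is correct only because the enclosing loop (outside this hunk) has already established that at least one byte is available at bptr, as the commit message states; if that invariant is ever loosened, the equality test silently lets a bptr that is already past the end through to the two-byte read. A `>=` comparison, `if (bptr >= m->m_data + m->m_len - 1)`, costs nothing and makes the check self-contained; the same applies to the identical guard in the hunk at -907, which directly precedes the `((u_char*)bptr)[0] << 8 + ((u_char *)bptr)[1]` read. A short comment naming the invariant would also help a later reader, e.g. `/* the loop guarantees one byte at bptr; this field needs two */`.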
82861e
@@ -907,6 +910,9 @@ tcp_emu(struct socket *so, struct mbuf *
82861e
 				/* This is the field containing the port
82861e
 				 * number that RA-player is listening to.
82861e
 				 */
82861e
+				if (bptr == m->m_data + m->m_len - 1)
82861e
+				    return 1; /* We need two bytes */
82861e
+
82861e
 				lport = (((u_char*)bptr)[0] << 8)
82861e
 				+ ((u_char *)bptr)[1];
82861e
 				if (lport < 6970)