From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
need two bytes.
2.24.1
From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:28 +0530
Subject: [PATCH] slirp: use correct size while emulating commands
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
2.24.1
From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:27 +0530
Subject: [PATCH] slirp: use correct size while emulating IRC commands
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
 CHANGELOG.md   | 1 +
 src/tcp_subr.c | 7 +++++++
 2 files changed, 8 insertions(+)
diff -up ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039 ./slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c
--- slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c.CVE-2020-7039	2020-01-16 11:13:43.472696979 +0100
+++ slirp4netns-21fdece2737dc24ffa3f01a341b8a6854f8b13b4/vendor/libslirp/src/tcp_subr.c	2020-01-16 11:13:43.474697002 +0100
@@ -692,7 +692,7 @@ int tcp_emu(struct socket *so, struct mb
             n4 = (laddr & 0xff);
 
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len += snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
                                  n5, n6, x == 7 ? buff : "");
             return 1;
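Review bot: The new bound stops the write at M_FREEROOM(m), but `m->m_len += snprintf(...)` still grows m_len by snprintf's return value, which is the would-be length rather than the bytes stored, so a truncated PORT rewrite (the replacement address digits plus the re-emitted `buff` can be longer than the original command) leaves m_len pointing past the end of the buffer and the out-of-bounds access moves from this write to the next read of the mbuf. The increment should use the number of bytes actually written; since the same pattern repeats for PASV and the three DCC commands below, a small static helper that formats into the tail of the mbuf and clamps its return on truncation keeps the accounting in one place. It needs `<stdarg.h>`, and it assumes M_FREEROOM(m) is the room left after m_len, which is not visible here. tcp_emu continues outside the hunk.
```c
/* Format into the tail of m at bptr, bounded by the free room, and return the
 * number of bytes actually stored (excluding the NUL) -- never snprintf's
 * would-be length -- so m_len can never be grown past the end of the buffer. */
static int tcp_emu_fmt(struct mbuf *m, char *bptr, const char *fmt, ...)
{
    int room = M_FREEROOM(m);
    va_list ap;
    int n;

    if (room <= 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(bptr, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    if (n >= room)
        n = room - 1; /* truncated: count only what was stored */
    return n;
}

/* … unchanged: PORT parsing and n1..n6 computation … */
            m->m_len = bptr - m->m_data; /* Adjust length */
            m->m_len += tcp_emu_fmt(m, bptr, "ORT %d,%d,%d,%d,%d,%d\r\n%s",
                                    n1, n2, n3, n4, n5, n6,
                                    x == 7 ? buff : "");
```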
@@ -727,8 +727,7 @@ int tcp_emu(struct socket *so, struct mb
             n4 = (laddr & 0xff);
 
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
 
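Review bot: The PASV rewrite has the same m_len accounting gap as the PORT case: the write is now bounded by M_FREEROOM(m), but `m->m_len += snprintf(...)` adds snprintf's would-be length, so when the `227 Entering Passive Mode` line plus the re-emitted `buff` does not fit, m_len overstates the payload and the later read of the mbuf runs past its end. Compute the room once and clamp the result before adding it: `int room = M_FREEROOM(m);`, `int n = snprintf(bptr, room, "27 Entering Passive Mode (...)\r\n%s", ...);`, `m->m_len += n < 0 ? 0 : (n >= room ? room - 1 : n);` — or route this through the same bounded-format helper the PORT branch should use. tcp_emu continues outside the hunk.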
@@ -754,8 +753,8 @@ int tcp_emu(struct socket *so, struct mb
         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
                              htons(lport), SS_FACCEPTONCE)) != NULL)
-            m->m_len =
-                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+            m->m_len = snprintf(m->m_data, M_ROOM(m),
+                                "%d", ntohs(so->so_fport)) + 1;
         return 1;
 
     case EMU_IRC:
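Review bot: The `+ 1` on the new line deserves a comment, because it deliberately makes the NUL terminator part of the payload: the guard above only takes this path when the incoming data ends in `'\0'`, so the rewritten port is sent back in the same NUL-terminated form; something like `/* +1: keep the NUL -- the peer's request was NUL-terminated too */`. The switch to M_ROOM(m) instead of M_FREEROOM(m) is presumably correct here because the write starts at m_data and replaces the whole payload rather than appending after bptr, but as neither macro is visible in this hunk that reasoning is worth stating in the same comment. tcp_emu continues outside the hunk.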
@@ -774,7 +773,8 @@ int tcp_emu(struct socket *so, struct mb
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                 "DCC CHAT chat %lu %u%c\n",
                                  (unsigned long)ntohl(so->so_faddr.s_addr),
                                  ntohs(so->so_fport), 1);
         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
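Review bot: The DCC CHAT line bounds the write correctly now, but `m->m_len += snprintf(...)` still adds snprintf's would-be length, so if the rewritten request does not fit in the room left after bptr — which, as the commit message notes, points into the middle of the buffer — m_len ends up past the buffer end and the OOB moves from the write to the next read of the mbuf. Capture the return value and clamp it to `M_FREEROOM(m) - 1` before adding it, or use a shared bounded-format helper. The trailing `1` passed for `%c` is presumably the CTCP 0x01 delimiter that closes the DCC request; a named constant such as `#define IRC_CTCP_DELIM 1` or a short comment would make that explicit. tcp_emu continues outside the hunk.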
@@ -784,8 +784,8 @@ int tcp_emu(struct socket *so, struct mb
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC SEND %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
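Review bot: The continuation line of the DCC SEND call is indented to a different column than the line above it — `"DCC SEND %s %lu %u %u%c\n", buff,` sits left of the first argument `bptr` — whereas the DCC CHAT call in the same function aligns its arguments under the open parenthesis; running clang-format on the file would fix this and the matching DCC MOVE site. The re-emitted `buff` comes from `%256s`, so the rewrite can carry up to 256 bytes plus the new address and port on top of the keyword; the bound now prevents an overflow, but snprintf's return value is still added to m_len unclamped, so the truncation case needs the same handling as the other rewrites. `%256s` also assumes `buff` is at least 257 bytes, which is not visible in the hunk. tcp_emu continues outside the hunk.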
@@ -795,8 +795,8 @@ int tcp_emu(struct socket *so, struct mb
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC MOVE %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
         }
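Review bot: The DCC CHAT, SEND and MOVE branches are now three copies of the same rewrite — set m_len to the bptr offset, format into the free room, add the result — differing only in the keyword and the optional `%s %u` fields, and each copy has to get the bound and the m_len accounting right on its own. Collapsing them into one bounded-format call parameterized by the verb, or a small static helper that formats into the tail of the mbuf and returns the bytes actually stored, would keep a future fix from having to touch three places. Here too the `+=` adds snprintf's return value unclamped, so a truncated DCC MOVE rewrite still overstates m_len. tcp_emu continues outside the hunk.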
@@ -882,6 +882,9 @@ int tcp_emu(struct socket *so, struct mb
                 break;
 
             case 5:
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
                 /*
                  * The difference between versions 1.0 and
                  * 2.0 is here. For future versions of
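Review bot: The new `return 1; /* We need two bytes */` is indented eight spaces deeper than its `if`, while the rest of this switch uses four-space steps (`case 5:` at 12, `if` at 16), so it belongs at column 20. The guard compares `bptr` for equality with the last byte, which is sufficient only if the enclosing loop guarantees `bptr < m->m_data + m->m_len` on entry; that condition is outside the hunk, so the `>=` form, `if (bptr + 1 >= m->m_data + m->m_len) return 1;`, would not depend on it. The two-byte read this protects is also outside the hunk, so the comment could say what is read, e.g. `/* the next field is 16 bits wide; wait until both bytes are here */`. tcp_emu continues outside the hunk.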
@@ -897,6 +900,10 @@ int tcp_emu(struct socket *so, struct mb
                 /* This is the field containing the port
                  * number that RA-player is listening to.
                  */
+
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                 if (lport < 6970)
                     lport += 256; /* don't know why */
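Review bot: The guard is placed after the comment describing the port field and separated from it by an added blank line, so the comment now introduces the bounds check rather than the `lport` read it was written for; drop the blank line and put the check above the comment, or fold its reason into the comment. The check matches the two-byte read `((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]` that follows, but it only fires when bptr is exactly on the last byte; `if (bptr + 1 >= m->m_data + m->m_len) return 1;` covers the same case without relying on the loop condition outside the hunk. The `return 1;` also carries an eight-space indent the file does not use elsewhere in this switch. tcp_emu continues outside the hunk.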