c/pve-qemu-qoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

slirp: re-add security patches

Browse Source 
the first two patches were mistakenly left out during the 4.2 qemu
rebase.

also adds another patch for issue CVE-2019-14378 (heap-based BOF)

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
This commit is contained in:
Oguz Bektas 2020-03-12 13:21:41 +01:00 committed by Thomas Lamprecht
parent 20505f521e
commit 1be32c854f
4 changed files with 310 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
debian/patches/security/0001-util-add-slirp_fmt-helpers.patch vendored Normal file
View File

@ -0,0 +1,126 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 27 Jan 2020 10:24:09 +0100
Subject: [PATCH 1/2] util: add slirp_fmt() helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
slirp/src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
slirp/src/util.h | 3 +++
2 files changed, 65 insertions(+)
diff --git a/slirp/src/util.c b/slirp/src/util.c
index e596087..e3b6257 100644
--- a/slirp/src/util.c
+++ b/slirp/src/util.c
@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
}
*q = '\0';
}
+
+static int slirp_vsnprintf(char *str, size_t size,
+ const char *format, va_list args)
+{
+ int rv = vsnprintf(str, size, format, args);
+
+ if (rv < 0) {
+ g_error("vsnprintf() failed: %s", g_strerror(errno));
+ }
+
+ return rv;
+}
+
+/*
+ * A snprintf()-like function that:
+ * - returns the number of bytes written (excluding optional \0-ending)
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv > size) {
+ g_critical("vsnprintf() truncation");
+ }
+
+ return MIN(rv, size);
+}
+
+/*
+ * A snprintf()-like function that:
+ * - always \0-end (unless size == 0)
+ * - returns the number of bytes actually written, including \0 ending
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt0(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv >= size) {
+ g_critical("vsnprintf() truncation");
+ if (size > 0)
+ str[size - 1] = '\0';
+ rv = size;
+ } else {
+ rv += 1; /* include \0 */
+ }
+
+ return rv;
+}
diff --git a/slirp/src/util.h b/slirp/src/util.h
index 3c6223c..0558dfc 100644
--- a/slirp/src/util.h
+++ b/slirp/src/util.h
@@ -177,4 +177,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
void slirp_pstrcpy(char *buf, int buf_size, const char *str);
+int slirp_fmt(char *str, size_t size, const char *format, ...);
+int slirp_fmt0(char *str, size_t size, const char *format, ...);
+
#endif
--
2.20.1

135
debian/patches/security/0002-tcp_emu-fix-unsafe-snprintf-usages.patch vendored Normal file
View File

@ -0,0 +1,135 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 27 Jan 2020 10:24:14 +0100
Subject: [PATCH 2/2] tcp_emu: fix unsafe snprintf() usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
slirp/src/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index d6dd133..93b3488 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -655,8 +655,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
NTOHS(n1);
NTOHS(n2);
m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
- assert(m->m_len < M_ROOM(m));
+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
} else {
*eol = '\r';
}
@@ -696,9 +695,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
- n5, n6, x == 7 ? buff : "");
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
/*
@@ -731,11 +730,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size - m->m_len,
- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
}
@@ -758,8 +755,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len =
- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport));
return 1;
case EMU_IRC:
@@ -778,9 +775,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
@@ -788,10 +786,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
@@ -799,10 +797,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
}
return 1;
--
2.20.1

46
debian/patches/security/0003-ip_reass-Fix-use-after-free.patch vendored Normal file
View File

@ -0,0 +1,46 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Mon, 26 Aug 2019 00:55:03 +0200
Subject: [PATCH] ip_reass: Fix use after free
Using ip_deq after m_free might read pointers from an allocation reuse.
This would be difficult to exploit, but that is still related with
CVE-2019-14378 which generates fragmented IP packets that would trigger this
issue and at least produce a DoS.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit c59279437eda91841b9d26079c70b8a540d41204)
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
src/ip_input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 8c75d91..c07d7d4 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
*/
while (q != (struct ipasfrag *)&fp->frag_link &&
ip->ip_off + ip->ip_len > q->ipf_off) {
+ struct ipasfrag *prev;
i = (ip->ip_off + ip->ip_len) - q->ipf_off;
if (i < q->ipf_len) {
q->ipf_len -= i;
@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
m_adj(dtom(slirp, q), i);
break;
}
+ prev = q;
q = q->ipf_next;
- m_free(dtom(slirp, q->ipf_prev));
- ip_deq(q->ipf_prev);
+ ip_deq(prev);
+ m_free(dtom(slirp, prev));
}
insert:
--
2.20.1

3
debian/patches/series vendored
View File

@ -30,3 +30,6 @@ pve/0030-PVE-Backup-add-backup-dump-block-driver.patch
pve/0031-PVE-Backup-proxmox-backup-patches-for-qemu.patch
pve/0032-PVE-Backup-pbs-restore-new-command-to-restore-from-p.patch
pve/0033-PVE-Backup-aquire-aio_context-before-calling-backup_.patch
security/0001-util-add-slirp_fmt-helpers.patch
security/0002-tcp_emu-fix-unsafe-snprintf-usages.patch
security/0003-ip_reass-Fix-use-after-free.patch