!12 fix CVE-2019-15026

From: @wang_yue111
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek
openeuler-ci-bot 2021-01-07 19:36:13 +08:00 committed by Gitee
commit 0f162bf32b
2 changed files with 63 additions and 1 deletions

CVE-2019-15026.patch (new file, 58 lines added)

@ -0,0 +1,58 @@
From 554b56687a19300a75ec24184746b5512580c819 Mon Sep 17 00:00:00 2001
Date: Fri, 6 Sep 2019 15:47:09 +0100
Subject: [PATCH] fix strncpy call to avoid ASAN violation
Ensure we're only reading to the size of the smallest buffer, since
they're both on the stack and could potentially overlap. Overlapping is
defined as ... undefined behavior. I've looked through all available
implementations of strncpy and they still only copy from the first \0
found.
We'll also never read past the end of sun_path since we _supply_
sun_path with a proper null terminator.
---
memcached.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/memcached.c b/memcached.c
index 5e170bf..eee69e9 100644
--- a/memcached.c
+++ b/memcached.c
@@ -2683,6 +2683,7 @@ static void conn_to_str(const conn *c, char *buf) {
struct sockaddr *addr = (void *)&c->request_addr;
int af;
unsigned short port = 0;
+ size_t pathlen = 0;
/* For listen ports and idle UDP ports, show listen address */
if (c->state == conn_listening ||
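Review bot: `pathlen` is declared at function scope with a zero initializer but is only assigned and used in the `AF_UNIX` case further down; if the surrounding code style permits block-scoped declarations, moving it into that `case` (or at least adding a short comment next to `size_t pathlen = 0;` saying it is the bound for the unix-socket path copy) would make its purpose obvious to the next reader and avoid the impression that it is consulted on other address families.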
@@ -2724,10 +2725,27 @@ static void conn_to_str(const conn *c, char *buf) {
break;
case AF_UNIX:
+ // this strncpy call originally could piss off an address
+ // sanitizer; we supplied the size of the dest buf as a limiter,
+ // but optimized versions of strncpy could read past the end of
+ // *src while looking for a null terminator. Since buf and
+ // sun_path here are both on the stack they could even overlap,
+ // which is "undefined". In all OSS versions of strncpy I could
+ // find this has no effect; it'll still only copy until the first null
+ // terminator is found. Thus it's possible to get the OS to
+ // examine past the end of sun_path but it's unclear to me if this
+ // can cause any actual problem.
+ //
+ // We need a safe_strncpy util function but I'll punt on figuring
+ // that out for now.
+ pathlen = sizeof(((struct sockaddr_un *)addr)->sun_path);
+ if (MAXPATHLEN <= pathlen) {
+ pathlen = MAXPATHLEN - 1;
+ }
strncpy(addr_text,
((struct sockaddr_un *)addr)->sun_path,
- sizeof(addr_text) - 1);
- addr_text[sizeof(addr_text)-1] = '\0';
+ pathlen);
+ addr_text[pathlen] = '\0';
protoname = "unix";
break;
}
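Review bot: the new copy bound is derived only from `sizeof(sun_path)` and `MAXPATHLEN`, while the write target is still `addr_text`, whose size the replacement lines no longer reference; the cap `pathlen = MAXPATHLEN - 1` and the terminator store `addr_text[pathlen] = '\0';` are therefore only in-bounds if `addr_text` is declared with at least `MAXPATHLEN` bytes somewhere outside this hunk. Suggest making the destination bound explicit in the same place, e.g. `if (pathlen > sizeof(addr_text) - 1) pathlen = sizeof(addr_text) - 1;`, so the invariant does not depend on a declaration elsewhere and a future resize of `addr_text` cannot silently reintroduce an overflow. Bounding the read side by `sizeof(sun_path)` is the right fix for the sanitizer finding, since `sun_path` need not be NUL-terminated within the struct and the old `sizeof(addr_text) - 1` limit let `strncpy` scan past it. Separately, the long comment left in the hunk ("We need a safe_strncpy util function but I'll punt on figuring that out for now") is a TODO; it would be better tracked as an issue reference than as open-ended prose in the source.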


@ -3,7 +3,7 @@
Name: memcached Name: memcached
Version: 1.5.10 Version: 1.5.10
Release: 5 Release: 6
Epoch: 0 Epoch: 0
Summary: A high-performance, distributed memory object caching system Summary: A high-performance, distributed memory object caching system
License: BSD License: BSD
@ -14,6 +14,7 @@ Source2: memcached.sysconfig
Patch0001: memcached-unit.patch Patch0001: memcached-unit.patch
Patch6000: CVE-2019-11596.patch Patch6000: CVE-2019-11596.patch
Patch6001: CVE-2019-15026.patch
BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness) BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
BuildRequires: selinux-policy-devel libevent-devel BuildRequires: selinux-policy-devel libevent-devel
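Review bot: `Patch6001: CVE-2019-15026.patch` is declared in the preamble, but this diff contains no change to `%prep`; confirm the spec applies patches with `%autosetup -p1` (or add a matching `%patch6001 -p1` line), otherwise the Release bump produces a rebuilt but still unpatched binary while the changelog claims the CVE is fixed.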
@ -134,6 +135,9 @@ fi
%{_mandir}/man1/memcached.1* %{_mandir}/man1/memcached.1*
%changelog %changelog
* Thu Jan 07 2021 wangyue<wangyue92@huawei.com> - 0:1.5.10-6
- fix CVE-2019-15026
* Fri Nov 06 2020 Ge Wang <wangge20@huawei.com> - 0:1.5.10-5 * Fri Nov 06 2020 Ge Wang <wangge20@huawei.com> - 0:1.5.10-5
- set help package as memcached package's install require - set help package as memcached package's install require
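Review bot: the new changelog header `wangyue<wangyue92@huawei.com>` is missing the space between the name and the address that the existing entry (`Ge Wang <wangge20@huawei.com>`) uses, which rpmlint flags as a malformed changelog line; the entry text "fix CVE-2019-15026" would also be more useful to a packager if it named what changed (the bounded `strncpy` of `sun_path` in `conn_to_str`), so the fix can be matched to the upstream commit without opening the patch.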