packages/ntp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-26555

Browse Source
This commit is contained in:
chengyechun 2023-05-24 10:07:09 +08:00
parent cba31317d0
commit 0c1d93ac25
3 changed files with 259 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
View File

@ -1,47 +1,167 @@
From 562c0cc96b42afce4eeef8da8ac315f03e2e99df Mon Sep 17 00:00:00 2001
From: Miroslva Lichvar <mlichvar@redhat.com>
Date: Thu, 20 Apr 2023 08:27:41 PM GMT+0800
From ebd64fcbd4f3858b6986ff1a048e3467d96841ab Mon Sep 17 00:00:00 2001
From: Harlen Stenn <stenn@ntp.org>
Date: Sat, 13 May 2023 05:23:33 UTC
Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters
Reference:https://build.opensuse.org/package/view_file/openSUSE:Factory/ntp/ntp-CVE-2023-26551.patch?expand=1
Conflict:NA
Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 are marked identical to CVE-2023-26551
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1507034339
CVE-2023-26552, CVE-2023-26553, and CVE-2023-26554 are marked identical to CVE-2023-26551
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1
---
libntp/mstolfp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
include/ntp_fp.h | 4 +-
libntp/mstolfp.c | 109 +++++++++++++++-------------------------
2 files changed, 42 insertions(+), 71 deletions(-)
diff --git a/include/ntp_fp.h b/include/ntp_fp.h
index afd1f82..fe6e390 100644
--- a/include/ntp_fp.h
+++ b/include/ntp_fp.h
@@ -195,9 +195,9 @@ typedef u_int32 u_fp;
do { \
int32 add_f = (int32)(f); \
if (add_f >= 0) \
- M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \
+ M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \
else \
- M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \
+ M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \
} while(0)
#define M_ISNEG(v_i) /* v < 0 */ \
diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c
index 3dfc4ef..a8defa2 100644
index 3dfc4ef..a428d17 100644
--- a/libntp/mstolfp.c
+++ b/libntp/mstolfp.c
@@ -14,7 +14,7 @@ mstolfp(
@@ -14,86 +14,57 @@ mstolfp(
l_fp *lfp
)
{
- register const char *cp;
+ register const char *cp, *end;
register char *bp;
register const char *cpdec;
char buf[100];
@@ -42,6 +42,15 @@ mstolfp(
if (*cp != '.' && !isdigit((unsigned char)*cp))
return 0;
+ /*
+ * Make sure the buffer has enough room for the input string and the
+ * extra characters, in the worst case replacing "." with "0.000"
+ */
+ end = cp;
+ while (isdigit((unsigned char)*end) || *end == '.')
+ end++;
+ if (end - cp + 4 >= sizeof (buf) - (bp - buf))
+ return 0;
- register char *bp;
- register const char *cpdec;
- char buf[100];
+ int ch, neg = 0;
+ u_int32 q, r;
/*
* Search forward for the decimal point or the end of the string.
* We understand numbers of the form:
*
* [spaces][-|+][digits][.][digits][spaces|\n|\0]
*
- * This is one enormous hack. Since I didn't feel like
- * rewriting the decoding routine for milliseconds, what
- * is essentially done here is to make a copy of the string
- * with the decimal moved over three places so the seconds
- * decoding routine can be used.
+ * This is kinda hack. We use 'atolfp' to do the basic parsing
+ * (after some initial checks) and then divide the result by
+ * 1000. The original implementation avoided that by
+ * hacking up the input string to move the decimal point, but
+ * that needed string manipulations prone to buffer overruns.
+ * To avoid that trouble we do the conversion first and adjust
+ * the result.
*/
- bp = buf;
- cp = str;
- while (isspace((unsigned char)*cp))
- cp++;
-
- if (*cp == '-' || *cp == '+') {
- *bp++ = *cp++;
- }
-
- if (*cp != '.' && !isdigit((unsigned char)*cp))
- return 0;
-
-
- /*
- * Search forward for the decimal point or the end of the string.
- */
- cpdec = cp;
- while (isdigit((unsigned char)*cpdec))
- cpdec++;
- /*
- * Found something. If we have more than three digits copy the
- * excess over, else insert a leading 0.
- */
- if ((cpdec - cp) > 3) {
- do {
- *bp++ = (char)*cp++;
- } while ((cpdec - cp) > 3);
- } else {
- *bp++ = '0';
+ while (isspace(ch = *(const unsigned char*)str))
+ ++str;
+ switch (ch) {
+ case '-': neg = TRUE;
+ case '+': ++str;
+ default : break;
}
- /*
- * Stick the decimal in. If we've got less than three digits in
- * front of the millisecond decimal we insert the appropriate number
- * of zeros.
- */
- *bp++ = '.';
- if ((cpdec - cp) < 3) {
- size_t i = 3 - (cpdec - cp);
- do {
- *bp++ = '0';
- } while (--i > 0);
- }
+ if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.'))
+ return 0;
+ if (!atolfp(str, lfp))
+ return 0;
- /*
- * Copy the remainder up to the millisecond decimal. If cpdec
- * is pointing at a decimal point, copy in the trailing number too.
+ /* now do a chained/overlapping division by 1000 to get from
+ * seconds to msec. 1000 is small enough to go with temporary
+ * 32bit accus for Q and R.
*/
- while (cp < cpdec)
- *bp++ = (char)*cp++;
-
- if (*cp == '.') {
- cp++;
- while (isdigit((unsigned char)*cp))
- *bp++ = (char)*cp++;
- }
- *bp = '\0';
+ q = lfp->l_ui / 1000u;
+ r = lfp->l_ui - (q * 1000u);
+ lfp->l_ui = q;
- /*
- * Check to make sure the string is properly terminated. If
- * so, give the buffer to the decoding routine.
- */
- if (*cp != '\0' && !isspace((unsigned char)*cp))
- return 0;
- return atolfp(buf, lfp);
+ r = (r << 16) | (lfp->l_uf >> 16);
+ q = r / 1000u;
+ r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu);
+ lfp->l_uf = q << 16;
+ q = r / 1000;
+ lfp->l_uf |= q;
+ r -= q * 1000u;
+
+ /* fix sign */
+ if (neg)
+ L_NEG(lfp);
+ /* round */
+ if (r >= 500)
+ L_ADDF(lfp, (neg ? -1 : 1));
+ return 1;
}
--
2.27.0
2.33.0

102
backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch Normal file
View File

@ -0,0 +1,102 @@
From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001
From: Harlan Stenn <stenn@ntp.org>
Date: Sat, 13 May 2023 05:23:33 UTC
Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse
Conflict:NA
Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
---
ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 7 deletions(-)
diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c
index cb68255..66bfbc8 100644
--- a/ntpd/refclock_palisade.c
+++ b/ntpd/refclock_palisade.c
@@ -1225,9 +1225,9 @@ palisade_poll (
return; /* using synchronous packet input */
if(up->type == CLK_PRAECIS) {
- if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)
+ if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) {
msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit);
- else {
+ } else {
praecis_msg = 1;
return;
}
@@ -1249,20 +1249,53 @@ praecis_parse (
pp = peer->procptr;
- memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length);
+ if (p + rbufp->recv_length >= sizeof buf) {
+ struct palisade_unit *up;
+ up = pp->unitptr;
+
+ /*
+ * We COULD see if there is a \r\n in the incoming
+ * buffer before it overflows, and then process the
+ * current line.
+ *
+ * Similarly, if we already have a hunk of data that
+ * we're now flushing, that will cause the line of
+ * data we're in the process of collecting to be garbage.
+ *
+ * Since we now check for this overflow and log when it
+ * happens, we're now in a better place to easily see
+ * what's going on and perhaps better choices can be made.
+ */
+
+ /* Do we need to log the size of the overflow? */
+ msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow",
+ up->unit);
+
+ p = 0;
+ praecis_msg = 0;
+
+ refclock_report(peer, CEVNT_BADREPLY);
+
+ return;
+ }
+
+ memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length);
p += rbufp->recv_length;
- if(buf[p-2] == '\r' && buf[p-1] == '\n') {
+ if ( p >= 2
+ && buf[p-2] == '\r'
+ && buf[p-1] == '\n') {
buf[p-2] = '\0';
record_clock_stats(&peer->srcadr, buf);
p = 0;
praecis_msg = 0;
- if (HW_poll(pp) < 0)
+ if (HW_poll(pp) < 0) {
refclock_report(peer, CEVNT_FAULT);
-
+ }
}
+ return;
}
static void
@@ -1407,7 +1440,10 @@ HW_poll (
/* Edge trigger */
if (up->type == CLK_ACUTIME)
- write (pp->io.fd, "", 1);
+ if (write (pp->io.fd, "", 1) != 1)
+ msyslog(LOG_WARNING,
+ "Palisade(%d) HW_poll: failed to send trigger: %m",
+ up->unit);
if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) {
#ifdef DEBUG
--
2.33.0

9
ntp.spec
View File

@ -2,7 +2,7 @@
Name: ntp
Version: 4.2.8p15
Release: 9
Release: 10
Summary: A protocol designed to synchronize the clocks of computers over a network
License: MIT and BSD and BSD with advertising
URL: https://www.ntp.org/
@ -28,6 +28,7 @@ Patch5: Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
Patch6: fix-MD5-manpage.patch
Patch7: modify-DSA-key-generation-parameters-base-on-openssl3.patch
Patch8: backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
Patch9: backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
@ -210,6 +211,12 @@ make check
%{_mandir}/man8/*.8*
%changelog
* Wed May 24 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-10
- Type:CVE
- ID:CVE-2023-26551,CVE-2023-26552,CVE-2023-26553,CVE-2023-26554,CVE-2023-26555
- SUG:NA
- DESC:change the patch of CVE-2023-26551 and fix CVE-2023-26555
* Fri May 12 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-9
- Type:bugfix
- ID:NA