!54 fix CVE-2023-26551，CVE-2023-26552，CVE-2023-26553，CVE-2023-26554，CVE-2023-26555

From: @chengyechun Reviewed-by: @kircher Signed-off-by: @kircher
2023-05-24 06:52:42 +00:00 · 2023-05-24 06:52:42 +00:00 · de6163b984
commit de6163b984
parent cba31317d0 0c1d93ac25
3 changed files with 259 additions and 30 deletions
--- a/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
+++ b/backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
@ -1,47 +1,167 @@
-From 562c0cc96b42afce4eeef8da8ac315f03e2e99df Mon Sep 17 00:00:00 2001
+From ebd64fcbd4f3858b6986ff1a048e3467d96841ab Mon Sep 17 00:00:00 2001
-From: Miroslva Lichvar <mlichvar@redhat.com>
+From: Harlen Stenn <stenn@ntp.org>
-Date: Thu, 20 Apr 2023 08:27:41 PM GMT+0800
+Date: Sat, 13 May 2023 05:23:33 UTC
 Subject: [PATCH] mstolfp:make sure the buffer has enough room for the input extra characters
 Reference:https://build.opensuse.org/package/view_file/openSUSE:Factory/ntp/ntp-CVE-2023-26551.patch?expand=1
 Conflict:NA
 Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
-CVE-2023-26552, CVE-2023-26553 and CVE-2023-26554 are marked identical to CVE-2023-26551
+CVE-2023-26552, CVE-2023-26553, and CVE-2023-26554 are marked identical to CVE-2023-26551
-https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1#issuecomment-1507034339
+https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1
 ---
- libntp/mstolfp.c | 11 ++++++++++-
+ include/ntp_fp.h        |   4 +-
- 1 file changed, 10 insertions(+), 1 deletion(-)
+ libntp/mstolfp.c        | 109 +++++++++++++++-------------------------
 2 files changed, 42 insertions(+), 71 deletions(-)
 diff --git a/include/ntp_fp.h b/include/ntp_fp.h
 index afd1f82..fe6e390 100644
 --- a/include/ntp_fp.h
 +++ b/include/ntp_fp.h
@@ -195,9 +195,9 @@ typedef u_int32 u_fp;
 	do { \
 		int32 add_f = (int32)(f); \
 		if (add_f >= 0) \
 -			M_ADD((r_i), (r_f), 0, (uint32)( add_f)); \
 +			M_ADD((r_i), (r_f), 0, (u_int32)( add_f)); \
 		else \
 -			M_SUB((r_i), (r_f), 0, (uint32)(-add_f)); \
 +			M_SUB((r_i), (r_f), 0, (u_int32)(-add_f)); \
 	} while(0)
 #define	M_ISNEG(v_i)			/* v < 0 */ \
 diff --git a/libntp/mstolfp.c b/libntp/mstolfp.c
-index 3dfc4ef..a8defa2 100644
+index 3dfc4ef..a428d17 100644
 --- a/libntp/mstolfp.c
 +++ b/libntp/mstolfp.c
-@@ -14,7 +14,7 @@ mstolfp(
+@@ -14,86 +14,57 @@ mstolfp(
 	l_fp *lfp
 	)
 {
 -	register const char *cp;
-+	register const char *cp, *end;
+-	register char *bp;
- 	register char *bp;
+-	register const char *cpdec;
- 	register const char *cpdec;
+-	char buf[100];
- 	char buf[100];
+	int        ch, neg = 0; 
-@@ -42,6 +42,15 @@ mstolfp(
+	u_int32    q, r;
 	if (*cp != '.' && !isdigit((unsigned char)*cp))
 	    return 0;
 +    /*
 +    * Make sure the buffer has enough room for the input string and the
 +    * extra characters, in the worst case replacing "." with "0.000"
 +    */
 +    end = cp;
 +    while (isdigit((unsigned char)*end) || *end == '.')
 +        end++;
 +    if (end - cp + 4 >= sizeof (buf) - (bp - buf))
 +        return 0;
 	/*
- 	 * Search forward for the decimal point or the end of the string.
+ 	 * We understand numbers of the form:
 	 *
 	 * [spaces][-|+][digits][.][digits][spaces|\n|\0]
 	 *
 -	 * This is one enormous hack.  Since I didn't feel like
 -	 * rewriting the decoding routine for milliseconds, what
 -	 * is essentially done here is to make a copy of the string
 -	 * with the decimal moved over three places so the seconds
 -	 * decoding routine can be used.
 +	 * This is kinda hack.  We use 'atolfp' to do the basic parsing
 +	 * (after some initial checks) and then divide the result by
 +	 * 1000.  The original implementation avoided that by
 +	 * hacking up the input string to move the decimal point, but
 +	 * that needed string manipulations prone to buffer overruns.
 +	 * To avoid that trouble we do the conversion first and adjust
 +	 * the result.
 	 */
 -	bp = buf;
 -	cp = str;
 -	while (isspace((unsigned char)*cp))
 -	    cp++;
 -	
 -	if (*cp == '-' || *cp == '+') {
 -		*bp++ = *cp++;
 -	}
 -
 -	if (*cp != '.' && !isdigit((unsigned char)*cp))
 -	    return 0;
 -
 -
 -	/*
 -	 * Search forward for the decimal point or the end of the string.
 -	 */
 -	cpdec = cp;
 -	while (isdigit((unsigned char)*cpdec))
 -	    cpdec++;
 -	/*
 -	 * Found something.  If we have more than three digits copy the
 -	 * excess over, else insert a leading 0.
 -	 */
 -	if ((cpdec - cp) > 3) {
 -		do {
 -			*bp++ = (char)*cp++;
 -		} while ((cpdec - cp) > 3);
 -	} else {
 -		*bp++ = '0';
 +	while (isspace(ch = *(const unsigned char*)str))
 +		++str;
 +	switch (ch) {
 +	    case '-': neg = TRUE;
 +	    case '+': ++str;
 +	    default : break;
 	}
 -	/*
 -	 * Stick the decimal in.  If we've got less than three digits in
 -	 * front of the millisecond decimal we insert the appropriate number
 -	 * of zeros.
 -	 */
 -	*bp++ = '.';
 -	if ((cpdec - cp) < 3) {
 -		size_t i = 3 - (cpdec - cp);
 -		do {
 -			*bp++ = '0';
 -		} while (--i > 0);
 -	}
 +	if (!isdigit(ch = *(const unsigned char*)str) && (ch != '.'))
 +		return 0;
 +	if (!atolfp(str, lfp))
 +		return 0;
 -	/*
 -	 * Copy the remainder up to the millisecond decimal.  If cpdec
 -	 * is pointing at a decimal point, copy in the trailing number too.
 +	/* now do a chained/overlapping division by 1000 to get from
 +	 * seconds to msec. 1000 is small enough to go with temporary
 +	 * 32bit accus for Q and R.
 	 */
 -	while (cp < cpdec)
 -	    *bp++ = (char)*cp++;
 -	
 -	if (*cp == '.') {
 -		cp++;
 -		while (isdigit((unsigned char)*cp))
 -		    *bp++ = (char)*cp++;
 -	}
 -	*bp = '\0';
 +	q = lfp->l_ui / 1000u;
 +	r = lfp->l_ui - (q * 1000u);
 +	lfp->l_ui = q;
 -	/*
 -	 * Check to make sure the string is properly terminated.  If
 -	 * so, give the buffer to the decoding routine.
 -	 */
 -	if (*cp != '\0' && !isspace((unsigned char)*cp))
 -	    return 0;
 -	return atolfp(buf, lfp);
 +	r = (r << 16) | (lfp->l_uf >> 16);
 +	q = r / 1000u;
 +	r = ((r - q * 1000) << 16) | (lfp->l_uf & 0x0FFFFu);
 +	lfp->l_uf = q << 16;
 +	q = r / 1000;
 +	lfp->l_uf |= q;
 +	r -= q * 1000u;
 +
 +	/* fix sign */
 +	if (neg)
 +		L_NEG(lfp);
 +	/* round */
 +	if (r >= 500)
 +		L_ADDF(lfp, (neg ? -1 : 1));
 +	return 1;
 }
 -- 
-2.27.0
+2.33.0
--- a/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
+++ b/backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
@ -0,0 +1,102 @@
 From 1e6893546c526c0961930b6b60a6aba42692dba9 Mon Sep 17 00:00:00 2001
 From: Harlan Stenn <stenn@ntp.org>
 Date: Sat, 13 May 2023 05:23:33 UTC
 Subject: [PATCH] refclock_palisade:fix an out-of-bounds write in praecis_parse
 Conflict:NA
 Reference:https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2.8p15-3806-3807.patch
 ---
 ntpd/refclock_palisade.c | 50 ++++++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 7 deletions(-)
 diff --git a/ntpd/refclock_palisade.c b/ntpd/refclock_palisade.c
 index cb68255..66bfbc8 100644
 --- a/ntpd/refclock_palisade.c
 +++ b/ntpd/refclock_palisade.c
@@ -1225,9 +1225,9 @@ palisade_poll (
 		return;  /* using synchronous packet input */
 	if(up->type == CLK_PRAECIS) {
 -		if(write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0)
 +		if (write(peer->procptr->io.fd,"SPSTAT\r\n",8) < 0) {
 			msyslog(LOG_ERR, "Palisade(%d) write: %m:",unit);
 -		else {
 +		} else {
 			praecis_msg = 1;
 			return;
 		}
@@ -1249,20 +1249,53 @@ praecis_parse (
 	pp = peer->procptr;
 -	memcpy(buf+p,rbufp->recv_space.X_recv_buffer, rbufp->recv_length);
 +	if (p + rbufp->recv_length >= sizeof buf) {
 +		struct palisade_unit *up;
 +		up = pp->unitptr;
 +
 +		/*
 +		 * We COULD see if there is a \r\n in the incoming
 +		 * buffer before it overflows, and then process the
 +		 * current line.
 +		 *
 +		 * Similarly, if we already have a hunk of data that
 +		 * we're now flushing, that will cause the line of
 +		 * data we're in the process of collecting to be garbage.
 +		 *
 +		 * Since we now check for this overflow and log when it
 +		 * happens, we're now in a better place to easily see
 +		 * what's going on and perhaps better choices can be made.
 +		 */
 +
 +		/* Do we need to log the size of the overflow? */
 +		msyslog(LOG_ERR, "Palisade(%d) praecis_parse(): input buffer overflow",
 +			up->unit);
 +
 +		p = 0;
 +		praecis_msg = 0;
 +
 +		refclock_report(peer, CEVNT_BADREPLY);
 +
 +		return;
 +	}
 +
 +	memcpy(buf+p, rbufp->recv_buffer, rbufp->recv_length);
 	p += rbufp->recv_length;
 -	if(buf[p-2] == '\r' && buf[p-1] == '\n') {
 +	if (   p >= 2
 +	    && buf[p-2] == '\r' 
 +	    && buf[p-1] == '\n') {
 		buf[p-2] = '\0';
 		record_clock_stats(&peer->srcadr, buf);
 		p = 0;
 		praecis_msg = 0;
 -		if (HW_poll(pp) < 0)
 +		if (HW_poll(pp) < 0) {
 			refclock_report(peer, CEVNT_FAULT);
 -
 +		}
 	}
 +	return;
 }
 static void
@@ -1407,7 +1440,10 @@ HW_poll (
 	/* Edge trigger */
 	if (up->type == CLK_ACUTIME)
 -		write (pp->io.fd, "", 1);
 +		if (write (pp->io.fd, "", 1) != 1)
 +			msyslog(LOG_WARNING,
 +				"Palisade(%d) HW_poll: failed to send trigger: %m",
 +				up->unit);
 	if (ioctl(pp->io.fd, TIOCMSET, &x) < 0) { 
 #ifdef DEBUG
 -- 
 2.33.0
--- a/ntp.spec
+++ b/ntp.spec
@ -2,7 +2,7 @@
 Name:                  ntp
 Version:               4.2.8p15
-Release:               9
+Release:               10
 Summary:               A protocol designed to synchronize the clocks of computers over a network
 License:               MIT and BSD and BSD with advertising
 URL:                   https://www.ntp.org/
@ -28,6 +28,7 @@ Patch5:                Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch
 Patch6:                fix-MD5-manpage.patch
 Patch7:                modify-DSA-key-generation-parameters-base-on-openssl3.patch
 Patch8:                backport-CVE-2023-26551-CVE-2023-26552-CVE-2023-26553-CVE-2023-26554.patch
 Patch9:                backport-CVE-2023-26555-fix-out-write-bounds-in-praecis_parse.patch
 BuildRequires:	       libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
 BuildRequires:         autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
@ -210,6 +211,12 @@ make check
 %{_mandir}/man8/*.8*
 %changelog
 * Wed May 24 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-10
 - Type:CVE
 - ID:CVE-2023-26551,CVE-2023-26552,CVE-2023-26553,CVE-2023-26554,CVE-2023-26555
 - SUG:NA
 - DESC:change the patch of CVE-2023-26551 and fix CVE-2023-26555
 * Fri May 12 2023 chengyechun <chengyechun1@huawei.com> - 4.2.8p15-9
 - Type:bugfix
 - ID:NA