slirp: Fix CVE-2020-1983
upstream url:
9bd6c59132
Signed-off-by: Ying Fang <fangying1@huawei.com>
This commit is contained in:
Ying Fang
parent
e21eae0df2
commit
8f8df3ea84
44
Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Normal file
44
Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
||||
Date: Fri, 24 Apr 2020 11:36:41 +0800
|
||||
Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The q pointer is updated when the mbuf data is moved from m_dat to
|
||||
m_ext.
|
||||
|
||||
m_ext buffer may also be realloc()'ed and moved during m_cat():
|
||||
q should also be updated in this case.
|
||||
|
||||
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
|
||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
|
||||
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
|
||||
index 89ae04e0..7fdde631 100644
|
||||
--- a/slirp/src/ip_input.c
|
||||
+++ b/slirp/src/ip_input.c
|
||||
@@ -333,7 +333,7 @@ insert:
|
||||
q = fp->frag_link.next;
|
||||
m = dtom(slirp, q);
|
||||
|
||||
- int was_ext = m->m_flags & M_EXT;
|
||||
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
|
||||
|
||||
q = (struct ipasfrag *) q->ipf_next;
|
||||
while (q != (struct ipasfrag*)&fp->frag_link) {
|
||||
@@ -356,8 +356,7 @@ insert:
|
||||
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
|
||||
* buffer (in the mbuf), so we must point ip into the new buffer.
|
||||
*/
|
||||
- if (!was_ext && m->m_flags & M_EXT) {
|
||||
- int delta = (char *)q - m->m_dat;
|
||||
+ if (m->m_flags & M_EXT) {
|
||||
q = (struct ipasfrag *)(m->m_ext + delta);
|
||||
}
|
||||
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -63,6 +63,7 @@ Patch0050: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
|
||||
Patch0051: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
|
||||
Patch0052: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
|
||||
Patch0053: async-use-explicit-memory-barriers.patch
|
||||
Patch0054: Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
|
||||
|
||||
BuildRequires: flex
|
||||
BuildRequires: bison
|
||||
@ -398,7 +399,10 @@ getent passwd qemu >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Apr 11 4 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
|
||||
* Fri Apr 24 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
|
||||
- Fix use-afte-free in ip_reass() (CVE-2020-1983)
|
||||
|
||||
* Sat Apr 11 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
|
||||
- aio-wait: delegate polling of main AioContext if BQL not held
|
||||
- async: use explicit memory barriers
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user