!17 Fix-CVE-2020-7039-and-CVE-2020-8068

Merge pull request !17 from FangYing/fix-CVE-2020-7039-and-CVE-2020-8608

qemu.spec

@@ -43,6 +43,10 @@ Patch0030: nbd-fix-uninitialized-variable-warning.patch
 Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
 Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch
 Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
+Patch0034: tcp_emu-Fix-oob-access.patch
+Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
+Patch0036: slirp-use-correct-size-while-emulating-commands.patch
+Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -376,10 +380,15 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Mar 11 2020 backport from qemu upstream
+- tcp_emu: Fix oob access
+- slirp: use correct size while emulating IRC commands
+- slirp: use correct size while emulating commands
+- tcp_emu: fix unsafe snprintf() usages
+
 * Mon Mar 9 2020 backport from qemu upstream
 - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
 
-
 * Thu Feb  6 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
 - spec: remove fno-inline option for configure
 

slirp-use-correct-size-while-emulating-IRC-commands.patch

@@ -0,0 +1,52 @@
+From 882149fd8401f8ff667ea384bb68008354fd110f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Mar 2020 18:19:36 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4608942f..2053b11b 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC CHAT chat %lu %u%c\n",
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+-- 
+2.21.1 (Apple Git-122.3)
+

slirp-use-correct-size-while-emulating-commands.patch

@@ -0,0 +1,51 @@
+From 66e2f47a01ffcaafe11acae0a191efd1805f86c6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Mar 2020 18:27:22 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 2053b11b..e898fd03 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, m->m_size - m->m_len,
++			m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -766,8 +766,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
+-                                        ntohs(so->so_fport)) + 1;
++                    m->m_len = snprintf(m->m_data, M_ROOM(m),
++					"%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+-- 
+2.21.1 (Apple Git-122.3)
+

tcp_emu-Fix-oob-access.patch

@@ -0,0 +1,38 @@
+From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Wed, 11 Mar 2020 17:33:46 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index fde9207b..4608942f 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				break;
+ 
+ 			 case 5:
++				if (bptr == m->m_data + m->m_len - 1)
++					return 1; /* We need two bytes */
++
+ 				/*
+ 				 * The difference between versions 1.0 and
+ 				 * 2.0 is here. For future versions of
+@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				/* This is the field containing the port
+ 				 * number that RA-player is listening to.
+ 				 */
++				if (bptr == m->m_data + m->m_len - 1)
++					return 1; /* We need two bytes */
++
+ 				lport = (((uint8_t*)bptr)[0] << 8)
+ 				+ ((uint8_t *)bptr)[1];
+ 				if (lport < 6970)
+-- 
+2.21.1 (Apple Git-122.3)
+

tcp_emu-fix-unsafe-snprintf-usages.patch

@@ -0,0 +1,94 @@
+From 1db8bcc0ec91bb4374b3ffdd03da3c4ede381fb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 11 Mar 2020 18:52:07 +0800
+Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+Reported-by: default avatarLaszlo Ersek <lersek@redhat.com>
+Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+---
+ slirp/src/tcp_subr.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e898fd03..88dadc76 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m),
++			m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -766,7 +766,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, M_ROOM(m),
++                    m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ 					"%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC CHAT chat %lu %u%c\n",
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+-- 
+2.21.1 (Apple Git-122.3)
+