slirp: Fix libslirp CVE-2020-8608

Picked from libslirp upstream: tcp_emu: fix unsafe snprintf() usages 68ccb8021a Signed-off-by: Ying Fang <fangying1@huawei.com>
2020-03-11 19:20:36 +08:00 · 2020-03-11 19:20:36 +08:00 · 9b341be807
commit 9b341be807
parent fb21ed7696
2 changed files with 96 additions and 0 deletions
--- a/qemu.spec
+++ b/qemu.spec
@ -46,6 +46,7 @@ Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
 Patch0034: tcp_emu-Fix-oob-access.patch
 Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
 Patch0036: slirp-use-correct-size-while-emulating-commands.patch
+Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch

 BuildRequires: flex
 BuildRequires: bison
@ -383,6 +384,7 @@ getent passwd qemu >/dev/null || \
 - tcp_emu: Fix oob access
 - slirp: use correct size while emulating IRC commands
 - slirp: use correct size while emulating commands
+- tcp_emu: fix unsafe snprintf() usages

 * Mon Mar 9 2020 backport from qemu upstream
 - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
--- a/tcp_emu-fix-unsafe-snprintf-usages.patch
+++ b/tcp_emu-fix-unsafe-snprintf-usages.patch
@ -0,0 +1,94 @@
+From 1db8bcc0ec91bb4374b3ffdd03da3c4ede381fb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Wed, 11 Mar 2020 18:52:07 +0800
+Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+Reported-by: default avatarLaszlo Ersek <lersek@redhat.com>
+Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+---
+ slirp/src/tcp_subr.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e898fd03..88dadc76 100644
+--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m),
+			m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -766,7 +766,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, M_ROOM(m),
+                    m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ 					"%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC CHAT chat %lu %u%c\n",
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+-- 
+2.21.1 (Apple Git-122.3)
+