From fb21ed7696051e4b23031ad7e7ca35a9b4753cab Mon Sep 17 00:00:00 2001
From: Ying Fang
Date: Wed, 11 Mar 2020 19:12:43 +0800
Subject: [PATCH] slirp: Fix libslirp CVE-2020-7039

Picked from libslirp upstream:
tcp_emu: Fix oob access
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
slirp: use correct size while emulating IRC commands
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
slirp: use correct size while emulating commands
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
Signed-off-by: Ying Fang
---
 qemu.spec | 9 +++-
 ...ct-size-while-emulating-IRC-commands.patch | 52 +++++++++++++++++++
 ...orrect-size-while-emulating-commands.patch | 51 ++++++++++++++++++
 tcp_emu-Fix-oob-access.patch | 38 ++++++++++++++
 4 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 slirp-use-correct-size-while-emulating-IRC-commands.patch
 create mode 100644 slirp-use-correct-size-while-emulating-commands.patch
 create mode 100644 tcp_emu-Fix-oob-access.patch

diff --git a/qemu.spec b/qemu.spec
index ac97cd1..2277e37 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -43,6 +43,9 @@ Patch0030: nbd-fix-uninitialized-variable-warning.patch
 Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
 Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch
 Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
+Patch0034: tcp_emu-Fix-oob-access.patch
+Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
+Patch0036: slirp-use-correct-size-while-emulating-commands.patch
 
 BuildRequires: flex
 BuildRequires: bison
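Review bot: Only the `Patch0034`–`Patch0036` declarations are added here, and the diffstat shows no change to `%prep`; if this spec applies patches through explicit `%patchNN` directives rather than `%autosetup -p1`, the three new files would be declared but never applied. The `%prep` section is outside this hunk, so this is a point to confirm rather than a defect visible in the diff. Note that the three patch files chain on each other through their `index` lines (fde9207b → 4608942f → 2053b11b → e898fd03), so the declared order 0034, 0035, 0036 must be preserved by whatever applies them.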
@@ -376,10 +379,14 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Mar 11 2020 backport from qemu upstream
+- tcp_emu: Fix oob access
+- slirp: use correct size while emulating IRC commands
+- slirp: use correct size while emulating commands
+
 
 * Mon Mar 9 2020 backport from qemu upstream
 - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
-
 * Thu Feb 6 2020 Huawei Technologies Co., Ltd.
 - spec: remove fno-inline option for configure
 
diff --git a/slirp-use-correct-size-while-emulating-IRC-commands.patch b/slirp-use-correct-size-while-emulating-IRC-commands.patch
new file mode 100644
index 0000000..4503688
--- /dev/null
+++ b/slirp-use-correct-size-while-emulating-IRC-commands.patch
@@ -0,0 +1,52 @@
+From 882149fd8401f8ff667ea384bb68008354fd110f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 11 Mar 2020 18:19:36 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ
+Signed-off-by: default avatarPrasad J Pandit
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4608942f..2053b11b 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+--
+2.21.1 (Apple Git-122.3)
+
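Review bot: The three replaced `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` lines (DCC CHAT, DCC SEND, DCC MOVE) now bound the write, but they still add snprintf's return value, which is the length the whole formatted string would have needed rather than the bytes actually stored, so on truncation `m_len` is left larger than the room that exists and later consumers of `m_len` inherit a length that overstates the data. Assuming `M_FREEROOM(m)` is the space remaining after `m_len` (its definition is not in this patch), the write itself is contained and the residual problem is the length bookkeeping; a follow-up should capture the return value, treat a negative result as zero and clamp it to `M_FREEROOM(m) - 1` before adding it, or route these writes through a helper that returns the bytes actually written. The same pattern is carried into slirp-use-correct-size-while-emulating-commands.patch at its `ORT`, `27 Entering Passive Mode` and `M_ROOM(m)` hunks, and the fix belongs there too. `tcp_emu()` begins and ends outside all of these hunks.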
diff --git a/slirp-use-correct-size-while-emulating-commands.patch b/slirp-use-correct-size-while-emulating-commands.patch
new file mode 100644
index 0000000..76507a4
--- /dev/null
+++ b/slirp-use-correct-size-while-emulating-commands.patch
@@ -0,0 +1,51 @@
+From 66e2f47a01ffcaafe11acae0a191efd1805f86c6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 11 Mar 2020 18:27:22 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 2053b11b..e898fd03 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+
+@@ -766,8 +766,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, m->m_size, "%d",
+- ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+
+ case EMU_IRC:
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/tcp_emu-Fix-oob-access.patch b/tcp_emu-Fix-oob-access.patch
new file mode 100644
index 0000000..5182f54
--- /dev/null
+++ b/tcp_emu-Fix-oob-access.patch
@@ -0,0 +1,38 @@
+From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Wed, 11 Mar 2020 17:33:46 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index fde9207b..4608942f 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((uint8_t*)bptr)[0] << 8) +
+ ((uint8_t *)bptr)[1];
+ if (lport < 6970)
+--
+2.21.1 (Apple Git-122.3)
+
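Review bot: Both added guards test `bptr == m->m_data + m->m_len - 1` by pointer equality, so they are only sufficient because the enclosing loop (outside this hunk) guarantees `bptr` never passes the end of the data; a remaining-length test states the intent directly and stays correct if that invariant is ever relaxed, e.g. `if (m->m_data + m->m_len - bptr < 2)`. The second guard sits immediately before the two-byte `lport` read it protects, but the first one in `case 5` is separated from the read it covers by the comment block and by code past the hunk, so its `/* We need two bytes */` comment would be more useful if it named that read. The guard and comment are also duplicated verbatim in the two hunks, which is worth folding into one small `static inline` helper if a third site appears. `tcp_emu()` and its loop begin and end outside this hunk.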