fix CVE-2020-13164

2020-07-21 20:41:59 +08:00 · 2020-07-21 20:41:59 +08:00 · a421a4d8a2
commit a421a4d8a2
parent d0380ec01f
3 changed files with 179 additions and 1 deletions
--- a/CVE-2020-13164.patch
+++ b/CVE-2020-13164.patch
@ -0,0 +1,115 @@
+From e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a Mon Sep 17 00:00:00 2001
+From: Gerald Combs <gerald@wireshark.org>
+Date: Tue, 14 Apr 2020 17:10:44 -0700
+Subject: [PATCH] NFS: Add filesystem cycle detection.
+
+Detect cycles and large depths when snooping full names.
+
+Bug: 16476
+Change-Id: I4cddf3d6e6c58d1d382a3ea3b3ed09644562c352
+Reviewed-on: https://code.wireshark.org/review/36847
+Reviewed-by: Gerald Combs <gerald@wireshark.org>
+Petri-Dish: Gerald Combs <gerald@wireshark.org>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit fc6763989c7a7c4e4b0522b12b955e5a285d388a)
+Reviewed-on: https://code.wireshark.org/review/36855
+---
+ epan/dissectors/packet-nfs.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
+index 715ee82..60aff65 100644
+--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
+@@ -20,6 +20,7 @@
+ #include <epan/prefs.h>
+ #include <epan/exceptions.h>
+ #include <epan/expert.h>
+#include <epan/proto_data.h>
+ #include <epan/to_str.h>
+ #include <epan/decode_as.h>
+ #include <epan/crc16-tvb.h>
+@@ -899,6 +900,7 @@ static expert_field ei_nfs_not_vnx_file = EI_INIT;
+ static expert_field ei_protocol_violation = EI_INIT;
+ static expert_field ei_nfs_too_many_bitmaps = EI_INIT;
+ static expert_field ei_nfs4_stateid_deprecated = EI_INIT;
+static expert_field ei_nfs_file_system_cycle = EI_INIT;
+ 
+ static const true_false_string tfs_read_write = { "Read", "Write" };
+ 
+@@ -936,6 +938,7 @@ typedef struct nfs_name_snoop {
+ 	unsigned char *parent;
+ 	int	       full_name_len;
+ 	char	      *full_name;
+	gboolean       fs_cycle;
+ } nfs_name_snoop_t;
+ 
+ typedef struct nfs_name_snoop_key {
+@@ -1199,9 +1202,10 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
+ 	g_hash_table_replace(nfs_name_snoop_matched, key, nns);
+ }
+ 
+#define NFS_MAX_FS_DEPTH 100
+ 
+ static void
+-nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+nfs_full_name_snoop(packet_info *pinfo, nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+ {
+ 	nfs_name_snoop_t     *parent_nns = NULL;
+ 	nfs_name_snoop_key_t  key;
+@@ -1230,13 +1234,22 @@ nfs_full_name_snoop(nfs_name_snoop_t *nns, int *len, char **name, char **pos)
+ 	parent_nns = (nfs_name_snoop_t *)g_hash_table_lookup(nfs_name_snoop_matched, &key);
+ 
+ 	if (parent_nns) {
+-		nfs_full_name_snoop(parent_nns, len, name, pos);
+		unsigned fs_depth = GPOINTER_TO_UINT(p_get_proto_data(pinfo->pool, pinfo, proto_nfs, 0));
+		if (++fs_depth >= NFS_MAX_FS_DEPTH) {
+			nns->fs_cycle = TRUE;
+			return;
+		}
+		p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
+
+		nfs_full_name_snoop(pinfo, parent_nns, len, name, pos);
+ 		if (*name) {
+ 			/* make sure components are '/' separated */
+ 			*pos += g_snprintf(*pos, (*len+1) - (gulong)(*pos-*name), "%s%s",
+ 					   ((*pos)[-1] != '/')?"/":"", nns->name);
+ 			DISSECTOR_ASSERT((*pos-*name) <= *len);
+ 		}
+		fs_depth--;
+		p_add_proto_data(pinfo->pool, pinfo, proto_nfs, 0, GUINT_TO_POINTER(fs_depth));
+ 		return;
+ 	}
+ 
+@@ -1278,7 +1291,7 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
+ 				char *name = NULL, *pos = NULL;
+ 				int len = 0;
+ 
+-				nfs_full_name_snoop(nns, &len, &name, &pos);
+				nfs_full_name_snoop(pinfo, nns, &len, &name, &pos);
+ 				if (name) {
+ 					nns->full_name = name;
+ 					nns->full_name_len = len;
+@@ -1330,6 +1343,10 @@ nfs_name_snoop_fh(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int fh_of
+ 			}
+ 			PROTO_ITEM_SET_GENERATED(fh_item);
+ 		}
+
+		if (nns->fs_cycle) {
+			proto_tree_add_expert(tree, pinfo, &ei_nfs_file_system_cycle, tvb, 0, 0);
+		}
+ 	}
+ }
+ 
+@@ -14236,6 +14253,7 @@ proto_register_nfs(void)
+ 			"Per RFCs 3530 and 5661 an attribute mask is required but was not provided.", EXPFILL }},
+ 		{ &ei_nfs_too_many_bitmaps, { "nfs.too_many_bitmaps", PI_PROTOCOL, PI_NOTE, "Too many bitmap array items", EXPFILL }},
+ 		{ &ei_nfs4_stateid_deprecated, { "nfs.stateid.deprecated", PI_PROTOCOL, PI_WARN, "State ID deprecated in CLOSE responses [RFC7530 16.2.5]", EXPFILL }},
+		{ &ei_nfs_file_system_cycle, { "nfs.file_system_cycle", PI_PROTOCOL, PI_WARN, "Possible file system cycle detected", EXPFILL }},
+ 	};
+ 
+ 	module_t *nfs_module;
+-- 
+2.7.4
+
--- a/fix-hash-table-key-memory-corruption.patch
+++ b/fix-hash-table-key-memory-corruption.patch
@ -0,0 +1,55 @@
+From bbc327f73b2afb1d21c138d9e838c671e2378ab8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tomasz=20Mo=C5=84?= <desowin@gmail.com>
+Date: Sun, 25 Aug 2019 20:28:47 +0200
+Subject: [PATCH] NFS: Fix hash table key memory corruption
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the same (as determined by key_equal_func) key gets added to the
+GHashTable, old value gets freed and replaced with the new one. This is
+fine for hash tables where the key validity is not tightly coupled to
+the actual data.
+
+In the nfs_name_snoop_matched hash table the key becomes invalid once
+the value gets destroyed (because it shares the data pointed to by fh,
+which gets freed once the value is destroyed).
+
+A problematic capture includes packets such that the matching fh gets
+added twice to the nfs_name_snoop_matched hash table. Prior to this
+change the hash table would end up in a state where the new value is
+associated with the old key (which contains pointer to already freed
+memory). According to the nfs_name_snoop_matched_equal(), the old key
+was equal to the key intended for new value *at the time* of insertion.
+
+This change fixes the bug by using g_hash_table_replace() which does
+update the key in case it already exists in the GHashTable.
+
+Bug: 16017
+Bug: 16019
+Change-Id: Ib3943f1e27e82c05d9abaa1e436554b37a98488e
+Reviewed-on: https://code.wireshark.org/review/34360
+Reviewed-by: Michael Mann <mmann78@netscape.net>
+Petri-Dish: Michael Mann <mmann78@netscape.net>
+Tested-by: Petri Dish Buildbot
+Reviewed-by: Anders Broman <a.broman58@gmail.com>
+(cherry picked from commit efe2926a66d3d7187a260226678daeb2aa6e4832)
+Reviewed-on: https://code.wireshark.org/review/34362
+Reviewed-by: Tomasz Moń <desowin@gmail.com>
+---
+ epan/dissectors/packet-nfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/epan/dissectors/packet-nfs.c b/epan/dissectors/packet-nfs.c
+index 489d61afc5..715ee8294b 100644
+--- a/epan/dissectors/packet-nfs.c
+++ b/epan/dissectors/packet-nfs.c
+@@ -1196,7 +1196,7 @@ nfs_name_snoop_add_fh(int xid, tvbuff_t *tvb, int fh_offset, int fh_length)
+ 	key->fh = nns->fh;
+ 
+ 	g_hash_table_steal(nfs_name_snoop_unmatched, GINT_TO_POINTER(xid));
+-	g_hash_table_insert(nfs_name_snoop_matched, key, nns);
+	g_hash_table_replace(nfs_name_snoop_matched, key, nns);
+ }
+ 
+ 
--- a/wireshark.spec
+++ b/wireshark.spec
@ -1,6 +1,6 @@
 Name:           wireshark
 Version:        2.6.2
-Release:        7
+Release:        8
 Epoch:          1
 Summary:        Network traffic analyzer
 License:        GPL+
@ -37,6 +37,8 @@ Patch6022:      CVE-2019-5716.patch
 Patch6023:      CVE-2019-5717.patch
 Patch6024:      CVE-2019-5719.patch
 Patch6025:      CVE-2020-11647.patch
+Patch6026:      fix-hash-table-key-memory-corruption.patch
+Patch6027:      CVE-2020-13164.patch

 Requires(pre):  shadow-utils
 Requires(post): systemd-udev
@ -143,6 +145,12 @@ getent group usbmon >/dev/null || groupadd -r usbmon
 %{_mandir}/man?/*

 %changelog
+* Tue Jul 21 2020 wangyue <wangyue92@huawei.com> - 2.6.2-8
+- Type:cves
+- ID: CVE-2020-13164
+- SUG:restart
+- DESC: fix CVE-2020-13164
+
 * Wed May 13 2020 huanghaitao <huanghaitao8@huawei.com> - 2.6.2-7
 - Type:cves
 - ID: CVE-2020-11647