import CS iputils-20210202-14.el9

2025-09-15 12:05:03 +00:00 · 2025-09-15 12:05:03 +00:00 · 1cc904e040
commit 1cc904e040
parent efc90e9db1
4 changed files with 314 additions and 1 deletions
--- a/SOURCES/013-ping-Fix-signed-64-bit-integer-overflow-in-RTT-calcu.patch
+++ b/SOURCES/013-ping-Fix-signed-64-bit-integer-overflow-in-RTT-calcu.patch
@ -0,0 +1,138 @@
+From bbfda58c590a7f5f98653fcefcfd3d3255a0c98c Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Mon, 5 May 2025 23:55:57 +0200
+Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation
+
+Crafted ICMP Echo Reply packet can cause signed integer overflow in
+
+1) triptime calculation:
+triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+
+2) tsum2 increment which uses triptime
+rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+
+3) final tmvar:
+tmvar = (rts->tsum2 / total) - (tmavg * tmavg)
+
+    $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer"
+    $ meson setup .. -Db_sanitize=address,undefined
+    $ ninja
+    $ ./ping/ping -c2 127.0.0.1
+
+    PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
+    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms
+    ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int'
+    ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int'
+    ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int'
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures
+    ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int'
+    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms
+
+    --- 127.0.0.1 ping statistics ---
+    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms
+    ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int'
+    rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms
+
+To fix the overflow check allowed ranges of struct timeval members:
+* tv_sec <0, LONG_MAX/1000000>
+* tv_usec <0, 999999>
+
+Fix includes 2 new error messages (needs translation).
+Also existing message "time of day goes back ..." needed to be modified
+as it now prints tv->tv_sec which is a second (needs translation update).
+
+After fix:
+
+    $ ./ping/ping -c2 127.0.0.1
+    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms
+    ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us
+    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+    ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us
+    ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us
+    ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures
+    24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated)
+    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms
+
+    --- 127.0.0.1 ping statistics ---
+    2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms
+    rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms
+
+Fixes: https://github.com/iputils/iputils/issues/584
+Fixes: CVE-2025-47268
+Link: https://github.com/Zephkek/ping-rtt-overflow/
+Co-developed-by: Cyril Hrubis <chrubis@suse.cz>
+Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+Reviewed-by: Noah Meyerhans <noahm@debian.org>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+(cherry picked from commit 070cfacd7348386173231fb16fad4983d4e6ae40)
+Signed-off-by: Jan Macku <jamacku@redhat.com>
+---
+ iputils_common.h   |  3 +++
+ ping/ping_common.c | 22 +++++++++++++++++++---
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/iputils_common.h b/iputils_common.h
+index 26e8f7c..d3070cb 100644
+--- a/iputils_common.h
+++ b/iputils_common.h
+@@ -10,6 +10,9 @@
+ 	  !!__builtin_types_compatible_p(__typeof__(arr), \
+ 					 __typeof__(&arr[0]))])) * 0)
+ 
+/* 1000001 = 1000000 tv_sec + 1 tv_usec */
+#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
+
+ #ifdef __GNUC__
+ # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
+ #else
+diff --git a/ping/ping_common.c b/ping/ping_common.c
+index 0336259..1c8916f 100644
+--- a/ping/ping_common.c
+++ b/ping/ping_common.c
+@@ -728,16 +728,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen,
+ 
+ restamp:
+ 		tvsub(tv, &tmp_tv);
+-		triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+-		if (triptime < 0) {
+-			error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime);
+
+		if (tv->tv_usec >= 1000000) {
+			error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
+			tv->tv_usec = 999999;
+		}
+
+		if (tv->tv_usec < 0) {
+			error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec);
+			tv->tv_usec = 0;
+		}
+
+		if (tv->tv_sec > TV_SEC_MAX_VAL) {
+			error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec);
+			triptime = 0;
+		} else if (tv->tv_sec < 0) {
+			error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec);
+ 			triptime = 0;
+ 			if (!rts->opt_latency) {
+ 				gettimeofday(tv, NULL);
+ 				rts->opt_latency = 1;
+ 				goto restamp;
+ 			}
+		} else {
+			triptime = tv->tv_sec * 1000000 + tv->tv_usec;
+ 		}
+
+ 		if (!csfailed) {
+ 			rts->tsum += triptime;
+ 			rts->tsum2 += (double)((long long)triptime * (long long)triptime);
+-- 
+2.49.0
+
--- a/SOURCES/014-ping-Make-ping_rts-struct-static.patch
+++ b/SOURCES/014-ping-Make-ping_rts-struct-static.patch
@ -0,0 +1,38 @@
+From 68bdc8e127f1f02aa742b324d1cf3c89d251e13b Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Tue, 20 Sep 2022 22:23:44 +0200
+Subject: [PATCH] ping: Make ping_rts struct static
+
+This allows accessing global_rts->exiting in sigexit() signal handler
+after main() has exited. Problem occurred on aarch64, which occasionally
+delivered signal after main() has exited, which causes segfault.
+
+Fixes: b3a41a6 ("ping: move global variables to runtime config structure")
+Fixes: https://github.com/iputils/iputils/issues/423
+Closes: https://github.com/iputils/iputils/pull/425
+
+Reported-by: linzhanglong
+Suggested-by: Cyril Hrubis <chrubis@suse.cz>
+Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+(cherry picked from commit 7861af993bf47fccaf37c5659d66c09832844ae3)
+---
+ ping/ping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ping/ping.c b/ping/ping.c
+index ff7e742..19913e6 100644
+--- a/ping/ping.c
+++ b/ping/ping.c
+@@ -263,7 +263,7 @@ main(int argc, char **argv)
+ 	socket_st sock6 = { .fd = -1 };
+ 	char *target;
+ 	char *outpack_fill = NULL;
+-	struct ping_rts rts = {
+	static struct ping_rts rts = {
+ 		.interval = 1000,
+ 		.preload = 1,
+ 		.lingertime = MAXWAIT * 1000,
+-- 
+2.49.0
+
--- a/SOURCES/015-arping-Fix-exit-code-if-receive-more-replies-than-se.patch
+++ b/SOURCES/015-arping-Fix-exit-code-if-receive-more-replies-than-se.patch
@ -0,0 +1,125 @@
+From 475ac9971a1808b7a9876f738f734834ed9a291e Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Tue, 28 May 2024 10:58:59 +0200
+Subject: [PATCH] arping: Fix exit code if receive more replies than sent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ARP protocol, unlike ICMP protocol, has no way to link REQUEST and REPLY
+together (detect to which sender belongs the response). E.g. running
+more arping instances currently causes failure due receiving more
+replies than sent probes:
+
+    # ./builddir/arping -c2 -I eth0 192.168.255.1 -w10 &
+    # ./builddir/arping -c2 -I eth0 192.168.255.1 -w10 &
+    ARPING 192.168.255.1 from 192.168.255.133 eth0
+    ARPING 192.168.255.1 from 192.168.255.133 eth0
+    Unicast reply from 192.168.255.1 [50:EB:F6:87:9D:D0]  1.722ms
+    Unicast reply from 192.168.255.1 [50:EB:F6:87:9D:D0]  1.726ms
+    Unicast reply from 192.168.255.1 [50:EB:F6:87:9D:D0]  1.910ms
+    Unicast reply from 192.168.255.1 [50:EB:F6:87:9D:D0]  1.915ms
+    Sent 1 probes (1 broadcast(s))
+    Sent 1 probes (1 broadcast(s))
+    Received 2 response(s)
+    Received 2 response(s)
+    [ ENTER ]
+    [1]-  Exit 1                  ./builddir/arping -c2 -I eth0 192.168.255.1 -w10
+    [2]+  Exit 1                  ./builddir/arping -c2 -I eth0 192.168.255.1 -w10
+
+84ca65c (fix for 67e070d) introduced this regression.
+
+Later e594ca5 introduced more precise timing - before arping sent 2
+probes instead of 1 with -w1.
+
+Then 854873b unified behavior with ping, i.e. using -w (deadline)
+*without* -c (count) exit 0 if at least one reply arrived (backwards
+incompatibility, also now incompatible with busybox). But that still
+kept problematic using -w with -c on multiple instances / replies.
+
+Fixing the problem by adding a special condition.
+
+Also, when at it, move all exit code evaluation into finish() (before
+it was in finish() but also event_loop()). This improves code introduced
+in 67e070d.
+
+Fixes: 84ca65c ("arping: fix sent vs received packages return value")
+Fixes: https://github.com/iputils/iputils/issues/538
+Closes: https://github.com/iputils/iputils/pull/546
+Reported-by: Mingyang Liu <papillon@yeah.net>
+Tested-by: Mingyang Liu <papillon@yeah.net>
+Reviewed-by: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
+Reviewed-by: <Michał Sieroń michalwsieron@gmail.com>
+Tested-by: <Michał Sieroń michalwsieron@gmail.com>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+(cherry picked from commit b589819d820a037c3492b2766eabc0c5bc011de7)
+---
+ arping.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 6f94e90..8b4f54e 100644
+--- a/arping.c
+++ b/arping.c
+@@ -297,11 +297,18 @@ static int finish(struct run_state *ctl)
+ 		printf("\n");
+ 		fflush(stdout);
+ 	}
+
+	/* arping exit code evaluation */
+ 	if (ctl->dad)
+-		return (!!ctl->received);
+		return !!ctl->received;
+
+ 	if (ctl->unsolicited)
+ 		return 0;
+-	return (!ctl->received);
+
+	if (ctl->timeout && ctl->count > 0 && !ctl->quit_on_reply)
+		return !(ctl->count <= ctl->received);
+
+	return !ctl->received;
+ }
+ 
+ static void print_hex(unsigned char *p, int len)
+@@ -665,7 +672,7 @@ static void find_broadcast_address(struct run_state *ctl)
+ 
+ static int event_loop(struct run_state *ctl)
+ {
+-	int exit_loop = 0, rc = 0;
+	int exit_loop = 0;
+ 	ssize_t s;
+ 	enum {
+ 		POLLFD_SIGNAL = 0,
+@@ -806,7 +813,7 @@ static int event_loop(struct run_state *ctl)
+ 					      (struct sockaddr *)&from, &addr_len)) < 0) {
+ 					error(0, errno, "recvfrom");
+ 					if (errno == ENETDOWN)
+-						rc = 2;
+						return 2;
+ 					continue;
+ 				}
+ 				if (recv_pack
+@@ -822,17 +829,8 @@ static int event_loop(struct run_state *ctl)
+ 	close(sfd);
+ 	close(tfd);
+ 	freeifaddrs(ctl->ifa0);
+-	rc |= finish(ctl);
+-	if (ctl->unsolicited)
+-		/* nothing */;
+-	else if (ctl->dad && ctl->quit_on_reply)
+-		/* Duplicate address detection mode return value */
+-		rc |= !(ctl->brd_sent != ctl->received);
+-	else if (ctl->timeout && !(ctl->count > 0))
+-		rc |= !(ctl->received > 0);
+-	else
+-		rc |= (ctl->sent != ctl->received);
+-	return rc;
+
+	return finish(ctl);
+ }
+ 
+ int main(int argc, char **argv)
+-- 
+2.49.0
+
--- a/SPECS/iputils.spec
+++ b/SPECS/iputils.spec
@ -3,7 +3,7 @@
 Summary: Network monitoring tools including ping
 Name: iputils
 Version: 20210202
-Release: 11%{?dist}
+Release: 14%{?dist}
 # some parts are under the original BSD (ping.c)
 # some are under GPLv2+ (tracepath.c)
 License: BSD and GPLv2+
@ -31,6 +31,9 @@ Patch009: 009-ping-Print-reply-with-wrong-source-with-warning.patch
 Patch010: 010-ping-Fix-socket-error-reporting.patch
 Patch011: 011-ping-Fix-ping6-binding-to-VRF-and-address.patch
 Patch012: 012-ping6-Avoid-binding-to-non-VRF.patch
+Patch013: 013-ping-Fix-signed-64-bit-integer-overflow-in-RTT-calcu.patch
+Patch014: 014-ping-Make-ping_rts-struct-static.patch
+Patch015: 015-arping-Fix-exit-code-if-receive-more-replies-than-se.patch

 # Downstream-only patches
 Patch100: 100-iputils-ifenslave.patch
@ -141,6 +144,15 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %attr(644,root,root) %{_mandir}/man8/ninfod.8.gz

 %changelog
+* Fri Jun 20 2025 Jan Macku <jamacku@redhat.com> - 20210202-14
+- arping: Fix exit code if receive more replies than sent (RHEL-98281)
+
+* Thu Jun 19 2025 Jan Macku <jamacku@redhat.com> - 20210202-13
+- Fix ping hangs under ASan on aarch64 (RHEL-96871)
+
+* Tue Jun 03 2025 Jan Macku <jamacku@redhat.com> - 20210202-12
+- Fix CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping (RHEL-94334)
+
 * Fri Sep 06 2024 Jan Macku <jamacku@redhat.com> - 20210202-11
 - ping: Fix ping6 binding to VRF and address (RHEL-57734)