Fix CVE-2025-48964 iputils: iputils integer overflow
Resolves: RHEL-115832
This commit is contained in:
Jan Macku
parent
8c7039051d
commit
f7eb8095a3
99
002-ping-Fix-moving-average-rtt-calculation.patch
Normal file
99
002-ping-Fix-moving-average-rtt-calculation.patch
Normal file
@ -0,0 +1,99 @@
|
||||
From 645a14f7b4afcdbd3043e66d3032ffad5b0856e2 Mon Sep 17 00:00:00 2001
|
||||
From: Cyril Hrubis <metan@ucw.cz>
|
||||
Date: Fri, 16 May 2025 17:57:10 +0200
|
||||
Subject: [PATCH] ping: Fix moving average rtt calculation
|
||||
|
||||
The rts->rtt counts an exponential weight moving average in a fixed
|
||||
point, that means that even if we limit the triptime to fit into a 32bit
|
||||
number the average will overflow because because fixed point needs eight
|
||||
more bits.
|
||||
|
||||
We also have to limit the triptime to 32bit number because otherwise the
|
||||
moving average may stil overflow if we manage to produce a large enough
|
||||
triptime.
|
||||
|
||||
Fixes: CVE-2025-48964
|
||||
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1243772
|
||||
Closes: https://github.com/iputils/iputils-ghsa-25fr-jw29-74f9/pull/1
|
||||
Reported-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
|
||||
Reviewed-by: Petr Vorel <pvorel@suse.cz>
|
||||
Tested-by: Petr Vorel <pvorel@suse.cz>
|
||||
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
|
||||
Reviewed-by: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
|
||||
Signed-off-by: Cyril Hrubis <metan@ucw.cz>
|
||||
(cherry picked from commit afa36390394a6e0cceba03b52b59b6d41710608c)
|
||||
---
|
||||
iputils_common.h | 2 +-
|
||||
ping/ping.h | 2 +-
|
||||
ping/ping_common.c | 8 ++++----
|
||||
3 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/iputils_common.h b/iputils_common.h
|
||||
index 829a749..1296905 100644
|
||||
--- a/iputils_common.h
|
||||
+++ b/iputils_common.h
|
||||
@@ -11,7 +11,7 @@
|
||||
__typeof__(&arr[0]))])) * 0)
|
||||
|
||||
/* 1000001 = 1000000 tv_sec + 1 tv_usec */
|
||||
-#define TV_SEC_MAX_VAL (LONG_MAX/1000001)
|
||||
+#define TV_SEC_MAX_VAL (INT32_MAX/1000001)
|
||||
|
||||
#ifdef __GNUC__
|
||||
# define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m)))
|
||||
diff --git a/ping/ping.h b/ping/ping.h
|
||||
index 48e35b7..cd5b786 100644
|
||||
--- a/ping/ping.h
|
||||
+++ b/ping/ping.h
|
||||
@@ -194,7 +194,7 @@ struct ping_rts {
|
||||
long tmax; /* maximum round trip time */
|
||||
double tsum; /* sum of all times, for doing average */
|
||||
double tsum2;
|
||||
- int rtt;
|
||||
+ uint64_t rtt; /* Exponential weight moving average calculated in fixed point */
|
||||
int rtt_addend;
|
||||
uint16_t acked;
|
||||
int pipesize;
|
||||
diff --git a/ping/ping_common.c b/ping/ping_common.c
|
||||
index 13e29f5..1c1b54b 100644
|
||||
--- a/ping/ping_common.c
|
||||
+++ b/ping/ping_common.c
|
||||
@@ -281,7 +281,7 @@ int __schedule_exit(int next)
|
||||
|
||||
static inline void update_interval(struct ping_rts *rts)
|
||||
{
|
||||
- int est = rts->rtt ? rts->rtt / 8 : rts->interval * 1000;
|
||||
+ int est = rts->rtt ? (int)(rts->rtt / 8) : rts->interval * 1000;
|
||||
|
||||
rts->interval = (est + rts->rtt_addend + 500) / 1000;
|
||||
if (rts->uid && rts->interval < MIN_USER_INTERVAL_MS)
|
||||
@@ -788,7 +788,7 @@ restamp:
|
||||
if (triptime > rts->tmax)
|
||||
rts->tmax = triptime;
|
||||
if (!rts->rtt)
|
||||
- rts->rtt = triptime * 8;
|
||||
+ rts->rtt = ((uint64_t)triptime) * 8;
|
||||
else
|
||||
rts->rtt += triptime - rts->rtt / 8;
|
||||
if (rts->opt_adaptive)
|
||||
@@ -960,7 +960,7 @@ int finish(struct ping_rts *rts)
|
||||
int ipg = (1000000 * (long long)tv.tv_sec + tv.tv_nsec / 1000) / (rts->ntransmitted - 1);
|
||||
|
||||
printf(_("%sipg/ewma %d.%03d/%d.%03d ms"),
|
||||
- comma, ipg / 1000, ipg % 1000, rts->rtt / 8000, (rts->rtt / 8) % 1000);
|
||||
+ comma, ipg / 1000, ipg % 1000, (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000));
|
||||
}
|
||||
putchar('\n');
|
||||
return (!rts->nreceived || (rts->deadline && rts->nreceived < rts->npackets));
|
||||
@@ -985,7 +985,7 @@ void status(struct ping_rts *rts)
|
||||
fprintf(stderr, _(", min/avg/ewma/max = %ld.%03ld/%lu.%03ld/%d.%03d/%ld.%03ld ms"),
|
||||
(long)rts->tmin / 1000, (long)rts->tmin % 1000,
|
||||
tavg / 1000, tavg % 1000,
|
||||
- rts->rtt / 8000, (rts->rtt / 8) % 1000, (long)rts->tmax / 1000, (long)rts->tmax % 1000);
|
||||
+ (int)(rts->rtt / 8000), (int)((rts->rtt / 8) % 1000), (long)rts->tmax / 1000, (long)rts->tmax % 1000);
|
||||
}
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
--
|
||||
2.51.0
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
Summary: Network monitoring tools including ping
|
||||
Name: iputils
|
||||
Version: 20240905
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
# some parts are under the original BSD (ping.c)
|
||||
# some are under GPLv2+ (tracepath.c)
|
||||
License: BSD-4-Clause-UC AND GPL-2.0-or-later
|
||||
@ -17,6 +17,7 @@ Source5: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
|
||||
|
||||
# Fix CVE-2025-47268
|
||||
Patch001: 001-ping-Fix-signed-64-bit-integer-overflow-in-RTT-calcu.patch
|
||||
Patch002: 002-ping-Fix-moving-average-rtt-calculation.patch
|
||||
|
||||
Patch100: 100-iputils-ifenslave.patch
|
||||
Patch101: 101-iputils-ifenslave-CWE-170.patch
|
||||
@ -88,6 +89,9 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
|
||||
%attr(644,root,root) %{_mandir}/man8/ifenslave.8*
|
||||
|
||||
%changelog
|
||||
* Mon Oct 13 2025 Jan Macku <jamacku@redhat.com> - 20240905-5
|
||||
- Fix CVE-2025-48964 iputils: iputils integer overflow (RHEL-115832)
|
||||
|
||||
* Mon Jul 28 2025 Jan Macku <jamacku@redhat.com> - 20240905-4
|
||||
- remove build dependency on openssl-devel removed in s20200821 (RHEL-103645)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user