From 3aa5e48ec3df8b66ac0787dafe99755b3d5ca1a3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 Nov 2021 04:50:36 -0500 Subject: [PATCH] import libslirp-4.4.0-1.module+el8.5.0+12582+56d94c81 --- .gitignore | 2 +- .libslirp.metadata | 2 +- SOURCES/0001-Add-mtod_check.patch | 54 ++++ ...1-Fix-DHCP-broken-in-libslirp-v4.6.0.patch | 30 +++ ...or-specific-area-to-input-packet-mem.patch | 161 +++++++++++ ...-bootp-check-bootp_input-buffer-size.patch | 36 +++ ...04-upd6-check-udp6_input-buffer-size.patch | 36 +++ ...05-tftp-check-tftp_input-buffer-size.patch | 37 +++ ...06-tftp-introduce-a-header-structure.patch | 249 ++++++++++++++++++ ...0007-udp-check-upd_input-buffer-size.patch | 36 +++ SPECS/libslirp.spec | 18 +- 11 files changed, 657 insertions(+), 4 deletions(-) create mode 100644 SOURCES/0001-Add-mtod_check.patch create mode 100644 SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch create mode 100644 SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch create mode 100644 SOURCES/0003-bootp-check-bootp_input-buffer-size.patch create mode 100644 SOURCES/0004-upd6-check-udp6_input-buffer-size.patch create mode 100644 SOURCES/0005-tftp-check-tftp_input-buffer-size.patch create mode 100644 SOURCES/0006-tftp-introduce-a-header-structure.patch create mode 100644 SOURCES/0007-udp-check-upd_input-buffer-size.patch diff --git a/.gitignore b/.gitignore index dcc78ed..1513c20 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libslirp-4.3.1.tar.xz +SOURCES/libslirp-4.4.0.tar.xz diff --git a/.libslirp.metadata b/.libslirp.metadata index f3b9b0e..4d02929 100644 --- a/.libslirp.metadata +++ b/.libslirp.metadata @@ -1 +1 @@ -f69c50c264a465bde6fe0cd6b577e2f1c0b20ece SOURCES/libslirp-4.3.1.tar.xz +5ef4ed055299eab0703d4c49da552fdb61357f13 SOURCES/libslirp-4.4.0.tar.xz diff --git a/SOURCES/0001-Add-mtod_check.patch b/SOURCES/0001-Add-mtod_check.patch new file mode 100644 index 0000000..fbdead1 --- /dev/null +++ b/SOURCES/0001-Add-mtod_check.patch @@ -0,0 +1,54 @@ +From 87f5d0c70bdb46d467d32e3c3a8d7a472c97e148 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 15:58:25 +0400 +Subject: [PATCH 1/7] Add mtod_check() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Recent security issues demonstrate the lack of safety care when casting +a mbuf to a particular structure type. At least, it should check that +the buffer is large enough. The following patches will make use of this +function. + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17) +--- + src/mbuf.c | 11 +++++++++++ + src/mbuf.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/src/mbuf.c b/src/mbuf.c +index 54ec721..cb2e971 100644 +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) + + return (struct mbuf *)0; + } ++ ++void *mtod_check(struct mbuf *m, size_t len) ++{ ++ if (m->m_len >= len) { ++ return m->m_data; ++ } ++ ++ DEBUG_ERROR("mtod failed"); ++ ++ return NULL; ++} +diff --git a/src/mbuf.h b/src/mbuf.h +index 546e785..2015e32 100644 +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); + void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); ++void *mtod_check(struct mbuf *, size_t len); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.29.0 + diff --git a/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch b/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch new file mode 100644 index 0000000..bd4e685 --- /dev/null +++ b/SOURCES/0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch @@ -0,0 +1,30 @@ +From c9f314f6e315a5518432761fea864196a290f799 Mon Sep 17 00:00:00 2001 +From: Akihiro Suda +Date: Thu, 17 Jun 2021 18:01:32 +0900 +Subject: [PATCH] Fix "DHCP broken in libslirp v4.6.0" + +Fix issue 48 + +Signed-off-by: Akihiro Suda +--- + src/bootp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/bootp.c b/src/bootp.c +index cafa1eb..0a35873 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -359,7 +359,9 @@ static void bootp_reply(Slirp *slirp, + + daddr.sin_addr.s_addr = 0xffffffffu; + +- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr); ++ assert ((q - rbp->bp_vend + 1) <= DHCP_OPT_LEN); ++ ++ m->m_len = sizeof(struct bootp_t) + (q - rbp->bp_vend + 1) - sizeof(struct ip) - sizeof(struct udphdr); + udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); + } + +-- +2.29.0 + diff --git a/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch b/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch new file mode 100644 index 0000000..88e5ba0 --- /dev/null +++ b/SOURCES/0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch @@ -0,0 +1,161 @@ +From f0d4faae8258385338bc1ec252250454346b7ef7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 19:25:28 +0400 +Subject: [PATCH 2/7] bootp: limit vendor-specific area to input packet memory + buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field +from the structure, to help with the following patch checking for +minimal header size. Modify the bootp_reply() function to take the +buffer boundaries and avoiding potential buffer overflow. + +Related to CVE-2021-3592. + +https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit f13cad45b25d92760bb0ad67bec0300a4d7d5275) +--- + src/bootp.c | 26 +++++++++++++++----------- + src/bootp.h | 2 +- + src/mbuf.c | 5 +++++ + src/mbuf.h | 1 + + 4 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/src/bootp.c b/src/bootp.c +index 46e9681..e0db8d1 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -92,21 +92,22 @@ found: + return bc; + } + +-static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, ++static void dhcp_decode(const struct bootp_t *bp, ++ const uint8_t *bp_end, ++ int *pmsg_type, + struct in_addr *preq_addr) + { +- const uint8_t *p, *p_end; ++ const uint8_t *p; + int len, tag; + + *pmsg_type = 0; + preq_addr->s_addr = htonl(0L); + + p = bp->bp_vend; +- p_end = p + DHCP_OPT_LEN; + if (memcmp(p, rfc1533_cookie, 4) != 0) + return; + p += 4; +- while (p < p_end) { ++ while (p < bp_end) { + tag = p[0]; + if (tag == RFC1533_PAD) { + p++; +@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + break; + } else { + p++; +- if (p >= p_end) ++ if (p >= bp_end) + break; + len = *p++; +- if (p + len > p_end) { ++ if (p + len > bp_end) { + break; + } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); +@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + } + } + +-static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) ++static void bootp_reply(Slirp *slirp, ++ const struct bootp_t *bp, ++ const uint8_t *bp_end) + { + BOOTPClient *bc = NULL; + struct mbuf *m; +@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + uint8_t client_ethaddr[ETH_ALEN]; + + /* extract exact DHCP msg type */ +- dhcp_decode(bp, &dhcp_msg_type, &preq_addr); ++ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr); + DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type); + if (preq_addr.s_addr != htonl(0L)) + DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr)); +@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + return; + } + m->m_data += IF_MAXLINKHDR; ++ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN); + rbp = (struct bootp_t *)m->m_data; + m->m_data += sizeof(struct udpiphdr); +- memset(rbp, 0, sizeof(struct bootp_t)); ++ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN); + + if (dhcp_msg_type == DHCPDISCOVER) { + if (preq_addr.s_addr != htonl(0L)) { +@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) + rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ + + q = rbp->bp_vend; +- end = (uint8_t *)&rbp[1]; ++ end = rbp->bp_vend + DHCP_OPT_LEN; + memcpy(q, rfc1533_cookie, 4); + q += 4; + +@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m) + struct bootp_t *bp = mtod(m, struct bootp_t *); + + if (bp->bp_op == BOOTP_REQUEST) { +- bootp_reply(m->slirp, bp); ++ bootp_reply(m->slirp, bp, m_end(m)); + } + } +diff --git a/src/bootp.h b/src/bootp.h +index a57fa51..31ce5fd 100644 +--- a/src/bootp.h ++++ b/src/bootp.h +@@ -114,7 +114,7 @@ struct bootp_t { + uint8_t bp_hwaddr[16]; + uint8_t bp_sname[64]; + char bp_file[128]; +- uint8_t bp_vend[DHCP_OPT_LEN]; ++ uint8_t bp_vend[]; + }; + + typedef struct { +diff --git a/src/mbuf.c b/src/mbuf.c +index cb2e971..0c1a530 100644 +--- a/src/mbuf.c ++++ b/src/mbuf.c +@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len) + + return NULL; + } ++ ++void *m_end(struct mbuf *m) ++{ ++ return m->m_data + m->m_len; ++} +diff --git a/src/mbuf.h b/src/mbuf.h +index 2015e32..a9752a3 100644 +--- a/src/mbuf.h ++++ b/src/mbuf.h +@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int); + int m_copy(struct mbuf *, struct mbuf *, int, int); + struct mbuf *dtom(Slirp *, void *); + void *mtod_check(struct mbuf *, size_t len); ++void *m_end(struct mbuf *); + + static inline void ifs_init(struct mbuf *ifm) + { +-- +2.29.0 + diff --git a/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch b/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch new file mode 100644 index 0000000..c97cb12 --- /dev/null +++ b/SOURCES/0003-bootp-check-bootp_input-buffer-size.patch @@ -0,0 +1,36 @@ +From 0f017f39a390d8fa4ae817f45fbf71a0c8332860 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:15:14 +0400 +Subject: [PATCH 3/7] bootp: check bootp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3592 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 2eca0838eee1da96204545e22cdaed860d9d7c6c) +--- + src/bootp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bootp.c b/src/bootp.c +index e0db8d1..cafa1eb 100644 +--- a/src/bootp.c ++++ b/src/bootp.c +@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp, + + void bootp_input(struct mbuf *m) + { +- struct bootp_t *bp = mtod(m, struct bootp_t *); ++ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t)); + +- if (bp->bp_op == BOOTP_REQUEST) { ++ if (bp && bp->bp_op == BOOTP_REQUEST) { + bootp_reply(m->slirp, bp, m_end(m)); + } + } +-- +2.29.0 + diff --git a/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch b/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch new file mode 100644 index 0000000..a832f6b --- /dev/null +++ b/SOURCES/0004-upd6-check-udp6_input-buffer-size.patch @@ -0,0 +1,36 @@ +From 30feadb676a0792036a0f64309235c5767e2ee76 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:32:55 +0400 +Subject: [PATCH 4/7] upd6: check udp6_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3593 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit de71c15de66ba9350bf62c45b05f8fbff166517b) +--- + src/udp6.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/udp6.c b/src/udp6.c +index fdd8089..236b962 100644 +--- a/src/udp6.c ++++ b/src/udp6.c +@@ -29,7 +29,10 @@ void udp6_input(struct mbuf *m) + ip = mtod(m, struct ip6 *); + m->m_len -= iphlen; + m->m_data += iphlen; +- uh = mtod(m, struct udphdr *); ++ uh = mtod_check(m, sizeof(struct udphdr)); ++ if (uh == NULL) { ++ goto bad; ++ } + m->m_len += iphlen; + m->m_data -= iphlen; + +-- +2.29.0 + diff --git a/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch b/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch new file mode 100644 index 0000000..1d879cc --- /dev/null +++ b/SOURCES/0005-tftp-check-tftp_input-buffer-size.patch @@ -0,0 +1,37 @@ +From 31aaf902aa6ba31ab8f41543b2d4da8c01f3b861 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:34:30 +0400 +Subject: [PATCH 5/7] tftp: check tftp_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3595 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 3f17948137155f025f7809fdc38576d5d2451c3d) +--- + src/tftp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/tftp.c b/src/tftp.c +index c6950ee..e06911d 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = (struct tftp_t *)m->m_data; ++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ ++ if (tp == NULL) { ++ return; ++ } + + switch (ntohs(tp->tp_op)) { + case TFTP_RRQ: +-- +2.29.0 + diff --git a/SOURCES/0006-tftp-introduce-a-header-structure.patch b/SOURCES/0006-tftp-introduce-a-header-structure.patch new file mode 100644 index 0000000..f163137 --- /dev/null +++ b/SOURCES/0006-tftp-introduce-a-header-structure.patch @@ -0,0 +1,249 @@ +From c8665ebbdadb72f7c2cb74b9704f68704c13653b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 20:01:20 +0400 +Subject: [PATCH 6/7] tftp: introduce a header structure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using a composed structure and potentially reading past the +incoming buffer, use a different structure for the header. + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 990163cf3ac86b7875559f49602c4d76f46f6f30) +--- + src/tftp.c | 60 ++++++++++++++++++++++++++++-------------------------- + src/tftp.h | 6 +++++- + 2 files changed, 36 insertions(+), 30 deletions(-) + +diff --git a/src/tftp.c b/src/tftp.c +index e06911d..a19c889 100644 +--- a/src/tftp.c ++++ b/src/tftp.c +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) + } + + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -75,7 +75,7 @@ found: + memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas)); + spt->fd = -1; + spt->block_size = 512; +- spt->client_port = tp->udp.uh_sport; ++ spt->client_port = hdr->udp.uh_sport; + spt->slirp = slirp; + + tftp_session_update(spt); +@@ -84,7 +84,7 @@ found: + } + + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp) ++ struct tftphdr *hdr) + { + struct tftp_session *spt; + int k; +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, + + if (tftp_session_in_use(spt)) { + if (sockaddr_equal(&spt->client_addr, srcsas)) { +- if (spt->client_port == tp->udp.uh_sport) { ++ if (spt->client_port == hdr->udp.uh_sport) { + return k; + } + } +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt, + } + + static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + if (spt->client_addr.ss_family == AF_INET6) { + struct sockaddr_in6 sa6, da6; + + sa6.sin6_addr = spt->slirp->vhost_addr6; +- sa6.sin6_port = recv_tp->udp.uh_dport; ++ sa6.sin6_port = hdr->udp.uh_dport; + da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr; + da6.sin6_port = spt->client_port; + +@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, + struct sockaddr_in sa4, da4; + + sa4.sin_addr = spt->slirp->vhost_addr; +- sa4.sin_port = recv_tp->udp.uh_dport; ++ sa4.sin_port = hdr->udp.uh_dport; + da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr; + da4.sin_port = spt->client_port; + +@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[], + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_OACK); ++ tp->hdr.tp_op = htons(TFTP_OACK); + for (i = 0; i < nb; i++) { + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]); + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]); + } + +- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n; +- tftp_udp_output(spt, m, recv_tp); ++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n; ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + return 0; + } +@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode, + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_ERROR); ++ tp->hdr.tp_op = htons(TFTP_ERROR); + tp->x.tp_error.tp_error_code = htons(errorcode); + slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), + msg); + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 + + strlen(msg) - sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, &recv_tp->hdr); + + out: + tftp_session_terminate(spt); + } + + static void tftp_send_next_block(struct tftp_session *spt, +- struct tftp_t *recv_tp) ++ struct tftphdr *hdr) + { + struct mbuf *m; + struct tftp_t *tp; +@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt, + + tp = tftp_prep_mbuf_data(spt, m); + +- tp->tp_op = htons(TFTP_DATA); ++ tp->hdr.tp_op = htons(TFTP_DATA); + tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff); + + nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, +@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt, + + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) - + sizeof(struct udphdr); +- tftp_udp_output(spt, m, recv_tp); ++ tftp_udp_output(spt, m, hdr); + + if (nobytes == spt->block_size) { + tftp_session_update(spt); +@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + int nb_options = 0; + + /* check if a session already exists and if so terminate it */ +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, &tp->hdr); + if (s >= 0) { + tftp_session_terminate(&slirp->tftp_sessions[s]); + } + +- s = tftp_session_allocate(slirp, srcsas, tp); ++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr); + + if (s < 0) { + return; +@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + } + + spt->block_nr = 0; +- tftp_send_next_block(spt, tp); ++ tftp_send_next_block(spt, &tp->hdr); + } + + static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; + } + +- tftp_send_next_block(&slirp->tftp_sessions[s], tp); ++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr); + } + + static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, +- struct tftp_t *tp, int pktlen) ++ struct tftphdr *hdr) + { + int s; + +- s = tftp_session_find(slirp, srcsas, tp); ++ s = tftp_session_find(slirp, srcsas, hdr); + + if (s < 0) { + return; +@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, + + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) + { +- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); ++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr)); + +- if (tp == NULL) { ++ if (hdr == NULL) { + return; + } + +- switch (ntohs(tp->tp_op)) { ++ switch (ntohs(hdr->tp_op)) { + case TFTP_RRQ: +- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_rrq(m->slirp, srcsas, ++ mtod(m, struct tftp_t *), ++ m->m_len); + break; + + case TFTP_ACK: +- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_ack(m->slirp, srcsas, hdr); + break; + + case TFTP_ERROR: +- tftp_handle_error(m->slirp, srcsas, tp, m->m_len); ++ tftp_handle_error(m->slirp, srcsas, hdr); + break; + } + } +diff --git a/src/tftp.h b/src/tftp.h +index 6d75478..cafab03 100644 +--- a/src/tftp.h ++++ b/src/tftp.h +@@ -20,9 +20,13 @@ + #define TFTP_FILENAME_MAX 512 + #define TFTP_BLOCKSIZE_MAX 1428 + +-struct tftp_t { ++struct tftphdr { + struct udphdr udp; + uint16_t tp_op; ++} SLIRP_PACKED; ++ ++struct tftp_t { ++ struct tftphdr hdr; + union { + struct { + uint16_t tp_block_nr; +-- +2.29.0 + diff --git a/SOURCES/0007-udp-check-upd_input-buffer-size.patch b/SOURCES/0007-udp-check-upd_input-buffer-size.patch new file mode 100644 index 0000000..7fc155d --- /dev/null +++ b/SOURCES/0007-udp-check-upd_input-buffer-size.patch @@ -0,0 +1,36 @@ +From ca41f7eaa58d3f63a3df58d812b3cec32343ab6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 4 Jun 2021 16:40:23 +0400 +Subject: [PATCH 7/7] udp: check upd_input buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CVE-2021-3594 +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 + +Signed-off-by: Marc-André Lureau +(cherry picked from commit 74572be49247c8c5feae7c6e0b50c4f569ca9824) +--- + src/udp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/udp.c b/src/udp.c +index 050cee4..e4578aa 100644 +--- a/src/udp.c ++++ b/src/udp.c +@@ -94,7 +94,10 @@ void udp_input(register struct mbuf *m, int iphlen) + /* + * Get IP and UDP header together in first mbuf. + */ +- ip = mtod(m, struct ip *); ++ ip = mtod_check(m, iphlen + sizeof(struct udphdr)); ++ if (ip == NULL) { ++ goto bad; ++ } + uh = (struct udphdr *)((char *)ip + iphlen); + + /* +-- +2.29.0 + diff --git a/SPECS/libslirp.spec b/SPECS/libslirp.spec index 2651587..93ddc04 100644 --- a/SPECS/libslirp.spec +++ b/SPECS/libslirp.spec @@ -1,12 +1,22 @@ Name: libslirp -Version: 4.3.1 +Version: 4.4.0 Release: 1%{?dist} Summary: A general purpose TCP-IP emulator # check the SPDX tags in source files for details License: BSD and MIT URL: https://gitlab.freedesktop.org/slirp/%{name} -Source0: https://elmarco.fedorapeople.org/libslirp-%{version}.tar.xz +Source0: %{url}/-/archive/v%{version}/%{name}-%{version}.tar.xz +Patch0001: 0001-Add-mtod_check.patch +Patch0002: 0002-bootp-limit-vendor-specific-area-to-input-packet-mem.patch +Patch0003: 0003-bootp-check-bootp_input-buffer-size.patch +Patch0004: 0004-upd6-check-udp6_input-buffer-size.patch +Patch0005: 0005-tftp-check-tftp_input-buffer-size.patch +Patch0006: 0006-tftp-introduce-a-header-structure.patch +Patch0007: 0007-udp-check-upd_input-buffer-size.patch +Patch0008: 0001-Fix-DHCP-broken-in-libslirp-v4.6.0.patch + + BuildRequires: git-core BuildRequires: meson BuildRequires: gcc @@ -51,6 +61,10 @@ developing applications that use %{name}. %changelog +* Mon Jun 28 2021 Jindrich Novy - 4.4.0-1 +- Fix CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 out-of-bounds access +- Related: #1934415 + * Thu Jul 30 2020 Jindrich Novy - 4.3.1-1 - update to https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.3.1 - Related: #1821193