import linuxptp-2.0-5.el8_4.1
This commit is contained in:
parent
5b0daa12de
commit
9deacb1901
94
SOURCES/linuxptp-cve-2021-3570.patch
Normal file
94
SOURCES/linuxptp-cve-2021-3570.patch
Normal file
@ -0,0 +1,94 @@
|
||||
From 4b05d4b5d70c1ba76d95f94f1f4821c4b715fefe Mon Sep 17 00:00:00 2001
|
||||
From: Richard Cochran <richardcochran@gmail.com>
|
||||
Date: Sat, 17 Apr 2021 15:15:18 -0700
|
||||
Subject: [PATCH 2/2] Validate the messageLength field of incoming messages.
|
||||
|
||||
The PTP messageLength field is redundant because the length of a PTP
|
||||
message is precisely determined by the message type and the appended
|
||||
TLVs. The current implementation validates the sizes of both the main
|
||||
message (according to the fixed header length and fixed length by
|
||||
type) and the TLVs (by using the 'L' of the TLV).
|
||||
|
||||
However, when forwarding a message, the messageLength field is used.
|
||||
If a message arrives with a messageLength field larger than the actual
|
||||
message size, the code will read and possibly write data beyond the
|
||||
allocated buffer.
|
||||
|
||||
Fix the issue by validating the field on ingress. This prevents
|
||||
reading and sending data past the message buffer when forwarding a
|
||||
management message or other messages when operating as a transparent
|
||||
clock, and it also prevents a memory corruption in msg_post_recv()
|
||||
after forwarding a management message.
|
||||
|
||||
Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
|
||||
---
|
||||
msg.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/msg.c b/msg.c
|
||||
index dcb397c..c2d358b 100644
|
||||
--- a/msg.c
|
||||
+++ b/msg.c
|
||||
@@ -184,7 +184,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
{
|
||||
uint8_t *ptr = msg_suffix(msg);
|
||||
struct tlv_extra *extra;
|
||||
- int err;
|
||||
+ int err, suffix_len = 0;
|
||||
|
||||
if (!ptr)
|
||||
return 0;
|
||||
@@ -202,12 +202,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
tlv_extra_recycle(extra);
|
||||
return -EBADMSG;
|
||||
}
|
||||
+ suffix_len += sizeof(struct TLV);
|
||||
len -= sizeof(struct TLV);
|
||||
ptr += sizeof(struct TLV);
|
||||
if (extra->tlv->length > len) {
|
||||
tlv_extra_recycle(extra);
|
||||
return -EBADMSG;
|
||||
}
|
||||
+ suffix_len += extra->tlv->length;
|
||||
len -= extra->tlv->length;
|
||||
ptr += extra->tlv->length;
|
||||
err = tlv_post_recv(extra);
|
||||
@@ -217,7 +219,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
}
|
||||
msg_tlv_attach(msg, extra);
|
||||
}
|
||||
- return 0;
|
||||
+ return suffix_len;
|
||||
}
|
||||
|
||||
static void suffix_pre_send(struct ptp_message *msg)
|
||||
@@ -335,7 +337,7 @@ void msg_get(struct ptp_message *m)
|
||||
|
||||
int msg_post_recv(struct ptp_message *m, int cnt)
|
||||
{
|
||||
- int pdulen, type, err;
|
||||
+ int err, pdulen, suffix_len, type;
|
||||
|
||||
if (cnt < sizeof(struct ptp_header))
|
||||
return -EBADMSG;
|
||||
@@ -420,9 +422,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
|
||||
break;
|
||||
}
|
||||
|
||||
- err = suffix_post_recv(m, cnt - pdulen);
|
||||
- if (err)
|
||||
- return err;
|
||||
+ suffix_len = suffix_post_recv(m, cnt - pdulen);
|
||||
+ if (suffix_len < 0) {
|
||||
+ return suffix_len;
|
||||
+ }
|
||||
+ if (pdulen + suffix_len != m->header.messageLength) {
|
||||
+ return -EBADMSG;
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
@ -4,7 +4,7 @@
|
||||
|
||||
Name: linuxptp
|
||||
Version: 2.0
|
||||
Release: 5%{?dist}
|
||||
Release: 5%{?dist}.1
|
||||
Summary: PTP implementation for Linux
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -39,6 +39,8 @@ Patch7: linuxptp-msgput.patch
|
||||
Patch8: linuxptp-hwtsfilter.patch
|
||||
# fix handling of zero-length messages
|
||||
Patch9: linuxptp-zerolength.patch
|
||||
# validate length of forwarded messages
|
||||
Patch10: linuxptp-cve-2021-3570.patch
|
||||
|
||||
BuildRequires: kernel-headers > 4.18.0-87
|
||||
BuildRequires: systemd
|
||||
@ -63,6 +65,7 @@ Supporting legacy APIs and other platforms is not a goal.
|
||||
%patch7 -p1 -b .msgput
|
||||
%patch8 -p1 -b .hwtsfilter
|
||||
%patch9 -p1 -b .zerolength
|
||||
%patch10 -p1 -b .cve-2021-3570
|
||||
mv linuxptp-testsuite-%{testsuite_ver}* testsuite
|
||||
mv clknetsim-%{clknetsim_ver}* testsuite/clknetsim
|
||||
|
||||
@ -122,6 +125,9 @@ PATH=..:$PATH ./run
|
||||
%{_mandir}/man8/*.8*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 24 2021 Miroslav Lichvar <mlichvar@redhat.com> 2.0-5.el8_4.1
|
||||
- validate length of forwarded messages (CVE-2021-3570)
|
||||
|
||||
* Mon Apr 27 2020 Miroslav Lichvar <mlichvar@redhat.com> 2.0-5
|
||||
- fix sample timestamps when synchronizing PHC to system clock (#1787376)
|
||||
- fix handling of zero-length messages (#1827275)
|
||||
|
Loading…
Reference in New Issue
Block a user