Fix CVE-2020-7039:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039

Patches copied from the upstream libslirp repository (bundled by QEMU under slirp/); the file paths are rewritten to slirp/src/ so they apply to QEMU's tree, and the CHANGELOG.md hunk is commented out with `#` so that only the tcp_subr.c changes are applied:

https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80

From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: [PATCH] tcp_emu: Fix oob access

The main loop only checks for one available byte, while we sometimes
need two bytes.
---
 CHANGELOG.md   | 1 +
 src/tcp_subr.c | 7 +++++++
 2 files changed, 8 insertions(+)

#diff --git a/CHANGELOG.md b/CHANGELOG.md
#index 00d0ce2..5cf94a8 100644
#--- a/CHANGELOG.md
#+++ b/CHANGELOG.md
#@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
# ### Fixed
# 
#  - ncsi: fix checksum OOB memory access
#+ - `tcp_emu()`: fix OOB accesses
# 
# ## [4.1.0] - 2019-12-02
# 
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 382aa38..9c1bdec 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 break;
 
             case 5:
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
                 /*
                  * The difference between versions 1.0 and
                  * 2.0 is here. For future versions of
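Review bot: The guard added at `if (bptr == m->m_data + m->m_len - 1)` tests for exactly the last byte, so it only protects the two-byte read if the enclosing loop (its header is outside this hunk) never lets `bptr` reach or pass `m->m_data + m->m_len`; `if (bptr >= m->m_data + m->m_len - 1)` costs nothing more and stays correct if that bound is ever changed. The `return 1;` is indented eight columns past its `if` where the rest of the function uses four, and the one-line body is unbraced; `if (bptr >= m->m_data + m->m_len - 1) { return 1; /* need bptr[0] and bptr[1] */ }` matches the surrounding style. The read being protected sits below the comment and outside the hunk, so the "two bytes" figure is taken from the commit message rather than from visible code.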
@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 /* This is the field containing the port
                  * number that RA-player is listening to.
                  */
+
+                if (bptr == m->m_data + m->m_len - 1)
+                        return 1; /* We need two bytes */
+
                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
                 if (lport < 6970)
                     lport += 256; /* don't know why */
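Review bot: The comment `/* We need two bytes */` on the added guard should name the read it protects, since `lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]` is the only two-byte access in sight: `/* lport below reads bptr[0] and bptr[1]; bail out if only one byte of the segment is left */`. The guard is a verbatim copy of the one added in the previous case; a small `static inline` helper such as `bytes_left(m, bptr)` would make both sites self-describing and keep them from drifting apart. Returning 1 here appears to pass the segment on without recording the port (the meaning of the return value is set outside the hunk), which may be acceptable for a header split across segments but is worth stating in the comment. The switch and loop enclosing this case begin and end outside the hunk.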
-- 
2.24.1

From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:27 +0530
Subject: [PATCH] slirp: use correct size while emulating IRC commands

While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.

Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
 src/tcp_subr.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 9c1bdec..ee7a938 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                 "DCC CHAT chat %lu %u%c\n",
                                  (unsigned long)ntohl(so->so_faddr.s_addr),
                                  ntohs(so->so_fport), 1);
         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
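Review bot: `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` still adds snprintf's return value, which is the length the formatted string would have had rather than the bytes actually stored, so when the rewritten `DCC CHAT` line does not fit the write is now bounded but `m_len` overstates the data in the mbuf by the truncated amount and later consumers of `m_len` read past what was written. Capture the result and reject the oversized case before touching `m_len`: `int n = snprintf(bptr, M_FREEROOM(m), "DCC CHAT chat %lu %u%c\n", ...); if (n < 0 || n >= M_FREEROOM(m)) return 1; m->m_len += n;` — and since `m_len` was already shortened on the line above, the early return must restore the original length (not kept in this hunk) or the caller must accept a truncated segment. The SEND and MOVE rewrites below repeat the same pattern and should be fixed together. The start of the IRC case and the declarations of `bptr` and `buff` are outside the hunk.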
@@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC SEND %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
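Review bot: `sscanf(bptr, "DCC SEND %256s %u %u %u", buff, ...)` stores up to 256 characters plus a terminator, so `buff`, declared outside this hunk, must be at least 257 bytes, and `sscanf` itself requires `bptr` to be NUL-terminated, which this hunk does not establish; if the IRC case terminates the mbuf data at its top (not visible here), a comment at this call such as `/* m_data was NUL-terminated at the top of the IRC case; buff must hold %256s plus NUL */` would record both preconditions. The continuation lines of the reformatted `snprintf` call keep the old column and no longer line up with the opening parenthesis; re-indent them under `bptr` or break after `snprintf(`. The `laddr` and `lport` values parsed here are not used in the rewritten string within the hunk, so whatever validates them lives outside the visible lines.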
@@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
                 return 1;
             }
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
+                         "DCC MOVE %s %lu %u %u%c\n", buff,
                          (unsigned long)ntohl(so->so_faddr.s_addr),
                          ntohs(so->so_fport), n1, 1);
         }
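Review bot: This is the third copy of the same `m->m_len = bptr - m->m_data; m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` sequence within a dozen lines, differing only in the format string and whether `n1` is passed; the three rewrites would be easier to keep bounded consistently through one `static` helper that takes the mbuf, `bptr` and a format, does the `snprintf` with `M_FREEROOM(m)`, checks the result against the room, and adjusts `m_len` in a single place. The continuation lines at `"DCC MOVE %s %lu %u %u%c\n", buff,` and the two that follow keep the alignment of the old `snprintf(` column rather than the new one. The `if`/`else if` chain these branches belong to starts above the hunk and the close of the IRC case is below it.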
-- 
2.24.1

From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:28 +0530
Subject: [PATCH] slirp: use correct size while emulating commands

While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.

Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
---
 src/tcp_subr.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index ee7a938..177dfd2 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             n4 = (laddr & 0xff);
 
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len += snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
                                  n5, n6, x == 7 ? buff : "");
             return 1;
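Review bot: The format `"ORT %d,%d,%d,%d,%d,%d\r\n%s"` only produces a valid command if `bptr` already sits one byte into the line so that the leading `P` of `PORT` stays in place; nothing in the hunk records that, and the `m->m_len = bptr - m->m_data` adjustment right above depends on it. A comment on the adjustment line would spare the next reader a trip to the `sscanf` above the hunk: `/* bptr points just past the 'P' of "PORT"; rewrite the rest of the line in place */`, marked as an assumption until checked against the matching line. `M_FREEROOM(m)` is the right bound here because `m_len` was just set to the offset of `bptr`, but the return value of `snprintf` is still added to `m_len` unchecked, so a truncated rewrite would leave `m_len` larger than the data actually written. The function and the FTP case it belongs to begin and end outside the hunk.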
@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
             n4 = (laddr & 0xff);
 
             m->m_len = bptr - m->m_data; /* Adjust length */
-            m->m_len +=
-                snprintf(bptr, m->m_size - m->m_len,
+            m->m_len += snprintf(bptr, M_FREEROOM(m),
                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
 
@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
                              htons(lport), SS_FACCEPTONCE)) != NULL)
-            m->m_len =
-                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+            m->m_len = snprintf(m->m_data, M_ROOM(m),
+                                "%d", ntohs(so->so_fport)) + 1;
         return 1;
 
     case EMU_IRC:
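Review bot: The write at `m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;` starts at `m_data`, so `M_ROOM(m)` rather than `M_FREEROOM(m)` is the correct bound, and the `+ 1` keeps the terminating NUL that the condition `m->m_data[m->m_len - 1] == '\0'` expects; that relationship deserves a comment: `/* +1 keeps the NUL so the rewritten reply stays NUL-terminated like the request */`. The guard reads `m->m_data[m->m_len - 1]`, which indexes before the buffer when `m_len` is zero; unless the caller guarantees a non-empty segment (not visible here), prefix it with `m->m_len > 0 &&`. The `tcp_listen` result is assigned to `so` inside the condition, replacing the socket the function was called with, which is pre-existing but worth noting in the same comment since the reply uses the new socket's `so_fport`. This case starts above the hunk.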
-- 
2.24.1