From 09595bfb06f755ce04f06315449be5531cd7610a Mon Sep 17 00:00:00 2001 From: Choice Date: Fri, 17 Apr 2020 19:30:31 +0800 Subject: [PATCH 1/5] ntp:slove fuzz test problem reason:slove fuzz test problem --- ...nitialized-value-in-receive-function.patch | 83 +++++++++++++++++++ ...should-bail-earlier-on-short-packets.patch | 50 +++++++++++ 2 files changed, 133 insertions(+) create mode 100644 backport-Use-of-uninitialized-value-in-receive-function.patch create mode 100644 backport-process_control-should-bail-earlier-on-short-packets.patch diff --git a/backport-Use-of-uninitialized-value-in-receive-function.patch b/backport-Use-of-uninitialized-value-in-receive-function.patch new file mode 100644 index 0000000..4d1c3f3 --- /dev/null +++ b/backport-Use-of-uninitialized-value-in-receive-function.patch 
@@ -0,0 +1,83 @@ +From 21cb57ce25f11df0890946e3173fe0c25d932809 Mon Sep 17 00:00:00 2001 +From: wangli +Date: Wed, 15 Apr 2020 07:03:00 +0800 +Subject: [PATCH] Use-of-uninitialized-value in receive function + +--- + ntpd/ntp_proto.c | 43 ++++++++++++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 15 deletions(-) + +diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c +index eb66351..baffe1b 100644 +--- a/ntpd/ntp_proto.c ++++ b/ntpd/ntp_proto.c +@@ -640,31 +640,20 @@ receive( + */ + /* + * Bogus port check is before anything, since it probably +- * reveals a clogging attack. ++ * reveals a clogging attack. Likewise the mimimum packet size ++ * of 2 bytes (for mode 6/7) must be checked first. + */ + sys_received++; +- if (0 == SRCPORT(&rbufp->recv_srcadr)) { ++ if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) { + sys_badlength++; +- return; /* bogus port */ ++ return; /* bogus port / length */ + } + restrictions(&rbufp->recv_srcadr, &r4a); + restrict_mask = r4a.rflags; + + pkt = &rbufp->recv_pkt; + hisversion = PKT_VERSION(pkt->li_vn_mode); +- hisleap = PKT_LEAP(pkt->li_vn_mode); + hismode = (int)PKT_MODE(pkt->li_vn_mode); +- hisstratum = PKT_TO_STRATUM(pkt->stratum); +- DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n", +- current_time, stoa(&rbufp->dstadr->sin), +- stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode, +- build_iflags(rbufp->dstadr->flags), +- build_rflags(restrict_mask), +- ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf), +- ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf))); +- +- /* See basic mode and broadcast checks, below */ +- INSIST(0 != hisstratum); + + if (restrict_mask & RES_IGNORE) { + DPRINTF(2, ("receive: drop: RES_IGNORE\n")); +@@ -696,6 +685,30 @@ receive( + return; /* no time serve */ + } + ++ ++ /* If we arrive here, we should have a standard NTP packet. 
We ++ * check that the minimum size is available and fetch some more ++ * items from the packet once we can be sure they are indeed ++ * there. ++ */ ++ if (rbufp->recv_length < LEN_PKT_NOMAC) { ++ sys_badlength++; ++ return; /* bogus length */ ++ } ++ ++ hisleap = PKT_LEAP(pkt->li_vn_mode); ++ hisstratum = PKT_TO_STRATUM(pkt->stratum); ++ INSIST(0 != hisstratum); /* paranoia check PKT_TO_STRATUM result */ ++ ++ DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s " ++ "restrict %s org %#010x.%08x xmt %#010x.%08x\n", ++ current_time, stoa(&rbufp->dstadr->sin), ++ stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode, ++ build_iflags(rbufp->dstadr->flags), ++ build_rflags(restrict_mask), ++ ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf), ++ ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf))); ++ + /* + * This is for testing. If restricted drop ten percent of + * surviving packets. +-- +2.23.0 + diff --git a/backport-process_control-should-bail-earlier-on-short-packets.patch b/backport-process_control-should-bail-earlier-on-short-packets.patch new file mode 100644 index 0000000..de7c6b3 --- /dev/null +++ b/backport-process_control-should-bail-earlier-on-short-packets.patch 
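Review bot: Packets rejected for a bogus port/length, `RES_IGNORE` or `RES_DONTSERVE` no longer leave a debug-level-1 line naming the source address, because the `DPRINTF(1, ("receive: at %ld %s<-%s ..."))` trace now sits below the `LEN_PKT_NOMAC` check and the surviving `receive: drop: ...` messages carry no address; for triaging the clogging attacks the comment mentions, a cheap trace right after the 2-byte check keeps that, e.g. `DPRINTF(2, ("receive: %s<-%s len %d\n", stoa(&rbufp->dstadr->sin), stoa(&rbufp->recv_srcadr), rbufp->recv_length));`. The relocation also leaves `hisleap` and `hisstratum` unset until the second hunk, so any use of them in the unseen region between the hunks (presumably the mode 6/7 dispatch, given the `no time serve` exit just before) would read uninitialized stack and is worth checking. `INSIST(0 != hisstratum)` remains an assertion on attacker-supplied data that is only safe because `PKT_TO_STRATUM` should never yield 0; a comment such as `/* INSIST is safe only while PKT_TO_STRATUM maps 0 to STRATUM_UNSPEC */` would stop a later macro change turning it into a remote abort. receive() begins and ends outside the hunk, and the backport header cites no upstream bug or release for the change it mirrors.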
@@ -0,0 +1,50 @@ +From 4cd04668f0e28927b7efb39e0699719813f66f51 Mon Sep 17 00:00:00 2001 +From: wangli +Date: Wed, 15 Apr 2020 06:40:22 +0800 +Subject: [PATCH] process_control() should bail earlier on short packets + +--- + ntpd/ntp_control.c | 19 +- + 1 files changed, 21 insertions(+), 28 deletions(-) + create mode 100644 ntpd/ntp_control.c.orig + +diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c +index 48cd908..5984c8c 100644 +--- a/ntpd/ntp_control.c ++++ b/ntpd/ntp_control.c +@@ -1187,15 +1187,21 @@ process_control( + pkt = (struct ntp_control *)&rbufp->recv_pkt; + + /* +- * If the length is less than required for the header, or +- * it is a response or a fragment, ignore this. ++ * If the length is less than required for the header, ++ * ignore it. + */ +- if (rbufp->recv_length < (int)CTL_HEADER_LEN +- || (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op ++ if (rbufp->recv_length < (int)CTL_HEADER_LEN) { ++ DPRINTF(1, ("Short control packet\n")); ++ numctltooshort++; ++ return; ++ } ++ ++ /* ++ * If this packet is a response or a fragment, ignore it. ++ */ ++ if ( (CTL_RESPONSE | CTL_MORE | CTL_ERROR) & pkt->r_m_e_op + || pkt->offset != 0) { + DPRINTF(1, ("invalid format in control packet\n")); +- if (rbufp->recv_length < (int)CTL_HEADER_LEN) +- numctltooshort++; + if (CTL_RESPONSE & pkt->r_m_e_op) + numctlinputresp++; + if (CTL_MORE & pkt->r_m_e_op) +@@ -1206,6 +1212,7 @@ process_control( + numctlbadoffset++; + return; + } ++ + res_version = PKT_VERSION(pkt->li_vn_mode); + if (res_version > NTP_VERSION || res_version < NTP_OLDVERSION) { + DPRINTF(1, ("unknown version %d in control packet\n", -- Gitee From 0be62bbf152a5824550ea18556d19b2a66b92d78 Mon Sep 17 00:00:00 2001 From: Choice Date: Fri, 17 Apr 2020 19:31:57 +0800 Subject: [PATCH 2/5] update ntp.spec. ntp:slove fuzz test problem --- ntp.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ntp.spec b/ntp.spec index f7e2c1f..a66d0aa 100644 --- a/ntp.spec 
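Review bot: The new early return logs only `Short control packet` with neither the offending length nor the sender, which makes the `numctltooshort` counter hard to attribute when a scanner or fuzzer is hitting the control port; `DPRINTF(1, ("Short control packet (%d bytes) from %s\n", rbufp->recv_length, stoa(&rbufp->recv_srcadr)));` costs nothing at normal debug levels (stoa is presumably already in scope in ntp_control.c, as it is in ntp_proto.c). Hoisting the length test ahead of the `r_m_e_op`/`offset` reads in the counters block is what closes the read of never-received bytes, so the counter bookkeeping now only runs on a full header. process_control() continues outside the hunk, and the later use of the packet's `count` field against `recv_length - CTL_HEADER_LEN` is not visible here; it should be confirmed to carry its own bound. Separately, the backport header's stat lines (`1 files changed, 21 insertions(+), 28 deletions(-)` and `create mode 100644 ntpd/ntp_control.c.orig`) do not match the single 19-line change beneath them and suggest the patch was cut from a tree with a stray `.orig` file; `patch`/`git apply` ignore them, but the header should be regenerated so it does not misstate the change.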
+++ b/ntp.spec @@ -2,7 +2,7 @@ Name: ntp Version: 4.2.8p13 -Release: 5 +Release: 6 Summary: A protocol designed to synchronize the clocks of computers over a network License: MIT and BSD and BSD with advertising URL: https://www.ntp.org/ @@ -28,6 +28,9 @@ Patch9001: bugfix-fix-autokey-condition-error.patch Patch9002: bugfix-fix-ifindex-length.patch Patch9003: revert-ntpd-fix-autokey-condition-error.patch +Patch6001: backport-Use-of-uninitialized-value-in-receive-function.patch +Patch6002: backport-process_control-should-bail-earlier-on-short-packets.patch + BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser Requires(pre): shadow-utils @@ -209,6 +212,12 @@ make check %{_mandir}/man8/*.8* %changelog +* Tue Apr 14 2020 wangli - 4.2.8p13-6 +- Type:security +- ID:NA +- SUG:NA +- DESC: solve fuzz test problem + * Thu Mar 12 2020 openEuler Buildteam - 4.2.8p13-5 - Type:bugfix - Id:NA -- Gitee From 4351ba11fe1d52a23cf62e222e59bdf72e9c009f Mon Sep 17 00:00:00 2001 From: Choice Date: Fri, 17 Apr 2020 19:36:44 +0800 Subject: [PATCH 3/5] update backport-Use-of-uninitialized-value-in-receive-function.patch. --- backport-Use-of-uninitialized-value-in-receive-function.patch | 2 -- 1 file changed, 2 deletions(-) diff --git a/backport-Use-of-uninitialized-value-in-receive-function.patch b/backport-Use-of-uninitialized-value-in-receive-function.patch index 4d1c3f3..f4c820f 100644 --- a/backport-Use-of-uninitialized-value-in-receive-function.patch +++ b/backport-Use-of-uninitialized-value-in-receive-function.patch @@ -1,5 +1,3 @@ -From 21cb57ce25f11df0890946e3173fe0c25d932809 Mon Sep 17 00:00:00 2001 -From: wangli Date: Wed, 15 Apr 2020 07:03:00 +0800 Subject: [PATCH] Use-of-uninitialized-value in receive function -- Gitee From 140092416a456ec710aab19ea9e736612eeffe43 Mon Sep 17 00:00:00 2001 
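Review bot: The new `Patch6001`/`Patch6002` tags are numbered below the existing `Patch9001`–`Patch9003` yet listed after them; if `%prep` (not visible here) applies patches with `%autosetup`, numeric order rather than listing position decides, so these two land before the 9xxx series, which is harmless only while the files they touch stay disjoint. If the 6xxx range is a deliberate convention for upstream backports that is fine, but a one-line comment above them such as `# 6xxx: upstream backports, applied before the 9xxx local fixes` would make the apply order explicit. The changelog entry `DESC: solve fuzz test problem` with `ID:NA` gives no way to tell what was fixed; naming the two changes (short/uninitialized packet reads in `receive()` and `process_control()`) and the upstream ntp bug or release the backports come from would let a downstream consumer match the build against advisories. The entry is also dated Tue Apr 14 while the patches and commit are dated Apr 15–17, which is cosmetic but worth aligning.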
From: Choice Date: Fri, 17 Apr 2020 19:37:36 +0800 Subject: [PATCH 4/5] update backport-process_control-should-bail-earlier-on-short-packets.patch. --- ...-process_control-should-bail-earlier-on-short-packets.patch | 3 --- 1 file changed, 3 deletions(-) diff --git a/backport-process_control-should-bail-earlier-on-short-packets.patch b/backport-process_control-should-bail-earlier-on-short-packets.patch index de7c6b3..4f1404e 100644 --- a/backport-process_control-should-bail-earlier-on-short-packets.patch +++ b/backport-process_control-should-bail-earlier-on-short-packets.patch @@ -1,6 +1,3 @@ -From 4cd04668f0e28927b7efb39e0699719813f66f51 Mon Sep 17 00:00:00 2001 -From: wangli -Date: Wed, 15 Apr 2020 06:40:22 +0800 Subject: [PATCH] process_control() should bail earlier on short packets --- -- Gitee From 335671e99899ec9f74968d687770057ed5dd63c8 Mon Sep 17 00:00:00 2001 From: Choice Date: Fri, 17 Apr 2020 19:37:58 +0800 Subject: [PATCH 5/5] update backport-Use-of-uninitialized-value-in-receive-function.patch. --- backport-Use-of-uninitialized-value-in-receive-function.patch | 1 - 1 file changed, 1 deletion(-) diff --git a/backport-Use-of-uninitialized-value-in-receive-function.patch b/backport-Use-of-uninitialized-value-in-receive-function.patch index f4c820f..a78aec2 100644 --- a/backport-Use-of-uninitialized-value-in-receive-function.patch +++ b/backport-Use-of-uninitialized-value-in-receive-function.patch @@ -1,4 +1,3 @@ -Date: Wed, 15 Apr 2020 07:03:00 +0800 Subject: [PATCH] Use-of-uninitialized-value in receive function --- -- Gitee