diff --git a/qemu.spec b/qemu.spec index ac97cd1fc638df9abb2bdfb035d2dc94ef2fd04d..80f353832c1bedfcb54ee0b89ea23197bc081aef 100644 --- a/qemu.spec +++ b/qemu.spec @@ -43,6 +43,10 @@ Patch0030: nbd-fix-uninitialized-variable-warning.patch Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch +Patch0034: tcp_emu-Fix-oob-access.patch +Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch +Patch0036: slirp-use-correct-size-while-emulating-commands.patch +Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch BuildRequires: flex BuildRequires: bison @@ -376,10 +380,15 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Mar 11 2020 backport from qemu upstream +- tcp_emu: Fix oob access +- slirp: use correct size while emulating IRC commands +- slirp: use correct size while emulating commands +- tcp_emu: fix unsafe snprintf() usages + * Mon Mar 9 2020 backport from qemu upstream - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) - * Thu Feb 6 2020 Huawei Technologies Co., Ltd. - spec: remove fno-inline option for configure diff --git a/slirp-use-correct-size-while-emulating-IRC-commands.patch b/slirp-use-correct-size-while-emulating-IRC-commands.patch new file mode 100644 index 0000000000000000000000000000000000000000..4503688dd1502c85f7a8e0fee1e5a36bcca838b2 --- /dev/null +++ b/slirp-use-correct-size-while-emulating-IRC-commands.patch 
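Review bot: The four new changelog lines in the second qemu.spec hunk record no advisory identifier, unlike the Mar 9 entry just below them that carries `CVE-2020-1711`, even though the patch descriptions added in this same commit describe an OOB write and out-of-bounds `m_len` in tcp_emu. Record the identifiers these backports address on the entry lines, e.g. `- tcp_emu: Fix oob access (CVE-<id>)`, so the package's security metadata stays traceable to the advisories. The Release field is outside the hunks shown, so whether it was bumped alongside the new changelog entry cannot be confirmed from here.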
@@ -0,0 +1,52 @@
+From 882149fd8401f8ff667ea384bb68008354fd110f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 11 Mar 2020 18:19:36 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ
+Signed-off-by: default avatarPrasad J Pandit
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4608942f..2053b11b 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/slirp-use-correct-size-while-emulating-commands.patch b/slirp-use-correct-size-while-emulating-commands.patch
new file mode 100644
index 0000000000000000000000000000000000000000..76507a4d82f3c769540cf34294d855242ac0737f
--- /dev/null
+++ b/slirp-use-correct-size-while-emulating-commands.patch
@@ -0,0 +1,51 @@
+From 66e2f47a01ffcaafe11acae0a191efd1805f86c6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 11 Mar 2020 18:27:22 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+---
+ slirp/src/tcp_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 2053b11b..e898fd03 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+ 
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+ 
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -766,8 +766,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, m->m_size, "%d",
+- ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+ 
+ case EMU_IRC:
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/tcp_emu-Fix-oob-access.patch b/tcp_emu-Fix-oob-access.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5182f54363d585efd23f0a5c236d0e9c5153215e
--- /dev/null
+++ b/tcp_emu-Fix-oob-access.patch
@@ -0,0 +1,38 @@
+From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Wed, 11 Mar 2020 17:33:46 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index fde9207b..4608942f 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+ 
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((uint8_t*)bptr)[0] << 8) +
+ ((uint8_t *)bptr)[1];
+ if (lport < 6970)
+--
+2.21.1 (Apple Git-122.3)
+
diff --git a/tcp_emu-fix-unsafe-snprintf-usages.patch b/tcp_emu-fix-unsafe-snprintf-usages.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cc13154ca1449831d6a91dbacc27234af4caf0e5
--- /dev/null
+++ b/tcp_emu-fix-unsafe-snprintf-usages.patch
@@ -0,0 +1,94 @@
+From 1db8bcc0ec91bb4374b3ffdd03da3c4ede381fb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Wed, 11 Mar 2020 18:52:07 +0800
+Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+Reported-by: default avatarLaszlo Ersek
+Signed-off-by: default avatarMarc-André Lureau
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+---
+ slirp/src/tcp_subr.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e898fd03..88dadc76 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+ 
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ return 1;
+@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+ 
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -766,7 +766,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, M_ROOM(m),
++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+ 
+@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
++ m->m_len += slirp_fmt(bptr, 
M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+--
+2.21.1 (Apple Git-122.3)
+
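Review bot: The replacement calls `slirp_fmt()` and `slirp_fmt0()` are not declared or defined by anything in this patch set; the Message-Id marks this as patch 7 of an upstream series, so the helpers presumably come from an earlier patch in that series, and unless the slirp tree already carries them the backport will fail to build on an implicit declaration. Separately, in the `@@ -766,7 +766,7 @@` hunk the unchanged context line still adds `+ 1` to the `slirp_fmt0()` result; if the helper, like the upstream one, already counts the terminating NUL in its return value, `m_len` ends up one byte past what was written, which is the kind of off-by-one this patch exists to remove. Confirm against the helper's contract and, if it counts the NUL, make the statement `m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport));`. The enclosing tcp_emu() starts and ends outside the hunks shown.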