From 29beda72ec41070ef78456cd4df36ed14b96e779 Mon Sep 17 00:00:00 2001
From: Alex Chen
Date: Mon, 14 Dec 2020 18:04:05 +0800
Subject: [PATCH] slirp: check pkt_len before reading protocol header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.

CVE-2020-29129 CVE-2020-29130
 QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
 -> https://www.openwall.com/lists/oss-security/2020/11/27/1

Reported-by: Qiuhao Li
Signed-off-by: Prasad J Pandit
Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
Reviewed-by: Marc-André Lureau
(cherry-picked from 2e1dcbc0)
Signed-off-by: Alex Chen
---
 qemu.spec | 6 +-
 ...t_len-before-reading-protocol-header.patch | 61 +++++++++++++++++++
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 slirp-check-pkt_len-before-reading-protocol-header.patch

diff --git a/qemu.spec b/qemu.spec
index 6fb993ff..6cbdc1a1 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 35
+Release: 36
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -307,6 +307,7 @@ Patch0294: Bugfix-hw-acpi-Use-max_cpus-instead-of-cpus-when-bui.patch
 Patch0295: ati-check-x-y-display-parameter-values.patch
 Patch0296: net-remove-an-assert-call-in-eth_get_gso_type.patch
 Patch0297: json-Fix-a-memleak-in-parse_pair.patch
+Patch0298: slirp-check-pkt_len-before-reading-protocol-header.patch
 BuildRequires: flex
 BuildRequires: bison
@@ -653,6 +654,9 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Fri Dec 11 2020 Huawei Technologies Co., Ltd
+- slirp: check pkt_len before reading protocol header for fixing CVE-2020-29129 and CVE-2020-29130
+
 * Fri Nov 13 2020 Huawei Technologies Co., Ltd
 - json: Fix a memleak in parse_pair()
diff --git a/slirp-check-pkt_len-before-reading-protocol-header.patch b/slirp-check-pkt_len-before-reading-protocol-header.patch
new file mode 100644
index 00000000..506e31e1
--- /dev/null
+++ b/slirp-check-pkt_len-before-reading-protocol-header.patch
@@ -0,0 +1,61 @@
+From c2df0d478b2605da10363ab57825cdbc34caa680 Mon Sep 17 00:00:00 2001
+From: Alex Chen
+Date: Mon, 14 Dec 2020 15:39:46 +0800
+Subject: [PATCH] slirp: check pkt_len before reading protocol header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
+routines, ensure that pkt_len is large enough to accommodate the
+respective protocol headers, lest it should do an OOB access.
+Add check to avoid it.
+
+CVE-2020-29129 CVE-2020-29130
+ QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
+ -> https://www.openwall.com/lists/oss-security/2020/11/27/1
+
+Reported-by: Qiuhao Li
+Signed-off-by: Prasad J Pandit
+Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
+Reviewed-by: Marc-André Lureau
+(cherry-picked from 2e1dcbc0)
+Signed-off-by: Alex Chen
+---
+ slirp/src/ncsi.c | 4 ++++
+ slirp/src/slirp.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
+index 6864b735..251c0d2b 100644
+--- a/slirp/src/ncsi.c
++++ b/slirp/src/ncsi.c
+@@ -147,6 +147,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+ uint32_t checksum;
+ uint32_t *pchecksum;
+
++ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
++ return; /* packet too short */
++ }
++
+ memset(ncsi_reply, 0, sizeof(ncsi_reply));
+
+ memset(reh->h_dest, 0xff, ETH_ALEN);
+diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
+index b0194cb3..86b0f52d 100644
+--- a/slirp/src/slirp.c
++++ b/slirp/src/slirp.c
+@@ -700,6 +700,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
+ return;
+ }
+
++ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
++ return; /* packet too short */
++ }
++
+ ar_op = ntohs(ah->ar_op);
+ switch (ar_op) {
+ case ARPOP_REQUEST:
+--
+2.23.0
+
-- Gitee
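Review bot: The added length guards in ncsi_input and arp_input (the `++ if (pkt_len < ETH_HLEN + sizeof(...))` lines of the inner patch) compare the `int pkt_len` against a `size_t` sum, so the usual arithmetic conversions turn a negative pkt_len into a large unsigned value that passes the check instead of being rejected. Whether any caller can hand a negative length to these routines is not visible from the hunk, but the guard is cheap to make self-contained: `if (pkt_len < 0 || (size_t)pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {` in ncsi.c, and the same shape with `struct slirp_arphdr` in slirp.c. Both guards bound only the fixed protocol header; any command- or opcode-specific field that the following code reads past that header would need its own bound, which this patch does not add. ncsi_input and arp_input both begin and end outside the hunk.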