diff mbox

[v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket

Message ID 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
State New
Headers show

Commit Message

Petr Matousek Sept. 18, 2014, 6:35 a.m. UTC 
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.

Fix this by checking that the socket is not just a socket stub.

This is CVE-2014-3640.

Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
---
v1 -> v2
  * change the check so that it's consistent with the rest of the code

 slirp/udp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jan Kiszka Sept. 18, 2014, 6:43 a.m. UTC | #1 
On 2014-09-18 08:35, Petr Matousek wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
> 
> Fix this by checking that the socket is not just a socket stub.
> 
> This is CVE-2014-3640.
> 
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
> ---
> v1 -> v2
>   * change the check so that it's consistent with the rest of the code
> 
>  slirp/udp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
>  	 * Locate pcb for datagram.
>  	 */
>  	so = slirp->udp_last_so;
> -	if (so->so_lport != uh->uh_sport ||
> +	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
>  	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
>  		struct socket *tmp;
>  
> 

Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>

Thanks,
Jan
Michael S. Tsirkin Sept. 18, 2014, 7:06 a.m. UTC | #2 
On Thu, Sep 18, 2014 at 08:35:37AM +0200, Petr Matousek wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
> 
> Fix this by checking that the socket is not just a socket stub.
> 
> This is CVE-2014-3640.
> 
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>

Reviewed-by: Michael S. Tsirkin <mst@redhat.com>

> ---
> v1 -> v2
>   * change the check so that it's consistent with the rest of the code
> 
>  slirp/udp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
>  	 * Locate pcb for datagram.
>  	 */
>  	so = slirp->udp_last_so;
> -	if (so->so_lport != uh->uh_sport ||
> +	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
>  	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
>  		struct socket *tmp;
>  
> -- 
> 1.9.3
Michael Roth Sept. 23, 2014, 3:25 p.m. UTC | #3 
Quoting Petr Matousek (2014-09-18 01:35:37)
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
> 
> Fix this by checking that the socket is not just a socket stub.
> 
> This is CVE-2014-3640.
> 
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>

Ping. Looking to pull this in for 2.1.2. Release is "asap"

> ---
> v1 -> v2
>   * change the check so that it's consistent with the rest of the code
> 
>  slirp/udp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
>          * Locate pcb for datagram.
>          */
>         so = slirp->udp_last_so;
> -       if (so->so_lport != uh->uh_sport ||
> +       if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
>             so->so_laddr.s_addr != ip->ip_src.s_addr) {
>                 struct socket *tmp;
> 
> -- 
> 1.9.3
Michael Tokarev Sept. 23, 2014, 4:50 p.m. UTC | #4 
18.09.2014 10:35, Petr Matousek wrote:
> When guest sends udp packet with source port and source addr 0,
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where NULL pointer
> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
> 
> Fix this by checking that the socket is not just a socket stub.
> 
> This is CVE-2014-3640.
> 
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>

Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

slirp->udb initially is a dummy element of the list which initially
points to itself and never gets used (and slirp->udp_last_so initially
points to it too).

Thanks,

/mjt

>  slirp/udp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
>  	 * Locate pcb for datagram.
>  	 */
>  	so = slirp->udp_last_so;
> -	if (so->so_lport != uh->uh_sport ||
> +	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
>  	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
>  		struct socket *tmp;
>  
>
Peter Maydell Sept. 24, 2014, 10:40 a.m. UTC | #5 
On 23 September 2014 09:50, Michael Tokarev <mjt@tls.msk.ru> wrote:
> 18.09.2014 10:35, Petr Matousek wrote:
>> When guest sends udp packet with source port and source addr 0,
>> uninitialized socket is picked up when looking for matching and already
>> created udp sockets, and later passed to sosendto() where NULL pointer
>> dereference is hit during so->slirp->vnetwork_mask.s_addr access.
>>
>> Fix this by checking that the socket is not just a socket stub.
>>
>> This is CVE-2014-3640.
>>
>> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
>> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
>> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
>
> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>

Applied to master, thanks.

-- PMM
diff mbox

Patch

diff --git a/slirp/udp.c b/slirp/udp.c
index 8cc6cb6..f77e00f 100644
--- a/slirp/udp.c
+++ b/slirp/udp.c
@@ -152,7 +152,7 @@  udp_input(register struct mbuf *m, int iphlen)
 	 * Locate pcb for datagram.
 	 */
 	so = slirp->udp_last_so;
-	if (so->so_lport != uh->uh_sport ||
+	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
 	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
 		struct socket *tmp;