Message ID | 20140918063537.GX9321@dhcp-25-225.brq.redhat.com |
---|---|
State | New |
Headers | show |
On 2014-09-18 08:35, Petr Matousek wrote: > When guest sends udp packet with source port and source addr 0, > uninitialized socket is picked up when looking for matching and already > created udp sockets, and later passed to sosendto() where NULL pointer > dereference is hit during so->slirp->vnetwork_mask.s_addr access. > > Fix this by checking that the socket is not just a socket stub. > > This is CVE-2014-3640. > > Signed-off-by: Petr Matousek <pmatouse@redhat.com> > Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> > Reported-by: Stephane Duverger <stephane.duverger@eads.net> > --- > v1 -> v2 > * change the check so that it's consistent with the rest of the code > > slirp/udp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/slirp/udp.c b/slirp/udp.c > index 8cc6cb6..f77e00f 100644 > --- a/slirp/udp.c > +++ b/slirp/udp.c > @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) > * Locate pcb for datagram. > */ > so = slirp->udp_last_so; > - if (so->so_lport != uh->uh_sport || > + if (so == &slirp->udb || so->so_lport != uh->uh_sport || > so->so_laddr.s_addr != ip->ip_src.s_addr) { > struct socket *tmp; > > Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com> Thanks, Jan
On Thu, Sep 18, 2014 at 08:35:37AM +0200, Petr Matousek wrote: > When guest sends udp packet with source port and source addr 0, > uninitialized socket is picked up when looking for matching and already > created udp sockets, and later passed to sosendto() where NULL pointer > dereference is hit during so->slirp->vnetwork_mask.s_addr access. > > Fix this by checking that the socket is not just a socket stub. > > This is CVE-2014-3640. > > Signed-off-by: Petr Matousek <pmatouse@redhat.com> > Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> > Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> > --- > v1 -> v2 > * change the check so that it's consistent with the rest of the code > > slirp/udp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/slirp/udp.c b/slirp/udp.c > index 8cc6cb6..f77e00f 100644 > --- a/slirp/udp.c > +++ b/slirp/udp.c > @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) > * Locate pcb for datagram. > */ > so = slirp->udp_last_so; > - if (so->so_lport != uh->uh_sport || > + if (so == &slirp->udb || so->so_lport != uh->uh_sport || > so->so_laddr.s_addr != ip->ip_src.s_addr) { > struct socket *tmp; > > -- > 1.9.3
Quoting Petr Matousek (2014-09-18 01:35:37) > When guest sends udp packet with source port and source addr 0, > uninitialized socket is picked up when looking for matching and already > created udp sockets, and later passed to sosendto() where NULL pointer > dereference is hit during so->slirp->vnetwork_mask.s_addr access. > > Fix this by checking that the socket is not just a socket stub. > > This is CVE-2014-3640. > > Signed-off-by: Petr Matousek <pmatouse@redhat.com> > Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> > Reported-by: Stephane Duverger <stephane.duverger@eads.net> Ping. Looking to pull this in for 2.1.2. Release is "asap" > --- > v1 -> v2 > * change the check so that it's consistent with the rest of the code > > slirp/udp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/slirp/udp.c b/slirp/udp.c > index 8cc6cb6..f77e00f 100644 > --- a/slirp/udp.c > +++ b/slirp/udp.c > @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) > * Locate pcb for datagram. > */ > so = slirp->udp_last_so; > - if (so->so_lport != uh->uh_sport || > + if (so == &slirp->udb || so->so_lport != uh->uh_sport || > so->so_laddr.s_addr != ip->ip_src.s_addr) { > struct socket *tmp; > > -- > 1.9.3
18.09.2014 10:35, Petr Matousek wrote: > When guest sends udp packet with source port and source addr 0, > uninitialized socket is picked up when looking for matching and already > created udp sockets, and later passed to sosendto() where NULL pointer > dereference is hit during so->slirp->vnetwork_mask.s_addr access. > > Fix this by checking that the socket is not just a socket stub. > > This is CVE-2014-3640. > > Signed-off-by: Petr Matousek <pmatouse@redhat.com> > Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> > Reported-by: Stephane Duverger <stephane.duverger@eads.net> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> slirp->udb initially is a dummy element of the list which initially points to itself and never gets used (and slirp->udp_last_so initially points to it too). Thanks, /mjt > slirp/udp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/slirp/udp.c b/slirp/udp.c > index 8cc6cb6..f77e00f 100644 > --- a/slirp/udp.c > +++ b/slirp/udp.c > @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) > * Locate pcb for datagram. > */ > so = slirp->udp_last_so; > - if (so->so_lport != uh->uh_sport || > + if (so == &slirp->udb || so->so_lport != uh->uh_sport || > so->so_laddr.s_addr != ip->ip_src.s_addr) { > struct socket *tmp; > >
On 23 September 2014 09:50, Michael Tokarev <mjt@tls.msk.ru> wrote: > 18.09.2014 10:35, Petr Matousek wrote: >> When guest sends udp packet with source port and source addr 0, >> uninitialized socket is picked up when looking for matching and already >> created udp sockets, and later passed to sosendto() where NULL pointer >> dereference is hit during so->slirp->vnetwork_mask.s_addr access. >> >> Fix this by checking that the socket is not just a socket stub. >> >> This is CVE-2014-3640. >> >> Signed-off-by: Petr Matousek <pmatouse@redhat.com> >> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> >> Reported-by: Stephane Duverger <stephane.duverger@eads.net> > > Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Applied to master, thanks. -- PMM
diff --git a/slirp/udp.c b/slirp/udp.c index 8cc6cb6..f77e00f 100644 --- a/slirp/udp.c +++ b/slirp/udp.c @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen) * Locate pcb for datagram. */ so = slirp->udp_last_so; - if (so->so_lport != uh->uh_sport || + if (so == &slirp->udb || so->so_lport != uh->uh_sport || so->so_laddr.s_addr != ip->ip_src.s_addr) { struct socket *tmp;
When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Fix this by checking that the socket is not just a socket stub. This is CVE-2014-3640. Signed-off-by: Petr Matousek <pmatouse@redhat.com> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com> Reported-by: Stephane Duverger <stephane.duverger@eads.net> --- v1 -> v2 * change the check so that it's consistent with the rest of the code slirp/udp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)