* [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650
@ 2017-10-21 9:25 Peter Korsgaard
2017-10-21 16:29 ` Peter Korsgaard
2017-10-25 7:41 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-10-21 9:25 UTC (permalink / raw)
To: buildroot
From the upstream announcement:
http://www.openwall.com/lists/oss-security/2017/10/19/5
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
...ing-callback-enforce-MAXADDRS-to-preclude.patch | 35 ++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 package/musl/0002-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch
diff --git a/package/musl/0002-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch b/package/musl/0002-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch
new file mode 100644
index 0000000000..c6b5ef26b4
--- /dev/null
+++ b/package/musl/0002-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch
@@ -0,0 +1,35 @@
+From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 18 Oct 2017 14:50:03 -0400
+Subject: [PATCH] in dns parsing callback, enforce MAXADDRS to preclude
+ overflow
+
+MAXADDRS was chosen not to need enforcement, but the logic used to
+compute it assumes the answers received match the RR types of the
+queries. specifically, it assumes that only one replu contains A
+record answers. if the replies to both the A and the AAAA query have
+their answer sections filled with A records, MAXADDRS can be exceeded
+and clobber the stack of the calling function.
+
+this bug was found and reported by Felix Wilhelm.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/network/lookup_name.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c
+index 066be4d5..209c20f0 100644
+--- a/src/network/lookup_name.c
++++ b/src/network/lookup_name.c
+@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const
+ {
+ char tmp[256];
+ struct dpc_ctx *ctx = c;
++ if (ctx->cnt >= MAXADDRS) return -1;
+ switch (rr) {
+ case RR_A:
+ if (len != 4) return -1;
+--
+2.11.0
+
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650
2017-10-21 9:25 [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650 Peter Korsgaard
@ 2017-10-21 16:29 ` Peter Korsgaard
2017-10-25 7:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-10-21 16:29 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> From the upstream announcement:
> http://www.openwall.com/lists/oss-security/2017/10/19/5
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650
2017-10-21 9:25 [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650 Peter Korsgaard
2017-10-21 16:29 ` Peter Korsgaard
@ 2017-10-25 7:41 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2017-10-25 7:41 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> From the upstream announcement:
> http://www.openwall.com/lists/oss-security/2017/10/19/5
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-10-25 7:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-21 9:25 [Buildroot] [PATCH 2017.02.x] musl: add upstream security fix for CVE-2017-15650 Peter Korsgaard
2017-10-21 16:29 ` Peter Korsgaard
2017-10-25 7:41 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.