From: Sakib Sajal <sakib.sajal@windriver.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [hardknott][PATCH 3/8] qemu: CVE-2021-3595
Date: Thu, 13 Jan 2022 19:18:17 -0500 [thread overview]
Message-ID: <cfcc8dd3-b2ec-348e-47a6-c5db732360cc@windriver.com> (raw)
In-Reply-To: <16C9FA5A611A7940.25962@lists.openembedded.org>
[-- Attachment #1: Type: text/plain, Size: 12931 bytes --]
Please disregard this set of patches, somehow it failed to send the
first 2 and one in the middle. sending a V3.
Sorry for inconvenience
On 2022-01-13 7:06 p.m., Sakib Sajal wrote:
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
> meta/recipes-devtools/qemu/qemu.inc | 2 +
> .../qemu/qemu/CVE-2021-3595_1.patch | 41 +++
> .../qemu/qemu/CVE-2021-3595_2.patch | 253 ++++++++++++++++++
> 3 files changed, 296 insertions(+)
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 6b544a4344..811bdff426 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -74,6 +74,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
> file://CVE-2021-3592_2.patch \
> file://CVE-2021-3592_3.patch \
> file://CVE-2021-3593.patch \
> + file://CVE-2021-3595_1.patch \
> + file://CVE-2021-3595_2.patch \
> "
> UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> new file mode 100644
> index 0000000000..aefaff01cf
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_1.patch
> @@ -0,0 +1,41 @@
> +From 6b62a09d6c264cb84f560a418beb027f47bc5069 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 16:34:30 +0400
> +Subject: [PATCH 05/12] tftp: check tftp_input buffer size
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Fixes: CVE-2021-3595
> +Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3595
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/tftp.c | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
> +index c6950ee10..e06911d42 100644
> +--- a/slirp/src/tftp.c
> ++++ b/slirp/src/tftp.c
> +@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
> + {
> +- struct tftp_t *tp = (struct tftp_t *)m->m_data;
> ++ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
> ++
> ++ if (tp == NULL) {
> ++ return;
> ++ }
> +
> + switch (ntohs(tp->tp_op)) {
> + case TFTP_RRQ:
> +--
> +2.31.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
> new file mode 100644
> index 0000000000..1ffa6ca988
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3595_2.patch
> @@ -0,0 +1,253 @@
> +From d71caef98e331268519578fc0437e2ac02586940 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
> +Date: Fri, 4 Jun 2021 20:01:20 +0400
> +Subject: [PATCH 06/12] tftp: introduce a header structure
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Instead of using a composed structure and potentially reading past the
> +incoming buffer, use a different structure for the header.
> +
> +Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-3595
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + slirp/src/tftp.c | 60 +++++++++++++++++++++++++-----------------------
> + slirp/src/tftp.h | 6 ++++-
> + 2 files changed, 36 insertions(+), 30 deletions(-)
> +
> +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
> +index e06911d42..a19c889d3 100644
> +--- a/slirp/src/tftp.c
> ++++ b/slirp/src/tftp.c
> +@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
> + }
> +
> + static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp)
> ++ struct tftphdr *hdr)
> + {
> + struct tftp_session *spt;
> + int k;
> +@@ -75,7 +75,7 @@ found:
> + memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
> + spt->fd = -1;
> + spt->block_size = 512;
> +- spt->client_port = tp->udp.uh_sport;
> ++ spt->client_port = hdr->udp.uh_sport;
> + spt->slirp = slirp;
> +
> + tftp_session_update(spt);
> +@@ -84,7 +84,7 @@ found:
> + }
> +
> + static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp)
> ++ struct tftphdr *hdr)
> + {
> + struct tftp_session *spt;
> + int k;
> +@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + if (tftp_session_in_use(spt)) {
> + if (sockaddr_equal(&spt->client_addr, srcsas)) {
> +- if (spt->client_port == tp->udp.uh_sport) {
> ++ if (spt->client_port == hdr->udp.uh_sport) {
> + return k;
> + }
> + }
> +@@ -148,13 +148,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
> + }
> +
> + static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
> +- struct tftp_t *recv_tp)
> ++ struct tftphdr *hdr)
> + {
> + if (spt->client_addr.ss_family == AF_INET6) {
> + struct sockaddr_in6 sa6, da6;
> +
> + sa6.sin6_addr = spt->slirp->vhost_addr6;
> +- sa6.sin6_port = recv_tp->udp.uh_dport;
> ++ sa6.sin6_port = hdr->udp.uh_dport;
> + da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
> + da6.sin6_port = spt->client_port;
> +
> +@@ -163,7 +163,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
> + struct sockaddr_in sa4, da4;
> +
> + sa4.sin_addr = spt->slirp->vhost_addr;
> +- sa4.sin_port = recv_tp->udp.uh_dport;
> ++ sa4.sin_port = hdr->udp.uh_dport;
> + da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
> + da4.sin_port = spt->client_port;
> +
> +@@ -185,14 +185,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_OACK);
> ++ tp->hdr.tp_op = htons(TFTP_OACK);
> + for (i = 0; i < nb; i++) {
> + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
> + n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
> + }
> +
> +- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
> +- tftp_udp_output(spt, m, recv_tp);
> ++ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
> ++ tftp_udp_output(spt, m, &recv_tp->hdr);
> +
> + return 0;
> + }
> +@@ -213,21 +213,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_ERROR);
> ++ tp->hdr.tp_op = htons(TFTP_ERROR);
> + tp->x.tp_error.tp_error_code = htons(errorcode);
> + slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
> + msg);
> +
> + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
> + strlen(msg) - sizeof(struct udphdr);
> +- tftp_udp_output(spt, m, recv_tp);
> ++ tftp_udp_output(spt, m, &recv_tp->hdr);
> +
> + out:
> + tftp_session_terminate(spt);
> + }
> +
> + static void tftp_send_next_block(struct tftp_session *spt,
> +- struct tftp_t *recv_tp)
> ++ struct tftphdr *hdr)
> + {
> + struct mbuf *m;
> + struct tftp_t *tp;
> +@@ -241,7 +241,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
> +
> + tp = tftp_prep_mbuf_data(spt, m);
> +
> +- tp->tp_op = htons(TFTP_DATA);
> ++ tp->hdr.tp_op = htons(TFTP_DATA);
> + tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
> +
> + nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
> +@@ -259,7 +259,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
> +
> + m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
> + sizeof(struct udphdr);
> +- tftp_udp_output(spt, m, recv_tp);
> ++ tftp_udp_output(spt, m, hdr);
> +
> + if (nobytes == spt->block_size) {
> + tftp_session_update(spt);
> +@@ -282,12 +282,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
> + int nb_options = 0;
> +
> + /* check if a session already exists and if so terminate it */
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, &tp->hdr);
> + if (s >= 0) {
> + tftp_session_terminate(&slirp->tftp_sessions[s]);
> + }
> +
> +- s = tftp_session_allocate(slirp, srcsas, tp);
> ++ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
> +
> + if (s < 0) {
> + return;
> +@@ -413,29 +413,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
> + }
> +
> + spt->block_nr = 0;
> +- tftp_send_next_block(spt, tp);
> ++ tftp_send_next_block(spt, &tp->hdr);
> + }
> +
> + static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp, int pktlen)
> ++ struct tftphdr *hdr)
> + {
> + int s;
> +
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, hdr);
> +
> + if (s < 0) {
> + return;
> + }
> +
> +- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
> ++ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
> + }
> +
> + static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +- struct tftp_t *tp, int pktlen)
> ++ struct tftphdr *hdr)
> + {
> + int s;
> +
> +- s = tftp_session_find(slirp, srcsas, tp);
> ++ s = tftp_session_find(slirp, srcsas, hdr);
> +
> + if (s < 0) {
> + return;
> +@@ -446,23 +446,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
> +
> + void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
> + {
> +- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
> ++ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
> +
> +- if (tp == NULL) {
> ++ if (hdr == NULL) {
> + return;
> + }
> +
> +- switch (ntohs(tp->tp_op)) {
> ++ switch (ntohs(hdr->tp_op)) {
> + case TFTP_RRQ:
> +- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_rrq(m->slirp, srcsas,
> ++ mtod(m, struct tftp_t *),
> ++ m->m_len);
> + break;
> +
> + case TFTP_ACK:
> +- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_ack(m->slirp, srcsas, hdr);
> + break;
> +
> + case TFTP_ERROR:
> +- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
> ++ tftp_handle_error(m->slirp, srcsas, hdr);
> + break;
> + }
> + }
> +diff --git a/slirp/src/tftp.h b/slirp/src/tftp.h
> +index 6d75478e8..cafab03f2 100644
> +--- a/slirp/src/tftp.h
> ++++ b/slirp/src/tftp.h
> +@@ -20,9 +20,13 @@
> + #define TFTP_FILENAME_MAX 512
> + #define TFTP_BLOCKSIZE_MAX 1428
> +
> +-struct tftp_t {
> ++struct tftphdr {
> + struct udphdr udp;
> + uint16_t tp_op;
> ++} SLIRP_PACKED;
> ++
> ++struct tftp_t {
> ++ struct tftphdr hdr;
> + union {
> + struct {
> + uint16_t tp_block_nr;
> +--
> +2.31.1
> +
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#160547): https://lists.openembedded.org/g/openembedded-core/message/160547
> Mute This Topic: https://lists.openembedded.org/mt/88410487/4422444
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakib.sajal@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
[-- Attachment #2: Type: text/html, Size: 14510 bytes --]
prev parent reply other threads:[~2022-01-14 0:18 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220114000641.33969-1-sakib.sajal@windriver.com>
2022-01-14 0:06 ` [hardknott][PATCH 3/8] qemu: CVE-2021-3595 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 4/8] qemu: CVE-2021-3594 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 6/8] qemu: CVE-2021-3748 Sakib Sajal
2022-01-14 0:06 ` [hardknott][PATCH 8/8] qemu: CVE-2021-20196 Sakib Sajal
[not found] ` <16C9FA5A611A7940.25962@lists.openembedded.org>
2022-01-14 0:18 ` Sakib Sajal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cfcc8dd3-b2ec-348e-47a6-c5db732360cc@windriver.com \
--to=sakib.sajal@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.