[rocko] libnl: protect against buffer overflow (CVE-2017-0553)

Message ID 20180516233046.10217-1-ross.burton@intel.com
State New
Headers show
Series
  • [rocko] libnl: protect against buffer overflow (CVE-2017-0553)
Related show

Commit Message

Ross Burton May 16, 2018, 11:30 p.m.
Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++
 meta/recipes-support/libnl/libnl_3.2.29.bb      |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch

-- 
2.11.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Andre McCurdy May 17, 2018, 12:44 a.m. | #1
On Wed, May 16, 2018 at 4:30 PM, Ross Burton <ross.burton@intel.com> wrote:

Looks like a duplicate of:

  http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150743.html

?

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++

>  meta/recipes-support/libnl/libnl_3.2.29.bb      |  1 +

>  2 files changed, 40 insertions(+)

>  create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch

>

> diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch

> new file mode 100644

> index 00000000000..777fac3ea1a

> --- /dev/null

> +++ b/meta/recipes-support/libnl/libnl/overflow.patch

> @@ -0,0 +1,39 @@

> +CVE: CVE-2017-0553

> +Upstream-Status: Backport

> +Signed-off-by: Ross Burton <ross.burton@intel.com>

> +

> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001

> +From: Thomas Haller <thaller@redhat.com>

> +Date: Mon, 6 Feb 2017 22:23:52 +0100

> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()

> +

> +In general, libnl functions are not robust against calling with

> +invalid arguments. Thus, never call libnl functions with invalid

> +arguments. In case of nlmsg_reserve() this means never provide

> +a @len argument that causes overflow.

> +

> +Still, add an additional safeguard to avoid exploiting such bugs.

> +

> +Assume that @pad is a trusted, small integer.

> +Assume that n->nm_size is a valid number of allocated bytes (and thus

> +much smaller then SIZE_T_MAX).

> +Assume, that @len may be set to an untrusted value. Then the patch

> +avoids an integer overflow resulting in reserving too few bytes.

> +---

> + lib/msg.c | 3 +++

> + 1 file changed, 3 insertions(+)

> +

> +diff --git a/lib/msg.c b/lib/msg.c

> +index 9af3f3a0..3e27d4e0 100644

> +--- a/lib/msg.c

> ++++ b/lib/msg.c

> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)

> +       size_t nlmsg_len = n->nm_nlh->nlmsg_len;

> +       size_t tlen;

> +

> ++      if (len > n->nm_size)

> ++              return NULL;

> ++

> +       tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;

> +

> +       if ((tlen + nlmsg_len) > n->nm_size)

> \ No newline at end of file

> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb

> index 7d4839ba506..746fd3d4153 100644

> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb

> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb

> @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native"

>  SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \

>             file://fix-pktloc_syntax_h-race.patch \

>             file://fix-pc-file.patch \

> +           file://overflow.patch \

>  "

>  UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"

>

> --

> 2.11.0

>

> --

> _______________________________________________

> Openembedded-core mailing list

> Openembedded-core@lists.openembedded.org

> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton May 17, 2018, 8:03 a.m. | #2
Certainly does, sorry about that!

Ross

On 17 May 2018 at 01:44, Andre McCurdy <armccurdy@gmail.com> wrote:
> On Wed, May 16, 2018 at 4:30 PM, Ross Burton <ross.burton@intel.com> wrote:

>

> Looks like a duplicate of:

>

>   http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150743.html

>

> ?

>

>> Signed-off-by: Ross Burton <ross.burton@intel.com>

>> ---

>>  meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++

>>  meta/recipes-support/libnl/libnl_3.2.29.bb      |  1 +

>>  2 files changed, 40 insertions(+)

>>  create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch

>>

>> diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch

>> new file mode 100644

>> index 00000000000..777fac3ea1a

>> --- /dev/null

>> +++ b/meta/recipes-support/libnl/libnl/overflow.patch

>> @@ -0,0 +1,39 @@

>> +CVE: CVE-2017-0553

>> +Upstream-Status: Backport

>> +Signed-off-by: Ross Burton <ross.burton@intel.com>

>> +

>> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001

>> +From: Thomas Haller <thaller@redhat.com>

>> +Date: Mon, 6 Feb 2017 22:23:52 +0100

>> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()

>> +

>> +In general, libnl functions are not robust against calling with

>> +invalid arguments. Thus, never call libnl functions with invalid

>> +arguments. In case of nlmsg_reserve() this means never provide

>> +a @len argument that causes overflow.

>> +

>> +Still, add an additional safeguard to avoid exploiting such bugs.

>> +

>> +Assume that @pad is a trusted, small integer.

>> +Assume that n->nm_size is a valid number of allocated bytes (and thus

>> +much smaller then SIZE_T_MAX).

>> +Assume, that @len may be set to an untrusted value. Then the patch

>> +avoids an integer overflow resulting in reserving too few bytes.

>> +---

>> + lib/msg.c | 3 +++

>> + 1 file changed, 3 insertions(+)

>> +

>> +diff --git a/lib/msg.c b/lib/msg.c

>> +index 9af3f3a0..3e27d4e0 100644

>> +--- a/lib/msg.c

>> ++++ b/lib/msg.c

>> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)

>> +       size_t nlmsg_len = n->nm_nlh->nlmsg_len;

>> +       size_t tlen;

>> +

>> ++      if (len > n->nm_size)

>> ++              return NULL;

>> ++

>> +       tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;

>> +

>> +       if ((tlen + nlmsg_len) > n->nm_size)

>> \ No newline at end of file

>> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb

>> index 7d4839ba506..746fd3d4153 100644

>> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb

>> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb

>> @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native"

>>  SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \

>>             file://fix-pktloc_syntax_h-race.patch \

>>             file://fix-pc-file.patch \

>> +           file://overflow.patch \

>>  "

>>  UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"

>>

>> --

>> 2.11.0

>>

>> --

>> _______________________________________________

>> Openembedded-core mailing list

>> Openembedded-core@lists.openembedded.org

>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Patch

diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch
new file mode 100644
index 00000000000..777fac3ea1a
--- /dev/null
+++ b/meta/recipes-support/libnl/libnl/overflow.patch
@@ -0,0 +1,39 @@ 
+CVE: CVE-2017-0553
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+
+Still, add an additional safeguard to avoid exploiting such bugs.
+
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/msg.c b/lib/msg.c
+index 9af3f3a0..3e27d4e0 100644
+--- a/lib/msg.c
++++ b/lib/msg.c
+@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+ 	size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+ 	size_t tlen;
+ 
++	if (len > n->nm_size)
++		return NULL;
++
+ 	tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+ 
+ 	if ((tlen + nlmsg_len) > n->nm_size)
\ No newline at end of file
diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb
index 7d4839ba506..746fd3d4153 100644
--- a/meta/recipes-support/libnl/libnl_3.2.29.bb
+++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
@@ -12,6 +12,7 @@  DEPENDS = "flex-native bison-native"
 SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
            file://fix-pktloc_syntax_h-race.patch \
            file://fix-pc-file.patch \
+           file://overflow.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"