diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-09-22 11:39:48 +0200 |
|---|---|---|
| committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-09-26 15:37:50 +0200 |
| commit | fc56bc51ea79b613d64b0389bf7b4877d3e45cbb (patch) | |
| tree | 41c0df4486cfba8a6be40515a4be3ad90b2955f2 | |
| parent | 4c6acb2de2b9612dfae273e63348c40921ebf235 (diff) | |
| download | meta-el-common-fc56bc51ea79b613d64b0389bf7b4877d3e45cbb.tar.gz | |
systemd: CVE-2017-9445
Out-of-bounds write in systemd-resolved due to allocating too
small buffer in dns_packet_new
References:
https://bugzilla.redhat.com/attachment.cgi?id=1290017
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
| -rw-r--r-- | recipes-core/systemd/systemd/CVE-2017-9445.patch | 56 | ||||
| -rw-r--r-- | recipes-core/systemd/systemd_%.bbappend | 6 |
2 files changed, 62 insertions, 0 deletions
diff --git a/recipes-core/systemd/systemd/CVE-2017-9445.patch b/recipes-core/systemd/systemd/CVE-2017-9445.patch new file mode 100644 index 0000000..031901d --- /dev/null +++ b/recipes-core/systemd/systemd/CVE-2017-9445.patch | |||
| @@ -0,0 +1,56 @@ | |||
| 1 | From db848813bae4d28c524b3b6a7dad135e426659ce Mon Sep 17 00:00:00 2001 | ||
| 2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
| 3 | Date: Sun, 18 Jun 2017 16:07:57 -0400 | ||
| 4 | Subject: [PATCH] resolved: simplify alloc size calculation | ||
| 5 | |||
| 6 | The allocation size was calculated in a complicated way, and for values | ||
| 7 | close to the page size we would actually allocate less than requested. | ||
| 8 | |||
| 9 | Reported by Chris Coulson <chris.coulson@canonical.com>. | ||
| 10 | |||
| 11 | CVE-2017-9445 | ||
| 12 | |||
| 13 | CVE: CVE-2017-8872 | ||
| 14 | Upstream-Status: Backport | ||
| 15 | |||
| 16 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 17 | --- | ||
| 18 | src/resolve/resolved-dns-packet.c | 8 +------- | ||
| 19 | src/resolve/resolved-dns-packet.h | 2 -- | ||
| 20 | 2 files changed, 1 insertion(+), 9 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c | ||
| 23 | index 240ee44..821b66e 100644 | ||
| 24 | --- a/src/resolve/resolved-dns-packet.c | ||
| 25 | +++ b/src/resolve/resolved-dns-packet.c | ||
| 26 | @@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { | ||
| 27 | |||
| 28 | assert(ret); | ||
| 29 | |||
| 30 | - if (mtu <= UDP_PACKET_HEADER_SIZE) | ||
| 31 | - a = DNS_PACKET_SIZE_START; | ||
| 32 | - else | ||
| 33 | - a = mtu - UDP_PACKET_HEADER_SIZE; | ||
| 34 | - | ||
| 35 | - if (a < DNS_PACKET_HEADER_SIZE) | ||
| 36 | - a = DNS_PACKET_HEADER_SIZE; | ||
| 37 | + a = MAX(mtu, DNS_PACKET_HEADER_SIZE); | ||
| 38 | |||
| 39 | /* round up to next page size */ | ||
| 40 | a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); | ||
| 41 | diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h | ||
| 42 | index 2c92392..3abcaf8 100644 | ||
| 43 | --- a/src/resolve/resolved-dns-packet.h | ||
| 44 | +++ b/src/resolve/resolved-dns-packet.h | ||
| 45 | @@ -66,8 +66,6 @@ struct DnsPacketHeader { | ||
| 46 | /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ | ||
| 47 | #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 | ||
| 48 | |||
| 49 | -#define DNS_PACKET_SIZE_START 512 | ||
| 50 | - | ||
| 51 | struct DnsPacket { | ||
| 52 | int n_ref; | ||
| 53 | DnsProtocol protocol; | ||
| 54 | -- | ||
| 55 | 1.9.1 | ||
| 56 | |||
diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 0000000..e07dbe1 --- /dev/null +++ b/recipes-core/systemd/systemd_%.bbappend | |||
| @@ -0,0 +1,6 @@ | |||
| 1 | # look for files in the layer first | ||
| 2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
| 3 | |||
| 4 | SRC_URI += "file://CVE-2017-9445.patch \ | ||
| 5 | " | ||
| 6 | |||