From fc56bc51ea79b613d64b0389bf7b4877d3e45cbb Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Fri, 22 Sep 2017 11:39:48 +0200
Subject: systemd: CVE-2017-9445 Out-of-bounds write in systemd-resolved due to allocating too small buffer in dns_packet_new References: https://bugzilla.redhat.com/attachment.cgi?id=1290017 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
recipes-core/systemd/systemd/CVE-2017-9445.patch | 56 ++++++++++++++++++++++++
recipes-core/systemd/systemd_%.bbappend | 6 +++
2 files changed, 62 insertions(+)
create mode 100644 recipes-core/systemd/systemd/CVE-2017-9445.patch
create mode 100644 recipes-core/systemd/systemd_%.bbappend
(limited to 'recipes-core')
diff --git a/recipes-core/systemd/systemd/CVE-2017-9445.patch b/recipes-core/systemd/systemd/CVE-2017-9445.patch
new file mode 100644
index 0000000..031901d
--- /dev/null
+++ b/recipes-core/systemd/systemd/CVE-2017-9445.patch
@@ -0,0 +1,56 @@
+From db848813bae4d28c524b3b6a7dad135e426659ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson .
+
+CVE-2017-9445
+
+CVE: CVE-2017-8872
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 240ee44..821b66e 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+
+ assert(ret);
+
+- if (mtu <= UDP_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_SIZE_START;
+- else
+- a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+- if (a < DNS_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_HEADER_SIZE;
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+
+ /* round up to next page size */
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 2c92392..3abcaf8 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+ int n_ref;
+ DnsProtocol protocol;
+--
+1.9.1
+
diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 0000000..e07dbe1
--- /dev/null
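Review bot: The `CVE:` tag in the patch header reads `CVE: CVE-2017-8872`, while the file name, the line just above it and the commit subject all identify this fix as CVE-2017-9445; the tag should be `CVE: CVE-2017-9445`. Tooling that reads this tag to decide which CVEs a recipe has patched may otherwise record the wrong identifier for this fix. On the code itself, the new `a = MAX(mtu, DNS_PACKET_HEADER_SIZE);` makes the buffer at least `mtu` bytes, but the unchanged rounding line `a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));` still has no upper bound on `a` in the lines shown. dns_packet_new's body starts and ends outside the inner hunk, so whether callers cap `mtu` before this point cannot be confirmed from here and is worth checking against the full file.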
+++ b/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://CVE-2017-9445.patch \
+ "
+
-- cgit v1.2.3-54-g00ecf
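Review bot: The append is named `systemd_%.bbappend`, so `CVE-2017-9445.patch` is added to `SRC_URI` for every systemd version the base layer may provide, not only the one the backport was prepared against. If the recipe later moves to a release that already carries the upstream change, the patch would presumably stop applying. Naming the append for the affected version, or adding a comment such as `# drop once the systemd recipe includes the upstream fix for CVE-2017-9445`, would make that dependency explicit. As a smaller style point, the trailing `\` followed by a line holding only the closing quote can be written as `SRC_URI += "file://CVE-2017-9445.patch"`.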