pulseaudio: fix CVE-2014-3970

The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet. Fix it by picking a patch from pulseaudio upstream code. (From OE-Core rev: f9d7407e54f1fa3d3a316a5bbb8b80665e6f03fd) (From OE-Core rev: cf008bce23e897d1c3a51805af839af9241271df) Signed-off-by: Shan Hai <shan.hai@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Shan Hai <shan.hai@windriver.com> 2014-07-28 01:18:50 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:05 +0100
commit: 4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528 (patch)
tree: 969b776c11cd91627d83cb0f1717637592fc6d9e
parent: 65ed47e597609be3c740e383ca6c5a740fa7760a (diff)
download: poky-4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528.tar.gz
2 files changed, 55 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
new file mode 100644
index 0000000000..d5f33dc42e
--- /dev/null
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
@@ -0,0 +1,52 @@
+Upstream-Status: Backport
+commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
+rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 9195493..c45981e 100644
+--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
+    if (size <= 0) {
+        /* size can be 0 due to any of the following reasons:
+         *
+         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+         * 2. Somebody sent us a UDP packet with a bad CRC.
+         *
+         * It is unknown whether size can actually be less than zero.
+         *
+         * In the first case, the packet has to be read out, otherwise the
+         * kernel will tell us again and again about it, thus preventing
+         * reception of any further packets. So let's just read it out
+         * now and discard it later, when comparing the number of bytes
+         * received (0) with the number of bytes wanted (1, see below).
+         *
+         * In the second case, recvmsg() will fail, thus allowing us to
+         * return the error.
+         *
+         * Just to avoid passing zero-sized memchunks and NULL pointers to
+         * recvmsg(), let's force allocation of at least one byte by setting
+         * size to 1.
+         */
+        size = 1;
+    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
index 8d8c421179..99f0ef3a46 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
@@ -2,7 +2,9 @@ require pulseaudio.inc
 SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \
           file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \
-           file://volatiles.04_pulse"
+           file://volatiles.04_pulse \
+           file://CVE-2014-3970.patch \
+"
 SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e"
 SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939"
author	Shan Hai <shan.hai@windriver.com>	2014-07-28 01:18:50 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:05 +0100
commit	4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528 (patch)
tree	969b776c11cd91627d83cb0f1717637592fc6d9e
parent	65ed47e597609be3c740e383ca6c5a740fa7760a (diff)
download	poky-4b1b58074959f5d6ecc8dc0a8fedeb5ae7e8c528.tar.gz

diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch new file mode 100644 index 0000000000..d5f33dc42e --- /dev/null +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
@@ -0,0 +1,52 @@
		1	Upstream-Status: Backport
		2
		3	commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
		4
		5	rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
		6
		7	On FIONREAD returning 0 bytes, we cannot return success, as the caller
		8	(rtpoll_work_cb in module-rtp-recv.c) would then try to
		9	pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
		10	an assertion.
		11
		12	Also we have to read out the possible empty packet from the socket, so
		13	that the kernel doesn't tell us again and again about it.
		14
		15	Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
		16
		17	diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
		18	index 9195493..c45981e 100644
		19	--- a/src/modules/rtp/rtp.c
		20	+++ b/src/modules/rtp/rtp.c
		21	@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context c, pa_memchunk chunk, pa_mempool *pool, struct
		22	goto fail;
		23	}
		24
		25	- if (size <= 0)
		26	- return 0;
		27	+ if (size <= 0) {
		28	+ /* size can be 0 due to any of the following reasons:
		29	+ *
		30	+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
		31	+ * 2. Somebody sent us a UDP packet with a bad CRC.
		32	+ *
		33	+ * It is unknown whether size can actually be less than zero.
		34	+ *
		35	+ * In the first case, the packet has to be read out, otherwise the
		36	+ * kernel will tell us again and again about it, thus preventing
		37	+ * reception of any further packets. So let's just read it out
		38	+ * now and discard it later, when comparing the number of bytes
		39	+ * received (0) with the number of bytes wanted (1, see below).
		40	+ *
		41	+ * In the second case, recvmsg() will fail, thus allowing us to
		42	+ * return the error.
		43	+ *
		44	+ * Just to avoid passing zero-sized memchunks and NULL pointers to
		45	+ * recvmsg(), let's force allocation of at least one byte by setting
		46	+ * size to 1.
		47	+ */
		48	+ size = 1;
		49	+ }
		50
		51	if (c->memchunk.length < (unsigned) size) {
		52	size_t l;


diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb index 8d8c421179..99f0ef3a46 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
@@ -2,7 +2,9 @@ require pulseaudio.inc
2		2
3	SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \	3	SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \
4	file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \	4	file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \
5	file://volatiles.04_pulse"	5	file://volatiles.04_pulse \
		6	file://CVE-2014-3970.patch \
		7	"
6	SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e"	8	SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e"
7	SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939"	9	SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939"
8		10