author | Shan Hai <shan.hai@windriver.com> | 2014-07-28 01:18:50 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-07-29 09:58:26 +0100 |
commit | 0685207d43b1bb7ad8be21e14c0f543070c9efcf (patch) | |
tree | c66eee58ae44cc42b33ed363440bebdd60425db4 /meta | |
parent | c6a57f7f4c8502d8d401db4d872738f680cfc637 (diff) | |
pulseaudio: fix CVE-2014-3970
The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module
in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of
service (assertion failure and abort) via an empty UDP packet.
Fix it by picking a patch from pulseaudio upstream code.
(From OE-Core rev: f9d7407e54f1fa3d3a316a5bbb8b80665e6f03fd)
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch | 52 | ||||
-rw-r--r-- | meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb | 4 |
2 files changed, 55 insertions, 1 deletions
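--- /dev/null
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
@@ -0,0 +1,52 @@
+Upstream-Status: Backport
+
+commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
+
+rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 9195493..c45981e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+goto fail;
+}
+
+- if (size <= 0)
+- return 0;
++ if (size <= 0) {
+/* size can be 0 due to any of the following reasons:
+*
+* 1. Somebody sent us a perfectly valid zero-length UDP packet.
+* 2. Somebody sent us a UDP packet with a bad CRC.
+*
+* It is unknown whether size can actually be less than zero.
+*
+* In the first case, the packet has to be read out, otherwise the
+* kernel will tell us again and again about it, thus preventing
+* reception of any further packets. So let's just read it out
+* now and discard it later, when comparing the number of bytes
+* received (0) with the number of bytes wanted (1, see below).
+*
+* In the second case, recvmsg() will fail, thus allowing us to
+* return the error.
+*
+* Just to avoid passing zero-sized memchunks and NULL pointers to
+* recvmsg(), let's force allocation of at least one byte by setting
+* size to 1.
+*/
++ size = 1;
++ }
+
+if (c->memchunk.length < (unsigned) size) {
+size_t l;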
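Review bot: The crash fix in the embedded rtp.c hunk depends on code this patch does not show: after `size = 1;` the empty datagram is only rejected by the later bytes-received versus bytes-wanted comparison, which the new comment points to with "see below". It is worth confirming in the full pa_rtp_recv that this comparison ends on the failure return, because the patch description says a success return with a NULL `chunk.memblock` is what lets rtpoll_work_cb reach the assertion. I would record that contract next to the assignment, e.g. `/* never return success without a memblock: rtpoll_work_cb unrefs chunk.memblock on success */`. The same branch also covers a negative `size`, which the comment itself calls unknown, so a one-line note on what FIONREAD can report there would help the next reader. pa_rtp_recv starts and ends outside the hunk, so the rest of the receive path is not covered by this review.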
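--- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
@@ -2,7 +2,9 @@ require pulseaudio.inc
 
 SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \
 file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \
-file://volatiles.04_pulse"
+file://volatiles.04_pulse \
+file://CVE-2014-3970.patch \
+"
 SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e"
 SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939"
 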