gnu/packages/patches/qemu-CVE-2020-7039.patch

   1 Fix CVE-2020-7039:
   2
   3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039
   4
   5 Patches copied from upstream dependency repository:
   6
   7 https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
   8 https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
   9 https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
  10
  11 From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
  12 From: Samuel Thibault <samuel.thibault@ens-lyon.org>
  13 Date: Wed, 8 Jan 2020 00:58:48 +0100
  14 Subject: [PATCH] tcp_emu: Fix oob access
  15
  16 The main loop only checks for one available byte, while we sometimes
  17 need two bytes.
  18 ---
  19  CHANGELOG.md   | 1 +
  20  src/tcp_subr.c | 7 +++++++
  21  2 files changed, 8 insertions(+)
  22
  23 #diff --git a/CHANGELOG.md b/CHANGELOG.md
  24 #index 00d0ce2..5cf94a8 100644
  25 #--- a/CHANGELOG.md
  26 #+++ b/CHANGELOG.md
  27 #@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  28 # ### Fixed
  29 #
  30 #  - ncsi: fix checksum OOB memory access
  31 #+ - `tcp_emu()`: fix OOB accesses
  32 #
  33 # ## [4.1.0] - 2019-12-02
  34 #
  35 diff --git a/src/tcp_subr.c b/src/tcp_subr.c
  36 index 382aa38..9c1bdec 100644
  37 --- a/slirp/src/tcp_subr.c
  38 +++ b/slirp/src/tcp_subr.c
  39 @@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
  40                  break;
  41
  42              case 5:
  43 +                if (bptr == m->m_data + m->m_len - 1)
  44 +                        return 1; /* We need two bytes */
  45 +
  46                  /*
  47                   * The difference between versions 1.0 and
  48                   * 2.0 is here. For future versions of
  49 @@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
  50                  /* This is the field containing the port
  51                   * number that RA-player is listening to.
  52                   */
  53 +
  54 +                if (bptr == m->m_data + m->m_len - 1)
  55 +                        return 1; /* We need two bytes */
  56 +
  57                  lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
  58                  if (lport < 6970)
  59                      lport += 256; /* don't know why */
  60 --
  61 2.24.1
  62
  63 From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
  64 From: Prasad J Pandit <pjp@fedoraproject.org>
  65 Date: Thu, 9 Jan 2020 15:12:27 +0530
  66 Subject: [PATCH] slirp: use correct size while emulating IRC commands
  67
  68 While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
  69 'm->m_size' to write DCC commands via snprintf(3). This may
  70 lead to OOB write access, because 'bptr' points somewhere in
  71 the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
  72 size to avoid OOB access.
  73
  74 Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
  75 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
  76 Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
  77 Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
  78 ---
  79  src/tcp_subr.c | 11 ++++++-----
  80  1 file changed, 6 insertions(+), 5 deletions(-)
  81
  82 diff --git a/src/tcp_subr.c b/src/tcp_subr.c
  83 index 9c1bdec..ee7a938 100644
  84 --- a/slirp/src/tcp_subr.c
  85 +++ b/slirp/src/tcp_subr.c
  86 @@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
  87                  return 1;
  88              }
  89              m->m_len = bptr - m->m_data; /* Adjust length */
  90 -            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
  91 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
  92 +                                 "DCC CHAT chat %lu %u%c\n",
  93                                   (unsigned long)ntohl(so->so_faddr.s_addr),
  94                                   ntohs(so->so_fport), 1);
  95          } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
  96 @@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
  97                  return 1;
  98              }
  99              m->m_len = bptr - m->m_data; /* Adjust length */
 100 -            m->m_len +=
 101 -                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
 102 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
 103 +                         "DCC SEND %s %lu %u %u%c\n", buff,
 104                           (unsigned long)ntohl(so->so_faddr.s_addr),
 105                           ntohs(so->so_fport), n1, 1);
 106          } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
 107 @@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
 108                  return 1;
 109              }
 110              m->m_len = bptr - m->m_data; /* Adjust length */
 111 -            m->m_len +=
 112 -                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
 113 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
 114 +                         "DCC MOVE %s %lu %u %u%c\n", buff,
 115                           (unsigned long)ntohl(so->so_faddr.s_addr),
 116                           ntohs(so->so_fport), n1, 1);
 117          }
 118 --
 119 2.24.1
 120
 121 From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
 122 From: Prasad J Pandit <pjp@fedoraproject.org>
 123 Date: Thu, 9 Jan 2020 15:12:28 +0530
 124 Subject: [PATCH] slirp: use correct size while emulating commands
 125
 126 While emulating services in tcp_emu(), it uses 'mbuf' size
 127 'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
 128 size to avoid possible OOB access.
 129
 130 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 131 Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
 132 Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
 133 ---
 134  src/tcp_subr.c | 9 ++++-----
 135  1 file changed, 4 insertions(+), 5 deletions(-)
 136
 137 diff --git a/src/tcp_subr.c b/src/tcp_subr.c
 138 index ee7a938..177dfd2 100644
 139 --- a/slirp/src/tcp_subr.c
 140 +++ b/slirp/src/tcp_subr.c
 141 @@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
 142              n4 = (laddr & 0xff);
 143
 144              m->m_len = bptr - m->m_data; /* Adjust length */
 145 -            m->m_len += snprintf(bptr, m->m_size - m->m_len,
 146 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
 147                                   "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
 148                                   n5, n6, x == 7 ? buff : "");
 149              return 1;
 150 @@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
 151              n4 = (laddr & 0xff);
 152
 153              m->m_len = bptr - m->m_data; /* Adjust length */
 154 -            m->m_len +=
 155 -                snprintf(bptr, m->m_size - m->m_len,
 156 +            m->m_len += snprintf(bptr, M_FREEROOM(m),
 157                           "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
 158                           n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
 159
 160 @@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
 161          if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
 162              (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
 163                               htons(lport), SS_FACCEPTONCE)) != NULL)
 164 -            m->m_len =
 165 -                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
 166 +            m->m_len = snprintf(m->m_data, M_ROOM(m),
 167 +                                "%d", ntohs(so->so_fport)) + 1;
 168          return 1;
 169
 170      case EMU_IRC:
 171 --
 172 2.24.1
 173