mailarchive of the ptxdist mailing list
From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH] systemd: add systemd-resolved security patches
Date: Wed,  5 Jul 2017 15:41:58 +0200
Message-ID: <20170705134158.8763-1-clemens.gruber@pqgruber.com>

Backported from upstream. Contains a fix for CVE-2017-9445.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
 .../systemd-233/0101-resolved-nullptr-bugfix.patch | 23 +++++++++++
 ...ed-simplify-alloc-size-calc-CVE-2017-9445.patch | 47 ++++++++++++++++++++++
 ...do-not-allocate-packets-with-minimum-size.patch | 44 ++++++++++++++++++++
 patches/systemd-233/series                         |  5 ++-
 4 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 patches/systemd-233/0101-resolved-nullptr-bugfix.patch
 create mode 100644 patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
 create mode 100644 patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch

diff --git a/patches/systemd-233/0101-resolved-nullptr-bugfix.patch b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
new file mode 100644
index 000000000..008771b8a
--- /dev/null
+++ b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
@@ -0,0 +1,23 @@
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 652970284e..240ee448f4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
+         if (r < 0)
+                 return r;
+ 
++        if (!p->question)
++                return 0;
++
+         if (p->question->n_keys != 1)
+                 return 0;
+ 
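
Review bot: The commit message mentions only CVE-2017-9445, but the guard added before the p->question->n_keys access in dns_packet_is_reply_for() fixes a separate defect, a NULL p->question being dereferenced. Please name that fix in the commit message as well, and consider recording the upstream commit id in the patch header next to the (#6020) reference so the backport can be matched against upstream later.
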
diff --git a/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
new file mode 100644
index 000000000..444d8c005
--- /dev/null
+++ b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
@@ -0,0 +1,47 @@
+From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson <chris.coulson@canonical.com>.
+
+CVE-2017-9445
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 240ee448f4..821b66e266 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+ 
+         assert(ret);
+ 
+-        if (mtu <= UDP_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_SIZE_START;
+-        else
+-                a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+-        if (a < DNS_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_HEADER_SIZE;
++        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 2c92392e4d..3abcaf8cf3 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+ 
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+         int n_ref;
+         DnsProtocol protocol;
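
Review bot: Removing DNS_PACKET_SIZE_START from resolved-dns-packet.h leaves dns_packet_new() with only a = MAX(mtu, DNS_PACKET_HEADER_SIZE), so with this patch alone a call with mtu == 0 starts from a header-sized buffer and, per the description in 0103, has to be resized on the first append. Since this is the file that carries the CVE id in its name, a line in the commit message saying that 0102 and 0103 belong together would help anyone who later picks the fix by file name. The point of the change itself is clear from the removed lines: the old a = mtu - UDP_PACKET_HEADER_SIZE branch is the one that could size the buffer below what the caller asked for.
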
diff --git a/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
new file mode 100644
index 000000000..e7a3ca218
--- /dev/null
+++ b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
@@ -0,0 +1,44 @@
+From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
+Date: Tue, 27 Jun 2017 14:20:00 -0400
+Subject: [PATCH] resolved: do not allocate packets with minimum size
+
+dns_packet_new() is sometimes called with mtu == 0, and in that case we should
+allocate more than the absolute minimum (which is the dns packet header size),
+otherwise we have to resize immediately again after appending the first data to
+the packet.
+
+This partially reverts the previous commit.
+---
+ src/resolve/resolved-dns-packet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 821b66e266..d1f0f760a4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -28,6 +28,9 @@
+ 
+ #define EDNS0_OPT_DO (1<<15)
+ 
++#define DNS_PACKET_SIZE_START 512
++assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)
++
+ typedef struct DnsPacketRewinder {
+         DnsPacket *packet;
+         size_t saved_rindex;
+@@ -47,7 +50,14 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+ 
+         assert(ret);
+ 
+-        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
++        /* When dns_packet_new() is called with mtu == 0, allocate more than the
++         * absolute minimum (which is the dns packet header size), to avoid
++         * resizing immediately again after appending the first data to the packet.
++         */
++        if (mtu < UDP_PACKET_HEADER_SIZE)
++                a = DNS_PACKET_SIZE_START;
++        else
++                a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
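
Review bot: The comment added in dns_packet_new() explains only the mtu == 0 case, while the condition mtu < UDP_PACKET_HEADER_SIZE also catches every small non-zero mtu. For those values the allocation stays at or above the request only because of assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE); the else branch gets it from MAX(). It would be worth one sentence in the comment stating that invariant (a is never smaller than mtu), since that is the property the CVE fix in 0102 restored and this patch partially reverts that commit. Note also that the comparison is now < where the code removed in 0102 used <=, so mtu == UDP_PACKET_HEADER_SIZE takes the MAX() branch.
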
diff --git a/patches/systemd-233/series b/patches/systemd-233/series
index 2f3aa9542..383f6b7a9 100644
--- a/patches/systemd-233/series
+++ b/patches/systemd-233/series
@@ -15,4 +15,7 @@
 0012-missing-define-PR_SET_MM.patch
 #tag:upstream --start-number 100
 0100-nss-resolve-drop-the-internal-fallback.patch
-# aeeb8c856cfb6320185a980e3f2b37ec  - git-ptx-patches magic
+0101-resolved-nullptr-bugfix.patch
+0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
+0103-resolved-do-not-allocate-packets-with-minimum-size.patch
+# 0a64b15822c13fe6cb3238c014ea9934  - git-ptx-patches magic
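
Review bot: The order of the three new entries matters and is not documented anywhere in the series file or the commit message. The index lines for resolved-dns-packet.c chain from one patch to the next (652970284e..240ee448f4, 240ee448f4..821b66e266, 821b66e266..d1f0f760a4), and 0103 rewrites the exact line that 0102 adds, so 0103 cannot be applied without 0102 in front of it. A short comment above the entries, or a sentence in the commit message, would make that visible to whoever reorders or drops patches on the next systemd bump.
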
-- 
2.13.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
