* [ptxdist] [PATCH] systemd: add systemd-resolved security patches
@ 2017-07-05 13:41 Clemens Gruber
From: Clemens Gruber @ 2017-07-05 13:41 UTC (permalink / raw)
To: ptxdist; +Cc: Clemens Gruber
Backported from upstream. Contains a fix for CVE-2017-9445.
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
.../systemd-233/0101-resolved-nullptr-bugfix.patch | 23 +++++++++++
...ed-simplify-alloc-size-calc-CVE-2017-9445.patch | 47 ++++++++++++++++++++++
...do-not-allocate-packets-with-minimum-size.patch | 44 ++++++++++++++++++++
patches/systemd-233/series | 5 ++-
4 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 patches/systemd-233/0101-resolved-nullptr-bugfix.patch
create mode 100644 patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
create mode 100644 patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
diff --git a/patches/systemd-233/0101-resolved-nullptr-bugfix.patch b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
new file mode 100644
index 000000000..008771b8a
--- /dev/null
+++ b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
@@ -0,0 +1,23 @@
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing (#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 652970284e..240ee448f4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
+ if (r < 0)
+ return r;
+
++ if (!p->question)
++ return 0;
++
+ if (p->question->n_keys != 1)
+ return 0;
+
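Review bot: The added `if (!p->question) return 0;` guard in dns_packet_is_reply_for() is explained only by a Launchpad link, and the patch header carries no upstream commit id, only the pull request number (#6020). For a backport kept under `#tag:upstream`, record the upstream commit hash in the header and add one sentence on how p->question can still be NULL once the preceding `if (r < 0) return r;` check has passed, so the patch can be dropped with confidence at the next systemd version bump.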
diff --git a/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
new file mode 100644
index 000000000..444d8c005
--- /dev/null
+++ b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
@@ -0,0 +1,47 @@
+From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson <chris.coulson@canonical.com>.
+
+CVE-2017-9445
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 240ee448f4..821b66e266 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+
+ assert(ret);
+
+- if (mtu <= UDP_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_SIZE_START;
+- else
+- a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+- if (a < DNS_PACKET_HEADER_SIZE)
+- a = DNS_PACKET_HEADER_SIZE;
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+
+ /* round up to next page size */
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
+index 2c92392e4d..3abcaf8cf3 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+ int n_ref;
+ DnsProtocol protocol;
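Review bot: In dns_packet_new(), `a = MAX(mtu, DNS_PACKET_HEADER_SIZE);` also changes the small-mtu case, which previously started from DNS_PACKET_SIZE_START and now starts from DNS_PACKET_HEADER_SIZE, and the header hunk removes the DNS_PACKET_SIZE_START define outright. 0103 restores both, so this patch should not be carried or cherry-picked without it; a line in the patch header saying so would help. The commit message would also be clearer if it named the removed `a = mtu - UDP_PACKET_HEADER_SIZE;` subtraction as what let the page-rounded size fall below the requested mtu, since that is the security-relevant part of the CVE-2017-9445 change.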
diff --git a/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
new file mode 100644
index 000000000..e7a3ca218
--- /dev/null
+++ b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
@@ -0,0 +1,44 @@
+From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
+Date: Tue, 27 Jun 2017 14:20:00 -0400
+Subject: [PATCH] resolved: do not allocate packets with minimum size
+
+dns_packet_new() is sometimes called with mtu == 0, and in that case we should
+allocate more than the absolute minimum (which is the dns packet header size),
+otherwise we have to resize immediately again after appending the first data to
+the packet.
+
+This partially reverts the previous commit.
+---
+ src/resolve/resolved-dns-packet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 821b66e266..d1f0f760a4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -28,6 +28,9 @@
+
+ #define EDNS0_OPT_DO (1<<15)
+
++#define DNS_PACKET_SIZE_START 512
++assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)
++
+ typedef struct DnsPacketRewinder {
+ DnsPacket *packet;
+ size_t saved_rindex;
+@@ -47,7 +50,14 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
+
+ assert(ret);
+
+- a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
++ /* When dns_packet_new() is called with mtu == 0, allocate more than the
++ * absolute minimum (which is the dns packet header size), to avoid
++ * resizing immediately again after appending the first data to the packet.
++ */
++ if (mtu < UDP_PACKET_HEADER_SIZE)
++ a = DNS_PACKET_SIZE_START;
++ else
++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+
+ /* round up to next page size */
+ a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
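Review bot: In the dns_packet_new() hunk the new comment speaks of mtu == 0, but the test is `if (mtu < UDP_PACKET_HEADER_SIZE)`, so every mtu below the UDP header size takes the DNS_PACKET_SIZE_START path; the code removed in 0102 used `<=` for the same branch. Either word the comment to match the condition or state why the boundary moved. Also, `assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)` in the first hunk has no trailing semicolon, which builds only if the macro supplies its own; worth confirming against the macro definition in systemd-233.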
diff --git a/patches/systemd-233/series b/patches/systemd-233/series
index 2f3aa9542..383f6b7a9 100644
--- a/patches/systemd-233/series
+++ b/patches/systemd-233/series
@@ -15,4 +15,7 @@
0012-missing-define-PR_SET_MM.patch
#tag:upstream --start-number 100
0100-nss-resolve-drop-the-internal-fallback.patch
-# aeeb8c856cfb6320185a980e3f2b37ec - git-ptx-patches magic
+0101-resolved-nullptr-bugfix.patch
+0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
+0103-resolved-do-not-allocate-packets-with-minimum-size.patch
+# 0a64b15822c13fe6cb3238c014ea9934 - git-ptx-patches magic
--
2.13.2
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de