[OE-core] [PATCH][rocko] libnl: protect against buffer overflow (CVE-2017-0553)
Burton, Ross
ross.burton at intel.com
Thu May 17 08:03:20 UTC 2018
Certainly does, sorry about that!
Ross
On 17 May 2018 at 01:44, Andre McCurdy <armccurdy at gmail.com> wrote:
> On Wed, May 16, 2018 at 4:30 PM, Ross Burton <ross.burton at intel.com> wrote:
>
> Looks like a duplicate of:
>
> http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150743.html
>
> ?
>
>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>> ---
>> meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++
>> meta/recipes-support/libnl/libnl_3.2.29.bb | 1 +
>> 2 files changed, 40 insertions(+)
>> create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch
>>
>> diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch
>> new file mode 100644
>> index 00000000000..777fac3ea1a
>> --- /dev/null
>> +++ b/meta/recipes-support/libnl/libnl/overflow.patch
>> @@ -0,0 +1,39 @@
>> +CVE: CVE-2017-0553
>> +Upstream-Status: Backport
>> +Signed-off-by: Ross Burton <ross.burton at intel.com>
>> +
>> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
>> +From: Thomas Haller <thaller at redhat.com>
>> +Date: Mon, 6 Feb 2017 22:23:52 +0100
>> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
>> +
>> +In general, libnl functions are not robust against calling with
>> +invalid arguments. Thus, never call libnl functions with invalid
>> +arguments. In case of nlmsg_reserve() this means never provide
>> +a @len argument that causes overflow.
>> +
>> +Still, add an additional safeguard to avoid exploiting such bugs.
>> +
>> +Assume that @pad is a trusted, small integer.
>> +Assume that n->nm_size is a valid number of allocated bytes (and thus
>> +much smaller then SIZE_T_MAX).
>> +Assume, that @len may be set to an untrusted value. Then the patch
>> +avoids an integer overflow resulting in reserving too few bytes.
>> +---
>> + lib/msg.c | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/lib/msg.c b/lib/msg.c
>> +index 9af3f3a0..3e27d4e0 100644
>> +--- a/lib/msg.c
>> ++++ b/lib/msg.c
>> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
>> + size_t nlmsg_len = n->nm_nlh->nlmsg_len;
>> + size_t tlen;
>> +
>> ++ if (len > n->nm_size)
>> ++ return NULL;
>> ++
>> + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
>> +
>> + if ((tlen + nlmsg_len) > n->nm_size)
>> \ No newline at end of file
>> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb
>> index 7d4839ba506..746fd3d4153 100644
>> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb
>> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb
>> @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native"
>> SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \
>> file://fix-pktloc_syntax_h-race.patch \
>> file://fix-pc-file.patch \
>> + file://overflow.patch \
>> "
>> UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
>>
>> --
>> 2.11.0
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core at lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
More information about the Openembedded-core
mailing list