Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
@ 2020-10-31 16:34 Fabrice Fontaine
  2020-10-31 17:20 ` Alexander Dahl
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2020-10-31 16:34 UTC
  To: buildroot

receive.c in fastd before v21 allows denial of service (assertion
failure) when receiving packets with an invalid type code.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
 package/fastd/fastd.mk                        |  3 ++
 2 files changed, 48 insertions(+)
 create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch

diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
new file mode 100644
index 0000000000..f4a44fea6d
--- /dev/null
+++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
@@ -0,0 +1,45 @@
+From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 19 Oct 2020 21:08:16 +0200
+Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
+
+For fastd versions before v20, this was just a memory leak (which could
+still be used for DoS, as it's remotely triggerable). With the new
+buffer management of fastd v20, this will trigger an assertion failure
+instead as soon as the buffer pool is empty.
+
+[Retrieved from:
+https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/receive.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/receive.c b/src/receive.c
+index 043c9f2..6bca9f4 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known(
+ 
+ 	case PACKET_HANDSHAKE:
+ 		fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
++		break;
++
++	default:
++		fastd_buffer_free(buffer);
++		pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
+ 	}
+ }
+ 
+@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown(
+ 
+ 	case PACKET_HANDSHAKE:
+ 		fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
++		break;
++
++	default:
++		fastd_buffer_free(buffer);
++		pr_debug("received packet with invalid type from unknown address %I", remote_addr);
+ 	}
+ }
+ 
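Review bot: The new default branches in handle_socket_receive_known and handle_socket_receive_unknown call pr_debug once per dropped packet, and the second one fires for unknown addresses, so the sender controls the message rate. At debug level that is acceptable, but it is worth checking that the packaged configuration does not run fastd with debug logging enabled, otherwise the buffer leak is traded for log growth. Freeing before logging is safe here, since pr_debug only reads peer and remote_addr and never touches buffer.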
diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
index b1261f0fa5..d556e2fbb1 100644
--- a/package/fastd/fastd.mk
+++ b/package/fastd/fastd.mk
@@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT
 FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON
 FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap
 
+# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
+FASTD_IGNORE_CVES += CVE-2020-27638
+
 ifeq ($(BR2_PACKAGE_OPENSSL),y)
 FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON
 FASTD_DEPENDENCIES += openssl
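Review bot: The FASTD_IGNORE_CVES entry in fastd.mk is tied to the 0002 patch only by the comment above it, so both lines need to be dropped together with the patch file when the package is bumped to v21, which the commit message names as the first fixed release. Leaving the entry behind would keep a stale ignore in the tree that no longer corresponds to any carried patch. A short note in the commit message that the ignore is temporary until the bump would make that explicit.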
-- 
2.28.0
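
The failure mode described in the commit message above, shown as an added example that is not part of the original posting and is not fastd code: a toy fixed-size buffer pool in which a dispatch switch without a default branch leaks one buffer per unknown packet type until allocation fails. POOL_SIZE, the type codes, the sample stream and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE 4 /* constructed: tiny pool so exhaustion shows quickly */
enum { PKT_DATA = 1, PKT_HANDSHAKE = 2 }; /* hypothetical type codes */
typedef struct { bool in_use; } buf_t;
typedef void (*handler_t)(uint8_t type, buf_t *b);
static buf_t pool[POOL_SIZE];
static buf_t *buf_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
    return NULL; /* pool empty: where, per the commit message, v20 asserts */
}
static void buf_free(buf_t *b) { b->in_use = false; }
/* Each handler owns b and must release it on every path. */
static void handle_unpatched(uint8_t type, buf_t *b) {
    switch (type) {
    case PKT_DATA: case PKT_HANDSHAKE:
        buf_free(b); /* stands in for the real consumers of the buffer */
        break;
    } /* no default: an unknown type returns with b still allocated */
}
static void handle_patched(uint8_t type, buf_t *b) {
    switch (type) {
    case PKT_DATA: case PKT_HANDSHAKE:
        buf_free(b);
        break;
    default:
        buf_free(b); /* the added branch: drop the packet, return the buffer */
    }
}
/* Returns how many packets were served before allocation failed (n if all). */
static size_t receive_all(const uint8_t *types, size_t n, handler_t handle) {
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].in_use = false;
    for (size_t i = 0; i < n; i++) {
        buf_t *b = buf_alloc();
        if (!b) return i;
        handle(types[i], b);
    }
    return n;
}
/* Constructed input: valid packets mixed with four of an unknown type. */
static const uint8_t SAMPLE[] = { 1, 2, 0xff, 1, 0xff, 0xff, 0xff, 2, 1 };
int main(void) {
    printf("unpatched served %zu packets\n", receive_all(SAMPLE, sizeof SAMPLE, handle_unpatched));
    printf("patched served %zu packets\n", receive_all(SAMPLE, sizeof SAMPLE, handle_patched));
    return 0;
}
```

Valid traffic after the fourth unknown-type packet is refused by the unpatched handler even though every valid packet was handled correctly, which is why the leak amounts to a denial of service.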


* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
  2020-10-31 16:34 [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638 Fabrice Fontaine
@ 2020-10-31 17:20 ` Alexander Dahl
  2020-10-31 17:26   ` Fabrice Fontaine
  2020-10-31 21:04 ` Thomas Petazzoni
  2020-11-03  7:54 ` Peter Korsgaard
  2 siblings, 1 reply; 5+ messages in thread
From: Alexander Dahl @ 2020-10-31 17:20 UTC
  To: buildroot

Hei hei,

On Sat, Oct 31, 2020 at 05:34:20PM +0100, Fabrice Fontaine wrote:
> receive.c in fastd before v21 allows denial of service (assertion
> failure) when receiving packets with an invalid type code.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Acked-by: Alexander Dahl <post@lespocky.de>

Note: with v21 fastd switched from CMake to Meson. I have no
experience with Meson so far, so I might need some time for an
upgrade. If someone else wants to step in, do not hesitate.

Greets
Alex

> ---
>  ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
>  package/fastd/fastd.mk                        |  3 ++
>  2 files changed, 48 insertions(+)
>  create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> 
> diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> new file mode 100644
> index 0000000000..f4a44fea6d
> --- /dev/null
> +++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> @@ -0,0 +1,45 @@
> +From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001
> +From: Matthias Schiffer <mschiffer@universe-factory.net>
> +Date: Mon, 19 Oct 2020 21:08:16 +0200
> +Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
> +
> +For fastd versions before v20, this was just a memory leak (which could
> +still be used for DoS, as it's remotely triggerable). With the new
> +buffer management of fastd v20, this will trigger an assertion failure
> +instead as soon as the buffer pool is empty.
> +
> +[Retrieved from:
> +https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/receive.c | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/src/receive.c b/src/receive.c
> +index 043c9f2..6bca9f4 100644
> +--- a/src/receive.c
> ++++ b/src/receive.c
> +@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known(
> + 
> + 	case PACKET_HANDSHAKE:
> + 		fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
> ++		break;
> ++
> ++	default:
> ++		fastd_buffer_free(buffer);
> ++		pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
> + 	}
> + }
> + 
> +@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown(
> + 
> + 	case PACKET_HANDSHAKE:
> + 		fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
> ++		break;
> ++
> ++	default:
> ++		fastd_buffer_free(buffer);
> ++		pr_debug("received packet with invalid type from unknown address %I", remote_addr);
> + 	}
> + }
> + 
> diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
> index b1261f0fa5..d556e2fbb1 100644
> --- a/package/fastd/fastd.mk
> +++ b/package/fastd/fastd.mk
> @@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT
>  FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON
>  FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap
>  
> +# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> +FASTD_IGNORE_CVES += CVE-2020-27638
> +
>  ifeq ($(BR2_PACKAGE_OPENSSL),y)
>  FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON
>  FASTD_DEPENDENCIES += openssl
> -- 
> 2.28.0
> 

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)


* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
  2020-10-31 17:20 ` Alexander Dahl
@ 2020-10-31 17:26   ` Fabrice Fontaine
  0 siblings, 0 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2020-10-31 17:26 UTC
  To: buildroot

Hi Alexander,

On Sat, 31 Oct 2020 at 18:20, Alexander Dahl <post@lespocky.de> wrote:
>
> Hei hei,
>
> On Sat, Oct 31, 2020 at 05:34:20PM +0100, Fabrice Fontaine wrote:
> > receive.c in fastd before v21 allows denial of service (assertion
> > failure) when receiving packets with an invalid type code.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Acked-by: Alexander Dahl <post@lespocky.de>
>
> Note: with v21 fastd switched from CMake to Meson. I have no
> experience with Meson so far, so I might need some time for an
> upgrade. If someone else wants to step in, do not hesitate.
I prepared a patch to bump fastd to v21, I'll send it after this one is merged.
>
> Greets
> Alex
>
> > ---
> >  ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
> >  package/fastd/fastd.mk                        |  3 ++
> >  2 files changed, 48 insertions(+)
> >  create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> >
> > diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> > new file mode 100644
> > index 0000000000..f4a44fea6d
> > --- /dev/null
> > +++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> > @@ -0,0 +1,45 @@
> > +From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001
> > +From: Matthias Schiffer <mschiffer@universe-factory.net>
> > +Date: Mon, 19 Oct 2020 21:08:16 +0200
> > +Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
> > +
> > +For fastd versions before v20, this was just a memory leak (which could
> > +still be used for DoS, as it's remotely triggerable). With the new
> > +buffer management of fastd v20, this will trigger an assertion failure
> > +instead as soon as the buffer pool is empty.
> > +
> > +[Retrieved from:
> > +https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea]
> > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > +---
> > + src/receive.c | 10 ++++++++++
> > + 1 file changed, 10 insertions(+)
> > +
> > +diff --git a/src/receive.c b/src/receive.c
> > +index 043c9f2..6bca9f4 100644
> > +--- a/src/receive.c
> > ++++ b/src/receive.c
> > +@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known(
> > +
> > +     case PACKET_HANDSHAKE:
> > +             fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
> > ++            break;
> > ++
> > ++    default:
> > ++            fastd_buffer_free(buffer);
> > ++            pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
> > +     }
> > + }
> > +
> > +@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown(
> > +
> > +     case PACKET_HANDSHAKE:
> > +             fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
> > ++            break;
> > ++
> > ++    default:
> > ++            fastd_buffer_free(buffer);
> > ++            pr_debug("received packet with invalid type from unknown address %I", remote_addr);
> > +     }
> > + }
> > +
> > diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
> > index b1261f0fa5..d556e2fbb1 100644
> > --- a/package/fastd/fastd.mk
> > +++ b/package/fastd/fastd.mk
> > @@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT
> >  FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON
> >  FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap
> >
> > +# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> > +FASTD_IGNORE_CVES += CVE-2020-27638
> > +
> >  ifeq ($(BR2_PACKAGE_OPENSSL),y)
> >  FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON
> >  FASTD_DEPENDENCIES += openssl
> > --
> > 2.28.0
> >
>
> --
> /"\ ASCII RIBBON | "With the first link, the chain is forged. The first
> \ / CAMPAIGN     | speech censured, the first thought forbidden, the
>  X  AGAINST      | first freedom denied, chains us all irrevocably."
> / \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
Best Regards,

Fabrice


* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
  2020-10-31 16:34 [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638 Fabrice Fontaine
  2020-10-31 17:20 ` Alexander Dahl
@ 2020-10-31 21:04 ` Thomas Petazzoni
  2020-11-03  7:54 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Thomas Petazzoni @ 2020-10-31 21:04 UTC
  To: buildroot

On Sat, 31 Oct 2020 17:34:20 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> receive.c in fastd before v21 allows denial of service (assertion
> failure) when receiving packets with an invalid type code.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
>  package/fastd/fastd.mk                        |  3 ++
>  2 files changed, 48 insertions(+)
>  create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
  2020-10-31 16:34 [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638 Fabrice Fontaine
  2020-10-31 17:20 ` Alexander Dahl
  2020-10-31 21:04 ` Thomas Petazzoni
@ 2020-11-03  7:54 ` Peter Korsgaard
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2020-11-03  7:54 UTC
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > receive.c in fastd before v21 allows denial of service (assertion
 > failure) when receiving packets with an invalid type code.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.08.x, thanks.

-- 
Bye, Peter Korsgaard
