* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
@ 2020-10-31 16:34 Fabrice Fontaine
2020-10-31 17:20 ` Alexander Dahl
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Fabrice Fontaine @ 2020-10-31 16:34 UTC
To: buildroot
receive.c in fastd before v21 allows denial of service (assertion
failure) when receiving packets with an invalid type code.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
package/fastd/fastd.mk | 3 ++
2 files changed, 48 insertions(+)
create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
new file mode 100644
index 0000000000..f4a44fea6d
--- /dev/null
+++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
@@ -0,0 +1,45 @@
+From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Mon, 19 Oct 2020 21:08:16 +0200
+Subject: [PATCH] receive: fix buffer leak when receiving invalid packets
+
+For fastd versions before v20, this was just a memory leak (which could
+still be used for DoS, as it's remotely triggerable). With the new
+buffer management of fastd v20, this will trigger an assertion failure
+instead as soon as the buffer pool is empty.
+
+[Retrieved from:
+https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/receive.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/receive.c b/src/receive.c
+index 043c9f2..6bca9f4 100644
+--- a/src/receive.c
++++ b/src/receive.c
+@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known(
+
+ case PACKET_HANDSHAKE:
+ fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer);
++ break;
++
++ default:
++ fastd_buffer_free(buffer);
++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr);
+ }
+ }
+
+@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown(
+
+ case PACKET_HANDSHAKE:
+ fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer);
++ break;
++
++ default:
++ fastd_buffer_free(buffer);
++ pr_debug("received packet with invalid type from unknown address %I", remote_addr);
+ }
+ }
+
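Review bot: The two added `default:` branches in src/receive.c rely on an unwritten ownership rule that nothing in the visible code documents: every arm of the switch must either hand `buffer` to a handler or free it. Consider a one-line comment above each switch stating that rule, and noting that the new `break;` after `fastd_handshake_handle(...)` is required so the handshake arm does not fall through into `fastd_buffer_free(buffer)`. The added `pr_debug` calls run once per invalid packet, and the commit message calls the condition remotely triggerable, so they should stay at debug level unless rate limiting is added.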
diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
index b1261f0fa5..d556e2fbb1 100644
--- a/package/fastd/fastd.mk
+++ b/package/fastd/fastd.mk
@@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT
FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON
FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap
+# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
+FASTD_IGNORE_CVES += CVE-2020-27638
+
ifeq ($(BR2_PACKAGE_OPENSSL),y)
FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON
FASTD_DEPENDENCIES += openssl
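Review bot: The comment above `FASTD_IGNORE_CVES += CVE-2020-27638` names the backported patch but does not say when the entry can be dropped. The commit message states that fastd before v21 is affected, so extend the comment to say that both 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch and this line are to be removed with the bump to v21. That keeps the CVE ignore from outliving the patch that justifies it.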
--
2.28.0
* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
From: Alexander Dahl @ 2020-10-31 17:20 UTC
To: buildroot

Hei hei,

On Sat, Oct 31, 2020 at 05:34:20PM +0100, Fabrice Fontaine wrote:
> receive.c in fastd before v21 allows denial of service (assertion
> failure) when receiving packets with an invalid type code.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Acked-by: Alexander Dahl <post@lespocky.de>

Note: with v21 fastd switched from CMake to Meson. I have no
experience with Meson so far, so I might need some time for an
upgrade. If someone else wants to step in, do not hesitate.

Greets
Alex

> ---
> ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
> package/fastd/fastd.mk | 3 ++
> 2 files changed, 48 insertions(+)
> create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
>
> diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> new file mode 100644
> index 0000000000..f4a44fea6d
> --- /dev/null
> +++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> @@ -0,0 +1,45 @@ > +From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001 > +From: Matthias Schiffer <mschiffer@universe-factory.net> > +Date: Mon, 19 Oct 2020 21:08:16 +0200 > +Subject: [PATCH] receive: fix buffer leak when receiving invalid packets > + > +For fastd versions before v20, this was just a memory leak (which could > +still be used for DoS, as it's remotely triggerable). With the new > +buffer management of fastd v20, this will trigger an assertion failure > +instead as soon as the buffer pool is empty. > + > +[Retrieved from: > +https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea] > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > +--- > + src/receive.c | 10 ++++++++++ > + 1 file changed, 10 insertions(+) > + > +diff --git a/src/receive.c b/src/receive.c > +index 043c9f2..6bca9f4 100644 > +--- a/src/receive.c > ++++ b/src/receive.c > +@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known( > + > + case PACKET_HANDSHAKE: > + fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer); > ++ break; > ++ > ++ default: > ++ fastd_buffer_free(buffer); > ++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr); > + } > + } > + > +@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown( > + > + case PACKET_HANDSHAKE: > + fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer); > ++ break; > ++ > ++ default: > ++ fastd_buffer_free(buffer); > ++ pr_debug("received packet with invalid type from unknown address %I", remote_addr); > + } > + } > + > diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk > index b1261f0fa5..d556e2fbb1 100644 > --- a/package/fastd/fastd.mk > +++ b/package/fastd/fastd.mk 
> @@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT > FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON > FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap > > +# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch > +FASTD_IGNORE_CVES += CVE-2020-27638 > + > ifeq ($(BR2_PACKAGE_OPENSSL),y) > FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON > FASTD_DEPENDENCIES += openssl
> --
> 2.28.0

--
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
From: Fabrice Fontaine @ 2020-10-31 17:26 UTC
To: buildroot

Hi Alexander,

On Sat, 31 Oct 2020 at 18:20, Alexander Dahl <post@lespocky.de> wrote:
>
> Hei hei,
>
> On Sat, Oct 31, 2020 at 05:34:20PM +0100, Fabrice Fontaine wrote:
> > receive.c in fastd before v21 allows denial of service (assertion
> > failure) when receiving packets with an invalid type code.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Acked-by: Alexander Dahl <post@lespocky.de>
>
> Note: with v21 fastd switched from CMake to Meson. I have no
> experience with Meson so far, so I might need some time for an
> upgrade. If someone else wants to step in, do not hesitate.

I prepared a patch to bump fastd to v21, I'll send it after this one is merged.

>
> Greets
> Alex
>
> > ---
> > ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
> > package/fastd/fastd.mk | 3 ++
> > 2 files changed, 48 insertions(+)
> > create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> >
> > diff --git a/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> > new file mode 100644
> > index 0000000000..f4a44fea6d
> > --- /dev/null
> > +++ b/package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch
> > @@ -0,0 +1,45 @@ > > +From 737925113363b6130879729cdff9ccc46c33eaea Mon Sep 17 00:00:00 2001 > > +From: Matthias Schiffer <mschiffer@universe-factory.net> > > +Date: Mon, 19 Oct 2020 21:08:16 +0200 > > +Subject: [PATCH] receive: fix buffer leak when receiving invalid packets > > + > > +For fastd versions before v20, this was just a memory leak (which could > > +still be used for DoS, as it's remotely triggerable). With the new > > +buffer management of fastd v20, this will trigger an assertion failure > > +instead as soon as the buffer pool is empty. > > + > > +[Retrieved from: > > +https://github.com/NeoRaider/fastd/commit/737925113363b6130879729cdff9ccc46c33eaea] > > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > > +--- > > + src/receive.c | 10 ++++++++++ > > + 1 file changed, 10 insertions(+) > > + > > +diff --git a/src/receive.c b/src/receive.c > > +index 043c9f2..6bca9f4 100644 > > +--- a/src/receive.c > > ++++ b/src/receive.c > > +@@ -169,6 +169,11 @@ static inline void handle_socket_receive_known( > > + > > + case PACKET_HANDSHAKE: > > + fastd_handshake_handle(sock, local_addr, remote_addr, peer, buffer); > > ++ break; > > ++ > > ++ default: > > ++ fastd_buffer_free(buffer); > > ++ pr_debug("received packet with invalid type from %P[%I]", peer, remote_addr); > > + } > > + } > > + > > +@@ -195,6 +200,11 @@ static inline void handle_socket_receive_unknown( > > + > > + case PACKET_HANDSHAKE: > > + fastd_handshake_handle(sock, local_addr, remote_addr, NULL, buffer); > > ++ break; > > ++ > > ++ default: > > ++ fastd_buffer_free(buffer); > > ++ pr_debug("received packet with invalid type from unknown address %I", remote_addr); > > + } > > + } > > + > > diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk > > index b1261f0fa5..d556e2fbb1 100644 > > --- a/package/fastd/fastd.mk > > +++ b/package/fastd/fastd.mk 
> > @@ -12,6 +12,9 @@ FASTD_LICENSE_FILES = COPYRIGHT > > FASTD_CONF_OPTS = -DENABLE_LIBSODIUM=ON > > FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium libcap > > > > +# 0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch > > +FASTD_IGNORE_CVES += CVE-2020-27638 > > + > > ifeq ($(BR2_PACKAGE_OPENSSL),y) > > FASTD_CONF_OPTS += -DENABLE_OPENSSL=ON > > FASTD_DEPENDENCIES += openssl
> > --
> > 2.28.0
>
> --
> /"\ ASCII RIBBON | "With the first link, the chain is forged. The first
> \ / CAMPAIGN     | speech censured, the first thought forbidden, the
>  X  AGAINST      | first freedom denied, chains us all irrevocably."
> / \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

Best Regards,
Fabrice
* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
From: Thomas Petazzoni @ 2020-10-31 21:04 UTC
To: buildroot

On Sat, 31 Oct 2020 17:34:20 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> receive.c in fastd before v21 allows denial of service (assertion
> failure) when receiving packets with an invalid type code.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> ...-leak-when-receiving-invalid-packets.patch | 45 +++++++++++++++++++
> package/fastd/fastd.mk | 3 ++
> 2 files changed, 48 insertions(+)
> create mode 100644 package/fastd/0002-receive-fix-buffer-leak-when-receiving-invalid-packets.patch

Applied to master, thanks.

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/fastd: fix CVE-2020-27638
From: Peter Korsgaard @ 2020-11-03 7:54 UTC
To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > receive.c in fastd before v21 allows denial of service (assertion
 > failure) when receiving packets with an invalid type code.
 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2020.02.x and 2020.08.x, thanks.

--
Bye, Peter Korsgaard