* Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
2014-09-18 6:35 [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket Petr Matousek
@ 2014-09-18 6:43 ` Jan Kiszka
2014-09-18 7:06 ` Michael S. Tsirkin
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Jan Kiszka @ 2014-09-18 6:43 UTC (permalink / raw)
To: Petr Matousek, qemu-devel; +Cc: qemu-stable, Michael S. Tsirkin
On 2014-09-18 08:35, Petr Matousek wrote:
> When the guest sends a udp packet with source port and source addr 0, an
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where a NULL pointer
> dereference is hit during the so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
> ---
> v1 -> v2
> * change the check so that it's consistent with the rest of the code
>
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
>
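Review bot: the new `so == &slirp->udb` test must remain the first operand of the `||` in the `if`, since only short-circuit evaluation keeps `so->so_lport` from being read while `udp_last_so` still points at the list head; a one-line comment on that `if` (or in the `Locate pcb for datagram.` comment above it) stating that `&slirp->udb` is the sentinel head of the UDP socket list, which `udp_last_so` points to until a real socket has been cached, would make both the reason for the check and the ordering requirement obvious to later readers.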
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Thanks,
Jan
--
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux
* Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Michael S. Tsirkin @ 2014-09-18 7:06 UTC (permalink / raw)
To: Petr Matousek; +Cc: Jan Kiszka, qemu-devel, qemu-stable
On Thu, Sep 18, 2014 at 08:35:37AM +0200, Petr Matousek wrote:
> When the guest sends a udp packet with source port and source addr 0, an
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where a NULL pointer
> dereference is hit during the so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> v1 -> v2
> * change the check so that it's consistent with the rest of the code
>
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
> --
> 1.9.3
* Re: [Qemu-devel] [Qemu-stable] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Michael Roth @ 2014-09-23 15:25 UTC (permalink / raw)
To: Petr Matousek, qemu-devel; +Cc: Jan Kiszka, qemu-stable, Michael S. Tsirkin
Quoting Petr Matousek (2014-09-18 01:35:37)
> When the guest sends a udp packet with source port and source addr 0, an
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where a NULL pointer
> dereference is hit during the so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Ping. Looking to pull this in for 2.1.2. Release is "asap"
> ---
> v1 -> v2
> * change the check so that it's consistent with the rest of the code
>
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
> --
> 1.9.3
* Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Michael Tokarev @ 2014-09-23 16:50 UTC (permalink / raw)
To: Petr Matousek, qemu-devel; +Cc: Jan Kiszka, qemu-stable, Michael S. Tsirkin
18.09.2014 10:35, Petr Matousek wrote:
> When the guest sends a udp packet with source port and source addr 0, an
> uninitialized socket is picked up when looking for matching and already
> created udp sockets, and later passed to sosendto() where a NULL pointer
> dereference is hit during the so->slirp->vnetwork_mask.s_addr access.
>
> Fix this by checking that the socket is not just a socket stub.
>
> This is CVE-2014-3640.
>
> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
slirp->udb initially is a dummy element of the list which initially
points to itself and never gets used (and slirp->udp_last_so initially
points to it too).
Thanks,
/mjt
> slirp/udp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/slirp/udp.c b/slirp/udp.c
> index 8cc6cb6..f77e00f 100644
> --- a/slirp/udp.c
> +++ b/slirp/udp.c
> @@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
> * Locate pcb for datagram.
> */
> so = slirp->udp_last_so;
> - if (so->so_lport != uh->uh_sport ||
> + if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
> so->so_laddr.s_addr != ip->ip_src.s_addr) {
> struct socket *tmp;
>
>
* Re: [Qemu-devel] [PATCH v2] slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Peter Maydell @ 2014-09-24 10:40 UTC (permalink / raw)
To: Michael Tokarev
Cc: Jan Kiszka, Michael S. Tsirkin, Petr Matousek, QEMU Developers, qemu-stable
On 23 September 2014 09:50, Michael Tokarev <mjt@tls.msk.ru> wrote:
> 18.09.2014 10:35, Petr Matousek wrote:
>> When the guest sends a udp packet with source port and source addr 0, an
>> uninitialized socket is picked up when looking for matching and already
>> created udp sockets, and later passed to sosendto() where a NULL pointer
>> dereference is hit during the so->slirp->vnetwork_mask.s_addr access.
>>
>> Fix this by checking that the socket is not just a socket stub.
>>
>> This is CVE-2014-3640.
>>
>> Signed-off-by: Petr Matousek <pmatouse@redhat.com>
>> Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
>> Reported-by: Stephane Duverger <stephane.duverger@eads.net>
>
> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Applied to master, thanks.
-- PMM