From: Samuel Thibault <samuel.thibault@gnu.org>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: slirp@lists.freedesktop.org, Petr Matousek <pmatouse@redhat.com>,
qemu-devel@nongnu.org, Vishnu Dev TJ <vishnudevtj@gmail.com>,
qemu-stable@nongnu.org, Prasad J Pandit <ppandit@redhat.com>
Subject: Re: [Qemu-devel] [Slirp] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload
Date: Mon, 26 Aug 2019 00:54:03 +0200 [thread overview]
Message-ID: <20190825225403.vwg2fhfff6i7gnwd@function> (raw)
In-Reply-To: <14216968-a066-6abf-1952-3cff3aa3eee3@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 487 bytes --]
Hello,
Philippe Mathieu-Daudé, le ven. 23 août 2019 17:15:32 +0200, a ecrit:
> > Did you make your test with commit 126c04acbabd ("Fix heap overflow in
> > ip_reass on big packet input") applied?
>
> Yes, unfortunately it doesn't fix the issue.
Ok.
Could you try the attached patch? There was a use-after-free. Without
it, I can indeed crash qemu with the given exploit. With it I don't
seem to be able to crash it (trying in a loop for several minutes).
Samuel
[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 828 bytes --]
diff --git a/src/ip_input.c b/src/ip_input.c
index 7364ce0..aa514ae 100644
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
*/
while (q != (struct ipasfrag *)&fp->frag_link &&
ip->ip_off + ip->ip_len > q->ipf_off) {
+ struct ipasfrag *prev;
i = (ip->ip_off + ip->ip_len) - q->ipf_off;
if (i < q->ipf_len) {
q->ipf_len -= i;
@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
m_adj(dtom(slirp, q), i);
break;
}
+ prev = q;
q = q->ipf_next;
- m_free(dtom(slirp, q->ipf_prev));
- ip_deq(q->ipf_prev);
+ ip_deq(prev);
+ m_free(dtom(slirp, prev));
}
insert:
next prev parent reply other threads:[~2019-08-25 22:55 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-22 14:41 [Qemu-devel] [PATCH 0/2] slirp: Fix heap buffer overflow during packet reassembly (CVE-2019-14378) Philippe Mathieu-Daudé
2019-08-22 14:41 ` [Qemu-devel] [PATCH 1/2] Do not reassemble fragments pointing outside of the original payload Philippe Mathieu-Daudé
2019-08-22 18:33 ` [Qemu-devel] [Slirp] " Samuel Thibault
2019-08-23 15:15 ` Philippe Mathieu-Daudé
2019-08-25 22:54 ` Samuel Thibault [this message]
2019-08-29 11:13 ` P J P
2019-08-29 15:43 ` Philippe Mathieu-Daudé
2019-08-29 15:53 ` Philippe Mathieu-Daudé
2019-08-29 16:00 ` Philippe Mathieu-Daudé
2019-08-22 14:41 ` [Qemu-devel] [RFC PATCH 2/2] Delay crash when mbufs are corrupted Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190825225403.vwg2fhfff6i7gnwd@function \
--to=samuel.thibault@gnu.org \
--cc=philmd@redhat.com \
--cc=pmatouse@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=slirp@lists.freedesktop.org \
--cc=vishnudevtj@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).