Backported from upstream. Contains a fix for CVE-2017-9445.

Signed-off-by: Clemens Gruber <clemens.gru...@pqgruber.com>
---
 .../systemd-233/0101-resolved-nullptr-bugfix.patch | 23 +++++++++++
 ...ed-simplify-alloc-size-calc-CVE-2017-9445.patch | 47 ++++++++++++++++++++++
 ...do-not-allocate-packets-with-minimum-size.patch | 44 ++++++++++++++++++++
 patches/systemd-233/series                         |  5 ++-
 4 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 patches/systemd-233/0101-resolved-nullptr-bugfix.patch
 create mode 100644 
patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
 create mode 100644 
patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch

diff --git a/patches/systemd-233/0101-resolved-nullptr-bugfix.patch 
b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
new file mode 100644
index 000000000..008771b8a
--- /dev/null
+++ b/patches/systemd-233/0101-resolved-nullptr-bugfix.patch
@@ -0,0 +1,23 @@
+From: Evgeny Vereshchagin <evv...@ya.ru>
+Date: Wed, 24 May 2017 08:56:48 +0300
+Subject: [PATCH] resolved: bugfix of null pointer p->question dereferencing 
(#6020)
+
+See https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
+---
+ src/resolve/resolved-dns-packet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-packet.c 
b/src/resolve/resolved-dns-packet.c
+index 652970284e..240ee448f4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const 
DnsResourceKey *key) {
+         if (r < 0)
+                 return r;
+ 
++        if (!p->question)
++                return 0;
++
+         if (p->question->n_keys != 1)
+                 return 0;
+ 
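Review bot: The added `if (!p->question) return 0;` in dns_packet_is_reply_for() has no comment saying when p->question can still be NULL after the preceding call returned r >= 0. That call sits above the hunk, so the condition cannot be confirmed from here. A one-line comment such as `/* no question section: cannot be a reply to key */` would record the intent. Since the patch subject describes a NULL dereference of p->question, it is also worth checking the other users of p->question in resolved-dns-packet.c for the same assumption.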
diff --git 
a/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
 
b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
new file mode 100644
index 000000000..444d8c005
--- /dev/null
+++ 
b/patches/systemd-233/0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
@@ -0,0 +1,47 @@
+From: Zbigniew Jedrzejewski-Szmek <zbys...@in.waw.pl>
+Date: Sun, 18 Jun 2017 16:07:57 -0400
+Subject: [PATCH] resolved: simplify alloc size calculation
+
+The allocation size was calculated in a complicated way, and for values
+close to the page size we would actually allocate less than requested.
+
+Reported by Chris Coulson <chris.coul...@canonical.com>.
+
+CVE-2017-9445
+---
+ src/resolve/resolved-dns-packet.c | 8 +-------
+ src/resolve/resolved-dns-packet.h | 2 --
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c 
b/src/resolve/resolved-dns-packet.c
+index 240ee448f4..821b66e266 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, 
size_t mtu) {
+ 
+         assert(ret);
+ 
+-        if (mtu <= UDP_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_SIZE_START;
+-        else
+-                a = mtu - UDP_PACKET_HEADER_SIZE;
+-
+-        if (a < DNS_PACKET_HEADER_SIZE)
+-                a = DNS_PACKET_HEADER_SIZE;
++        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - 
ALIGN(sizeof(DnsPacket));
+diff --git a/src/resolve/resolved-dns-packet.h 
b/src/resolve/resolved-dns-packet.h
+index 2c92392e4d..3abcaf8cf3 100644
+--- a/src/resolve/resolved-dns-packet.h
++++ b/src/resolve/resolved-dns-packet.h
+@@ -66,8 +66,6 @@ struct DnsPacketHeader {
+ /* With EDNS0 we can use larger packets, default to 4096, which is what is 
commonly used */
+ #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096
+ 
+-#define DNS_PACKET_SIZE_START 512
+-
+ struct DnsPacket {
+         int n_ref;
+         DnsProtocol protocol;
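Review bot: The new `a = MAX(mtu, DNS_PACKET_HEADER_SIZE);` in dns_packet_new() carries no comment stating the invariant this fix restores, which per the patch description is that the allocation must not be smaller than what was requested. I would add `/* never size the payload below the requested mtu (CVE-2017-9445) */` above it so that later edits do not reintroduce a subtraction. The round-up on the next line adds `ALIGN(sizeof(DnsPacket))` to `a` with no wraparound check, and the rest of the function is outside the hunk. It should therefore be confirmed that callers bound mtu and that nothing after the round-up can bring `a` back below mtu.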
diff --git 
a/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
 
b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
new file mode 100644
index 000000000..e7a3ca218
--- /dev/null
+++ 
b/patches/systemd-233/0103-resolved-do-not-allocate-packets-with-minimum-size.patch
@@ -0,0 +1,44 @@
+From: Zbigniew Jedrzejewski-Szmek <zbys...@in.waw.pl>
+Date: Tue, 27 Jun 2017 14:20:00 -0400
+Subject: [PATCH] resolved: do not allocate packets with minimum size
+
+dns_packet_new() is sometimes called with mtu == 0, and in that case we should
+allocate more than the absolute minimum (which is the dns packet header size),
+otherwise we have to resize immediately again after appending the first data to
+the packet.
+
+This partially reverts the previous commit.
+---
+ src/resolve/resolved-dns-packet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c 
b/src/resolve/resolved-dns-packet.c
+index 821b66e266..d1f0f760a4 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -28,6 +28,9 @@
+ 
+ #define EDNS0_OPT_DO (1<<15)
+ 
++#define DNS_PACKET_SIZE_START 512
++assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)
++
+ typedef struct DnsPacketRewinder {
+         DnsPacket *packet;
+         size_t saved_rindex;
+@@ -47,7 +50,14 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, 
size_t mtu) {
+ 
+         assert(ret);
+ 
+-        a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
++        /* When dns_packet_new() is called with mtu == 0, allocate more than 
the
++         * absolute minimum (which is the dns packet header size), to avoid
++         * resizing immediately again after appending the first data to the 
packet.
++         */
++        if (mtu < UDP_PACKET_HEADER_SIZE)
++                a = DNS_PACKET_SIZE_START;
++        else
++                a = MAX(mtu, DNS_PACKET_HEADER_SIZE);
+ 
+         /* round up to next page size */
+         a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - 
ALIGN(sizeof(DnsPacket));
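Review bot: The comment added in dns_packet_new() speaks only of mtu == 0, while the condition `mtu < UDP_PACKET_HEADER_SIZE` takes the DNS_PACKET_SIZE_START path for every smaller value as well. Because this patch partially reverts the CVE-2017-9445 change, the comment should also say why that branch cannot under-allocate. The guarantee comes from the `assert_cc(DNS_PACKET_SIZE_START > UDP_PACKET_HEADER_SIZE)` added near the top of the file, so a line such as `/* mtu < UDP_PACKET_HEADER_SIZE < DNS_PACKET_SIZE_START, so a >= mtu still holds */` would tie the two together. The assert_cc line has no trailing semicolon, which is fine only if the macro supplies its own terminator; that is not visible here. The function body continues outside the hunk.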
diff --git a/patches/systemd-233/series b/patches/systemd-233/series
index 2f3aa9542..383f6b7a9 100644
--- a/patches/systemd-233/series
+++ b/patches/systemd-233/series
@@ -15,4 +15,7 @@
 0012-missing-define-PR_SET_MM.patch
 #tag:upstream --start-number 100
 0100-nss-resolve-drop-the-internal-fallback.patch
-# aeeb8c856cfb6320185a980e3f2b37ec  - git-ptx-patches magic
+0101-resolved-nullptr-bugfix.patch
+0102-resolved-simplify-alloc-size-calc-CVE-2017-9445.patch
+0103-resolved-do-not-allocate-packets-with-minimum-size.patch
+# 0a64b15822c13fe6cb3238c014ea9934  - git-ptx-patches magic
-- 
2.13.2

