From 59c43205f13c0e61b44eb42ffbf2af6cbfd3e6c0 Mon Sep 17 00:00:00 2001 From: Zhixiong Chi Date: Thu, 4 Jan 2018 02:52:14 -0800 Subject: iscsi-initiator-utils: CVE-2017-17840 Backport CVE patches from the github upstream: https://github.com/open-iscsi/open-iscsi commit as follows: e313bd648a4c8a9526421e270eb597a5de1e0c7f b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea be58eed849f5457bb49b79e94aa6a26971ba6deb 5504053cc08df38d8d85032fa1691e363dfcfb92 85f647c4300a888bb6cbc27f33138549cab617e3 a7a96131bd2ea342f6def0e46be514baf8037ae8 59ede2cf4eee8729a4221000a5d1ecdd312a31ac https://nvd.nist.gov/vuln/detail/CVE-2017-17840 A local attacker can cause the iscsiuio server to abort or potentially execute code by sending messages with incorrect lengths, which (due to lack of checking) can lead to buffer overflows, and result in aborts (with overflow checking enabled) or code execution. The process_iscsid_broadcast function in iscsiuio/src/unix/iscsid_ipc.c does not validate the payload length before a write operation Signed-off-by: Zhixiong Chi Signed-off-by: Armin Kuster Signed-off-by: Joe MacDonald (cherry picked from commit fdd3c62df9f4cb4e263aca4ab426ae9f88b29912) Signed-off-by: Armin Kuster --- ...ck-iscsiuio-ping-data-length-for-validity.patch | 64 ++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch (limited to 'meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch') diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch new file mode 100644 index 0000000000..c63c0a8d56 --- /dev/null +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/files/0007-Check-iscsiuio-ping-data-length-for-validity.patch @@ -0,0 +1,64 @@ +From 5df60ad8b22194391af34c1a7e54776b0372ffed Mon Sep 17 00:00:00 2001 +From: Lee Duncan +Date: Fri, 15 Dec 2017 11:21:15 -0800 +Subject: [PATCH 7/7] Check iscsiuio ping data length for validity + +We do not trust that the received ping packet data length +is correct, so sanity check it. Found by Qualsys. + +CVE: CVE-2017-17840 + +Upstream-Status: Backport + +Signed-off-by: Zhixiong Chi +--- + iscsiuio/src/unix/iscsid_ipc.c | 5 +++++ + iscsiuio/src/unix/packet.c | 2 +- + iscsiuio/src/unix/packet.h | 2 ++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/iscsiuio/src/unix/iscsid_ipc.c b/iscsiuio/src/unix/iscsid_ipc.c +index 85742da..a2caacc 100644 +--- a/iscsiuio/src/unix/iscsid_ipc.c ++++ b/iscsiuio/src/unix/iscsid_ipc.c +@@ -333,6 +333,11 @@ static void *perform_ping(void *arg) + + data = (iscsid_uip_broadcast_t *)png_c->data; + datalen = data->u.ping_rec.datalen; ++ if ((datalen > STD_MTU_SIZE) || (datalen < 0)) { ++ LOG_ERR(PFX "Ping datalen invalid: %d", datalen); ++ rc = -EINVAL; ++ goto ping_done; ++ } + + memset(dst_addr, 0, sizeof(uip_ip6addr_t)); + if (nic_iface->protocol == AF_INET) { +diff --git a/iscsiuio/src/unix/packet.c b/iscsiuio/src/unix/packet.c +index ecea09b..3ce2c6b 100644 +--- a/iscsiuio/src/unix/packet.c ++++ b/iscsiuio/src/unix/packet.c +@@ -112,7 +112,7 @@ int alloc_free_queue(nic_t *nic, size_t num_of_packets) + for (i = 0; i < num_of_packets; i++) { + packet_t *pkt; + +- pkt = alloc_packet(1500, 1500); ++ pkt = alloc_packet(STD_MTU_SIZE, STD_MTU_SIZE); + if (pkt == NULL) { + goto done; + } +diff --git a/iscsiuio/src/unix/packet.h b/iscsiuio/src/unix/packet.h +index b63d688..19d1db9 100644 +--- a/iscsiuio/src/unix/packet.h ++++ b/iscsiuio/src/unix/packet.h +@@ -43,6 +43,8 @@ + + #include "nic.h" + ++#define STD_MTU_SIZE 1500 ++ + struct nic; + struct nic_interface; + +-- +1.9.1 + -- cgit 1.2.3-korg