From 209f42fd3a5f4357e22fb72f1597a6868566aabd Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Sat, 21 Oct 2017 21:12:59 +0200 Subject: [PATCH] musl: add upstream security fix for CVE-2017-15650 >From the upstream announcement: http://www.openwall.com/lists/oss-security/2017/10/19/5 Felix Wilhelm has discovered a flaw in the dns response parsing for musl libc 1.1.16 that leads to overflow of a stack-based buffer. Earlier versions are also affected. When an application makes a request via getaddrinfo for both IPv4 and IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the nameservers configured in resolv.conf can reply to both the A and AAAA queries with A results. Since A records are smaller than AAAA records, it's possible to fit more addresses than the precomputed bound, and a buffer overflow occurs. Signed-off-by: Peter Korsgaard --- ...allback-enforce-MAXADDRS-to-preclude.patch | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch diff --git a/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch b/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch new file mode 100644 index 0000000000..c6b5ef26b4 --- /dev/null +++ b/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch @@ -0,0 +1,35 @@ +From 45ca5d3fcb6f874bf5ba55d0e9651cef68515395 Mon Sep 17 00:00:00 2001 +From: Rich Felker +Date: Wed, 18 Oct 2017 14:50:03 -0400 +Subject: [PATCH] in dns parsing callback, enforce MAXADDRS to preclude + overflow + +MAXADDRS was chosen not to need enforcement, but the logic used to +compute it assumes the answers received match the RR types of the +queries. specifically, it assumes that only one replu contains A +record answers. if the replies to both the A and the AAAA query have +their answer sections filled with A records, MAXADDRS can be exceeded +and clobber the stack of the calling function. + +this bug was found and reported by Felix Wilhelm. + +Signed-off-by: Peter Korsgaard +--- + src/network/lookup_name.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c +index 066be4d5..209c20f0 100644 +--- a/src/network/lookup_name.c ++++ b/src/network/lookup_name.c +@@ -111,6 +111,7 @@ static int dns_parse_callback(void *c, int rr, const void *data, int len, const + { + char tmp[256]; + struct dpc_ctx *ctx = c; ++ if (ctx->cnt >= MAXADDRS) return -1; + switch (rr) { + case RR_A: + if (len != 4) return -1; +-- +2.11.0 +