Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
---
 ...09-totemcrypto-Check-length-of-the-packet.patch | 53 ++++++++++++++++++++++
 patches/series | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 patches/0009-totemcrypto-Check-length-of-the-packet.patch
diff --git a/patches/0009-totemcrypto-Check-length-of-the-packet.patch b/patches/0009-totemcrypto-Check-length-of-the-packet.patch
new file mode 100644
index 0000000..42650b8
--- /dev/null
+++ b/patches/0009-totemcrypto-Check-length-of-the-packet.patch
@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jan Friesse <jfrie...@redhat.com>
+Date: Mon, 19 Mar 2018 16:59:41 +0100
+Subject: [PATCH] totemcrypto: Check length of the packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Packet has to be longer than crypto_config_header and hash_len,
+otherwise unallocated memory is passed into calculate_nss_hash function,
+what may result in crash.
+
+Signed-off-by: Jan Friesse <jfrie...@redhat.com>
+Reviewed-by: Raphael Sanchez Prudencio <rasan...@redhat.com>
+Reviewed-by: Christine Caulfield <ccaul...@redhat.com>
+(cherry picked from commit fc1d5418533c1faf21616b282c2559bed7d361c4)
+Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
+---
+ exec/totemcrypto.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
+index a97ba62f..bf30ffc2 100644
+--- a/exec/totemcrypto.c
++++ b/exec/totemcrypto.c
+@@ -627,6 +627,11 @@ static int authenticate_nss_2_3 (
+ unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];
+ int datalen = *buf_len - hash_len[instance->crypto_hash_type];
+
++ if (*buf_len <= hash_len[instance->crypto_hash_type]) {
++ log_printf(instance->log_level_security, "Received message is too short... ignoring");
++ return -1;
++ }
++
+ if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
+ return -1;
+ }
+@@ -736,6 +741,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
+ {
+ struct crypto_config_header *cch = (struct crypto_config_header *)buf;
+
++ if (*buf_len <= sizeof(struct crypto_config_header)) {
++ log_printf(instance->log_level_security, "Received message is too short... ignoring");
++
++ return (-1);
++ }
++
+ if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
+ log_printf(instance->log_level_security,
+ "Incoming packet has different crypto type. Rejecting");
+--
+2.14.2
+
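Review bot: In `authenticate_nss_2_3` the new guard is placed after `int datalen = *buf_len - hash_len[instance->crypto_hash_type];` has already been evaluated, so the too-short length is subtracted before it is rejected; moving the assignment below the guard (`int datalen;` at the top, `datalen = *buf_len - hash_len[instance->crypto_hash_type];` right after the `}` of the new `if`) keeps the rejected path from ever holding an underflowed value and makes the check read as the precondition it is. The `int datalen` declaration suggests `*buf_len` is a signed int while `hash_len[]` and `sizeof(struct crypto_config_header)` are size_t, so both added `<=` comparisons promote `*buf_len` to unsigned and a negative length would slip past them; if any caller can hand in a negative length (the declaration of `buf_len` is outside the hunk), reject `*buf_len < 0` explicitly before these comparisons. The two guards are also independent, the outer one only reserving room for the config header and the inner one only for the hash, so a packet longer than each but shorter than their sum still reaches `calculate_nss_hash` with a `datalen` smaller than the header; whether the decrypt step after authentication tolerates that is not visible here and is worth confirming. Both rejections emit the identical text "Received message is too short... ignoring", so including the observed length and the minimum required in each message would let an operator tell the two cases apart when triaging a burst of malformed packets. Both enclosing functions begin and end outside the hunk.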
diff --git a/patches/series b/patches/series
index b6afd80..501b4f4 100644
--- a/patches/series
+++ b/patches/series
@@ -6,3 +6,4 @@
 0006-add-libcorosync4-pve-transitional-package.patch
 0007-only-start-corosync.service-if-conf-exists.patch
 0008-remove-unecessary-and-problematic-corosync-qdevice.i.patch
+0009-totemcrypto-Check-length-of-the-packet.patch
--
2.14.2
_______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel