The vulnerability CVE-2019-14378 is well explained in [1]:
The bug is triggered when large IPv4 fragmented packets are
reassembled for processing.
For the NAT translation if the incoming packets are fragmented
they should be reassembled before they are edited and
re-transmitted.
This reassembly is done by the
ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) function.
ip contains the current IP packet data, fp is a link list
containing the fragmented packets.
ip_reass() does the following:
* If first fragment to arrive (fp==NULL), create a reassembly
queue and insert ip into this queue.
* Check if the fragment is overlapping with previous received
fragments, then discard it.
* If all the fragmented packets are received reassemble it.
Create header for new ip packet by modifying header of first
packet.
The bug is at the calculation of the variable delta. The code
assumes that the first fragmented packet will not be allocated in
the external buffer (m_ext). The calculation q - m->dat is valid
when the packet data is inside mbuf->m_dat (q will be inside m_dat)
(q is structure containing link list of fragments and packet data).
Otherwise if m_ext buffer was allocated, then q will be inside the
external buffer and the calculation of the delta will be wrong.
Later the newly calculated pointer q is converted into ip structure
and values are modified, Due to the wrong calculation of the delta,
ip will be pointing to incorrect location and ip_src and ip_dst can
be used to write controlled data onto the calculated location. This
may also crash qemu if the calculated ip is located in unmaped area.
Do not queue fragments pointing out of the original payload to avoid
to calculate the variable delta.
[1] https://vishnudevtj.github.io/notes/qemu-vm-escape-cve-2019-14378
Fixes: CVE-2019-14378
Reported-by: Vishnu Dev TJ <vishnude...@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
src/ip_input.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/ip_input.c b/src/ip_input.c
index 7364ce0..ee52085 100644
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -304,6 +304,19 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip,
struct ipq *fp)
ip_deq(q->ipf_prev);
}
+ /*
+ * If we received the first fragment, we know the original
+ * payload size. Verify fragments are within our payload.
+ */
+ for (q = fp->frag_link.next; q != (struct ipasfrag*)&fp->frag_link;
+ q = q->ipf_next) {
+ if (!q->ipf_off && q->ipf_len) {
+ if (ip->ip_off + ip->ip_len >= q->ipf_len) {
+ goto dropfrag;
+ }
+ }
+ }
+
insert:
/*
* Stick new segment in its place;
--
2.20.1
