On Mon, 2020-07-20 at 15:48 -0700, Khem Raj wrote:
> On Mon, Jul 20, 2020 at 3:27 PM Julius Hemanth Pitti <
> [email protected]> wrote:
> >
> > netoprintf() was not handling a case where
> > return value of vsnprintf is greater than
> > "size"(2nd argument), results in buffer overflow
> > while adjusting "nfrontp" pointer to point
> > beyond "netobuf" buffer.
> >
> > Here is one such case where "nfrontp"
> > crossed boundaries of "netobuf", and
> > pointing to another global variable.
> >
> > (gdb) p &netobuf[8255]
> > $5 = 0x55c93afe8b1f <netobuf+8255> ""
> > (gdb) p nfrontp
> > $6 = 0x55c93afe8c20 <terminaltype> "\377"
> > (gdb) p &terminaltype
> > $7 = (char **) 0x55c93afe8c20 <terminaltype>
> > (gdb)
> >
> > This resulted in crash of telnetd service
> > with segmentation fault.
> >
>
> it seems like one. Can you also reproduce it with something like
> fedora ?
>
I looked at latest centos and ubuntu, their refactored code do not have this bug. > > Signed-off-by: Julius Hemanth Pitti <[email protected]> > > --- > > ....c-Fix-buffer-overflow-in-netoprintf.patch | 56 > > +++++++++++++++++++ > > .../netkit-telnet/netkit-telnet_0.17.bb | 1 + > > 2 files changed, 57 insertions(+) > > create mode 100644 meta-networking/recipes-netkit/netkit- > > telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in- > > netoprintf.patch > > > > diff --git a/meta-networking/recipes-netkit/netkit- > > telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in- > > netoprintf.patch b/meta-networking/recipes-netkit/netkit- > > telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in- > > netoprintf.patch > > new file mode 100644 > > index 000000000..8f983e40a > > --- /dev/null > > +++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001- > > telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch 
> > @@ -0,0 +1,56 @@ > > +From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 > > 2001 > > +From: Julius Hemanth Pitti <[email protected]> > > +Date: Tue, 14 Jul 2020 22:34:19 -0700 > > +Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in > > netoprintf > > + > > +As per man page of vsnprintf, when formated > > +string size is greater than "size"(2nd argument), > > +then vsnprintf returns size of formated string, > > +not "size"(2nd argument). > > + > > +netoprintf() was not handling a case where > > +return value of vsnprintf is greater than > > +"size"(2nd argument), results in buffer overflow > > +while adjusting "nfrontp" pointer to point > > +beyond "netobuf" buffer. > > + > > +Here is one such case where "nfrontp" > > +crossed boundaries of "netobuf", and > > +pointing to another global variable. > > + > > +(gdb) p &netobuf[8255] > > +$5 = 0x55c93afe8b1f <netobuf+8255> "" > > +(gdb) p nfrontp > > +$6 = 0x55c93afe8c20 <terminaltype> "\377" > > +(gdb) p &terminaltype > > +$7 = (char **) 0x55c93afe8c20 <terminaltype> > > +(gdb) > > + > > +This resulted in crash of telnetd service > > +with segmentation fault. > > + > > +Though this is DoS security bug, I couldn't > > +find any CVE ID for this. > > + > > +Upstream-Status: Pending > > + > > +Signed-off-by: Julius Hemanth Pitti <[email protected]> > > +--- > > + telnetd/utility.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/telnetd/utility.c b/telnetd/utility.c > > +index b9a46a6..4811f14 100644 > > +--- a/telnetd/utility.c > > ++++ b/telnetd/utility.c > > +@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) > > + len = vsnprintf(nfrontp, maxsize, fmt, ap); > > + va_end(ap); > > + > > +- if (len<0 || len==maxsize) { > > ++ if (len<0 || len>=maxsize) { > > + /* didn't fit */ > > + netflush(); > > + } > > +-- > > +2.19.1 
> > diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit- > > telnet_0.17.bb b/meta-networking/recipes-netkit/netkit- > > telnet/netkit-telnet_0.17.bb > > index 0e92add63..08dd532b6 100644 > > --- a/meta-networking/recipes-netkit/netkit-telnet/netkit- > > telnet_0.17.bb > > +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit- > > telnet_0.17.bb > > @@ -13,6 +13,7 @@ SRC_URI = " > > http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \ > > file://0001-telnet-telnetd-Fix-print-format- > > strings.patch \ > > file://0001-telnet-telnetd-Fix-deadlock-on- > > cleanup.patch \ > > file://CVE-2020-10188.patch \ > > + file://0001-telnetd-utility.c-Fix-buffer-overflow-in- > > netoprintf.patch \ > > " > > > > UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/" > > -- > > 2.19.1 > >
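Review bot: in the telnetd/utility.c hunk, changing the guard to "if (len<0 || len>=maxsize)" is the right test for C99 vsnprintf() (it returns the length the output would have had, so a value above maxsize is exactly the case the gdb session in the description shows), but the context stops at "netflush();", so what happens next is not visible: please confirm that after netflush() the vsnprintf() is redone into the emptied buffer rather than nfrontp still being advanced by the oversized len, and that a single message longer than the whole netobuf is rejected instead of making netflush() retry forever. Also in the patch description, "formated" should read "formatted" (two occurrences), and the Upstream-Status: Pending line should say where the patch was sent, since the reply in this thread notes that centos and ubuntu ship refactored code without this bug.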
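The vsnprintf() behaviour described in the quoted report, as an added example that is not netkit-telnet's code: a cut-down model of netoprintf() over a constructed 16-byte buffer (the real netobuf is much larger; old_didnt_fit, new_didnt_fit, append_with and offset_after are names introduced here) runs the original "len==maxsize" test and the patched "len>=maxsize" test side by side and reports where nfrontp ends up.

```c
/* Added example, not netkit-telnet's code: a cut-down model of telnetd's
 * netoprintf() with a constructed 16-byte buffer, showing why the vsnprintf()
 * return value must be tested with ">=" (the patched check) rather than "==". */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 16             /* constructed; the real netobuf is far larger */
static char netobuf[NETOBUF_SIZE];
static char *nfrontp = netobuf;     /* next free byte, as in telnetd */

/* Original check. C99 vsnprintf() returns the full would-be length on
 * truncation, which can exceed maxsize, so "==" misses that case. */
static int old_didnt_fit(int len, size_t maxsize)
{
    return len < 0 || (size_t)len == maxsize;
}

/* Patched check from the hunk: any len >= maxsize means the output was cut. */
static int new_didnt_fit(int len, size_t maxsize)
{
    return len < 0 || (size_t)len >= maxsize;
}

/* Simplified netoprintf(): format into the free space and, unless the check
 * says "didn't fit" (where telnetd would netflush(); this model drops the
 * output), advance nfrontp by len. Returns nfrontp's offset from netobuf. */
static int append_with(int (*didnt_fit)(int, size_t), const char *fmt, ...)
{
    va_list ap;
    size_t maxsize = sizeof(netobuf) - (size_t)(nfrontp - netobuf);
    int len;

    va_start(ap, fmt);
    len = vsnprintf(nfrontp, maxsize, fmt, ap);
    va_end(ap);

    if (!didnt_fit(len, maxsize))
        nfrontp += len;
    return (int)(nfrontp - netobuf);
}

/* Fresh buffer, one message; an offset above NETOBUF_SIZE means nfrontp escaped. */
static int offset_after(int (*didnt_fit)(int, size_t), const char *msg)
{
    nfrontp = netobuf;
    memset(netobuf, 0, sizeof netobuf);
    return append_with(didnt_fit, "%s", msg);
}
```

With a 20-character message the original check leaves nfrontp at offset 20, past the end of the 16-byte buffer, which is the pointer drift the gdb session above shows on the real netobuf; the patched check leaves it at 0.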
View/Reply Online (#85840): https://lists.openembedded.org/g/openembedded-devel/message/85840
