Bug#535159: ser2net: fix use after in control port handling

2010-08-10 Thread Sebastian Andrzej Siewior
* Marc Haber | 2009-07-03 11:25:40 [+0200]:

>> Can we please get this in lenny?
>
> If upstream plans to do a new release in a reasonably short timeframe,
> I'd prefer waiting for the release to stay in sync with upstream.

I remember that the security team denied this version for Lenny and you
had no time to backport the fix. So I tried to help and backported it.
Please find attached a patch including everything :) I picked dpatch as
you did in 2.6. Is it okay for proposed-updates?

> Greetings
> Marc

Sebastian
From d60aa6a9d26b49669e3fadb2fd9046f29b3d693a Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior sebast...@breakpoint.cc
Date: Tue, 10 Aug 2010 21:39:45 +0200
Subject: [PATCH] Add fix for #535159 stable

Signed-off-by: Sebastian Andrzej Siewior sebast...@breakpoint.cc
---
 debian/control |2 +-
 debian/patches/00list  |1 +
 debian/patches/10-use_after_free-535159.dpatch |   67 
 debian/rules   |1 +
 4 files changed, 70 insertions(+), 1 deletions(-)
 create mode 100644 debian/patches/00list
 create mode 100644 debian/patches/10-use_after_free-535159.dpatch

diff --git a/debian/control b/debian/control
index 53cb26c..1fe3d63 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Marc Haber mh+debian-packa...@zugschlus.de
 Homepage: http://sourceforge.net/projects/ser2net
 Standards-Version: 3.7.2.2
-Build-Depends: cdbs (= 0.4.23-1.1), debhelper (= 5), libwrap0-dev
+Build-Depends: cdbs (= 0.4.23-1.1), dpatch, debhelper (= 5), libwrap0-dev
 
 Package: ser2net
 Architecture: any
diff --git a/debian/patches/00list b/debian/patches/00list
new file mode 100644
index 000..ceb82f2
--- /dev/null
+++ b/debian/patches/00list
@@ -0,0 +1 @@
+10-use_after_free-535159
diff --git a/debian/patches/10-use_after_free-535159.dpatch 
b/debian/patches/10-use_after_free-535159.dpatch
new file mode 100644
index 000..d6fee71
--- /dev/null
+++ b/debian/patches/10-use_after_free-535159.dpatch
@@ -0,0 +1,67 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10-use_after_free-535159.dpatch by Sebastian Andrzej Siewior
+## sebast...@breakpoint.cc
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix for use after free which leads to a segfault.
+## DP: thanks to Sebastian Andrzej Siewior, #535159
+
+...@dpatch@
+--- a/controller.c 2005/10/20 13:44:34 1.18
 b/controller.c 2009/06/30 13:58:01 1.19
+@@ -550,17 +550,17 @@
+   if (write_count == -1) {
+   if (errno == EINTR) {
+   /* EINTR means we were interrupted, just retry by returning. */
+-  return;
++  goto out;
+   }
+ 
+   if (errno == EAGAIN) {
+   /* This again was due to O_NONBLOCK, just ignore it. */
+   } else if (errno == EPIPE) {
+-  shutdown_controller(cntlr);
++  goto out_fail;
+   } else {
+   /* Some other bad error. */
+   syslog(LOG_ERR, The tcp write for controller had error: %m);
+-  shutdown_controller(cntlr);
++  goto out_fail;
+   }
+   } else {
+   int i, j;
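Review bot: the `goto out_fail` replacing `shutdown_controller(cntlr)` in the EPIPE and default branches is the actual fix: `shutdown_controller()` frees the controller, and the old code then fell out of this `if` into the second write further down, which hit the closed fd (the "Bad file descriptor" line in the report) and tore the controller down a second time. Worth a comment that the EAGAIN branch stays an empty body and still falls through to the later write; that is pre-existing behaviour this hunk does not change. The `goto out` for EINTR is only a relabeling of the old `return`.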
+@@ -572,7 +572,7 @@
+   if (td-out_telnet_cmd_size != 0)
+   /* If we have more telnet command data to send, don't
+  send any real data. */
+-  return;
++  goto out;
+   }
+ }
+ 
+@@ -583,11 +583,11 @@
+   if (errno == EAGAIN) {
+   /* This again was due to O_NONBLOCK, just ignore it. */
+   } else if (errno == EPIPE) {
+-  shutdown_controller(cntlr);
++  goto out_fail;
+   } else {
+   /* Some other bad error. */
+   syslog(LOG_ERR, The tcp write for controller had error: %m);
+-  shutdown_controller(cntlr);
++  goto out_fail;
+   }
+ } else {
+   cntlr-outbuf_count -= write_count;
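Review bot: same treatment as the first block, and keeping the `syslog(LOG_ERR, ... %m)` ahead of `goto out_fail` is right: this is the call that produced the "Bad file descriptor" message in the report, and once the first block no longer falls through it should only fire on a genuine failure of this write. A one-line comment on the empty EAGAIN body would make the intentional fall-through obvious to the next reader.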
+@@ -604,6 +604,11 @@
+SEL_FD_HANDLER_DISABLED);
+   }
+ }
++ out:
++return;
++
++ out_fail:
++shutdown_controller(cntlr);
+ }
+ 
+ /* Handle an exception from the TCP port. */
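Review bot: `out:` is followed by a bare `return;` and only then `out_fail:`, so normal exits cannot drop into the tear-down; that ordering deserves a comment, because a later edit that removes the `return` would turn every successful return into a shutdown. With `shutdown_controller(cntlr);` as the last statement before the closing brace, `cntlr` is not touched after it is freed, which is exactly the property the report asked for. Since `out:` does nothing but return, a plain `return` at the call sites would read the same; the label is fine but not necessary.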
diff --git a/debian/rules b/debian/rules
index 2003809..b69b1b3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,5 +5,6 @@
 
 # automatic debian/control generation disabled, cdbs bug #311724.
 
+include /usr/share/cdbs/1/rules/dpatch.mk
 include /usr/share/cdbs/1/rules/debhelper.mk
 include /usr/share/cdbs/1/class/autotools.mk
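Review bot: debian/changelog is not part of this series (the diffstat lists only debian/control, debian/patches/00list, the new dpatch and debian/rules), so as posted the package still carries the unchanged version and no `Closes: #535159` entry; a stable upload via proposed-updates needs a changelog entry with the new version and the bug closer. The dpatch.mk include itself is matched by the `dpatch` added to Build-Depends in the control hunk.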
-- 
1.7.1



Bug#535159: ser2net: fix use after in control port handling

2009-07-15 Thread Corey Minyard

Done, sorry that took so long.

-corey

Sebastian Andrzej Siewior wrote:
> * Marc Haber | 2009-07-03 11:25:40 [+0200]:
>
>> On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
>>> upstream acked my patch and applied a similar one [0] to cvs.
>>
>> Has your discussion with upstream taken place on a public medium so
>> that I can read up on it?
>
> He was on CC while I submitted the bug and replied privately, so no.
> However, an equivalent patch is in upstream's CVS, which looks like a kind
> of backup :)
>
>>> Can we please get this in lenny?
>>
>> If upstream plans to do a new release in a reasonably short timeframe,
>> I'd prefer waiting for the release to stay in sync with upstream.
>
> That is reasonable.
> Corey: do you plan a release? :)
>
>> Greetings
>> Marc
>
> Sebastian


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#535159: ser2net: fix use after in control port handling

2009-07-03 Thread Marc Haber
On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
> upstream acked my patch and applied a similar one [0] to cvs.

Has your discussion with upstream taken place on a public medium so
that I can read up on it?

> Can we please get this in lenny?

If upstream plans to do a new release in a reasonably short timeframe,
I'd prefer waiting for the release to stay in sync with upstream.

Greetings
Marc

-- 
-
Marc Haber | I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things.Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190






Bug#535159: ser2net: fix use after in control port handling

2009-07-03 Thread Sebastian Andrzej Siewior
* Marc Haber | 2009-07-03 11:25:40 [+0200]:

> On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
>> upstream acked my patch and applied a similar one [0] to cvs.
>
> Has your discussion with upstream taken place on a public medium so
> that I can read up on it?

He was on CC while I submitted the bug and replied privately, so no.
However, an equivalent patch is in upstream's CVS, which looks like a kind
of backup :)

>> Can we please get this in lenny?
>
> If upstream plans to do a new release in a reasonably short timeframe,
> I'd prefer waiting for the release to stay in sync with upstream.

That is reasonable.
Corey: do you plan a release? :)

> Greetings
> Marc


Sebastian






Bug#535159: ser2net: fix use after in control port handling

2009-07-02 Thread Sebastian Andrzej Siewior
tags 535159 + fixed-upstream
thanks

upstream acked my patch and applied a similar one [0] to cvs.
Can we please get this in lenny?

[0] http://ser2net.cvs.sourceforge.net/viewvc/ser2net/ser2net/controller.c?r1=1.18&r2=1.19

Sebastian






Bug#535159: ser2net: fix use after in control port handling

2009-06-30 Thread Sebastian Andrzej Siewior
Package: ser2net
Version: 2.5-1
Severity: serious
tags: patch

ser2net provides a control port which may be (ab)used to cause a segfault via
a use after free. The write() handler may catch an error, free the
controller struct and continue writing. This leads to another error
(invalid fd) and a free & cleanup process on de-allocated data. This is
the segfault.

The patch attached fixes the problem.

Sebastian
Subject: Fix use after free in controller

The controller will use its dynamically allocated data after it got free()d
in the error path. What we see in syslog is:

| Jun 30 10:26:38 consrv3 ser2net[3073]: read error for controller port: Connection reset by peer
| Jun 30 10:26:39 consrv3 ser2net[3073]: The tcp write for controller had error: Bad file descriptor

The first error is legal because the destination decided to close its
socket a little earlier than expected. The second error is already bad
because it tries to use an already deallocated fd. Later we segfault.

Signed-off-by: Sebastian Andrzej Siewior bige...@linutronix.de
Index: ser2net-2.5/controller.c
===
--- ser2net-2.5.orig/controller.c   2009-06-30 10:50:57.0 +0200
+++ ser2net-2.5/controller.c2009-06-30 10:52:28.0 +0200
@@ -557,10 +557,12 @@
/* This again was due to O_NONBLOCK, just ignore it. */
} else if (errno == EPIPE) {
shutdown_controller(cntlr);
+   return;
} else {
/* Some other bad error. */
syslog(LOG_ERR, The tcp write for controller had error: %m);
shutdown_controller(cntlr);
+   return;
}
} else {
int i, j;
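Review bot: the `return;` after each `shutdown_controller(cntlr);` is the minimal correct fix as far as this hunk shows: `shutdown_controller()` frees `cntlr`, and without the return the code dropped out of this block into the second write on the freed controller, giving the "Bad file descriptor" line quoted in the commit message. Style point: the EPIPE and default branches now differ only in the `syslog()`, so `if (errno != EPIPE) syslog(...); shutdown_controller(cntlr); return;` would leave one exit path instead of two to keep in sync; the dpatch at the top of this thread goes a step further and funnels all failures to a single `out_fail:` label. The same applies to the second write in the next hunk.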
@@ -584,10 +586,12 @@
/* This again was due to O_NONBLOCK, just ignore it. */
} else if (errno == EPIPE) {
shutdown_controller(cntlr);
+   return;
} else {
/* Some other bad error. */
syslog(LOG_ERR, The tcp write for controller had error: %m);
shutdown_controller(cntlr);
+   return;
}
 } else {
cntlr-outbuf_count -= write_count;
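The fall-through the report describes, as an added example that is not ser2net's code: a constructed model of the controller write handler with a scripted write() stand-in, the 2.5-shaped handler next to one shaped like the goto-based upstream fix carried in the dpatch at the top of this thread. `struct controller`, its field names, `fake_write`, `LOG_WRITE_ERR` and `run_scenario` are assumptions made for the example; `shutdown_controller` poisons the struct instead of freeing it so the double tear-down shows up as a counter rather than a crash.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of ser2net 2.5's controller write handler as described in
 * the report (example code, not ser2net's; the names are assumptions). */
struct controller {
    int fd;                  /* -1 once torn down (stands in for close + free) */
    int telnet_cmd_pending;  /* telnet command bytes still to send: first write */
    int outbuf_count;        /* real data bytes still to send: second write */
    int shutdown_calls;      /* instrumentation: tear-downs of this controller */
    int use_after_shutdown;  /* instrumentation: writes attempted after tear-down */
};

/* Scripted stand-in for write(2): one entry per call, negative meaning -errno;
 * once the script is used up the write simply succeeds. */
static int script[8], script_n, script_pos;

static int fake_write(struct controller *c, int len)
{
    if (c->fd < 0) { c->use_after_shutdown++; errno = EBADF; return -1; } /* closed fd */
    if (script_pos >= script_n) return len;
    int r = script[script_pos++];
    if (r < 0) { errno = -r; return -1; }
    return r;
}

/* Real ser2net closes the socket and free()s c; poisoning instead makes a
 * double tear-down countable rather than a crash. */
static void shutdown_controller(struct controller *c)
{
    c->shutdown_calls++;
    c->fd = -1;
}

#define LOG_WRITE_ERR() \
    fprintf(stderr, "The tcp write for controller had error: %s\n", strerror(errno))

/* Shape of the 2.5 code: EPIPE/other branches tear down, then fall through. */
static void handler_vulnerable(struct controller *c)
{
    int n;
    if (c->telnet_cmd_pending) {
        n = fake_write(c, c->telnet_cmd_pending);
        if (n == -1 && errno == EINTR) return;
        if (n == -1 && errno != EAGAIN) {
            if (errno != EPIPE) LOG_WRITE_ERR();
            shutdown_controller(c);            /* c is freed from here on... */
        } else if (n > 0 && (c->telnet_cmd_pending -= n) != 0) {
            return;                            /* more telnet data comes first */
        }
    }                                          /* ...yet execution continues */
    n = fake_write(c, c->outbuf_count);        /* 1st use after free: EBADF */
    if (n == -1 && errno != EAGAIN) {
        if (errno != EPIPE) LOG_WRITE_ERR();   /* "Bad file descriptor" */
        shutdown_controller(c);                /* 2nd: double free, the segfault */
    } else if (n > 0) c->outbuf_count -= n;
}

/* Shape of the upstream fix (controller.c 1.19): every failure jumps to one
 * label where the tear-down is the final statement of the function. */
static void handler_fixed(struct controller *c)
{
    int n;
    if (c->telnet_cmd_pending) {
        n = fake_write(c, c->telnet_cmd_pending);
        if (n == -1 && errno == EINTR) goto out;
        if (n == -1 && errno != EAGAIN) {
            if (errno != EPIPE) LOG_WRITE_ERR();
            goto out_fail;
        } else if (n > 0 && (c->telnet_cmd_pending -= n) != 0) {
            goto out;
        }
    }
    n = fake_write(c, c->outbuf_count);
    if (n == -1 && errno != EAGAIN) {
        if (errno != EPIPE) LOG_WRITE_ERR();
        goto out_fail;
    } else if (n > 0) c->outbuf_count -= n;
 out:
    return;
 out_fail:
    shutdown_controller(c);                    /* last statement: c is never used after it */
}

/* Run one handler against a write script and hand back the instrumented
 * controller; the peer-reset case from the report is a single -EPIPE. */
static struct controller run_scenario(void (*handler)(struct controller *), const int *results, int n)
{
    struct controller c = { .fd = 7, .telnet_cmd_pending = 3, .outbuf_count = 10 };
    memcpy(script, results, n * sizeof *results); script_n = n; script_pos = 0;
    handler(&c);
    return c;
}

int main(void)
{
    int reset[] = { -EPIPE };                  /* peer reset: first write gets EPIPE */
    struct controller v = run_scenario(handler_vulnerable, reset, 1), f = run_scenario(handler_fixed, reset, 1);
    printf("vulnerable: %d tear-downs, %d writes after tear-down\n", v.shutdown_calls, v.use_after_shutdown);
    printf("fixed: %d tear-downs, %d writes after tear-down\n", f.shutdown_calls, f.use_after_shutdown);
    return 0;
}
```

With a script of a single -EPIPE the vulnerable handler reproduces the report's sequence: the first write fails, the controller is torn down, the second write runs on the closed fd and is logged as "Bad file descriptor", and the controller is torn down again. The fixed handler reaches `shutdown_controller` exactly once, and a clean script (both writes succeed) leaves both handlers with nothing torn down.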