Bug#535159: ser2net: fix use after in control port handling
* Marc Haber | 2009-07-03 11:25:40 [+0200]:
> > Can we please get this in lenny?
>
> If upstream plans to do a new release in a reasonably short timeframe, I'd prefer waiting for the release to stay in sync with upstream.

I remember that the security team denied this version for Lenny and you had no time to backport the fix. So I tried to help and backported it. Please find attached a patch including everything :)

I picked dpatch as you did in 2.6. Is it okay for proposed-updates?

> Greetings
> Marc

Sebastian

From d60aa6a9d26b49669e3fadb2fd9046f29b3d693a Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior sebast...@breakpoint.cc Date: Tue, 10 Aug 2010 21:39:45 +0200 Subject: [PATCH] Add fix for #535159 stable Signed-off-by: Sebastian Andrzej Siewior sebast...@breakpoint.cc --- debian/control |2 +- debian/patches/00list |1 + debian/patches/10-use_after_free-535159.dpatch | 67 debian/rules |1 + 4 files changed, 70 insertions(+), 1 deletions(-) create mode 100644 debian/patches/00list create mode 100644 debian/patches/10-use_after_free-535159.dpatch diff --git a/debian/control b/debian/control index 53cb26c..1fe3d63 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Marc Haber mh+debian-packa...@zugschlus.de Homepage: http://sourceforge.net/projects/ser2net Standards-Version: 3.7.2.2 -Build-Depends: cdbs (= 0.4.23-1.1), debhelper (= 5), libwrap0-dev +Build-Depends: cdbs (= 0.4.23-1.1), dpatch, debhelper (= 5), libwrap0-dev Package: ser2net Architecture: any diff --git a/debian/patches/00list b/debian/patches/00list new file mode 100644 index 000..ceb82f2 --- /dev/null +++ b/debian/patches/00list @@ -0,0 +1 @@ +10-use_after_free-535159 diff --git a/debian/patches/10-use_after_free-535159.dpatch b/debian/patches/10-use_after_free-535159.dpatch new file mode 100644 index 000..d6fee71 --- /dev/null +++ b/debian/patches/10-use_after_free-535159.dpatch
@@ -0,0 +1,67 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10-use_after_free-535159.dpatch by Sebastian Andrzej Siewior +## sebast...@breakpoint.cc +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix for use after free which leads to a segfault. +## DP: thanks to Sebastian Andrzej Siewior, #535159 + +...@dpatch@ +--- a/controller.c 2005/10/20 13:44:34 1.18 b/controller.c 2009/06/30 13:58:01 1.19 +@@ -550,17 +550,17 @@ + if (write_count == -1) { + if (errno == EINTR) { + /* EINTR means we were interrupted, just retry by returning. */ +- return; ++ goto out; + } + + if (errno == EAGAIN) { + /* This again was due to O_NONBLOCK, just ignore it. */ + } else if (errno == EPIPE) { +- shutdown_controller(cntlr); ++ goto out_fail; + } else { + /* Some other bad error. */ + syslog(LOG_ERR, The tcp write for controller had error: %m); +- shutdown_controller(cntlr); ++ goto out_fail; + } + } else { + int i, j; +@@ -572,7 +572,7 @@ + if (td-out_telnet_cmd_size != 0) + /* If we have more telnet command data to send, don't + send any real data. */ +- return; ++ goto out; + } + } + +@@ -583,11 +583,11 @@ + if (errno == EAGAIN) { + /* This again was due to O_NONBLOCK, just ignore it. */ + } else if (errno == EPIPE) { +- shutdown_controller(cntlr); ++ goto out_fail; + } else { + /* Some other bad error. */ + syslog(LOG_ERR, The tcp write for controller had error: %m); +- shutdown_controller(cntlr); ++ goto out_fail; + } + } else { + cntlr-outbuf_count -= write_count; +@@ -604,6 +604,11 @@ +SEL_FD_HANDLER_DISABLED); + } + } ++ out: ++return; ++ ++ out_fail: ++shutdown_controller(cntlr); + } + + /* Handle an exception from the TCP port. */ diff --git a/debian/rules b/debian/rules index 2003809..b69b1b3 100755 --- a/debian/rules +++ b/debian/rules 
@@ -5,5 +5,6 @@ # automatic debian/control generation disabled, cdbs bug #311724. +include /usr/share/cdbs/1/rules/dpatch.mk include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/autotools.mk -- 1.7.1
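Review bot: the `goto out_fail` rewrites in the controller.c hunks at @@ -550 and @@ -583 are only safe because the new `out_fail:` label added in the @@ -604 hunk is the last thing in the function: `shutdown_controller(cntlr)` frees cntlr, so no statement may follow it that touches cntlr, and anyone extending this function later has to keep that label last. The `goto out` in the @@ -572 hunk is a pure relabel of the existing `return`, and the EAGAIN branches keep falling through to the second write on purpose, since cntlr is still alive there. It would help to say in the `## DP:` lines that this is upstream's controller.c 1.18 -> 1.19 change (visible in the hunk's `---`/`+++` header) rather than the `return`-based patch from the original report, so the two variants can be told apart when 2.6 is packaged.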
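Review bot: debian/changelog is not part of this patch (the diffstat lists only debian/control, debian/patches/00list, the new .dpatch and debian/rules), so the proposed-updates upload still needs its changelog entry. The packaging hunks themselves are consistent: debian/control adds `dpatch` to Build-Depends, debian/rules includes `/usr/share/cdbs/1/rules/dpatch.mk`, and 00list names exactly the one new patch, `10-use_after_free-535159`.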
Bug#535159: ser2net: fix use after in control port handling
Done, sorry that took so long.

-corey

Sebastian Andrzej Siewior wrote:
> * Marc Haber | 2009-07-03 11:25:40 [+0200]:
> > On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
> > > upstream acked my patch and applied a similar one [0] to cvs.
> >
> > Has your discussion with upstream taken place on a public medium so that I can read up on it?
>
> He was on CC while I submitted the bug and replied privately, so no. However, an equivalent patch is in upstream's CVS, which looks like a kind of backup :)
>
> > > Can we please get this in lenny?
> >
> > If upstream plans to do a new release in a reasonably short timeframe, I'd prefer waiting for the release to stay in sync with upstream.
>
> That is reasonable. Corey: do you plan a release? :)
>
> > Greetings
> > Marc
>
> Sebastian

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#535159: ser2net: fix use after in control port handling
On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
> upstream acked my patch and applied a similar one [0] to cvs.

Has your discussion with upstream taken place on a public medium so that I can read up on it?

> Can we please get this in lenny?

If upstream plans to do a new release in a reasonably short timeframe, I'd prefer waiting for the release to stay in sync with upstream.

Greetings
Marc

--
- Marc Haber         | I don't trust Computers. They  | Mailadresse im Header
Mannheim, Germany    | lose things. Winona Ryder      | Fon: *49 621 72739834
Nordisch by Nature   | How to make an American Quilt  | Fax: *49 3221 2323190
Bug#535159: ser2net: fix use after in control port handling
* Marc Haber | 2009-07-03 11:25:40 [+0200]:
> On Thu, Jul 02, 2009 at 10:02:56PM +0200, Sebastian Andrzej Siewior wrote:
> > upstream acked my patch and applied a similar one [0] to cvs.
>
> Has your discussion with upstream taken place on a public medium so that I can read up on it?

He was on CC while I submitted the bug and replied privately, so no. However, an equivalent patch is in upstream's CVS, which looks like a kind of backup :)

> > Can we please get this in lenny?
>
> If upstream plans to do a new release in a reasonably short timeframe, I'd prefer waiting for the release to stay in sync with upstream.

That is reasonable. Corey: do you plan a release? :)

> Greetings
> Marc

Sebastian
Bug#535159: ser2net: fix use after in control port handling
tags 535159 + fixed-upstream
thanks

upstream acked my patch and applied a similar one [0] to cvs. Can we please get this in lenny?

[0] http://ser2net.cvs.sourceforge.net/viewvc/ser2net/ser2net/controller.c?r1=1.18r2=1.19

Sebastian
Bug#535159: ser2net: fix use after in control port handling
Package: ser2net
Version: 2.5-1
Severity: serious
tags: patch

ser2net provides a control port which may be (ab)used to cause a segfault via use after free. The write() handler may catch an error, free the controller struct and continue writing. This leads to another error (invalid fd) and a free cleanup process on de-allocated data. This is the segfault. The patch attached fixes the problem.

Sebastian

Subject: Fix use after free in controller

The controller will use its dynamically allocated data after it got free()'d in the error path. What we see in syslog is:
| Jun 30 10:26:38 consrv3 ser2net[3073]: read error for controller port: Connection reset by peer
| Jun 30 10:26:39 consrv3 ser2net[3073]: The tcp write for controller had error: Bad file descriptor

The first error is legal because the destination decided to close its socket a little earlier than expected. The second error is already bad because it tries to use an already deallocated fd. Later we segfault.

Signed-off-by: Sebastian Andrzej Siewior bige...@linutronix.de

Index: ser2net-2.5/controller.c === --- ser2net-2.5.orig/controller.c 2009-06-30 10:50:57.0 +0200 +++ ser2net-2.5/controller.c2009-06-30 10:52:28.0 +0200 @@ -557,10 +557,12 @@ /* This again was due to O_NONBLOCK, just ignore it. */ } else if (errno == EPIPE) { shutdown_controller(cntlr); + return; } else { /* Some other bad error. */ syslog(LOG_ERR, The tcp write for controller had error: %m); shutdown_controller(cntlr); + return; } } else { int i, j; @@ -584,10 +586,12 @@ /* This again was due to O_NONBLOCK, just ignore it. */ } else if (errno == EPIPE) { shutdown_controller(cntlr); + return; } else { /* Some other bad error. */ syslog(LOG_ERR, The tcp write for controller had error: %m); shutdown_controller(cntlr); + return; } } else { cntlr-outbuf_count -= write_count;
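Review bot: the `+ return;` after `shutdown_controller(cntlr)` is needed at both sites of the @@ -557 hunk (the EPIPE branch and the generic error branch) because shutdown_controller frees cntlr and, without the return, control falls into the second write further down the function, which is the "Bad file descriptor" syslog line quoted above and the later segfault; the two returns in the @@ -584 hunk close the matching error paths of that second write. The EAGAIN branch correctly keeps falling through, as cntlr is untouched there. A short comment at each added `return` noting that cntlr has been freed would stop a future change from placing code after the shutdown call again.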
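As an added example (not ser2net's code and not the patch above), the two control-flow shapes this report describes side by side: a handler that shuts the controller down and falls into the second write, and the fixed one that returns immediately. The struct, fake_write() and shutdown_ctrl() are constructed stand-ins; nothing is really free()d, so the after-shutdown access is counted instead of crashing.

```c
/* Added example (not ser2net code) modelling the controller write handler from
 * bug #535159.  All names are constructed; shutdown_ctrl() only flags state
 * instead of calling free(), so the after-shutdown access is observable. */
#include <errno.h>
typedef struct {
    int peer_closed;     /* constructed: peer already reset the connection */
    int pending;         /* constructed: bytes still queued for the peer */
    int shutdown_count;  /* times shutdown ran; ser2net free()s cntlr there */
    int used_after_free; /* set when the handler touches cntlr after shutdown */
} ctrl_t;

/* Stands in for write(): EPIPE on a closed peer, EBADF once the fd is gone. */
static int fake_write(const ctrl_t *c, int len) {
    if (c->shutdown_count) { errno = EBADF; return -1; }
    if (c->peer_closed)    { errno = EPIPE; return -1; }
    return len;
}

/* Stands in for shutdown_controller(cntlr), which in ser2net frees cntlr. */
static void shutdown_ctrl(ctrl_t *c) { c->shutdown_count++; }

/* Every read of cntlr goes through here so a use after shutdown is recorded. */
static int outbuf_count(ctrl_t *c) {
    if (c->shutdown_count) c->used_after_free = 1;
    return c->pending;
}

/* Vulnerable shape (ser2net 2.5): the error path shuts the controller down and
 * falls through into the second write, which still dereferences cntlr. */
static void handler_vulnerable(ctrl_t *c) {
    if (fake_write(c, outbuf_count(c)) == -1) {
        if (errno == EINTR) return;             /* interrupted: retry later */
        if (errno != EAGAIN) shutdown_ctrl(c);  /* EPIPE/other: no return here */
    }
    if (fake_write(c, outbuf_count(c)) == -1 && errno != EAGAIN)
        shutdown_ctrl(c);                       /* second shutdown of freed data */
}

/* Fixed shape (the patch in the report): return right after shutdown, so the
 * code below never sees the freed controller. */
static void handler_fixed(ctrl_t *c) {
    if (fake_write(c, outbuf_count(c)) == -1) {
        if (errno == EINTR) return;
        if (errno != EAGAIN) { shutdown_ctrl(c); return; }
    }
    if (fake_write(c, outbuf_count(c)) == -1 && errno != EAGAIN)
        shutdown_ctrl(c);                       /* last statement: nothing follows */
}
/* Constructed scenario for both handlers: peer already closed, 8 bytes pending. */
ctrl_t run_vulnerable(void) { ctrl_t c = {1, 8, 0, 0}; handler_vulnerable(&c); return c; }
ctrl_t run_fixed(void)      { ctrl_t c = {1, 8, 0, 0}; handler_fixed(&c); return c; }
```

The vulnerable run ends with used_after_free set and the controller shut down twice, mirroring the two syslog lines in the report; the fixed run shuts it down once and never touches it again.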