!43 Fix CVEs introduced by uIP

From: @wenchao-hao Reviewed-by: @volcanodragon Signed-off-by:
2021-02-22 21:21:00 +08:00 · 2021-02-22 21:21:00 +08:00 · 13b4ddfd79
commit 13b4ddfd79
parent 5400826ae9 77771bcf2e
4 changed files with 135 additions and 2 deletions
--- a/0020-check-for-header-length-underflow-during-checksum-ca.patch
+++ b/0020-check-for-header-length-underflow-during-checksum-ca.patch
@ -0,0 +1,33 @@
+From e2383973cbca64f8e17ed7c4ad98258edfed6644 Mon Sep 17 00:00:00 2001
+From: Chris Leech <cleech@redhat.com>
+Date: Tue, 10 Nov 2020 13:36:37 -0800
+Subject: [PATCH 1/4] check for header length underflow during checksum
+ calculation
+
+CVE-2020-13987
+---
+ iscsiuio/src/uip/uip.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index e2ce2cc..cfff43c 100644
+--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
+@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
+ 	tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
+ 
+ 	upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
+-			   tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
+			   tcp_ipv4_hdr->len[1]);
+	/* check for underflow from an invalid length field */
+	if (upper_layer_len < UIP_IPv4_H_LEN) {
+		/* return 0 as an invalid checksum */
+		return 0;
+	}
+	upper_layer_len -= UIP_IPv4_H_LEN;
+ 
+ 	/* First sum pseudoheader. */
+ 	/* IP protocol and length fields. This addition cannot carry. */
+-- 
+1.8.3.1
+
--- a/0021-check-for-u8-overflow-when-processing-TCP-options.patch
+++ b/0021-check-for-u8-overflow-when-processing-TCP-options.patch
@ -0,0 +1,56 @@
+From 1f7968efff15eb737eb086a298cc1f0f0e308411 Mon Sep 17 00:00:00 2001
+From: Chris Leech <cleech@redhat.com>
+Date: Tue, 10 Nov 2020 13:55:18 -0800
+Subject: [PATCH 2/4] check for u8 overflow when processing TCP options
+
+CVE-2020-13988
+---
+ iscsiuio/src/uip/uip.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index cfff43c..522fd9d 100644
+--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
+@@ -1795,16 +1795,18 @@ found_listen:
+ 			} else {
+ 				/* All other options have a length field, so
+ 				   that we easily can skip past them. */
+-				if (ustack->
+-				    uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
+-					    c] == 0) {
+				if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
+ 					/* If the length field is zero, the
+ 					   options are malformed
+ 					   and we don't process them further. */
+ 					break;
+ 				}
+-				c += ustack->uip_buf[uip_ip_tcph_len +
+-						     UIP_LLH_LEN + 1 + c];
+				if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
+					/* u8 overflow, actually there should
+					 * never be more than 40 bytes of options */
+					break;
+				}
+				c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
+ 			}
+ 		}
+ 	}
+@@ -2010,6 +2012,14 @@ found:
+ 							   further. */
+ 							break;
+ 						}
+						if ((ustack->uip_buf[uip_ip_tcph_len
+							  + UIP_LLH_LEN + 1 +
+							  c]) > (256 - c)) {
+							/* u8 overflow, actually there should
+							 * never be more than 40 bytes of
+							 * options */
+							break;
+						}
+ 						c += ustack->
+ 						    uip_buf[uip_ip_tcph_len +
+ 							    UIP_LLH_LEN + 1 +
+-- 
+1.8.3.1
+
--- a/0022-check-for-TCP-urgent-pointer-past-end-of-frame.patch
+++ b/0022-check-for-TCP-urgent-pointer-past-end-of-frame.patch
@ -0,0 +1,39 @@
+From d63ce0d64c5abe9f285f14ce394660bfb9a16538 Mon Sep 17 00:00:00 2001
+From: Chris Leech <cleech@redhat.com>
+Date: Tue, 10 Nov 2020 14:14:11 -0800
+Subject: [PATCH 3/4] check for TCP urgent pointer past end of frame
+
+CVE-2020-17437
+---
+ iscsiuio/src/uip/uip.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index 522fd9d..e0a7221 100644
+--- a/iscsiuio/src/uip/uip.c
+++ b/iscsiuio/src/uip/uip.c
+@@ -2095,11 +2095,16 @@ tcp_send_finack:
+ 		} else {
+ 			uip_urglen = 0;
+ #else /* UIP_URGDATA > 0 */
+-			ustack->uip_appdata =
+-			    ((char *)ustack->uip_appdata) +
+-			    ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
+-			ustack->uip_len -=
+-			    (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
+			if (tmp16 <= ustack->uip_len) {
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
+				ustack->uip_len -= tmp16;
+			} else {
+				/* invalid urgent pointer length greater than frame */
+				/* we're discarding urgent data anyway, throw it all out */
+				ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
+				ustack->uip_len = 0;
+			}
+ #endif /* UIP_URGDATA > 0 */
+ 		}
+ 
+-- 
+1.8.3.1
+
--- a/open-iscsi.spec
+++ b/open-iscsi.spec
@ -4,7 +4,7 @@

 Name:    open-iscsi
 Version: 2.1.1
-Release: 3
+Release: 4
 Summary: ISCSI software initiator daemon and utility programs
 License: GPLv2+ and BSD
 URL:     http://www.open-iscsi.org
@ -28,7 +28,9 @@ Patch16: 0016-iscsi-fix-fd-leak.patch
 Patch17: 0017-Fix-devel-without-node-header-files.patch
 Patch18: 0018-resolve-compilation-errors.patch
 Patch19: 0019-iscsid-Change-iscsid-service-PIDFile-to-run-iscsid.i.patch
-
+Patch20: 0020-check-for-header-length-underflow-during-checksum-ca.patch
+Patch21: 0021-check-for-u8-overflow-when-processing-TCP-options.patch
+Patch22: 0022-check-for-TCP-urgent-pointer-past-end-of-frame.patch

 BuildRequires: flex bison doxygen kmod-devel systemd-units gcc git isns-utils-devel systemd-devel
 BuildRequires: autoconf automake libtool libmount-devel openssl-devel pkg-config gdb
@ -162,6 +164,9 @@ fi
 %{_mandir}/man8/*

 %changelog
+* Tue Mon 22 2021 haowenchao <haowenchao@huawei.com> - 2.1.1-4
+- Fix CVE-2020-13987 CVE-2020-13988 CVE-2020-17437
+
 * Tue Dec 15 2020 haowenchao <haowenchao@huawei.com> - 2.1.1-3
 - Change iscsid service PIDFile to /run/iscsid.ipd
  The pid file has be changed from /var/run/iscsid.pid to