From 66d3427dc8980dd310b5fb5857c3253e7ce04e1e Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Sep 2021 10:59:07 +0800
Subject: [PATCH] fix CVE-2021-3570

(cherry picked from commit b97b875c15cf4ab6bcb79e3d7a9ac76fdb433f91)
---
 CVE-2021-3570.patch | 91 +++++++++++++++++++++++++++++++++++++++++++++
 linuxptp.spec | 6 ++-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3570.patch

diff --git a/CVE-2021-3570.patch b/CVE-2021-3570.patch
new file mode 100644
index 0000000..e868972
--- /dev/null
+++ b/CVE-2021-3570.patch
@@ -0,0 +1,91 @@
+From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001
+From: Richard Cochran
+Date: Sat, 17 Apr 2021 15:15:18 -0700
+Subject: [PATCH] Validate the messageLength field of incoming messages.
+
+The PTP messageLength field is redundant because the length of a PTP
+message is precisely determined by the message type and the appended
+TLVs. The current implementation validates the sizes of both the main
+message (according to the fixed header length and fixed length by
+type) and the TLVs (by using the 'L' of the TLV).
+
+However, when forwarding a message, the messageLength field is used.
+If a message arrives with a messageLength field larger than the actual
+message size, the code will read and possibly write data beyond the
+allocated buffer.
+
+Fix the issue by validating the field on ingress. This prevents
+reading and sending data past the message buffer when forwarding a
+management message or other messages when operating as a transparent
+clock, and it also prevents a memory corruption in msg_post_recv()
+after forwarding a management message.
+
+Reported-by: Miroslav Lichvar
+Signed-off-by: Richard Cochran
+---
+ msg.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/msg.c b/msg.c
+index d1619d49..5ae8ebbf 100644
+--- a/msg.c
++++ b/msg.c
+@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ {
+ uint8_t *ptr = msg_suffix(msg);
+ struct tlv_extra *extra;
+- int err;
++ int err, suffix_len = 0;
+ 
+ if (!ptr)
+ return 0;
+@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ tlv_extra_recycle(extra);
+ return -EBADMSG;
+ }
++ suffix_len += sizeof(struct TLV);
+ len -= sizeof(struct TLV);
+ ptr += sizeof(struct TLV);
+ if (extra->tlv->length > len) {
+ tlv_extra_recycle(extra);
+ return -EBADMSG;
+ }
++ suffix_len += extra->tlv->length;
+ len -= extra->tlv->length;
+ ptr += extra->tlv->length;
+ err = tlv_post_recv(extra);
+@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ }
+ msg_tlv_attach(msg, extra);
+ }
+- return 0;
++ return suffix_len;
+ }
+ 
+ static void suffix_pre_send(struct ptp_message *msg)
+@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
+ 
+ int msg_post_recv(struct ptp_message *m, int cnt)
+ {
+- int pdulen, type, err;
++ int err, pdulen, suffix_len, type;
+ 
+ if (cnt < sizeof(struct ptp_header))
+ return -EBADMSG;
+@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
+ break;
+ }
+ 
+- err = suffix_post_recv(m, cnt - pdulen);
+- if (err)
+- return err;
++ suffix_len = suffix_post_recv(m, cnt - pdulen);
++ if (suffix_len < 0) {
++ return suffix_len;
++ }
++ if (pdulen + suffix_len != m->header.messageLength) {
++ return -EBADMSG;
++ }
+ 
+ return 0;
+ }
diff --git a/linuxptp.spec b/linuxptp.spec
index 90c7eb8..ceee79a 100644
--- a/linuxptp.spec
+++ b/linuxptp.spec
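Review bot: The new messageLength check at the end of msg_post_recv, `if (pdulen + suffix_len != m->header.messageLength)`, only runs after suffix_post_recv has walked and attached every TLV, so a message whose length field is plainly out of range still goes through the whole TLV parse (including the visible `err = tlv_post_recv(extra);` call) before being rejected. A cheap range check next to the existing `if (cnt < sizeof(struct ptp_header))` guard would fail such messages first: `if (m->header.messageLength < sizeof(struct ptp_header) || m->header.messageLength > cnt) return -EBADMSG;` — it has to sit after the header has been converted to host byte order, which I assume hdr_post_recv does earlier in msg_post_recv, outside this hunk. The exact-equality check should stay as well, since it is what actually pins the field to the parsed size. It would also help to say why the field is compared at all, e.g. `/* messageLength is redundant with the parsed size; a mismatch means a forged or truncated length field (CVE-2021-3570). */`. Both suffix_post_recv and msg_post_recv are only partly visible in this nested patch.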
@@ -1,6 +1,6 @@ Name: linuxptp Version: 2.0 -Release: 4 +Release: 5 Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP) Group: System Environment/Base License: GPLv2+ @@ -10,6 +10,7 @@ Source1: phc2sys.service Source2: ptp4l.service patch0000: CVE-2021-3571.patch +Patch0001: CVE-2021-3570.patch BuildRequires: gcc gcc-c++ systemd git net-tools @@ -80,6 +81,9 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys %{_mandir}/man8/*.8* %changelog +* Wed Sep 22 2021 yaoxin - 2.0-5 +- Fix CVE-2021-3570 + * Wed Jul 14 2021 houyingchao - 2.0-4 - fix CVE-2021-3571 -- Gitee