Date: Tue, 27 Jun 2017 18:58:29 +0100 From: Chris Coulson <chris.coulson@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE-2017-9445: Out-of-bounds write in systemd-resolved with crafted TCP payload Hi, I recently discovered an out-of-bounds write in systemd-resolved in Ubuntu, which is possible to trigger with a specially crafted TCP payload. Details from the Ubuntu bug follow: https://launchpad.net/bugs/1695546 ---- Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct. A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. I believe this was introduced by https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37 (v223) and affects all subsequent versions up to and including v233. ---- A patch to resolve this has been provided by Zbigniew Jędrzejewski-Szmek, along with an additional patch to implement a test. Both of these are attached. Many thanks, Chris View attachment "0001-test-resolved-packet-add-a-simple-test-for-our-alloc.patch" of type "text/x-patch" (3748 bytes) View attachment "0002-resolved-simplify-alloc-size-calculation.patch" of type "text/x-patch" (1828 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ