Date: Tue, 27 Jun 2017 18:58:29 +0100
From: Chris Coulson <chris.coulson@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-9445: Out-of-bounds write in systemd-resolved with crafted TCP payload

Hi,

I recently discovered an out-of-bounds write in systemd-resolved in
Ubuntu, which is possible to trigger with a specially crafted TCP payload.

Details from the Ubuntu bug follow:
https://launchpad.net/bugs/1695546

----
Certain sizes passed to dns_packet_new can cause it to allocate a buffer
that's too small. A page-aligned number - sizeof(DnsPacket) +
sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
page-aligned number - 80. E.g., calling dns_packet_new with a size of 4016
on x86 will result in an allocation of 4096 bytes, but 108 bytes of this
are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved into allocating a buffer
that's too small, and subsequently write arbitrary data beyond the end
of it.

I believe this was introduced by
https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37
(v223) and affects all subsequent versions up to and including v233.
----

A patch to resolve this has been provided by Zbigniew
Jędrzejewski-Szmek, along with an additional patch to implement a test.
Both of these are attached.

Many thanks,
Chris

Attachments:
  0001-test-resolved-packet-add-a-simple-test-for-our-alloc.patch (text/x-patch, 3748 bytes)
  0002-resolved-simplify-alloc-size-calculation.patch (text/x-patch, 1828 bytes)
  signature.asc (application/pgp-signature, 456 bytes)
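The allocation arithmetic the bug details above describe, modelled as an added example (not systemd's code and not the attached patch): the x86 figures from the mail (108-byte DnsPacket, 20-byte iphdr, 8-byte udphdr, 4096-byte pages) are the model's constants, and the "after fix" rule is an assumed hardened form that stops treating a TCP length prefix as an MTU, not the actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constants of the model, taken from the report's x86 figures: a 108-byte
 * DnsPacket, 20-byte iphdr, 8-byte udphdr and 4096-byte pages. */
#define MODEL_PAGE_SIZE   ((size_t) 4096)
#define MODEL_DNSPACKET   ((size_t) 108)
#define MODEL_IPHDR       ((size_t) 20)
#define MODEL_UDPHDR      ((size_t) 8)

static size_t page_align(size_t n) {
        return (n + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1);
}

/* Usable payload bytes under the pre-fix arithmetic as the report describes
 * it: the requested size is treated as an MTU (IP and UDP header sizes come
 * off), the struct-plus-payload total is rounded up to a page, and the
 * struct is taken back out. Assumes requested > 28 (model assumption). */
size_t payload_capacity_before_fix(size_t requested) {
        size_t wire = requested - (MODEL_IPHDR + MODEL_UDPHDR);
        return page_align(MODEL_DNSPACKET + wire) - MODEL_DNSPACKET;
}

size_t total_allocation_before_fix(size_t requested) {
        return MODEL_DNSPACKET + payload_capacity_before_fix(requested);
}

/* Hardened variant (an assumption, not the systemd patch): a TCP length
 * prefix is a payload size, not an MTU, so nothing is subtracted and the
 * rounded allocation can never hold fewer bytes than were requested. */
size_t payload_capacity_after_fix(size_t requested) {
        return page_align(MODEL_DNSPACKET + requested) - MODEL_DNSPACKET;
}

/* True when a response of `requested` bytes fits the buffer the given
 * capacity rule allocates; false means the read would run past its end. */
bool response_fits(size_t requested, size_t (*capacity)(size_t)) {
        return requested <= capacity(requested);
}

int main(void) {
        size_t sizes[] = { 3900, 4016 };  /* constructed: a benign size and the report's */
        for (size_t i = 0; i < 2; i++)
                printf("request %zu: alloc %zu, payload capacity %zu, fits: %s\n",
                       sizes[i], total_allocation_before_fix(sizes[i]),
                       payload_capacity_before_fix(sizes[i]),
                       response_fits(sizes[i], payload_capacity_before_fix) ? "yes" : "no");
        return 0;
}
```

For 4016 the model reproduces the mail's numbers (a 4096-byte allocation with only 3988 bytes left after the struct), while 3900 fits because the page rounding adds slack.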
