From 0699307bb580ed6873e2cae4af1e55ecd677d33b Mon Sep 17 00:00:00 2001 From: Vivek Kumbhar Date: Tue, 21 Mar 2023 03:58:40 +0000 Subject: [PATCH] c-ares:fix CVE-2022-4904 buffer overflow in config_sortlist() due to missing string length check Source: https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d MR: 125266 Type: Security Fix Disposition: Backport from https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d ChangeID: 33b40926ed3ed7620434f30ff30874e241a3257c Description: Add str len check in config_sortlist to avoid stack overflow (#497) In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse the input str and initialize a sortlist configuration. However, ares_set_sortlist has not any checks about the validity of the input str. It is very easy to create an arbitrary length stack overflow with the unchecked `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` statements in the config_sortlist call, which could potentially cause severe security impact in practical programs. This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the potential stack overflows. fixes #496 Fix By: @hopper-vul Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/9903253c347f9e0bffd285ae3829aef251cc852d] CVE: CVE-2022-4904 Signed-off-by: Vivek Kumbhar Signed-off-by: Jeremy A. Puhlman --- .../c-ares/c-ares/CVE-2022-4904.patch | 48 +++++++++++++++++++ .../recipes-support/c-ares/c-ares_1.13.0.bb | 3 +- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch diff --git a/meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch b/meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch new file mode 100644 index 00000000000..c9f140e838f --- /dev/null +++ b/meta-networking/recipes-support/c-ares/c-ares/CVE-2022-4904.patch @@ -0,0 +1,48 @@ +From 2aa53d00147001301482d26c1ad1b12cdd1dc6b4 Mon Sep 17 00:00:00 2001 +From: Vivek Kumbhar +Date: Tue, 21 Mar 2023 03:52:30 +0000 +Subject: [PATCH] CVE-2022-4904 + +--- + ares_init.c | 4 ++++ + test/ares-test-init.cc | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/ares_init.c b/ares_init.c +index f7b700b..5aad7c8 100644 +--- a/ares_init.c ++++ b/ares_init.c +@@ -2065,6 +2065,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2073,6 +2075,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +diff --git a/test/ares-test-init.cc b/test/ares-test-init.cc +index 66570ac..cd65e77 100644 +--- a/test/ares-test-init.cc ++++ b/test/ares-test-init.cc +@@ -265,6 +265,8 @@ TEST_F(DefaultChannelTest, SetAddresses) { + + TEST_F(DefaultChannelTest, SetSortlistFailures) { + EXPECT_EQ(ARES_ENODATA, ares_set_sortlist(nullptr, "1.2.3.4")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111*/16")); ++ EXPECT_EQ(ARES_EBADSTR, ares_set_sortlist(channel_, "111.111.111.111/255.255.255.240*")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; lwk")); + EXPECT_EQ(ARES_SUCCESS, ares_set_sortlist(channel_, "xyzzy ; 0x123")); + } +-- +2.18.2 + diff --git a/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb b/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb index 930e21fb734..7dc11abf28a 100644 --- a/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb +++ b/meta-networking/recipes-support/c-ares/c-ares_1.13.0.bb @@ -7,12 +7,13 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=f4b026880834eb01c035c5e5cb47ccac" SRCREV = "3be1924221e1326df520f8498d704a5c4c8d0cce" PV = "1.13.0+gitr${SRCPV}" -PR .= ".1" +PR .= ".2" SRC_URI = "\ git://github.com/c-ares/c-ares.git \ file://cmake-install-libcares.pc.patch \ file://0001-CVE-2021-3672.patch \ + file://CVE-2022-4904.patch \ " S = "${WORKDIR}/git"