mailing list of musl libc
* Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
@ 2015-03-30  4:01 Rich Felker
  2015-03-30  4:33 ` Рысь
  0 siblings, 1 reply; 5+ messages in thread
From: Rich Felker @ 2015-03-30  4:01 UTC (permalink / raw)
  To: musl, oss-security

[-- Attachment #1: Type: text/plain, Size: 720 bytes --]

A stack-based buffer overflow has been found in musl libc's ipv6
address literal parsing code. Programs which call the inet_pton or
getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted address
strings are affected. Successful exploitation yields control of the
return address. Having enabled stack protector at the application
level does not mitigate the issue. All users should patch or upgrade.

Software: musl libc (http://www.musl-libc.org)

Severity: high

Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.

Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a

Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363

Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)

[-- Attachment #2: musl_inet_pton_overflow_fix.diff --]
[-- Type: text/plain, Size: 591 bytes --]

diff --git a/src/network/inet_pton.c b/src/network/inet_pton.c
index 4496b47..d36c368 100644
--- a/src/network/inet_pton.c
+++ b/src/network/inet_pton.c
@@ -39,14 +39,15 @@ int inet_pton(int af, const char *restrict s, void *restrict a0)
 	for (i=0; ; i++) {
 		if (s[0]==':' && brk<0) {
 			brk=i;
-			ip[i]=0;
+			ip[i&7]=0;
 			if (!*++s) break;
+			if (i==7) return 0;
 			continue;
 		}
 		for (v=j=0; j<4 && (d=hexval(s[j]))>=0; j++)
 			v=16*v+d;
 		if (j==0) return 0;
-		ip[i] = v;
+		ip[i&7] = v;
 		if (!s[j] && (brk>=0 || i==7)) break;
 		if (i==7) return 0;
 		if (s[j]!=':') {
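Review bot: the `ip[i&7]` mask by itself only makes the store memory-safe; it silently aliases a ninth group onto ip[0], so the parser's correctness still rests on the new `if (i==7) return 0;` in the "::" branch rejecting a "::" that appears after the eighth group. Its placement after `if (!*++s) break;` looks deliberate, since a literal ending in "::" after seven groups (the "::" standing for the last group) must still be accepted, and a one-line comment saying the mask is hardening rather than the fix would keep a later reader from dropping the check as redundant. Minor: the attachment is named musl_inet_pton_overflow_fix.diff while the advisory body says musl_dn_expand_overflow_fix.diff.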

^ permalink raw reply	[flat|nested] 5+ messages in thread
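As an added illustration of the class of bug described in the advisory (this is not musl's code and not the patch above), the following parser handles the same hex-group IPv6 syntax with an explicit bound on every store, so a literal carrying more than eight groups is rejected rather than written past the array. It also cross-checks its verdict against the installed libc's inet_pton(AF_INET6). The function names and the sample literals are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                              /* fold A-F onto a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Parse an IPv6 literal of 16-bit hex groups separated by ':' with at most
 * one "::" run (no embedded IPv4 dotted quad, no zone id). On success the
 * 16 network-order bytes go to out and 1 is returned; malformed input
 * returns 0 and leaves out untouched. Every store into groups[] sits behind
 * an explicit n < 8 check, which is the guard the advisory's bug lacked.
 */
int parse_ipv6_literal(const char *s, unsigned char out[16])
{
    uint16_t groups[8] = {0};
    int n = 0;            /* groups stored so far, always <= 8 */
    int brk = -1;         /* group index where "::" appeared, or -1 */
    const char *p = s;

    if (p[0] == ':') {                  /* a leading ':' must start "::" */
        if (p[1] != ':') return 0;
        brk = 0;
        p += 2;
    }
    while (*p != '\0') {
        int v = 0, ndig = 0, d;
        while (ndig < 4 && (d = hexval((unsigned char)p[ndig])) >= 0) {
            v = v * 16 + d;
            ndig++;
        }
        if (ndig == 0) return 0;        /* empty group or bad character */
        if (n >= 8) return 0;           /* ninth group: reject, never store */
        groups[n++] = (uint16_t)v;
        p += ndig;
        if (*p == '\0') break;
        if (*p != ':') return 0;        /* five digits, junk, etc. */
        p++;
        if (*p == ':') {                /* a "::" run */
            if (brk >= 0) return 0;     /* only one "::" is allowed */
            brk = n;
            p++;
        } else if (*p == '\0') {
            return 0;                   /* trailing single ':' */
        }
    }
    if (brk < 0) {
        if (n != 8) return 0;           /* uncompressed form needs all 8 */
    } else {
        int tail = n - brk;             /* groups written after the "::" */
        if (n >= 8) return 0;           /* "::" must stand for >= 1 group */
        memmove(groups + 8 - tail, groups + brk, tail * sizeof groups[0]);
        memset(groups + brk, 0, (8 - n) * sizeof groups[0]);
    }
    for (int k = 0; k < 8; k++) {
        out[2 * k]     = (unsigned char)(groups[k] >> 8);
        out[2 * k + 1] = (unsigned char)(groups[k] & 0xff);
    }
    return 1;
}

/* Accept/reject verdict only. */
int ipv6_literal_is_valid(const char *s)
{
    unsigned char out[16];
    return parse_ipv6_literal(s, out);
}

/* 1 if s parses to the 16 bytes given as 32 lowercase hex digits. */
int ipv6_literal_matches(const char *s, const char *expect_hex)
{
    unsigned char out[16];
    char hex[33];
    if (!parse_ipv6_literal(s, out)) return 0;
    for (int k = 0; k < 16; k++)
        snprintf(hex + 2 * k, 3, "%02x", out[k]);
    return strcmp(hex, expect_hex) == 0;
}

/* Cross-check against the installed libc: 1 if inet_pton(AF_INET6) gives the
 * same verdict and, when both accept, the same bytes. Pure-hex literals only. */
int libc_agrees(const char *s)
{
    unsigned char ours[16], theirs[16];
    int a = parse_ipv6_literal(s, ours);
    int b = inet_pton(AF_INET6, s, theirs) == 1;
    if (a != b) return 0;
    return !a || memcmp(ours, theirs, 16) == 0;
}

int main(void)
{
    /* Constructed samples: valid, compressed, and over-long literals. */
    const char *samples[] = { "2001:db8::1", "::1", "::", "1:2:3:4:5:6:7:8",
        "1:2:3:4:5:6:7:8:9", "1:2:3:4:5:6:7::8", "1:::2", ":1" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-20s %s\n", samples[k],
               ipv6_literal_is_valid(samples[k]) ? "accepted" : "rejected");
    return 0;
}
```

The two rejections worth noticing are "1:2:3:4:5:6:7:8:9" (a ninth group, the shape of input the advisory is about) and "1:2:3:4:5:6:7::8" (a "::" that would stand for zero groups); both fail the n < 8 guards before any store happens.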

* Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
  2015-03-30  4:01 Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817] Rich Felker
@ 2015-03-30  4:33 ` Рысь
  2015-03-30  4:41   ` Rich Felker
  0 siblings, 1 reply; 5+ messages in thread
From: Рысь @ 2015-03-30  4:33 UTC (permalink / raw)
  To: musl

On Mon, 30 Mar 2015 00:01:25 -0400
Rich Felker <dalias@libc.org> wrote:

> A stack-based buffer overflow has been found in musl libc's ipv6
> address literal parsing code. Programs which call the inet_pton or
> getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted address
> strings are affected. Successful exploitation yields control of the
> return address. Having enabled stack protector at the application
> level does not mitigate the issue. All users should patch or upgrade.
> 
> Software: musl libc (http://www.musl-libc.org)
> 
> Severity: high
> 
> Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.
> 
> Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a
> 
> Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363
> 
> Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)

How much does it affect read-only embedded systems as well? Is an
almost-latest dropbear listening publicly on the ssh port actually vulnerable?



* Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
  2015-03-30  4:33 ` Рысь
@ 2015-03-30  4:41   ` Rich Felker
  2015-03-30  5:18     ` Рысь
  0 siblings, 1 reply; 5+ messages in thread
From: Rich Felker @ 2015-03-30  4:41 UTC (permalink / raw)
  To: musl

On Mon, Mar 30, 2015 at 11:33:37AM +0700, Рысь wrote:
> On Mon, 30 Mar 2015 00:01:25 -0400
> Rich Felker <dalias@libc.org> wrote:
> 
> > A stack-based buffer overflow has been found in musl libc's ipv6
> > address literal parsing code. Programs which call the inet_pton or
> > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted address
> > strings are affected. Successful exploitation yields control of the
> > return address. Having enabled stack protector at the application
> > level does not mitigate the issue. All users should patch or upgrade.
> > 
> > Software: musl libc (http://www.musl-libc.org)
> > 
> > Severity: high
> > 
> > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.
> > 
> > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a
> > 
> > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363
> > 
> > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)
> 
> How much does it affect read-only embedded systems as well? Is an
> almost-latest dropbear listening publicly on the ssh port actually vulnerable?

I don't think so, but I haven't done analysis of specific software.
Busybox is affected if it's installed setuid and ping is enabled (a
configuration I strongly recommend not using since they don't handle
setuid securely in general) but that's limited to local attacks. I
don't think there's any way you can make dropbear (server) attempt to
parse ip literal strings remotely, but verifying this would take some
checking of the source.

Rich



* Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
  2015-03-30  4:41   ` Rich Felker
@ 2015-03-30  5:18     ` Рысь
  0 siblings, 0 replies; 5+ messages in thread
From: Рысь @ 2015-03-30  5:18 UTC (permalink / raw)
  To: musl

On Mon, 30 Mar 2015 00:41:53 -0400
Rich Felker <dalias@libc.org> wrote:

> On Mon, Mar 30, 2015 at 11:33:37AM +0700, Рысь wrote:
> > On Mon, 30 Mar 2015 00:01:25 -0400
> > Rich Felker <dalias@libc.org> wrote:
> > 
> > > A stack-based buffer overflow has been found in musl libc's ipv6
> > > address literal parsing code. Programs which call the inet_pton or
> > > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted
> > > address strings are affected. Successful exploitation yields
> > > control of the return address. Having enabled stack protector at
> > > the application level does not mitigate the issue. All users
> > > should patch or upgrade.
> > > 
> > > Software: musl libc (http://www.musl-libc.org)
> > > 
> > > Severity: high
> > > 
> > > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.
> > > 
> > > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a
> > > 
> > > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363
> > > 
> > > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)
> > 
> > How much does it affect read-only embedded systems as well? Is an
> > almost-latest dropbear listening publicly on the ssh port actually vulnerable?
> 
> I don't think so, but I haven't done analysis of specific software.
> Busybox is affected if it's installed setuid and ping is enabled (a
> configuration I strongly recommend not using since they don't handle
> setuid securely in general) but that's limited to local attacks. I
> don't think there's any way you can make dropbear (server) attempt to
> parse ip literal strings remotely, but verifying this would take some
> checking of the source.
> 
> Rich

Well, thanks for your efforts to design musl so that it can be swapped
atomically at runtime without rebooting the machines! I have already
upgraded it and the critical daemons on my servers, and everything works nicely :-)



* Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
@ 2015-04-17 13:10 Matt Johnston
  0 siblings, 0 replies; 5+ messages in thread
From: Matt Johnston @ 2015-04-17 13:10 UTC (permalink / raw)
  To: musl

Hi,

I think Dropbear probably is vulnerable to CVE-2015-1817
post-authentication. TCP forwarding requests will call
getaddrinfo():
https://secure.ucc.asn.au/hg/dropbear/file/cbd674d63cd4/dbutil.c#l415
(moved to netio.c in head, and PF_UNSPEC has been fixed to
AF_UNSPEC). Pre-authentication should be OK; only
getnameinfo() is called (if that's enabled).

musl's network-facing DNS code seems a bit precarious with
pointer arithmetic?

Please CC replies, I'm not subscribed.

Cheers,
Matt



