From: Alexey Izbyshev
To: musl@lists.openwall.com
Date: Thu, 23 Feb 2023 23:34:01 +0300
Subject: [musl] Out-of-bounds reads in DNS response parsing

Hi,

I've found several issues with DNS response parsing that can result in getaddrinfo/getnameinfo reading uninitialized or (nearby) out-of-bounds data on the stack and returning garbage. The issues are described in the attached patches.

Alexey

[Attachment: 0001-fix-out-of-bounds-reads-in-__dns_parse.patch]
[Attachment: 0002-prevent-CNAME-PTR-parsing-from-reading-data-past-the.patch]