From 2400efa839dfa7b7616773faa176a90180928d7c Mon Sep 17 00:00:00 2001
From: Yangyang Shen
Date: Thu, 4 Jun 2020 21:29:56 +0800
Subject: [PATCH] fix double free in macsec_receive_channel_free() and fix crash in network L2TP
---
 network-L2TP-fix-crash.patch | 59 +++++++++++++++++++
 ...le-free-in-macsec_receive_channel_fr.patch | 45 ++++++++++++++
 systemd.spec | 11 +++-
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 network-L2TP-fix-crash.patch
 create mode 100644 network-fix-double-free-in-macsec_receive_channel_fr.patch
diff --git a/network-L2TP-fix-crash.patch b/network-L2TP-fix-crash.patch
new file mode 100644
index 0000000..d3cd0e9
--- /dev/null
+++ b/network-L2TP-fix-crash.patch
@@ -0,0 +1,59 @@
+From a1422af564e3b1128fc7754596b4c2f8b36a4620 Mon Sep 17 00:00:00 2001
+From: Susant Sahani
+Date: Sat, 30 May 2020 06:35:28 +0200
+Subject: [PATCH] network: L2TP fix crash
+
+```
+=220358== Invalid read of size 8
+==220358== at 0x452F05: l2tp_session_free (l2tp-tunnel.c:46)
+==220358== by 0x456926: l2tp_tunnel_done (l2tp-tunnel.c:725)
+==220358== by 0x43CF4D: netdev_free (netdev.c:205)
+==220358== by 0x43D045: netdev_unref (netdev.c:210)
+==220358== by 0x4198B7: manager_free (networkd-manager.c:1877)
+==220358== by 0x40D0B3: manager_freep (networkd-manager.h:105)
+==220358== by 0x40DE1C: run (networkd.c:21)
+==220358== by 0x40DE75: main (networkd.c:130)
+==220358== Address 0x5c035d0 is 0 bytes inside a block of size 40 free'd
+==220358== at 0x483A9F5: free (vg_replace_malloc.c:538)
+==220358== by 0x452F87: l2tp_session_free (l2tp-tunnel.c:57)
+==220358== by 0x456857: netdev_l2tp_tunnel_verify (l2tp-tunnel.c:710)
+==220358== by 0x440947: netdev_load_one (netdev.c:738)
+==220358== by 0x441222: netdev_load (netdev.c:851)
+==220358== by 0x419C50: manager_load_config (networkd-manager.c:1934)
+==220358== by 0x40D7BE: run (networkd.c:87)
+==220358== by 0x40DE75: main (networkd.c:130)
+==220358== Block was alloc'd at
+==220358== at 0x4839809: malloc (vg_replace_malloc.c:307)
+==220358== by 0x452A76: malloc_multiply (alloc-util.h:96)
+==220358== by 0x4531E6: l2tp_session_new_static (l2tp-tunnel.c:82)
+==220358== by 0x455C01: config_parse_l2tp_session_id (l2tp-tunnel.c:535)
+==220358== by 0x48E6D72: next_assignment (conf-parser.c:133)
+==220358== by 0x48E77A3: parse_line (conf-parser.c:271)
+==220358== by 0x48E7E4F: config_parse (conf-parser.c:396)
+==220358== by 0x48E80E5: config_parse_many_files (conf-parser.c:453)
+==220358== by 0x48E8490: config_parse_many (conf-parser.c:512)
+==220358== by 0x44089C: netdev_load_one (netdev.c:729)
+==220358== by 0x441222: netdev_load (netdev.c:851)
+==220358== by 0x419C50: manager_load_config (networkd-manager.c:1934)
+
+```
+---
+ src/network/netdev/l2tp-tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/netdev/l2tp-tunnel.c b/src/network/netdev/l2tp-tunnel.c
+index 19683c0a00..91788c3681 100644
+--- a/src/network/netdev/l2tp-tunnel.c
++++ b/src/network/netdev/l2tp-tunnel.c
+@@ -44,7 +44,7 @@ static void l2tp_session_free(L2tpSession *s) {
+ return;
+
+ if (s->tunnel && s->section)
+- ordered_hashmap_remove(s->tunnel->sessions_by_section, s);
++ ordered_hashmap_remove(s->tunnel->sessions_by_section, s->section);
+
+ network_config_section_free(s->section);
+
+--
+2.23.0
+
diff --git a/network-fix-double-free-in-macsec_receive_channel_fr.patch b/network-fix-double-free-in-macsec_receive_channel_fr.patch
new file mode 100644
index 0000000..4b266b6
--- /dev/null
+++ b/network-fix-double-free-in-macsec_receive_channel_fr.patch
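Review bot: The L2TP backport carries no regression input, while the macsec patch added by this same commit ships test/fuzz/fuzz-netdev-parser/oss-fuzz-22547; the valgrind trace shows the session being freed from netdev_l2tp_tunnel_verify (l2tp-tunnel.c:710) while its entry stayed in sessions_by_section because `s` rather than `s->section` was used as the key, so a fuzz-netdev-parser corpus file with an [L2TPSession] that fails verification would pin this fix the same way. The inner index line `19683c0a00..91788c3681` appears to come from upstream master rather than the v243 tree this spec builds, so it is worth confirming that the hunk applies to the 243 l2tp-tunnel.c (at worst with an offset) before relying on it. l2tp_session_free is shown only as hunk context at line 44; its body continues beyond the hunk.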
@@ -0,0 +1,45 @@
+From 0e77fc66bceb9832da82a56a4c1040fe49f8d805 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 29 May 2020 16:56:09 +0900
+Subject: [PATCH] network: fix double free in macsec_receive_channel_free()
+
+Fixes #15941.
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547
+---
+ src/network/netdev/macsec.c | 2 +-
+ test/fuzz/fuzz-netdev-parser/oss-fuzz-22547 | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+
+diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
+index 3542f9652a..8f7559e9ae 100644
+--- a/src/network/netdev/macsec.c
++++ b/src/network/netdev/macsec.c
+@@ -102,7 +102,7 @@ static void macsec_receive_channel_free(ReceiveChannel *c) {
+
+ if (c->macsec) {
+ if (c->sci.as_uint64 > 0)
+- ordered_hashmap_remove(c->macsec->receive_channels, &c->sci.as_uint64);
++ ordered_hashmap_remove_value(c->macsec->receive_channels, &c->sci.as_uint64, c);
+
+ if (c->section)
+ ordered_hashmap_remove(c->macsec->receive_channels_by_section, c->section);
+diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+new file mode 100644
+index 0000000000..ca55a33ae9
+--- /dev/null
++++ b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+@@ -0,0 +1,10 @@
++[NetDev]
++Name=o
++Kind=macsec
++
++[MACsecReceiveChannel]
++MACAddress=12.0.4
++Port=913
++[MACsecReceiveChannel]
++MACAddress=12.0.4
++Port=913
+--
+2.23.0
+
diff --git a/systemd.spec b/systemd.spec
index 8d7c993..e7bc021 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -16,7 +16,7 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 Version: 243
-Release: 23
+Release: 24
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
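Review bot: ordered_hashmap_remove_value makes the freeing channel drop only its own receive_channels entry, which is exactly what the fuzz input's two [MACsecReceiveChannel] sections with the same MACAddress/Port trip over, but the hunk does not show how that duplicate is surfaced to the user; if the v243 verify path does not reject a second section with an identical SCI, the second channel is silently dropped, so that rejection is the companion change to check for when backporting. The receive_channels_by_section removal two lines below still uses plain ordered_hashmap_remove, which presumably relies on section pointers being unique per channel; a one-line comment on the new call would make both assumptions explicit, e.g. `/* Another channel may own this SCI key: remove only our own entry (oss-fuzz 22547). */`. macsec_receive_channel_free opens at line 102 as hunk context and continues past the hunk.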
@@ -86,6 +86,8 @@ Patch0037: revert-shared-unit-file-add-a-function-to-validate-u.patch
 Patch0038: systemd-Fix-busctl-crash-on-aarch64-when-setting-out.patch
 Patch0039: seccomp-more-comprehensive-protection-against-libsec.patch
+Patch0040: network-fix-double-free-in-macsec_receive_channel_fr.patch
+Patch0041: network-L2TP-fix-crash.patch
 #openEuler
 Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch
@@ -1478,6 +1480,13 @@ fi
 %exclude /usr/share/man/man3/*
 %changelog
+* Thu May 28 2020 openEuler Buildteam - 243-24
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:fix double free in macsec_receive_channel_free() and
+ fix crash in network L2TP
+
 * Thu May 28 2020 openEuler Buildteam - 243-23
 - Type:enhancement
 - ID:NA
-- Gitee
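Review bot: Declaring Patch0040 and Patch0041 only registers the files; whether they are applied is decided in %prep, which is outside this hunk — if the spec applies patches with explicit `%patch0040 -p1` lines rather than %autosetup/%autopatch, matching entries are needed there too, otherwise the build ships without either fix. In the %changelog hunk on the same line the new entry is tagged `- Type:enhancement` although both backports fix memory-safety bugs (a double free and a use-after-free), so `- Type:bugfix` describes it accurately, and `- ID:NA` could cite the upstream references the embedded patch already names, #15941 and oss-fuzz 22547. The entry also reuses the previous entry's date, Thu May 28 2020, while the commit itself is dated 4 Jun 2020.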