oss-sec mailing list archives
CVE-2017-9445: Out-of-bounds write in systemd-resolved with crafted TCP payload
From: Chris Coulson <chris.coulson () canonical com>
Date: Tue, 27 Jun 2017 18:58:29 +0100
Hi,

I recently discovered an out-of-bounds write in systemd-resolved in Ubuntu, which is possible to trigger with a specially crafted TCP payload. Details from the Ubuntu bug follow: https://launchpad.net/bugs/1695546

----

Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. E.g., calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.

A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

I believe this was introduced by https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37 (v223) and affects all subsequent versions up to and including v233.

----

A patch to resolve this has been provided by Zbigniew Jędrzejewski-Szmek, along with an additional patch to implement a test. Both of these are attached.

Many thanks,
Chris
Attachments:
- 0001-test-resolved-packet-add-a-simple-test-for-our-alloc.patch
- 0002-resolved-simplify-alloc-size-calculation.patch
- signature.asc (OpenPGP digital signature)
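The arithmetic behind the report, as an added example that is not part of the original mail and not systemd source: a small model of the dns_packet_new size calculation before and after the fix. The layout constants are assumptions taken from the mail for 32-bit x86 (a 108-byte DnsPacket header, 28 bytes of IP+UDP header overhead, 4096-byte pages), and the two calculations are a reconstruction of the behaviour the mail describes (payload area sized from the requested length minus the UDP overhead, then the whole object rounded up to a page, versus rounding the requested length itself), not the project's code. The helper names are the example's own.

```c
/*
 * Added example, not systemd source: model of the dns_packet_new()
 * size calculation described in the advisory, before and after the fix.
 * Layout constants are assumptions taken from the mail for 32-bit x86:
 * 108-byte DnsPacket header, 28 bytes of IP+UDP header overhead,
 * 4096-byte pages.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE        4096u
#define SIZEOF_DNSPACKET 108u         /* sizeof(DnsPacket), as stated in the mail */
#define UDP_HDR_OVERHEAD (20u + 8u)   /* sizeof(struct iphdr) + sizeof(struct udphdr) */
#define TCP_LEN_MAX      UINT16_MAX   /* a DNS-over-TCP message has a 16-bit length prefix */

static size_t page_align(size_t n) {
    return (n + PAGE_SIZE - 1) & ~(size_t)(PAGE_SIZE - 1);
}

/* Model of the pre-fix calculation (assumed, see lead-in): the payload
 * area is sized from (size - UDP overhead) and the whole object is then
 * rounded up to a page. Returns the payload bytes actually available.
 * Precondition: size > UDP_HDR_OVERHEAD. */
static size_t payload_area_before(size_t size) {
    size_t a = size - UDP_HDR_OVERHEAD;
    return page_align(SIZEOF_DNSPACKET + a) - SIZEOF_DNSPACKET;
}

/* Model of the fixed calculation: the requested size itself is rounded,
 * so the payload area can never be smaller than what was asked for. */
static size_t payload_area_after(size_t size) {
    return page_align(SIZEOF_DNSPACKET + size) - SIZEOF_DNSPACKET;
}

/* Bytes that reading `size` bytes of TCP payload into the packet would
 * write past the end of the payload area; 0 when the buffer is big enough. */
static size_t overflow_bytes(size_t (*payload_area)(size_t), size_t size) {
    size_t avail = payload_area(size);
    return size > avail ? size - avail : 0;
}

/* Count the 16-bit TCP lengths (above the header overhead) for which the
 * given model yields a payload area smaller than the length requested,
 * i.e. the length-prefix values a malicious server could choose. This is
 * the same check the attached test performs: allocated >= requested. */
static size_t count_undersized(size_t (*payload_area)(size_t)) {
    size_t n = 0;
    for (size_t size = UDP_HDR_OVERHEAD + 1; size <= TCP_LEN_MAX; size++)
        if (overflow_bytes(payload_area, size) > 0)
            n++;
    return n;
}

int main(void) {
    size_t size = 4016; /* the advisory's example: 4096 - 80 */
    printf("size %zu: before fix payload area %zu (overflow %zu), "
           "after fix payload area %zu (overflow %zu)\n",
           size, payload_area_before(size), overflow_bytes(payload_area_before, size),
           payload_area_after(size), overflow_bytes(payload_area_after, size));
    printf("undersized lengths in 29..65535: before %zu, after %zu\n",
           count_undersized(payload_area_before), count_undersized(payload_area_after));
    return 0;
}
```

For the mail's example, the pre-fix model returns a 3988-byte payload area inside a 4096-byte object (108 bytes of header), so a 4016-byte TCP payload overruns it by 28 bytes; the post-fix model rounds 4016 up to a payload area of 8084 bytes. Under these assumed constants the pre-fix model also comes up short for the lengths just below each page boundary, not only at the boundary case the mail cites; that is a property of this model, not a claim verified against the systemd source.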