group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #14544
[Bug 1695546] Re: Out of bounds write in resolved with crafted TCP responses
** Also affects: systemd (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: systemd (Ubuntu Artful)
Importance: High
Assignee: Dimitri John Ledkov (xnox)
Status: Fix Released
** Also affects: systemd (Ubuntu Zesty)
Importance: Undecided
Status: New
** Changed in: systemd (Ubuntu Xenial)
Status: New => Confirmed
** Changed in: systemd (Ubuntu Yakkety)
Status: New => Fix Released
** Changed in: systemd (Ubuntu Zesty)
Status: New => Fix Released
** Description changed:
- Certain sizes passed to dns_packet_new can cause it to allocate a buffer
- that's too small. A page-aligned number - sizeof(DnsPacket) +
- sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a
- page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016
- will result in an allocation of 4096 bytes, but 108 bytes of this are
- for the DnsPacket struct.
+ [Impact]
+ Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved in to allocating a buffer
that's too small, and subsequently write arbitrary data beyond the end
of it.
To demonstrate this you can run the attached python script. This is a
mock DNS server that sends a response where the first two bytes of the
TCP payload specify a size of 4016 (note, this size is picked to trigger
an out of bounds write on x86 - you'll probably need to pick a different
number for x86-64). You'll need to temporarily set your DNS server to
127.0.0.1.
+
+ [Testcase]
+ Launch the attached script on i386, point resolved at the started dns server, execute a dns query via resolved observe that it crashes.
+ Upgrade systemd package and observe that resolved no longer crashes.
+
+ [Regression Potential]
+ Low, resolved is not used by default in xenial. This is a bug fix to resolved, in case somebody does use resolved in xenial.
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1695546
Title:
Out of bounds write in resolved with crafted TCP responses
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Xenial:
Confirmed
Status in systemd source package in Yakkety:
Fix Released
Status in systemd source package in Zesty:
Fix Released
Status in systemd source package in Artful:
Fix Released
Bug description:
[Impact]
Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved in to allocating a
buffer that's too small, and subsequently write arbitrary data beyond
the end of it.
To demonstrate this you can run the attached python script. This is a
mock DNS server that sends a response where the first two bytes of the
TCP payload specify a size of 4016 (note, this size is picked to
trigger an out of bounds write on x86 - you'll probably need to pick a
different number for x86-64). You'll need to temporarily set your DNS
server to 127.0.0.1.
[Testcase]
Launch the attached script on i386, point resolved at the started dns server, execute a dns query via resolved observe that it crashes.
Upgrade systemd package and observe that resolved no longer crashes.
[Regression Potential]
Low, resolved is not used by default in xenial. This is a bug fix to resolved, in case somebody does use resolved in xenial.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1695546/+subscriptions