File 0344-Fix-use-afte-free-in-ip_reass-CVE-2.patch of Package qemu-linux-user.15026
From 79d0adda10afa64eddb8cf6dfb391b41f5388f62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Sat, 4 Apr 2020 22:42:13 +0200
Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 2faae0f778f818fadc873308f983289df697eb93
References: bsc#1170940, CVE-2020-1983
The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.
m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
slirp/ip_input.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index b5cd3ae04c..e550fda052 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -336,8 +336,7 @@ insert:
*/
q = fp->frag_link.next;
m = dtom(slirp, q);
-
- int was_ext = m->m_flags & M_EXT;
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
@@ -361,8 +360,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (!was_ext && m->m_flags & M_EXT) {
- int delta = (char *)q - m->m_dat;
+ if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}