From 84f14b868ebcd8761cbba15e41dc9706c9f6040b Mon Sep 17 00:00:00 2001 From: Zhixiong Chi Date: Tue, 22 Nov 2022 04:43:27 -0800 Subject: [PATCH] Debian: isc-dhcp: fix CVE-2022-2928 Backport the source patch from the version 4.4.1-2.3+deb11u1. [https://sources.debian.org/src/isc-dhcp/4.4.1-2.3+deb11u1/debian/patches/CVE-2022-2928.patch] Refer to: https://security-tracker.debian.org/tracker/DSA-5251-1 It refers to two issues, CVE-2022-2928 and CVE-2022-2928. We are not addressing CVE-2022-2929 here. Test Plan: Pass: build-pkgs -c -p isc-dhcp Pass: build-pkgs -a Pass: build-image Pass: Debian AIO jenkins installation Pass: Successfully host-unlock Issue is very difficult to reproduce, so we are simply focused on making sure that this doesn't break anything. Closes-Bug: 1997328 Signed-off-by: Zhixiong Chi Change-Id: Icd9e07420a0b8be1e3542a861e7f3d95f9bb7772 --- base/dhcp/debian/patches/CVE-2022-2928.patch | 127 +++++++++++++++++++ base/dhcp/debian/patches/series | 3 +- 2 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 base/dhcp/debian/patches/CVE-2022-2928.patch diff --git a/base/dhcp/debian/patches/CVE-2022-2928.patch b/base/dhcp/debian/patches/CVE-2022-2928.patch new file mode 100644 index 000000000..accbbb473 --- /dev/null +++ b/base/dhcp/debian/patches/CVE-2022-2928.patch @@ -0,0 +1,127 @@ +From 8f1212b200fd44f9fc0ff8e35b1f2f98cc9d91b6 Mon Sep 17 00:00:00 2001 +From: Zhixiong Chi +Date: Tue, 22 Nov 2022 03:55:10 -0800 +Subject: [PATCH] CVE-2022-2928 + +Description: An option refcount overflow exists in dhcpd +Origin: upstream +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2928 +Forwarded: not-needed +Last-Update: 2022-10-04 + +The upstream patch is only in diff format without a git header which I +have created here. +[Backport patch from https://sources.debian.org/src/isc-dhcp/4.4.1-2.3%252Bdeb11u1/debian/patches/CVE-2022-2928.patch] +Signed-off-by: Zhixiong Chi +--- + common/options.c | 7 +++++ + common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+) + +diff --git a/common/options.c b/common/options.c +index fc0e088..253cbc1 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -4366,6 +4366,8 @@ add_option(struct option_state *options, + if (!option_cache_allocate(&oc, MDL)) { + log_error("No memory for option cache adding %s (option %d).", + option->name, option_num); ++ /* Get rid of reference created during hash lookup. */ ++ option_dereference(&option, MDL); + return 0; + } + +@@ -4377,6 +4379,8 @@ add_option(struct option_state *options, + MDL)) { + log_error("No memory for constant data adding %s (option %d).", + option->name, option_num); ++ /* Get rid of reference created during hash lookup. */ ++ option_dereference(&option, MDL); + option_cache_dereference(&oc, MDL); + return 0; + } +@@ -4385,6 +4389,9 @@ add_option(struct option_state *options, + save_option(&dhcp_universe, options, oc); + option_cache_dereference(&oc, MDL); + ++ /* Get rid of reference created during hash lookup. */ ++ option_dereference(&option, MDL); ++ + return 1; + } + +diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c +index cd52cfb..690704d 100644 +--- a/common/tests/option_unittest.c ++++ b/common/tests/option_unittest.c +@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc) + } + + ++ATF_TC(add_option_ref_cnt); ++ ++ATF_TC_HEAD(add_option_ref_cnt, tc) ++{ ++ atf_tc_set_md_var(tc, "descr", ++ "Verify add_option() does not leak option ref counts."); ++} ++ ++ATF_TC_BODY(add_option_ref_cnt, tc) ++{ ++ struct option_state *options = NULL; ++ struct option *option = NULL; ++ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER; ++ char *cid_str = "1234"; ++ int refcnt_before = 0; ++ ++ // Look up the option we're going to add. ++ initialize_common_option_spaces(); ++ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash, ++ &cid_code, 0, MDL)) { ++ atf_tc_fail("cannot find option definition?"); ++ } ++ ++ // Get the option's reference count before we call add_options. ++ refcnt_before = option->refcnt; ++ ++ // Allocate a option_state to which to add an option. ++ if (!option_state_allocate(&options, MDL)) { ++ atf_tc_fail("cannot allocat options state"); ++ } ++ ++ // Call add_option() to add the option to the option state. ++ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) { ++ atf_tc_fail("add_option returned 0"); ++ } ++ ++ // Verify that calling add_option() only adds 1 to the option ref count. ++ if (option->refcnt != (refcnt_before + 1)) { ++ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d", ++ refcnt_before, option->refcnt); ++ } ++ ++ // Derefrence the option_state, this should reduce the ref count to ++ // it's starting value. ++ option_state_dereference(&options, MDL); ++ ++ // Verify that dereferencing option_state restores option ref count. ++ if (option->refcnt != refcnt_before) { ++ atf_tc_fail("after state deref, count is wrong, before %d, after: %d", ++ refcnt_before, option->refcnt); ++ } ++} ++ + /* This macro defines main() method that will call specified + test cases. tp and simple_test_case names can be whatever you want + as long as it is a valid variable identifier. */ +@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp) + { + ATF_TP_ADD_TC(tp, option_refcnt); + ATF_TP_ADD_TC(tp, pretty_print_option); ++ ATF_TP_ADD_TC(tp, add_option_ref_cnt); + + return (atf_no_error()); + } +-- +2.34.1 + diff --git a/base/dhcp/debian/patches/series b/base/dhcp/debian/patches/series index a997a285b..7f729ae15 100644 --- a/base/dhcp/debian/patches/series +++ b/base/dhcp/debian/patches/series @@ -1,4 +1,5 @@ dhclient-restrict-interfaces-to-command-line.patch dhclient-ipv6-bind-to-interface.patch dhclient-ipv6-conditionally-set-hostname.patch -dhclient-set-the-default-prefix-length-to-64.patch \ No newline at end of file +dhclient-set-the-default-prefix-length-to-64.patch +CVE-2022-2928.patch