84f14b868e
Backport the source patch from the version 4.4.1-2.3+deb11u1. [https://sources.debian.org/src/isc-dhcp/4.4.1-2.3+deb11u1/debian/patches/CVE-2022-2928.patch] Refer to: https://security-tracker.debian.org/tracker/DSA-5251-1 It refers to two issues, CVE-2022-2928 and CVE-2022-2928. We are not addressing CVE-2022-2929 here. Test Plan: Pass: build-pkgs -c -p isc-dhcp Pass: build-pkgs -a Pass: build-image Pass: Debian AIO jenkins installation Pass: Successfully host-unlock Issue is very difficult to reproduce, so we are simply focused on making sure that this doesn't break anything. Closes-Bug: 1997328 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Change-Id: Icd9e07420a0b8be1e3542a861e7f3d95f9bb7772
128 lines
4.2 KiB
Diff
128 lines
4.2 KiB
Diff
From 8f1212b200fd44f9fc0ff8e35b1f2f98cc9d91b6 Mon Sep 17 00:00:00 2001
|
|
From: Zhixiong Chi <zhixiong.chi@windriver.com>
|
|
Date: Tue, 22 Nov 2022 03:55:10 -0800
|
|
Subject: [PATCH] CVE-2022-2928
|
|
|
|
Description: An option refcount overflow exists in dhcpd
|
|
Origin: upstream
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2928
|
|
Forwarded: not-needed
|
|
Last-Update: 2022-10-04
|
|
|
|
The upstream patch is only in diff format without a git header which I
|
|
have created here.
|
|
[Backport patch from https://sources.debian.org/src/isc-dhcp/4.4.1-2.3%252Bdeb11u1/debian/patches/CVE-2022-2928.patch]
|
|
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
|
|
---
|
|
common/options.c | 7 +++++
|
|
common/tests/option_unittest.c | 54 ++++++++++++++++++++++++++++++++++
|
|
2 files changed, 61 insertions(+)
|
|
|
|
diff --git a/common/options.c b/common/options.c
|
|
index fc0e088..253cbc1 100644
|
|
--- a/common/options.c
|
|
+++ b/common/options.c
|
|
@@ -4366,6 +4366,8 @@ add_option(struct option_state *options,
|
|
if (!option_cache_allocate(&oc, MDL)) {
|
|
log_error("No memory for option cache adding %s (option %d).",
|
|
option->name, option_num);
|
|
+ /* Get rid of reference created during hash lookup. */
|
|
+ option_dereference(&option, MDL);
|
|
return 0;
|
|
}
|
|
|
|
@@ -4377,6 +4379,8 @@ add_option(struct option_state *options,
|
|
MDL)) {
|
|
log_error("No memory for constant data adding %s (option %d).",
|
|
option->name, option_num);
|
|
+ /* Get rid of reference created during hash lookup. */
|
|
+ option_dereference(&option, MDL);
|
|
option_cache_dereference(&oc, MDL);
|
|
return 0;
|
|
}
|
|
@@ -4385,6 +4389,9 @@ add_option(struct option_state *options,
|
|
save_option(&dhcp_universe, options, oc);
|
|
option_cache_dereference(&oc, MDL);
|
|
|
|
+ /* Get rid of reference created during hash lookup. */
|
|
+ option_dereference(&option, MDL);
|
|
+
|
|
return 1;
|
|
}
|
|
|
|
diff --git a/common/tests/option_unittest.c b/common/tests/option_unittest.c
|
|
index cd52cfb..690704d 100644
|
|
--- a/common/tests/option_unittest.c
|
|
+++ b/common/tests/option_unittest.c
|
|
@@ -130,6 +130,59 @@ ATF_TC_BODY(pretty_print_option, tc)
|
|
}
|
|
|
|
|
|
+ATF_TC(add_option_ref_cnt);
|
|
+
|
|
+ATF_TC_HEAD(add_option_ref_cnt, tc)
|
|
+{
|
|
+ atf_tc_set_md_var(tc, "descr",
|
|
+ "Verify add_option() does not leak option ref counts.");
|
|
+}
|
|
+
|
|
+ATF_TC_BODY(add_option_ref_cnt, tc)
|
|
+{
|
|
+ struct option_state *options = NULL;
|
|
+ struct option *option = NULL;
|
|
+ unsigned int cid_code = DHO_DHCP_CLIENT_IDENTIFIER;
|
|
+ char *cid_str = "1234";
|
|
+ int refcnt_before = 0;
|
|
+
|
|
+ // Look up the option we're going to add.
|
|
+ initialize_common_option_spaces();
|
|
+ if (!option_code_hash_lookup(&option, dhcp_universe.code_hash,
|
|
+ &cid_code, 0, MDL)) {
|
|
+ atf_tc_fail("cannot find option definition?");
|
|
+ }
|
|
+
|
|
+ // Get the option's reference count before we call add_options.
|
|
+ refcnt_before = option->refcnt;
|
|
+
|
|
+ // Allocate a option_state to which to add an option.
|
|
+ if (!option_state_allocate(&options, MDL)) {
|
|
+ atf_tc_fail("cannot allocat options state");
|
|
+ }
|
|
+
|
|
+ // Call add_option() to add the option to the option state.
|
|
+ if (!add_option(options, cid_code, cid_str, strlen(cid_str))) {
|
|
+ atf_tc_fail("add_option returned 0");
|
|
+ }
|
|
+
|
|
+ // Verify that calling add_option() only adds 1 to the option ref count.
|
|
+ if (option->refcnt != (refcnt_before + 1)) {
|
|
+ atf_tc_fail("after add_option(), count is wrong, before %d, after: %d",
|
|
+ refcnt_before, option->refcnt);
|
|
+ }
|
|
+
|
|
+ // Derefrence the option_state, this should reduce the ref count to
|
|
+ // it's starting value.
|
|
+ option_state_dereference(&options, MDL);
|
|
+
|
|
+ // Verify that dereferencing option_state restores option ref count.
|
|
+ if (option->refcnt != refcnt_before) {
|
|
+ atf_tc_fail("after state deref, count is wrong, before %d, after: %d",
|
|
+ refcnt_before, option->refcnt);
|
|
+ }
|
|
+}
|
|
+
|
|
/* This macro defines main() method that will call specified
|
|
test cases. tp and simple_test_case names can be whatever you want
|
|
as long as it is a valid variable identifier. */
|
|
@@ -137,6 +190,7 @@ ATF_TP_ADD_TCS(tp)
|
|
{
|
|
ATF_TP_ADD_TC(tp, option_refcnt);
|
|
ATF_TP_ADD_TC(tp, pretty_print_option);
|
|
+ ATF_TP_ADD_TC(tp, add_option_ref_cnt);
|
|
|
|
return (atf_no_error());
|
|
}
|
|
--
|
|
2.34.1
|
|
|