diff --git a/0021-check-for-header-length-underflow-during-checksum-ca.patch b/0021-check-for-header-length-underflow-during-checksum-ca.patch
new file mode 100644
index 0000000000000000000000000000000000000000..81011ab8e1bc4431bd6cca04e37a0947b0f4e1d4
--- /dev/null
+++ b/0021-check-for-header-length-underflow-during-checksum-ca.patch
@@ -0,0 +1,33 @@
+From e2383973cbca64f8e17ed7c4ad98258edfed6644 Mon Sep 17 00:00:00 2001
+From: Chris Leech
+Date: Tue, 10 Nov 2020 13:36:37 -0800
+Subject: [PATCH 1/4] check for header length underflow during checksum
+ calculation
+
+CVE-2020-13987
+---
+ iscsiuio/src/uip/uip.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index e2ce2cc..cfff43c 100644
+--- a/iscsiuio/src/uip/uip.c
++++ b/iscsiuio/src/uip/uip.c
+@@ -316,7 +316,13 @@ static u16_t upper_layer_chksum_ipv4(struct uip_stack *ustack, u8_t proto)
+ tcp_ipv4_hdr = (struct uip_tcp_ipv4_hdr *)ustack->network_layer;
+ 
+ upper_layer_len = (((u16_t) (tcp_ipv4_hdr->len[0]) << 8) +
+- tcp_ipv4_hdr->len[1]) - UIP_IPv4_H_LEN;
++ tcp_ipv4_hdr->len[1]);
++ /* check for underflow from an invalid length field */
++ if (upper_layer_len < UIP_IPv4_H_LEN) {
++ /* return 0 as an invalid checksum */
++ return 0;
++ }
++ upper_layer_len -= UIP_IPv4_H_LEN;
+ 
+ /* First sum pseudoheader. */
+ /* IP protocol and length fields. This addition cannot carry. */
+--
+1.8.3.1
+
diff --git a/0022-check-for-u8-overflow-when-processing-TCP-options.patch b/0022-check-for-u8-overflow-when-processing-TCP-options.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0fb91cd756897da1c28e939640aee4cc19bcabdb
--- /dev/null
+++ b/0022-check-for-u8-overflow-when-processing-TCP-options.patch
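Review bot: The new guard in upper_layer_chksum_ipv4 rejects only a total-length field smaller than UIP_IPv4_H_LEN; a length field larger than the bytes actually received is not checked here, so the summation that follows (outside the hunk) still walks as far as the field claims unless uip_process has already clamped the IP length to the received frame, which this hunk does not show. Either confirm that clamp precedes every caller of this function, including any transmit-side use, or add a second early return that bounds upper_layer_len by the received length. The `return 0` works as a failure signal only if callers compare the result against 0xffff rather than 0, so the comment should state that contract: `/* callers compare against 0xffff, so 0 reads as a failed checksum */`. The function body continues outside the hunk.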
@@ -0,0 +1,56 @@
+From 1f7968efff15eb737eb086a298cc1f0f0e308411 Mon Sep 17 00:00:00 2001
+From: Chris Leech
+Date: Tue, 10 Nov 2020 13:55:18 -0800
+Subject: [PATCH 2/4] check for u8 overflow when processing TCP options
+
+CVE-2020-13988
+---
+ iscsiuio/src/uip/uip.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index cfff43c..522fd9d 100644
+--- a/iscsiuio/src/uip/uip.c
++++ b/iscsiuio/src/uip/uip.c
+@@ -1795,16 +1795,18 @@ found_listen:
+ } else {
+ /* All other options have a length field, so
+ that we easily can skip past them. */
+- if (ustack->
+- uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 +
+- c] == 0) {
++ if (ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c] == 0) {
+ /* If the length field is zero, the
+ options are malformed
+ and we don't process them further. */
+ break;
+ }
+- c += ustack->uip_buf[uip_ip_tcph_len +
+- UIP_LLH_LEN + 1 + c];
++ if ((ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c]) > (256 - c)) {
++ /* u8 overflow, actually there should
++ * never be more than 40 bytes of options */
++ break;
++ }
++ c += ustack->uip_buf[uip_ip_tcph_len + UIP_LLH_LEN + 1 + c];
+ }
+ }
+ }
+@@ -2010,6 +2012,14 @@ found:
+ further. */
+ break;
+ }
++ if ((ustack->uip_buf[uip_ip_tcph_len
++ + UIP_LLH_LEN + 1 +
++ c]) > (256 - c)) {
++ /* u8 overflow, actually there should
++ * never be more than 40 bytes of
++ * options */
++ break;
++ }
+ c += ustack->
+ uip_buf[uip_ip_tcph_len +
+ UIP_LLH_LEN + 1 +
+--
+1.8.3.1
+
diff --git a/0023-check-for-TCP-urgent-pointer-past-end-of-frame.patch b/0023-check-for-TCP-urgent-pointer-past-end-of-frame.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ebdd79c57fbaacf848f61aaa3ac33b4405573e11
--- /dev/null
+++ b/0023-check-for-TCP-urgent-pointer-past-end-of-frame.patch
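Review bot: The overflow guard `> (256 - c)` in the found_listen: hunk is off by one if c is a u8_t, as the subject line implies: an option length equal to 256 - c passes the check, the following `c += ...` wraps c to 0, and the scan restarts at the beginning of the option area instead of terminating, so a malformed segment can keep the loop from exiting. The condition should be `> (255 - c)` (equivalently `>= (256 - c)`), and the same correction applies to the second hunk at found: (line 2012). A tighter guard would compare the option length against the option-area bound the enclosing for-loop already uses rather than the u8 range, but that bound is outside the hunk. Both enclosing loops start and end outside the hunks.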
@@ -0,0 +1,39 @@
+From d63ce0d64c5abe9f285f14ce394660bfb9a16538 Mon Sep 17 00:00:00 2001
+From: Chris Leech
+Date: Tue, 10 Nov 2020 14:14:11 -0800
+Subject: [PATCH 3/4] check for TCP urgent pointer past end of frame
+
+CVE-2020-17437
+---
+ iscsiuio/src/uip/uip.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/iscsiuio/src/uip/uip.c b/iscsiuio/src/uip/uip.c
+index 522fd9d..e0a7221 100644
+--- a/iscsiuio/src/uip/uip.c
++++ b/iscsiuio/src/uip/uip.c
+@@ -2095,11 +2095,16 @@ tcp_send_finack:
+ } else {
+ uip_urglen = 0;
+ #else /* UIP_URGDATA > 0 */
+- ustack->uip_appdata =
+- ((char *)ustack->uip_appdata) +
+- ((tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1]);
+- ustack->uip_len -=
+- (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
++ tmp16 = (tcp_hdr->urgp[0] << 8) | tcp_hdr->urgp[1];
++ if (tmp16 <= ustack->uip_len) {
++ ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;
++ ustack->uip_len -= tmp16;
++ } else {
++ /* invalid urgent pointer length greater than frame */
++ /* we're discarding urgent data anyway, throw it all out */
++ ustack->uip_appdata = ((char *)ustack->uip_appdata) + ustack->uip_len;
++ ustack->uip_len = 0;
++ }
+ #endif /* UIP_URGDATA > 0 */
+ }
+ 
+--
+1.8.3.1
+
diff --git a/open-iscsi.spec b/open-iscsi.spec
index 3d60681d187d924c7df4959ac451fdcb6911b5a0..149c1dea77b92e991c63df1e6e3f09cd1427d4ca 100644
--- a/open-iscsi.spec
+++ b/open-iscsi.spec
@@ -4,7 +4,7 @@ Name: open-iscsi
 Version: 2.1.1
-Release: 3
+Release: 4
 Summary: ISCSI software initiator daemon and utility programs
 License: GPLv2+ and BSD
 URL: http://www.open-iscsi.org
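Review bot: `tmp16` is assigned in this hunk but declared outside it; its type should be confirmed to be u16_t or wider so that `tmp16 <= ustack->uip_len` is not a mixed signed/unsigned comparison and no truncation of the 16-bit urgent pointer occurs. As a point of style, clamping once and then applying the adjustment unconditionally mirrors the UIP_URGDATA > 0 branch above and removes the duplicated appdata/uip_len updates: `if (tmp16 > ustack->uip_len) tmp16 = ustack->uip_len;` followed by `ustack->uip_appdata = ((char *)ustack->uip_appdata) + tmp16;` and `ustack->uip_len -= tmp16;`. The comment `/* invalid urgent pointer length greater than frame */` should name what uip_len holds at this point (presumably the remaining segment payload rather than the whole frame, which the hunk does not show), e.g. `/* urgent pointer beyond the remaining payload: discard all of it */`. The enclosing if/else and uip_process continue outside the hunk.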
@@ -29,7 +29,9 @@ Patch17: 0017-Fix-devel-without-node-header-files.patch
 Patch18: 0018-resolve-compilation-errors.patch
 Patch19: 0019-Update-systemd-unit-files-for-iscsid.patch
 Patch20: 0020-iscsid-Change-iscsid-service-PIDFile-to-run-iscsid.i.patch
-
+Patch21: 0021-check-for-header-length-underflow-during-checksum-ca.patch
+Patch22: 0022-check-for-u8-overflow-when-processing-TCP-options.patch
+Patch23: 0023-check-for-TCP-urgent-pointer-past-end-of-frame.patch
 BuildRequires: flex bison doxygen kmod-devel systemd-units gcc git isns-utils-devel systemd-devel
 BuildRequires: autoconf automake libtool libmount-devel openssl-devel pkg-config gdb
@@ -162,6 +164,9 @@ fi
 %{_mandir}/man8/*
 %changelog
+* Mon Feb 22 2021 haowenchao - 2.1.1-4
+- Fix CVE-2020-13987 CVE-2020-13988 CVE-2020-17437
+
 * Tue Dec 15 2020 haowenchao - 2.1.1-3
 - Change iscsid service PIDFile to /run/iscsid.ipd
 The pid file has be changed from /var/run/iscsid.pid to