[Bug 1695546] Re: Out of bounds write in resolved with crafted TCP responses
Łukasz Zemczak
1695546 at bugs.launchpad.net
Mon Jul 10 15:33:41 UTC 2017
Hello Chris, or anyone else affected,
Accepted systemd into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu18
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, details of your
testing will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: systemd (Ubuntu Xenial)
Status: Confirmed => Fix Committed
** Tags added: verification-needed verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1695546
Title:
Out of bounds write in resolved with crafted TCP responses
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Xenial:
Fix Committed
Status in systemd source package in Yakkety:
Fix Released
Status in systemd source package in Zesty:
Fix Released
Status in systemd source package in Artful:
Fix Released
Bug description:
[Impact]
Certain sizes passed to dns_packet_new can cause it to allocate a buffer that's too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. E.g., calling dns_packet_new with a size of 4016 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
A malicious DNS server can exploit this by responding with a specially
crafted TCP payload to trick systemd-resolved into allocating a
buffer that's too small, and subsequently write arbitrary data beyond
the end of it.
To demonstrate this you can run the attached python script. This is a
mock DNS server that sends a response where the first two bytes of the
TCP payload specify a size of 4016 (note, this size is picked to
trigger an out of bounds write on x86 - you'll probably need to pick a
different number for x86-64). You'll need to temporarily set your DNS
server to 127.0.0.1.
[Testcase]
Launch the attached script on i386, point resolved at the started DNS server, execute a DNS query via resolved, and observe that it crashes.
Upgrade the systemd package and observe that resolved no longer crashes.
[Regression Potential]
Low, resolved is not used by default in xenial. This is a bug fix to resolved, in case somebody does use resolved in xenial.
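The size arithmetic described under [Impact], as an added example that is neither the reporter's attached script nor systemd's own code: a model of the vulnerable dns_packet_new() computation next to a hardened variant that treats its argument as a minimum data size instead of an MTU. The example takes sizeof(DnsPacket) == 108 on x86 from the report; the 4-byte ALIGN() granularity for i386, the constant values (PAGE_SIZE, DNS_PACKET_SIZE_START, DNS_PACKET_SIZE_MAX, the 28-byte IP+UDP header) and the shape of the fix are assumptions of this example and should be checked against the 229-4ubuntu18 diff. For x86-64 both per-architecture values have to be taken from that build, as the report says.

```c
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE              4096u
#define DNS_PACKET_HEADER_SIZE 12u
#define DNS_PACKET_SIZE_START  512u
#define DNS_PACKET_SIZE_MAX    65535u
/* sizeof(struct iphdr) + sizeof(struct udphdr): what the vulnerable
 * arithmetic subtracts from 'mtu' before rounding up to a page. */
#define UDP_PACKET_HEADER_SIZE (20u + 8u)

/* Per-architecture inputs. 108 is the sizeof(DnsPacket) the report gives for
 * x86; the 4-byte ALIGN() granularity (sizeof(void *) on i386) is assumed. */
typedef struct {
    size_t packet_struct_size;
    size_t align;
} arch_params;

static const arch_params I386 = { 108u, 4u };

static size_t align_to(size_t x, size_t a) { return (x + a - 1) / a * a; }
static size_t page_align(size_t x) { return align_to(x, PAGE_SIZE); }

static size_t page_round_and_clamp(size_t hdr, size_t a) {
    a = page_align(hdr + a) - hdr;     /* round whole allocation to a page */
    if (a > DNS_PACKET_SIZE_MAX)       /* never allocate more than useful */
        a = DNS_PACKET_SIZE_MAX;
    return a;
}

/* Vulnerable arithmetic: 'mtu' is treated as a full datagram size, so the
 * IP+UDP header size is subtracted first. A TCP caller passes the 16-bit
 * length prefix of the response here and then stores that many bytes, but
 * nothing guarantees the returned data capacity is >= mtu. */
size_t buggy_data_capacity(const arch_params *ap, size_t mtu) {
    size_t hdr = align_to(ap->packet_struct_size, ap->align);
    size_t a = mtu <= UDP_PACKET_HEADER_SIZE ? DNS_PACKET_SIZE_START
                                             : mtu - UDP_PACKET_HEADER_SIZE;
    if (a < DNS_PACKET_HEADER_SIZE)
        a = DNS_PACKET_HEADER_SIZE;
    return page_round_and_clamp(hdr, a);
}

/* Hardened arithmetic (assumed fix shape): the argument is the minimum
 * number of data bytes that must fit; nothing is subtracted, so the
 * capacity is never smaller than the request. */
size_t fixed_data_capacity(const arch_params *ap, size_t min_alloc_dsize) {
    size_t hdr = align_to(ap->packet_struct_size, ap->align);
    size_t a = min_alloc_dsize < DNS_PACKET_HEADER_SIZE ? DNS_PACKET_SIZE_START
                                                        : min_alloc_dsize;
    return page_round_and_clamp(hdr, a);
}

/* Bytes a response with TCP length prefix 'len' would write past the data
 * area under the vulnerable arithmetic; 0 means it fits. */
size_t buggy_overflow_bytes(const arch_params *ap, size_t len) {
    size_t cap = buggy_data_capacity(ap, len);
    return len > cap ? len - cap : 0;
}

/* Smallest length prefix in 1..65535 that overflows, or 0 if none does. */
size_t smallest_overflowing_len(const arch_params *ap) {
    for (size_t len = 1; len <= DNS_PACKET_SIZE_MAX; len++)
        if (buggy_overflow_bytes(ap, len) > 0)
            return len;
    return 0;
}

/* How many of the 65535 possible length prefixes overflow. */
size_t count_overflowing_lens(const arch_params *ap) {
    size_t n = 0;
    for (size_t len = 1; len <= DNS_PACKET_SIZE_MAX; len++)
        if (buggy_overflow_bytes(ap, len) > 0)
            n++;
    return n;
}

int main(void) {
    /* 4016 is the report's value; the neighbours show the window edges. */
    size_t probes[] = { 3988u, 3989u, 4016u, 4017u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t len = probes[i];
        printf("len %5zu: buggy capacity %5zu (overflow %2zu), fixed capacity %5zu\n",
               len, buggy_data_capacity(&I386, len),
               buggy_overflow_bytes(&I386, len), fixed_data_capacity(&I386, len));
    }
    printf("i386: %zu of 65535 length prefixes overflow, smallest is %zu\n",
           count_overflowing_lens(&I386), smallest_overflowing_len(&I386));
    return 0;
}
```

With the i386 parameters the report's 4016 yields a data capacity of 3988 bytes inside a 4096-byte allocation, i.e. a 28-byte overrun, and every length of the form page multiple minus 80 (down to minus 107) overruns by between 1 and 28 bytes; the hardened variant returns at least the requested size for every 16-bit length, which is the property a regression test for the fix should assert.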
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1695546/+subscriptions