libssh: CVE-2020-16135 NULL pointer dereference in sftpserver.c if ssh_buffer_new returns NULL

Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53 & https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40 & https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181 & https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-06-26 10:46:53 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-07-14 07:08:54 -0400
commit: 00de17fa466b91de7bdbf8655929fb627aad18a8 (patch)
tree: bce4b2d87a72a2f8899a012545639fd5d679fa6f
parent: 6334241447e461f849035c47f071fa4a2125fee1 (diff)
download: meta-openembedded-00de17fa466b91de7bdbf8655929fb627aad18a8.tar.gz
5 files changed, 193 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch
new file mode 100644
index 0000000000..2944a44622
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch
@@ -0,0 +1,40 @@
+From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:04:09 +0200
+Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new()
+Thanks to Ramin Farajpour Cami for spotting this.
+Fixes T232
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53]
+CVE: CVE-2020-16135
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/sftpserver.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index 5a2110e58..b639a2ce3 100644
+--- a/src/sftpserver.c
+++ b/src/sftpserver.c
+@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+ 
+   /* take a copy of the whole packet */
+   msg->complete_message = ssh_buffer_new();
+  if (msg->complete_message == NULL) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+
+   ssh_buffer_add_data(msg->complete_message,
+                       ssh_buffer_get(payload),
+                       ssh_buffer_get_len(payload));
+-- 
+GitLab
diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch
new file mode 100644
index 0000000000..3c4ff0c614
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch
@@ -0,0 +1,42 @@
+From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:05:51 +0200
+Subject: [PATCH] sftpserver: Add missing return check for
+ ssh_buffer_add_data()
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40]
+CVE: CVE-2020-16135
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/sftpserver.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/src/sftpserver.c b/src/sftpserver.c
+index b639a2ce3..9117f155f 100644
+--- a/src/sftpserver.c
+++ b/src/sftpserver.c
+@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
+       return NULL;
+   }
+ 
+-  ssh_buffer_add_data(msg->complete_message,
+-                      ssh_buffer_get(payload),
+-                      ssh_buffer_get_len(payload));
+  rc = ssh_buffer_add_data(msg->complete_message,
+                           ssh_buffer_get(payload),
+                           ssh_buffer_get_len(payload));
+  if (rc < 0) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+ 
+   ssh_buffer_get_u32(payload, &msg->id);
+ 
+-- 
+GitLab
diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch
new file mode 100644
index 0000000000..03a8ac156a
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch
@@ -0,0 +1,70 @@
+From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:10:11 +0200
+Subject: [PATCH] buffer: Reformat ssh_buffer_add_data()
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181]
+CVE: CVE-2020-16135
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/buffer.c | 35 ++++++++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 17 deletions(-)
+diff --git a/src/buffer.c b/src/buffer.c
+index a2e6246af..476bc1358 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+  */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+-  buffer_verify(buffer);
+    buffer_verify(buffer);
+ 
+-  if (data == NULL) {
+-      return -1;
+-  }
+    if (data == NULL) {
+        return -1;
+    }
+ 
+-  if (buffer->used + len < len) {
+-    return -1;
+-  }
+    if (buffer->used + len < len) {
+        return -1;
+    }
+ 
+-  if (buffer->allocated < (buffer->used + len)) {
+-    if(buffer->pos > 0)
+-      buffer_shift(buffer);
+-    if (realloc_buffer(buffer, buffer->used + len) < 0) {
+-      return -1;
+    if (buffer->allocated < (buffer->used + len)) {
+        if (buffer->pos > 0) {
+            buffer_shift(buffer);
+        }
+        if (realloc_buffer(buffer, buffer->used + len) < 0) {
+            return -1;
+        }
+     }
+-  }
+ 
+-  memcpy(buffer->data+buffer->used, data, len);
+-  buffer->used+=len;
+-  buffer_verify(buffer);
+-  return 0;
+    memcpy(buffer->data + buffer->used, data, len);
+    buffer->used += len;
+    buffer_verify(buffer);
+    return 0;
+ }
+ 
+ /**
+-- 
+GitLab
diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch
new file mode 100644
index 0000000000..8e9a4c3f5c
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch
@@ -0,0 +1,34 @@
+From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 3 Jun 2020 10:11:21 +0200
+Subject: [PATCH] buffer: Add NULL check for 'buffer' argument
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Reviewed-by: Jakub Jelen <jjelen@redhat.com>
+Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b]
+CVE: CVE-2020-16135
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/buffer.c b/src/buffer.c
+index 476bc1358..ce12f491a 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
+  */
+ int ssh_buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len)
+ {
+    if (buffer == NULL) {
+        return -1;
+    }
+
+     buffer_verify(buffer);
+ 
+     if (data == NULL) {
+-- 
+GitLab
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
index 39ed8a8fbb..0fb07a0eb7 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -6,7 +6,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 DEPENDS = "zlib openssl libgcrypt"
-SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8"
+SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8 \
+           file://CVE-2020-16135-1.patch \
+           file://CVE-2020-16135-2.patch \
+           file://CVE-2020-16135-3.patch \
+           file://CVE-2020-16135-4.patch \
+          "
 SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
 S = "${WORKDIR}/git"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-06-26 10:46:53 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-07-14 07:08:54 -0400
commit	00de17fa466b91de7bdbf8655929fb627aad18a8 (patch)
tree	bce4b2d87a72a2f8899a012545639fd5d679fa6f
parent	6334241447e461f849035c47f071fa4a2125fee1 (diff)
download	meta-openembedded-00de17fa466b91de7bdbf8655929fb627aad18a8.tar.gz

diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch new file mode 100644 index 0000000000..2944a44622 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-1.patch
@@ -0,0 +1,40 @@
		1	From 533d881b0f4b24c72b35ecc97fa35d295d063e53 Mon Sep 17 00:00:00 2001
		2	From: Andreas Schneider <asn@cryptomilk.org>
		3	Date: Wed, 3 Jun 2020 10:04:09 +0200
		4	Subject: [PATCH] sftpserver: Add missing NULL check for ssh_buffer_new()
		5
		6	Thanks to Ramin Farajpour Cami for spotting this.
		7
		8	Fixes T232
		9
		10	Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
		11	Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
		12	Reviewed-by: Jakub Jelen <jjelen@redhat.com>
		13
		14	Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/533d881b0f4b24c72b35ecc97fa35d295d063e53]
		15	CVE: CVE-2020-16135
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	src/sftpserver.c \| 6 ++++++
		19	1 file changed, 6 insertions(+)
		20
		21	diff --git a/src/sftpserver.c b/src/sftpserver.c
		22	index 5a2110e58..b639a2ce3 100644
		23	--- a/src/sftpserver.c
		24	+++ b/src/sftpserver.c
		25	@@ -67,6 +67,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
		26
		27	/* take a copy of the whole packet */
		28	msg->complete_message = ssh_buffer_new();
		29	+ if (msg->complete_message == NULL) {
		30	+ ssh_set_error_oom(session);
		31	+ sftp_client_message_free(msg);
		32	+ return NULL;
		33	+ }
		34	+
		35	ssh_buffer_add_data(msg->complete_message,
		36	ssh_buffer_get(payload),
		37	ssh_buffer_get_len(payload));
		38	--
		39	GitLab
		40


diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch new file mode 100644 index 0000000000..3c4ff0c614 --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-2.patch
@@ -0,0 +1,42 @@
		1	From 2782cb0495b7450bd8fe43ce4af886b66fea6c40 Mon Sep 17 00:00:00 2001
		2	From: Andreas Schneider <asn@cryptomilk.org>
		3	Date: Wed, 3 Jun 2020 10:05:51 +0200
		4	Subject: [PATCH] sftpserver: Add missing return check for
		5	ssh_buffer_add_data()
		6
		7	Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
		8	Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
		9	Reviewed-by: Jakub Jelen <jjelen@redhat.com>
		10
		11	Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/2782cb0495b7450bd8fe43ce4af886b66fea6c40]
		12	CVE: CVE-2020-16135
		13	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		14	---
		15	src/sftpserver.c \| 11 ++++++++---
		16	1 file changed, 8 insertions(+), 3 deletions(-)
		17
		18	diff --git a/src/sftpserver.c b/src/sftpserver.c
		19	index b639a2ce3..9117f155f 100644
		20	--- a/src/sftpserver.c
		21	+++ b/src/sftpserver.c
		22	@@ -73,9 +73,14 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
		23	return NULL;
		24	}
		25
		26	- ssh_buffer_add_data(msg->complete_message,
		27	- ssh_buffer_get(payload),
		28	- ssh_buffer_get_len(payload));
		29	+ rc = ssh_buffer_add_data(msg->complete_message,
		30	+ ssh_buffer_get(payload),
		31	+ ssh_buffer_get_len(payload));
		32	+ if (rc < 0) {
		33	+ ssh_set_error_oom(session);
		34	+ sftp_client_message_free(msg);
		35	+ return NULL;
		36	+ }
		37
		38	ssh_buffer_get_u32(payload, &msg->id);
		39
		40	--
		41	GitLab
		42


diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch new file mode 100644 index 0000000000..03a8ac156a --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-3.patch
@@ -0,0 +1,70 @@
		1	From 10b3ebbe61a7031a3dae97f05834442220447181 Mon Sep 17 00:00:00 2001
		2	From: Andreas Schneider <asn@cryptomilk.org>
		3	Date: Wed, 3 Jun 2020 10:10:11 +0200
		4	Subject: [PATCH] buffer: Reformat ssh_buffer_add_data()
		5
		6	Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
		7	Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
		8	Reviewed-by: Jakub Jelen <jjelen@redhat.com>
		9
		10	Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/10b3ebbe61a7031a3dae97f05834442220447181]
		11	CVE: CVE-2020-16135
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	src/buffer.c \| 35 ++++++++++++++++++-----------------
		15	1 file changed, 18 insertions(+), 17 deletions(-)
		16
		17	diff --git a/src/buffer.c b/src/buffer.c
		18	index a2e6246af..476bc1358 100644
		19	--- a/src/buffer.c
		20	+++ b/src/buffer.c
		21	@@ -299,28 +299,29 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
		22	*/
		23	int ssh_buffer_add_data(struct ssh_buffer_struct buffer, const void data, uint32_t len)
		24	{
		25	- buffer_verify(buffer);
		26	+ buffer_verify(buffer);
		27
		28	- if (data == NULL) {
		29	- return -1;
		30	- }
		31	+ if (data == NULL) {
		32	+ return -1;
		33	+ }
		34
		35	- if (buffer->used + len < len) {
		36	- return -1;
		37	- }
		38	+ if (buffer->used + len < len) {
		39	+ return -1;
		40	+ }
		41
		42	- if (buffer->allocated < (buffer->used + len)) {
		43	- if(buffer->pos > 0)
		44	- buffer_shift(buffer);
		45	- if (realloc_buffer(buffer, buffer->used + len) < 0) {
		46	- return -1;
		47	+ if (buffer->allocated < (buffer->used + len)) {
		48	+ if (buffer->pos > 0) {
		49	+ buffer_shift(buffer);
		50	+ }
		51	+ if (realloc_buffer(buffer, buffer->used + len) < 0) {
		52	+ return -1;
		53	+ }
		54	}
		55	- }
		56
		57	- memcpy(buffer->data+buffer->used, data, len);
		58	- buffer->used+=len;
		59	- buffer_verify(buffer);
		60	- return 0;
		61	+ memcpy(buffer->data + buffer->used, data, len);
		62	+ buffer->used += len;
		63	+ buffer_verify(buffer);
		64	+ return 0;
		65	}
		66
		67	/**
		68	--
		69	GitLab
		70


diff --git a/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch new file mode 100644 index 0000000000..8e9a4c3f5c --- /dev/null +++ b/meta-oe/recipes-support/libssh/files/CVE-2020-16135-4.patch
@@ -0,0 +1,34 @@
		1	From 245ad744b5ab0582fef7cf3905a717b791d7e08b Mon Sep 17 00:00:00 2001
		2	From: Andreas Schneider <asn@cryptomilk.org>
		3	Date: Wed, 3 Jun 2020 10:11:21 +0200
		4	Subject: [PATCH] buffer: Add NULL check for 'buffer' argument
		5
		6	Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
		7	Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
		8	Reviewed-by: Jakub Jelen <jjelen@redhat.com>
		9
		10	Upstream-Status: Backport [https://gitlab.com/libssh/libssh-mirror/-/commit/245ad744b5ab0582fef7cf3905a717b791d7e08b]
		11	CVE: CVE-2020-16135
		12	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		13	---
		14	src/buffer.c \| 4 ++++
		15	1 file changed, 4 insertions(+)
		16
		17	diff --git a/src/buffer.c b/src/buffer.c
		18	index 476bc1358..ce12f491a 100644
		19	--- a/src/buffer.c
		20	+++ b/src/buffer.c
		21	@@ -299,6 +299,10 @@ int ssh_buffer_reinit(struct ssh_buffer_struct *buffer)
		22	*/
		23	int ssh_buffer_add_data(struct ssh_buffer_struct buffer, const void data, uint32_t len)
		24	{
		25	+ if (buffer == NULL) {
		26	+ return -1;
		27	+ }
		28	+
		29	buffer_verify(buffer);
		30
		31	if (data == NULL) {
		32	--
		33	GitLab
		34


diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb index 39ed8a8fbb..0fb07a0eb7 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
@@ -6,7 +6,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
6		6
7	DEPENDS = "zlib openssl libgcrypt"	7	DEPENDS = "zlib openssl libgcrypt"
8		8
9	SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8"	9	SRC_URI = "git://git.libssh.org/projects/libssh.git;branch=stable-0.8 \
		10	file://CVE-2020-16135-1.patch \
		11	file://CVE-2020-16135-2.patch \
		12	file://CVE-2020-16135-3.patch \
		13	file://CVE-2020-16135-4.patch \
		14	"
		15
10	SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"	16	SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
11		17
12	S = "${WORKDIR}/git"	18	S = "${WORKDIR}/git"