From patchwork Tue May 20 19:48:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 63339 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49BFDC54ECC for ; Tue, 20 May 2025 19:48:34 +0000 (UTC) Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) by mx.groups.io with SMTP id smtpd.web10.416.1747770506456930253 for ; Tue, 20 May 2025 12:48:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=WDiWM/Cg; spf=softfail (domain: sakoman.com, ip: 209.85.216.50, mailfrom: steve@sakoman.com) Received: by mail-pj1-f50.google.com with SMTP id 98e67ed59e1d1-30e8f4dbb72so4870627a91.1 for ; Tue, 20 May 2025 12:48:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1747770506; x=1748375306; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bIxV/Y5b1ZRtsPZZhksE4UGFBqCOZ56D+OrR8EfEuI0=; b=WDiWM/CgF4oyhT1twxJd36iU/+98MaoadcYvBbpyUuAZkTSREVBDMGN0BYSPdOTxJ/ tiySDuGppEOCrQzkFL6y+LLHBUe4/CoE69qSE9gHOqXGfHnyjJOEWU3rutrzcNIvbiA9 3OnqSZn8o85xOuPDNDAu62/Yc2OIG4f7paN/HigHj/6e1wp8Sz6/mDl/6VagjPPu87s6 9QgvNhxW1QZLuq8LwEWAC2kjYr4sa8i25SLdBCakmqH1U5Nj7eqDfaJeTef53P9RqblE yerpGaIYwVAiDYCSNvyj4pfgRWb+tmb5YJjrZTAbnrJGj7r3XNHfIYON6myv4vbx4JEe titw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747770506; x=1748375306; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bIxV/Y5b1ZRtsPZZhksE4UGFBqCOZ56D+OrR8EfEuI0=; b=T9SrAGlz9BrLT9O86idMY+7zglntORILa0b2xjIKlY3ug9JFuYQ+BBTBnjjdMgHgql S54oN2KWORBeG9WroUUUDEUNKLtDKHQKq0TAw/JV/WRipSQAJ6/GC263CDPi89ttxinP AOooVowjX5MWVI7DIMPTq2Ej41xYhVtqyynpcAAfx2KwfBZ5PFyy+dl5EwoPQJln0HwM bcHehThzc6aCmCUtAMKJ0ZWB4nK2XQRrqSviJ2/MHF0JtLBvspUbabUnF99h+44GHmq+ cDElIAA2XgoT4EHYQNe7ND2+PDo9JB/BHCNUqCfVuRyR8SDMlHPK2VIBBHp1deEcbjLo dXGA== X-Gm-Message-State: AOJu0YwEdn7TUZa1gvInywukTvAr2CafYwqTV6r5asD2RSLo52dw4IOY hXhTBP1w5wKOi2R/qFdqrryTYkd+RmGvOBFFodZ/I45QaxI3xZ9L/S3Y+CzzAysReXsQrWpRXOd FRvRv X-Gm-Gg: ASbGncuZ0X7IcaQdnJoamz4v1GF+89EGBDTYTEAq3oKWD095CrYd5ax4DNDkTR8bxXU 8awxB11Ym3yGerKVkp4YShu1bnfqBwHFJaak+Sfa3f92YDF0muZIm9rgrjBtkMzUc9uybVSaILK 88B1rRTDKjczlyoX48uc+mZZZzhwL454+EyzrRFlT2kcUHzBTrw7CS8T3sKI0DzYN0YkM4O0SBa hRI4l0cC9cXY3WmWzTHH58pX5PK9KshgqgQsMeXcIqZLA9Q+xbUwEKtxDoZ8vfbORIFIc/FxcfX YK5XQFwadB52Wb2PamDazyT22/5e2CwSKRvSGRDZaw== X-Google-Smtp-Source: AGHT+IEIG9IQ/zxT/FwN5+XaHOvOonniNa58lB2yp8Ds2RoR5q7HnI66WV9mk84ngT7LDiCFqwThVw== X-Received: by 2002:a17:90b:4b82:b0:2ff:6f88:b04a with SMTP id 98e67ed59e1d1-30e8314d95bmr26389081a91.15.1747770505658; Tue, 20 May 2025 12:48:25 -0700 (PDT) Received: from hexa.. ([2602:feb4:3b:2100:48df:296e:5350:93e]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-30f36386944sm2120772a91.14.2025.05.20.12.48.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 May 2025 12:48:25 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][walnascar 2/8] iputils: Security fix for CVE-2025-47268 Date: Tue, 20 May 2025 12:48:09 -0700 Message-ID: <59f0d3befe0c828bdc16664af1f8b64b7f3911e7.1747770224.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 20 May 2025 19:48:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216935 From: Yi Zhao CVE-2025-47268 ping in iputils through 20240905 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47268 Patch from: https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40 Signed-off-by: Yi Zhao Signed-off-by: Steve Sakoman --- .../iputils/iputils/CVE-2025-47268.patch | 143 ++++++++++++++++++ .../iputils/iputils_20240905.bb | 4 +- 2 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch diff --git a/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch b/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch new file mode 100644 index 0000000000..dd31b79031 --- /dev/null +++ b/meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch @@ -0,0 +1,143 @@ +From 070cfacd7348386173231fb16fad4983d4e6ae40 Mon Sep 17 00:00:00 2001 +From: Petr Vorel +Date: Mon, 5 May 2025 23:55:57 +0200 +Subject: [PATCH] ping: Fix signed 64-bit integer overflow in RTT calculation + +Crafted ICMP Echo Reply packet can cause signed integer overflow in + +1) triptime calculation: +triptime = tv->tv_sec * 1000000 + tv->tv_usec; + +2) tsum2 increment which uses triptime +rts->tsum2 += (double)((long long)triptime * (long long)triptime); + +3) final tmvar: +tmvar = (rts->tsum2 / total) - (tmavg * tmavg) + + $ export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer" + $ export LDFLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" + $ meson setup .. -Db_sanitize=address,undefined + $ ninja + $ ./ping/ping -c2 127.0.0.1 + + PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. + 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.061 ms + ../ping/ping_common.c:757:25: runtime error: signed integer overflow: -2513732689199106 * 1000000 cannot be represented in type 'long int' + ../ping/ping_common.c:757:12: runtime error: signed integer overflow: -4975495174606980224 + -6510615555425289427 cannot be represented in type 'long int' + ../ping/ping_common.c:769:47: runtime error: signed integer overflow: 6960633343677281965 * 6960633343677281965 cannot be represented in type 'long int' + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ./ping/ping: Warning: time of day goes back (-7256972569576721377us), taking countermeasures + ./ping/ping: Warning: time of day goes back (-7256972569576721232us), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ../ping/ping_common.c:265:16: runtime error: signed integer overflow: 6960633343677281965 * 2 cannot be represented in type 'long int' + 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.565 ms + + --- 127.0.0.1 ping statistics --- + 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1002ms + ../ping/ping_common.c:940:42: runtime error: signed integer overflow: 1740158335919320832 * 1740158335919320832 cannot be represented in type 'long int' + rtt min/avg/max/mdev = 0.000/1740158335919320.832/6960633343677281.965/-1623514645242292.-224 ms + +To fix the overflow check allowed ranges of struct timeval members: +* tv_sec <0, LONG_MAX/1000000> +* tv_usec <0, 999999> + +Fix includes 2 new error messages (needs translation). +Also existing message "time of day goes back ..." needed to be modified +as it now prints tv->tv_sec which is a second (needs translation update). + +After fix: + + $ ./ping/ping -c2 127.0.0.1 + 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.057 ms + ./ping/ping: Warning: invalid tv_usec -6510615555424928611 us + ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures + ./ping/ping: Warning: invalid tv_usec -6510615555424928461 us + ./ping/ping: Warning: time of day goes back (-3985394643238914 s), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + ./ping/ping: Warning: invalid tv_usec -6510615555425884541 us + ./ping/ping: Warning: time of day goes back (-4243165695442945 s), taking countermeasures + 24 bytes from 127.0.0.1: icmp_seq=1 ttl=64 (truncated) + 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.111 ms + + --- 127.0.0.1 ping statistics --- + 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 101ms + rtt min/avg/max/mdev = 0.000/0.042/0.111/0.046 ms + +Fixes: https://github.com/iputils/iputils/issues/584 +Fixes: CVE-2025-472 +Link: https://github.com/Zephkek/ping-rtt-overflow/ +Co-developed-by: Cyril Hrubis +Reported-by: Mohamed Maatallah +Reviewed-by: Mohamed Maatallah +Reviewed-by: Cyril Hrubis +Reviewed-by: Noah Meyerhans +Signed-off-by: Petr Vorel + +CVE: CVE-2025-47268 + +Upstream-Status: Backport +[https://github.com/iputils/iputils/commit/070cfacd7348386173231fb16fad4983d4e6ae40] + +Signed-off-by: Yi Zhao +--- + iputils_common.h | 3 +++ + ping/ping_common.c | 22 +++++++++++++++++++--- + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/iputils_common.h b/iputils_common.h +index 49e790d..829a749 100644 +--- a/iputils_common.h ++++ b/iputils_common.h +@@ -10,6 +10,9 @@ + !!__builtin_types_compatible_p(__typeof__(arr), \ + __typeof__(&arr[0]))])) * 0) + ++/* 1000001 = 1000000 tv_sec + 1 tv_usec */ ++#define TV_SEC_MAX_VAL (LONG_MAX/1000001) ++ + #ifdef __GNUC__ + # define iputils_attribute_format(t, n, m) __attribute__((__format__ (t, n, m))) + #else +diff --git a/ping/ping_common.c b/ping/ping_common.c +index dadd2a4..4e99d89 100644 +--- a/ping/ping_common.c ++++ b/ping/ping_common.c +@@ -754,16 +754,32 @@ int gather_statistics(struct ping_rts *rts, uint8_t *icmph, int icmplen, + + restamp: + tvsub(tv, &tmp_tv); +- triptime = tv->tv_sec * 1000000 + tv->tv_usec; +- if (triptime < 0) { +- error(0, 0, _("Warning: time of day goes back (%ldus), taking countermeasures"), triptime); ++ ++ if (tv->tv_usec >= 1000000) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 999999; ++ } ++ ++ if (tv->tv_usec < 0) { ++ error(0, 0, _("Warning: invalid tv_usec %ld us"), tv->tv_usec); ++ tv->tv_usec = 0; ++ } ++ ++ if (tv->tv_sec > TV_SEC_MAX_VAL) { ++ error(0, 0, _("Warning: invalid tv_sec %ld s"), tv->tv_sec); ++ triptime = 0; ++ } else if (tv->tv_sec < 0) { ++ error(0, 0, _("Warning: time of day goes back (%ld s), taking countermeasures"), tv->tv_sec); + triptime = 0; + if (!rts->opt_latency) { + gettimeofday(tv, NULL); + rts->opt_latency = 1; + goto restamp; + } ++ } else { ++ triptime = tv->tv_sec * 1000000 + tv->tv_usec; + } ++ + if (!csfailed) { + rts->tsum += triptime; + rts->tsum2 += (double)((long long)triptime * (long long)triptime); +-- +2.34.1 + diff --git a/meta/recipes-extended/iputils/iputils_20240905.bb b/meta/recipes-extended/iputils/iputils_20240905.bb index ca8ddc530d..64d58a91c2 100644 --- a/meta/recipes-extended/iputils/iputils_20240905.bb +++ b/meta/recipes-extended/iputils/iputils_20240905.bb @@ -10,7 +10,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=627cc07ec86a45951d43e30658bbd819" DEPENDS = "gnutls" -SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https" +SRC_URI = "git://github.com/iputils/iputils;branch=master;protocol=https \ + file://CVE-2025-47268.patch \ + " SRCREV = "10b50784aae3fb75c96cdf9b1668916b49557dd5" S = "${WORKDIR}/git"