From f9d7407e54f1fa3d3a316a5bbb8b80665e6f03fd Mon Sep 17 00:00:00 2001 From: Shan Hai Date: Mon, 28 Jul 2014 01:18:50 -0400 Subject: pulseaudio: fix CVE-2014-3970 The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet. Fix it by picking a patch from pulseaudio upstream code. Signed-off-by: Shan Hai Signed-off-by: Jackie Huang Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- .../pulseaudio/pulseaudio/CVE-2014-3970.patch | 52 ++++++++++++++++++++++ .../pulseaudio/pulseaudio_5.0.bb | 4 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch (limited to 'meta') diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch new file mode 100644 index 0000000000..d5f33dc42e --- /dev/null +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch @@ -0,0 +1,52 @@ +Upstream-Status: Backport + +commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream + +rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) + +On FIONREAD returning 0 bytes, we cannot return success, as the caller +(rtpoll_work_cb in module-rtp-recv.c) would then try to +pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger +an assertion. + +Also we have to read out the possible empty packet from the socket, so +that the kernel doesn't tell us again and again about it. + +Signed-off-by: Alexander E. Patrakov + +diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c +index 9195493..c45981e 100644 +--- a/src/modules/rtp/rtp.c ++++ b/src/modules/rtp/rtp.c +@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct + goto fail; + } + +- if (size <= 0) +- return 0; ++ if (size <= 0) { ++ /* size can be 0 due to any of the following reasons: ++ * ++ * 1. Somebody sent us a perfectly valid zero-length UDP packet. ++ * 2. Somebody sent us a UDP packet with a bad CRC. ++ * ++ * It is unknown whether size can actually be less than zero. ++ * ++ * In the first case, the packet has to be read out, otherwise the ++ * kernel will tell us again and again about it, thus preventing ++ * reception of any further packets. So let's just read it out ++ * now and discard it later, when comparing the number of bytes ++ * received (0) with the number of bytes wanted (1, see below). ++ * ++ * In the second case, recvmsg() will fail, thus allowing us to ++ * return the error. ++ * ++ * Just to avoid passing zero-sized memchunks and NULL pointers to ++ * recvmsg(), let's force allocation of at least one byte by setting ++ * size to 1. ++ */ ++ size = 1; ++ } + + if (c->memchunk.length < (unsigned) size) { + size_t l; diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb index 8d8c421179..99f0ef3a46 100644 --- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb +++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb @@ -2,7 +2,9 @@ require pulseaudio.inc SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \ file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \ - file://volatiles.04_pulse" + file://volatiles.04_pulse \ + file://CVE-2014-3970.patch \ +" SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e" SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939" -- cgit v1.2.3