[Dnsmasq-discuss] [PATCH] Re: Open CVEs against dnsmasq

Petr Menšík pemensik at redhat.com
Wed Feb 16 22:20:54 UTC 2022


Hi!

I have been playing with the oss-fuzz project for over a week. I think many of
them might be invalid, because the failures are caused by wrong fuzzing.
More precisely, by incomplete initialization used when fuzzing. I have
created a fix for one [1]. I have attached a patch, which seems to prevent
such failures. I am not 100% sure resize_packet should never increase a
UDP message to a larger packet than received. But because it does not have
any other limit available but plen, I used that as a top. I am confident
that is the correct limit of the usable buffer in handling a TCP response.

But I think CVE-2021-45955
<https://access.redhat.com/security/cve/CVE-2021-45955> might be a valid
one. It seems no proper bound is checked on pseudo header reinsertion.
Patch attached.

My attempts to build fuzzers with debuggable code were partially
successful. I have pushed the code I use for starting fuzzing to the oss-fuzz
branch [2]. I just source fuzz/env-rpm.sh, then fuzz/build.sh to create the
fuzzers.

It seems all functions crashing in extract_name are invalid, because too
small a buffer is used in the fuzzer. And it correctly detects it would write
behind the allocated space. I haven't met them after [1] was applied.

Should I create a better integration into the dnsmasq upstream project? It seems
to be an interesting way of checking possible inputs to dnsmasq. Has anyone
else been successful in fuzzing something themselves? Have you been
able to validate details using reproducers?

Cheers,
Petr

1. https://github.com/google/oss-fuzz/pull/7293
2. https://github.com/InfrastructureServices/dnsmasq/tree/oss-fuzz/fuzz

On 2/14/22 23:32, Hauke Mehrtens wrote:
> Hi,
>
> Our CVE checking scripts in OpenWrt found the following recently
> opened CVEs against dnsmasq:
> https://nvd.nist.gov/vuln/detail/CVE-2021-45951
> https://nvd.nist.gov/vuln/detail/CVE-2021-45952
> https://nvd.nist.gov/vuln/detail/CVE-2021-45953
> https://nvd.nist.gov/vuln/detail/CVE-2021-45954
> https://nvd.nist.gov/vuln/detail/CVE-2021-45955
> https://nvd.nist.gov/vuln/detail/CVE-2021-45956
> https://nvd.nist.gov/vuln/detail/CVE-2021-45957
>
> We think these CVE reports are wrong and should get rejected.
Not all of them. How were they validated? How do you know they are
wrong? Have you reproduced and debugged them?
>
> Hauke

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Prevent-writing-behind-packet-size-on-resize_packet.patch
Type: text/x-patch
Size: 1059 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20220216/13a7ebea/attachment.bin>
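An illustration of the bound discussed above, added here and not taken from dnsmasq, the attached patch, or the fuzzer: a hypothetical helper that appends an EDNS OPT pseudo-header to a packet of received length plen only when the record fits inside the buffer actually allocated (buflen), so a caller or harness that supplies too small a buffer gets a refusal rather than a write behind the allocated space.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not dnsmasq's API): append an EDNS0 OPT pseudo-RR
 * (root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLENGTH 0) to a
 * DNS packet of plen bytes held in a buffer of buflen bytes.
 * Returns the new packet length, or 0 when the record would not fit,
 * so the caller never writes past the memory it owns. */
#define OPT_RR_LEN 11  /* 1 name + 2 type + 2 class + 4 ttl + 2 rdlen */
#define DNS_HDR_LEN 12

size_t append_opt_rr(unsigned char *buf, size_t plen, size_t buflen,
                     uint16_t udp_size)
{
    /* Reject a packet shorter than a DNS header or longer than its buffer. */
    if (plen < DNS_HDR_LEN || buflen < plen)
        return 0;
    /* Bound check against the allocated size before touching memory. */
    if (buflen - plen < OPT_RR_LEN)
        return 0;

    unsigned char *p = buf + plen;
    *p++ = 0;                                  /* root name "." */
    *p++ = 0; *p++ = 41;                       /* TYPE = OPT */
    *p++ = (unsigned char)(udp_size >> 8);     /* CLASS = UDP payload size */
    *p++ = (unsigned char)(udp_size & 0xff);
    *p++ = 0; *p++ = 0; *p++ = 0; *p++ = 0;    /* TTL: ext RCODE, version, flags */
    *p++ = 0; *p++ = 0;                        /* RDLENGTH = 0 */

    /* Bump ARCOUNT (header bytes 10-11) to account for the new record. */
    uint16_t arcount = (uint16_t)((buf[10] << 8) | buf[11]);
    arcount++;
    buf[10] = (unsigned char)(arcount >> 8);
    buf[11] = (unsigned char)(arcount & 0xff);
    return plen + OPT_RR_LEN;
}
```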