From patchwork Tue Mar 19 15:27:11 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3658
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2024 17:27:11 +0200
Message-ID: <20240319152803.1801-2-lev@openvpn.net>
X-Mailer: git-send-email 2.42.0.windows.2
In-Reply-To: <20240319140957.2033-3-lev@openvpn.net>
References: <20240319140957.2033-3-lev@openvpn.net>
Subject: [Openvpn-devel] [PATCH v2] interactive.c: Fix potential stack overflow issue
Cc: Lev Stipakov, Heiko Hund, Vladimir Tokarev

When reading a message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow.

To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size.

CVE: 2024-27459
Microsoft case number: 85932
Reported-by: Vladimir Tokarev
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
---
v2: added CVE and MSFT case number

src/openvpnserv/interactive.c | 35 +++++++++++++++++++++--------------
1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 32c8996c..24e3f341 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -106,6 +106,18 @@ typedef struct { struct tun_ring *receive_ring; } ring_buffer_maps_t; +typedef union { + message_header_t header; + address_message_t address; + route_message_t route; + flush_neighbors_message_t flush_neighbors; + block_dns_message_t block_dns; + dns_cfg_message_t dns; + enable_dhcp_message_t dhcp; + register_ring_buffers_message_t rrb; + set_mtu_message_t mtu; + wins_cfg_message_t wins; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data)
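Review bot: the hoisted `pipe_message_t` union now does double duty as HandleMessage's receive buffer and as the upper bound RunOpenvpn enforces on the peeked length, but nothing at the typedef says so; a one-line comment above `+typedef union {` stating that `sizeof(pipe_message_t)` is the maximum message length accepted from the pipe would stop a future member being added (or a member type growing) without the author realising it also widens what a peer may send.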
@@ -1610,19 +1622,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { - DWORD read; - union { - message_header_t header; - address_message_t address; - route_message_t route; - flush_neighbors_message_t flush_neighbors; - block_dns_message_t block_dns; - dns_cfg_message_t dns; - enable_dhcp_message_t dhcp; - register_ring_buffers_message_t rrb; - set_mtu_message_t mtu; - wins_cfg_message_t wins; - } msg; + pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1632,7 +1632,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, .error_number = ERROR_MESSAGE_DATA }; - read = ReadPipeAsync(pipe, &msg, bytes, count, events); + DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -2059,6 +2059,13 @@ RunOpenvpn(LPVOID p) break; } + if (bytes > sizeof(pipe_message_t)) + { + /* process at the other side of the pipe is misbehaving, shut it down */ + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); + break; + } + HandleMessage(ovpn_pipe, proc_info.hProcess, bytes, 1, &exit_event, &undo_lists); }
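Review bot: in the HandleMessage hunk, `bytes` is still taken from the caller as the read length for the stack-allocated `pipe_message_t msg`, and the only validation (`read != bytes || read < sizeof(msg.header) || read != msg.header.size`) runs after `DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);` has already written into `msg`; the new bound lives one function away in RunOpenvpn. Add a `bytes > sizeof(msg)` rejection at the top of HandleMessage as well, so the invariant is enforced next to the buffer it protects and holds for any future caller, not just the one call site in RunOpenvpn.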
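Review bot: the `if (bytes > sizeof(pipe_message_t))` check in the RunOpenvpn hunk is sound only because the very same `bytes` value is what gets passed to HandleMessage and from there to ReadPipeAsync as the read length; if a later change re-peeks the pipe or reads `msg.header.size` bytes instead, the check must move with it, so a comment saying "bytes is the length that will be read below" would make that coupling explicit. Also, the log line says the process "will be terminated" while the hunk itself only does `break;`; whatever actually ends the process runs after the loop and is not visible here, so either reference that cleanup path in the comment or keep the event-log wording to what this code does.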
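The bug class the commit message describes, a length peeked from an untrusted peer used directly as the read size for a fixed stack buffer, and the bound the patch adds before the read, as an added example that is not part of this patch or of OpenVPN's code: the message structs, the in-memory `fake_pipe_t`, `read_message` and the `demo_*` cases are constructed stand-ins for the service's real types and for PeekNamedPipe/ReadPipeAsync, chosen so the check can be exercised on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the service's message structs; the real
 * openvpnserv layouts differ, only the shape (header first, fixed size)
 * matters here. */
typedef struct { uint32_t type; uint32_t size; } message_header_t;
typedef struct { message_header_t header; uint32_t addr; uint32_t mask; } address_message_t;
typedef struct { message_header_t header; char domains[256]; } dns_cfg_message_t;

/* Same idea as the patch's pipe_message_t: one union sized to the largest
 * message, so sizeof(pipe_message_t) is the most a peer may ever send. */
typedef union {
    message_header_t header;
    address_message_t address;
    dns_cfg_message_t dns;
} pipe_message_t;

/* Fake pipe standing in for PeekNamedPipe/ReadFile: `pending` is whatever
 * the peer put on the wire, so it is attacker-controlled. */
typedef struct { const uint8_t *data; size_t pending; } fake_pipe_t;

static size_t pipe_peek(const fake_pipe_t *p) { return p->pending; }

static size_t pipe_read(const fake_pipe_t *p, void *dst, size_t n)
{
    memcpy(dst, p->data, n);
    return n;
}

typedef enum { MSG_OK, MSG_TOO_LARGE, MSG_TRUNCATED, MSG_BAD_HEADER } msg_status_t;

/* Hardened read. Before the patch the equivalent code went straight from
 * the peeked length to the read into `msg`, so a length larger than
 * sizeof(*msg) wrote past the stack buffer; the header checks below run
 * only after the copy and cannot undo it. The fix is to bound the length
 * first and treat an oversize value as a hostile peer. */
static msg_status_t read_message(const fake_pipe_t *p, pipe_message_t *msg)
{
    size_t bytes = pipe_peek(p);
    if (bytes > sizeof(*msg)) {
        return MSG_TOO_LARGE;   /* caller should drop the peer, as the patch does */
    }
    size_t got = pipe_read(p, msg, bytes);
    if (got != bytes || got < sizeof(msg->header)) {
        return MSG_TRUNCATED;
    }
    if (msg->header.size != got) {
        return MSG_BAD_HEADER;  /* length on the wire disagrees with the header */
    }
    return MSG_OK;
}

/* Constructed backing store: larger than any legitimate message so the
 * oversize case is a real, not truncated, claim. */
static uint8_t g_wire[8192];

static msg_status_t run_case(size_t claimed_len, uint32_t header_size)
{
    memset(g_wire, 0, sizeof g_wire);
    message_header_t h = { .type = 1, .size = header_size };
    memcpy(g_wire, &h, sizeof h);
    fake_pipe_t p = { .data = g_wire, .pending = claimed_len };
    pipe_message_t msg;
    return read_message(&p, &msg);
}

/* A well-formed address message. */
msg_status_t demo_valid(void)
{
    return run_case(sizeof(address_message_t), (uint32_t)sizeof(address_message_t));
}

/* The CVE-2024-27459 shape: the peer claims far more than the union holds. */
msg_status_t demo_oversized(void)
{
    return run_case(sizeof g_wire, (uint32_t)sizeof g_wire);
}

/* Fewer bytes than a header: rejected after a bounded read. */
msg_status_t demo_short(void)
{
    return run_case(sizeof(message_header_t) - 1, 0);
}

/* Length fits the buffer but the header lies about it. */
msg_status_t demo_header_mismatch(void)
{
    return run_case(sizeof(address_message_t), 4);
}

int main(void)
{
    printf("valid=%d oversized=%d short=%d mismatch=%d\n",
           demo_valid(), demo_oversized(), demo_short(), demo_header_mismatch());
    return 0;
}
```

The ordering is the whole point: the `MSG_TOO_LARGE` branch returns before any copy happens, whereas the `MSG_TRUNCATED` and `MSG_BAD_HEADER` branches mirror HandleMessage's post-read checks and are only safe because the read they follow has already been bounded.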