From patchwork Wed Mar 20 08:19:45 2024
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 3660
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 20 Mar 2024 10:19:45 +0200
Message-ID: <20240320082000.284-2-lev@openvpn.net>
Subject: [Openvpn-devel] [PATCH release/2.5] interactive.c: Fix potential stack overflow issue
Cc: Lev Stipakov, Heiko Hund, Vladimir Tokarev

When reading a message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow.

To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size.

This commit is backported from 9b2693f in the release/2.6 branch, fixing merge conflicts around &ring_buffer_handles and wins_cfg_message_t.

CVE: 2024-27459
Microsoft case number: 85932

Reported-by: Vladimir Tokarev
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov
Acked-by: Heiko Hund
Acked-by: Gert Doering
---
 src/openvpnserv/interactive.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 5e3ff125..933b5c8c 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -111,6 +111,17 @@ typedef struct { HANDLE device; } ring_buffer_handles_t; +typedef union { + message_header_t header; + address_message_t address; + route_message_t route; + flush_neighbors_message_t flush_neighbors; + block_dns_message_t block_dns; + dns_cfg_message_t dns; + enable_dhcp_message_t dhcp; + register_ring_buffers_message_t rrb; + set_mtu_message_t mtu; +} pipe_message_t; static DWORD AddListItem(list_item_t **pfirst, LPVOID data) @@ -1444,18 +1455,7 @@ static VOID HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_handles, DWORD bytes, DWORD count, LPHANDLE events, undo_lists_t *lists) { - DWORD read; - union { - message_header_t header; - address_message_t address; - route_message_t route; - flush_neighbors_message_t flush_neighbors; - block_dns_message_t block_dns; - dns_cfg_message_t dns; - enable_dhcp_message_t dhcp; - register_ring_buffers_message_t rrb; - set_mtu_message_t mtu; - } msg; + pipe_message_t msg; ack_message_t ack = { .header = { .type = msg_acknowledgement, @@ -1465,7 +1465,7 @@ HandleMessage(HANDLE pipe, HANDLE ovpn_proc, ring_buffer_handles_t *ring_buffer_ .error_number = ERROR_MESSAGE_DATA }; - read = ReadPipeAsync(pipe, &msg, bytes, count, events); + DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events); if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) { goto out; @@ -1884,6 +1884,13 @@ RunOpenvpn(LPVOID p) break; } + if (bytes > sizeof(pipe_message_t)) + { + /* process at the other side of the pipe is misbehaving, shut it down */ + MsgToEventLog(MSG_FLAGS_ERROR, TEXT("OpenVPN process sent too large payload length to the pipe (%lu bytes), it will be terminated"), bytes); + break; + } + HandleMessage(ovpn_pipe, proc_info.hProcess, &ring_buffer_handles, bytes, 1, &exit_event, &undo_lists); }
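Review bot: the file-scope `pipe_message_t` union introduced in the first hunk is now the size bound that the RunOpenvpn check relies on, so it needs a comment stating that every message type read from the pipe must be a member of this union; a message struct added later but left out of the union would be larger than `sizeof(pipe_message_t)` and the service would log it as a misbehaving peer and stop. A line such as `/* every message type read from the pipe must be listed here: sizeof() of this union bounds what RunOpenvpn accepts */` above the typedef would make that maintenance rule visible.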
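Review bot: in the third hunk HandleMessage still depends entirely on its caller for the bound; after `DWORD read = ReadPipeAsync(pipe, &msg, bytes, count, events);` the only checks are the short-read and header/size comparisons, so a future caller that passes an unchecked `bytes` would reintroduce the overflow. A local guard before the read, e.g. `if (bytes > sizeof(msg)) { goto out; }` using the existing `out` label, would keep the function safe on its own, and a one-line comment stating the precondition `bytes <= sizeof(msg)` would document the contract either way.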
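Review bot: in the RunOpenvpn hunk the event-log text promises the process "will be terminated", but the visible code only does `break;`; please confirm that leaving the loop reaches the process-termination path that follows (outside this hunk) rather than merely closing the pipe, otherwise the log message overstates what happens. The bound itself looks right: `bytes > sizeof(pipe_message_t)` still admits a message exactly the size of the union, which fits the stack buffer, and `%lu` matches DWORD as unsigned long on Windows. Style: the MsgToEventLog call is long enough to be worth wrapping across lines like the other multi-argument calls in this file.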
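The pattern the commit message describes (peek a length from the pipe, then read that many bytes into a fixed-size stack union) and the fix (reject an oversized peeked length before reading), modelled in portable C as an added example. This is not the patch's or OpenVPN's own code: the message structs, the in-memory fake pipe and the function names are constructed stand-ins for the Windows types.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the service's message structs (not OpenVPN's own). */
typedef struct { uint32_t type; uint32_t size; } message_header_t;
typedef struct { message_header_t header; uint8_t payload[64]; } address_message_t;
typedef struct { message_header_t header; uint8_t payload[128]; } route_message_t;
/* File-scope union as in the patch, so sizeof(pipe_message_t) can bound the peeked length. */
typedef union {
    message_header_t header;
    address_message_t address;
    route_message_t route;
} pipe_message_t;
enum { PIPE_OK = 0, PIPE_BAD_DATA = 1, PIPE_TERMINATE = 2 };
/* Stand-in for the named pipe: a byte buffer plus the number of bytes still unread. */
typedef struct { const uint8_t *data; size_t avail; } fake_pipe_t;

/* Mirrors HandleMessage: copy into the stack union, then validate the header.
 * The caller guarantees bytes <= sizeof(msg), so the copy cannot overflow. */
static int handle_message(fake_pipe_t *p, uint32_t bytes)
{
    pipe_message_t msg;
    memset(&msg, 0, sizeof(msg));
    size_t read = bytes <= p->avail ? bytes : p->avail;
    memcpy(&msg, p->data, read);
    p->data += read; p->avail -= read;
    if (read != bytes || read < sizeof(msg.header) || read != msg.header.size) {
        return PIPE_BAD_DATA; /* the service answers with an ERROR_MESSAGE_DATA ack */
    }
    return PIPE_OK;
}

/* Mirrors the new check in RunOpenvpn: an oversized peeked length is rejected
 * before anything is read, and the loop breaks so the peer gets shut down. */
int service_step(fake_pipe_t *p, uint32_t peeked_bytes)
{
    if (peeked_bytes > sizeof(pipe_message_t)) {
        return PIPE_TERMINATE;
    }
    return handle_message(p, peeked_bytes);
}

/* Builds one well-formed (constructed) address message into out; returns its length. */
size_t build_address_message(uint8_t *out)
{
    address_message_t m;
    memset(&m, 0, sizeof(m));
    m.header.type = 1;
    m.header.size = (uint32_t)sizeof(m);
    memcpy(out, &m, sizeof(m));
    return sizeof(m);
}
```

The oversized case returns before any byte is consumed from the pipe, which is the property the patch adds; a length that fits but disagrees with the header is still caught by the original checks in handle_message.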