diff --git a/libslirp-4.7.0-CVE-2026-9539.patch b/libslirp-4.7.0-CVE-2026-9539.patch new file mode 100644 index 0000000000000000000000000000000000000000..920785b6c3078457e404a8f4723f4c72a49e3179 --- /dev/null +++ b/libslirp-4.7.0-CVE-2026-9539.patch @@ -0,0 +1,120 @@ +From 927bca7344e31fd58e2f7afaca784aad4400eb84 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sat, 23 May 2026 22:06:59 +0200 +Subject: [PATCH] oob: cap urgent data count to what is actually available + +so_urgc is provided by the guest sender, so can arbitrary and beyond +what we actually have. Worse, this can lead to an sb_cc integer +underflow leading to leaking gigabytes of data. + +Fixes #93 + +Signed-off-by: Samuel Thibault + + +--- + src/socket.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/src/socket.c b/src/socket.c +index 6a3ddb1..ae3c0ae 100644 +--- a/src/socket.c ++++ b/src/socket.c +@@ -337,7 +337,8 @@ int sorecvoob(struct socket *so) + int sosendoob(struct socket *so) + { + struct sbuf *sb = &so->so_rcv; +- char buff[2048]; /* XXX Shouldn't be sending more oob data than this */ ++ uint32_t urgc = so->so_urgc; ++ char buff[2048]; + + int n; + +@@ -345,12 +346,15 @@ int sosendoob(struct socket *so) + DEBUG_ARG("so = %p", so); + DEBUG_ARG("sb->sb_cc = %d", sb->sb_cc); + +- if (so->so_urgc > sizeof(buff)) +- so->so_urgc = sizeof(buff); /* XXXX */ ++ if (urgc > sizeof(buff)) ++ urgc = sizeof(buff); ++ ++ if (urgc > sb->sb_cc) ++ urgc = sb->sb_cc; + + if (sb->sb_rptr < sb->sb_wptr) { + /* We can send it directly */ +- n = slirp_send(so, sb->sb_rptr, so->so_urgc, ++ n = slirp_send(so, sb->sb_rptr, urgc, + (MSG_OOB)); /* |MSG_DONTWAIT)); */ + } else { + /* +@@ -358,7 +362,6 @@ int sosendoob(struct socket *so) + * we must copy all data to a linear buffer then + * send it all + */ +- uint32_t urgc = so->so_urgc; /* Amount of room left in buff */ + int len = (sb->sb_data + sb->sb_datalen) - sb->sb_rptr; + if (len > urgc) { + len = urgc; +@@ -403,7 +406,7 @@ int sosendoob(struct socket *so) + */ + int sowrite(struct socket *so) + { +- int n, nn; ++ int n, nn, noob = 0; + struct sbuf *sb = &so->so_rcv; + int len = sb->sb_cc; + struct iovec iov[2]; +@@ -413,16 +416,20 @@ int sowrite(struct socket *so) + + if (so->so_urgc) { + uint32_t expected = so->so_urgc; +- if (sosendoob(so) < expected) { +- /* Treat a short write as a fatal error too, +- * rather than continuing on and sending the urgent +- * data as if it were non-urgent and leaving the +- * so_urgc count wrong. +- */ ++ int noob = sosendoob(so); ++ ++ if (noob <= 0) + goto err_disconnected; +- } ++ ++ if (noob < expected) ++ /* Short write: either we have not yet received all ++ * urgent data, or the socket buffers are full. Leave ++ * it for later when we have data or have room. */ ++ return noob; ++ + if (sb->sb_cc == 0) +- return 0; ++ /* Nothing left to write actually */ ++ return noob; + } + + /* +@@ -453,12 +460,11 @@ int sowrite(struct socket *so) + } else + n = 1; + } +- /* Check if there's urgent data to send, and if so, send it */ + + nn = slirp_send(so, iov[0].iov_base, iov[0].iov_len, 0); + /* This should never happen, but people tell me it does *shrug* */ + if (nn < 0 && (errno == EAGAIN || errno == EINTR)) +- return 0; ++ return noob; + + if (nn <= 0) { + goto err_disconnected; +@@ -485,7 +491,7 @@ int sowrite(struct socket *so) + if ((so->so_state & SS_FWDRAIN) && sb->sb_cc == 0) + sofcantsendmore(so); + +- return nn; ++ return noob + nn; + + err_disconnected: + DEBUG_MISC(" --- sowrite disconnected, so->so_state = %x, errno = %d", diff --git a/libslirp.spec b/libslirp.spec index 754c00ced3fb0d7707116bae7739f0c4cc89031c..e75a928c4d872ed592a7969ae537cb0196f99c3b 100644 --- a/libslirp.spec +++ b/libslirp.spec @@ -1,11 +1,15 @@ Summary: A general purpose TCP-IP emulator Name: libslirp Version: 4.7.0 -Release: 7%{?dist} +Release: 8%{?dist} License: BSD and MIT URL: https://gitlab.freedesktop.org/slirp/%{name} Source0: %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz +# Fix CVE-2026-9539: Out-of-bounds heap read and integer underflow in TCP urgent data +# handling (sosendoob) - backport from upstream v4.9.2 +Patch0001: libslirp-4.7.0-CVE-2026-9539.patch + BuildRequires: meson gcc BuildRequires: git-core glib2-devel @@ -42,6 +46,10 @@ This package provides libraries and header files for developing applications tha %{_libdir}/pkgconfig/slirp.pc %changelog +* Mon Jul 06 2026 PkgAgent Robot - 4.7.0-8 +- [Type] security +- [DESC] Fix CVE-2026-9539: out-of-bounds heap read and integer underflow in TCP urgent data handling (sosendoob) + * Thu Sep 26 2024 OpenCloudOS Release Engineering - 4.7.0-7 - Rebuilt for clarifying the packages requirement in BaseOS and AppStream