[Dnsmasq-discuss] How to use dnsmasq to mitigate dangers of CVE-2015-7547?

Discussion:

Ethan Rahn

2016-02-16 23:33:06 UTC

Hello,

I'd like to ask about how to use dnsmasq to limit the dangers of
CVE-2015-7547.

This issue was discussed in these links:

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
<https://www.google.com/url?q=https%3A%2F%2Fsourceware.org%2Fml%2Flibc-alpha%2F2016-02%2Fmsg00416.html&sa=D&sntz=1&usg=AFQjCNEaOnkLB_utlE1Vs-NmxifGdiyc-A>

and they suggest using a local resolver ( google specifically mentions
dnsmasq ) to drop these malformed packets.

What I'd like to understand is what should be set in dnsmasq to actually
limit the UDP size to 512 bytes and the TCP replies to 1024 bytes as
suggested. Or if the packets needed are always malformed and dnsmasq will
always drop them?

I checked the settings and the only size limit I saw was for
"edns-packet-max", but that doesn't seem like the right setting.

I tried looking at the code, but I wasn't able to find where the size is
limited and large packets are therefore dropped. I also wasn't able to find
( by grepping all the instances of "my_syslog" ) a spot where malformed
packets were mentioned. So I'm at a bit of a loss about what to do to
progress further.

I did use the PoC script provided by Google and was able to see that while
running the test code does cause a segfault, having the test program query
through dnsmasq causes no issues. Since it appears the PoC code uses large
packets to cause the issue ( i.e. 2500 byte UDP packets when we should be
limiting it to 512 per the suggestion ), I'm not 100% convinced that
dnsmasq with it's default settings is the best mitigation to use until
glibc can be updated.

Thanks,

Ethan

Simon Kelley

2016-02-17 15:55:38 UTC

Permalink

I've not looked at the discussion in detail, but as far as the dnsmasq
code is concerned.

1) Reply UDP packets are truncated to edns_packet_size plus a smallish
constant.
2) Malformed packets will not generally be rejected.
3) There's no limit imposed on TCP stream size, other the 2^16 bytes
implied by the width of the "size" field in the protocol.

Cheers,

Simon.

Post by Ethan Rahn
Hello,
I'd like to ask about how to use dnsmasq to limit the dangers of
CVE-2015-7547.
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
<https://www.google.com/url?q=https%3A%2F%2Fsourceware.org%2Fml%2Flibc-alpha%2F2016-02%2Fmsg00416.html&sa=D&sntz=1&usg=AFQjCNEaOnkLB_utlE1Vs-NmxifGdiyc-A>
and they suggest using a local resolver ( google specifically mentions
dnsmasq ) to drop these malformed packets.
What I'd like to understand is what should be set in dnsmasq to actually
limit the UDP size to 512 bytes and the TCP replies to 1024 bytes as
suggested. Or if the packets needed are always malformed and dnsmasq will
always drop them?
I checked the settings and the only size limit I saw was for
"edns-packet-max", but that doesn't seem like the right setting.
I tried looking at the code, but I wasn't able to find where the size is
limited and large packets are therefore dropped. I also wasn't able to find
( by grepping all the instances of "my_syslog" ) a spot where malformed
packets were mentioned. So I'm at a bit of a loss about what to do to
progress further.
I did use the PoC script provided by Google and was able to see that while
running the test code does cause a segfault, having the test program query
through dnsmasq causes no issues. Since it appears the PoC code uses large
packets to cause the issue ( i.e. 2500 byte UDP packets when we should be
limiting it to 512 per the suggestion ), I'm not 100% convinced that
dnsmasq with it's default settings is the best mitigation to use until
glibc can be updated.
Thanks,
Ethan
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Ethan Rahn

2016-02-17 18:11:40 UTC

Permalink

Simon,

Thanks for the response. I appreciate your insights on this.

I understand that you may not want to go into how dnsmasq would interact
with glibc, but I would like to try and understand this a bit better. I'm
going to think out loud below. Please correct me if I'm horrendously off
track.

Using edns_packet_size to limit the UDP size to 512 bytes will prevent the
issue with the first response buffer being filled up. This will in turn
prevent the normal attack that they describe and carry out in the proof of
concept code by failing to meet the criteria for the first response filling
up the buffer send_dg creates. It will not prevent the timing attack.

In the normal case libresolv.so ( at least in linux ) will always use UDP
to resolve a query, and getaddrinfo() will end up using libresolv.so so
linux users in the general case shouldn't have to worry about the TCP
attack if dnsmasq is handling all their dns queries.

So to conclude using edns_packet_size = 512 to limit the size of the
response is the solution to resolving this for programs that use
getaddrinfo() to resolve a DNS query? Or one could set a firewall rule
outside of dnsmasq to drop UDP DNS replies greater than 512 bytes?

Thanks,

Ethan

Post by Simon Kelley
I've not looked at the discussion in detail, but as far as the dnsmasq
code is concerned.
1) Reply UDP packets are truncated to edns_packet_size plus a smallish
constant.
2) Malformed packets will not generally be rejected.
3) There's no limit imposed on TCP stream size, other the 2^16 bytes
implied by the width of the "size" field in the protocol.
Cheers,
Simon.

Post by Ethan Rahn
Hello,
I'd like to ask about how to use dnsmasq to limit the dangers of
CVE-2015-7547.

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Post by Ethan Rahn
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
<

https://www.google.com/url?q=https%3A%2F%2Fsourceware.org%2Fml%2Flibc-alpha%2F2016-02%2Fmsg00416.html&sa=D&sntz=1&usg=AFQjCNEaOnkLB_utlE1Vs-NmxifGdiyc-A

Post by Ethan Rahn
and they suggest using a local resolver ( google specifically mentions
dnsmasq ) to drop these malformed packets.
What I'd like to understand is what should be set in dnsmasq to actually
limit the UDP size to 512 bytes and the TCP replies to 1024 bytes as
suggested. Or if the packets needed are always malformed and dnsmasq will
always drop them?
I checked the settings and the only size limit I saw was for
"edns-packet-max", but that doesn't seem like the right setting.
I tried looking at the code, but I wasn't able to find where the size is
limited and large packets are therefore dropped. I also wasn't able to

find

Post by Ethan Rahn
( by grepping all the instances of "my_syslog" ) a spot where malformed
packets were mentioned. So I'm at a bit of a loss about what to do to
progress further.
I did use the PoC script provided by Google and was able to see that

while

Post by Ethan Rahn
running the test code does cause a segfault, having the test program

query

Post by Ethan Rahn
through dnsmasq causes no issues. Since it appears the PoC code uses

large

Post by Ethan Rahn
packets to cause the issue ( i.e. 2500 byte UDP packets when we should be
limiting it to 512 per the suggestion ), I'm not 100% convinced that
dnsmasq with it's default settings is the best mitigation to use until
glibc can be updated.
Thanks,
Ethan
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss