glibc: CVE-2017-8804

Fixes memory leak in sunrpc when decoding malformed XDR References: https://security-tracker.debian.org/tracker/CVE-2017-8804 Upstream patch: https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-12 07:54:13 +0200
committer: Martin Borg <martin.borg@enea.com> 2017-09-15 16:02:27 +0200
commit: 0aea3a20062923f5c39c947e31ac9f87b9b351ce (patch)
tree: 7e4068f5f9e68b4289cc84bb515eaa42640a3ec7
parent: c5b7ab645351fd3767d096a3c500355a9a896878 (diff)
download: meta-el-common-0aea3a20062923f5c39c947e31ac9f87b9b351ce.tar.gz
2 files changed, 226 insertions, 0 deletions
diff --git a/recipes-core/glibc/glibc/CVE-2017-8804.patch b/recipes-core/glibc/glibc/CVE-2017-8804.patch
new file mode 100644
index 0000000..ae21ad0
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-8804.patch
@@ -0,0 +1,225 @@
+From 45619a54f7d751a2a7dec7d7ee323e1545b881af Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Mon, 11 Sep 2017 13:35:44 +0200
+Subject: [PATCH] CVE-2017-8804
+The xdr_bytes and xdr_string functions in the glibc or libc6 2.25 mishandle
+failures of buffer deserialization, which allows remote attackers to cause
+a denial of service (virtual memory allocation, or memory consumption if an
+overcommit setting is not used) via a crafted UDP packet to port 111, a
+related issue to CVE-2017-8779.
+CVE: CVE-2017-8804
+Upstream-Status: Backport [https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ NEWS                 |  3 ++
+ sunrpc/Makefile      | 10 ++++++-
+ sunrpc/tst-xdrmem3.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ sunrpc/xdr.c         | 41 ++++++++++++++++++++------
+ 4 files changed, 127 insertions(+), 10 deletions(-)
+ create mode 100644 sunrpc/tst-xdrmem3.c
+diff --git a/NEWS b/NEWS
+index ec15dde..29e795a 100644
+--- a/NEWS
+++ b/NEWS
+@@ -211,6 +211,9 @@ Security related changes:
+   question type which is outside the range of valid question type values.
+   (CVE-2015-5180)
+ 
+* The xdr_bytes and xdr_string routines free the internally allocated buffer
+  if deserialization of the buffer contents fails for any reason.
+
+ The following bugs are resolved with this release:
+ 
+   [4099] stdio: Overly agressive caching by stream i/o functions.
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 0c1e612..12ec2e7 100644
+--- a/sunrpc/Makefile
+++ b/sunrpc/Makefile
+@@ -93,9 +93,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
+ extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
+ others += rpcgen
+ 
+-tests = tst-xdrmem tst-xdrmem2 test-rpcent
+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
+ xtests := tst-getmyaddr
+ 
+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace
+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace
+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out
+       $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \
+       $(evaluate-test)
+
+ ifeq ($(have-thread-library),yes)
+ xtests += thrsvc
+ endif
+@@ -155,6 +162,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
+ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+ 
+ $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
+ 
+diff --git a/sunrpc/tst-xdrmem3.c b/sunrpc/tst-xdrmem3.c
+new file mode 100644
+index 0000000..b3c72ae
+--- /dev/null
+++ b/sunrpc/tst-xdrmem3.c
+@@ -0,0 +1,83 @@
+/* Test xdr_bytes, xdr_string behavior on deserialization failure.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <mcheck.h>
+#include <rpc/rpc.h>
+#include <support/check.h>
+#include <support/support.h>
+
+static int
+do_test (void)
+{
+  mtrace ();
+
+  /* If do_own_buffer, allocate the buffer and pass it to the
+     deserialization routine.  Otherwise the routine is requested to
+     allocate the buffer.  */
+  for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer)
+    {
+      /* Length 16 MiB, but only 2 bytes of data in the packet.  */
+      unsigned char buf[] = "\x01\x00\x00\x00\xff";
+      XDR xdrs;
+      char *result;
+      unsigned int result_len;
+
+      /* Test xdr_bytes.  */
+      xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+      result_len = 0;
+      if (do_own_buffer)
+        {
+          char *own_buffer = xmalloc (10);
+          result = own_buffer;
+          TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10));
+          TEST_VERIFY (result == own_buffer);
+          free (own_buffer);
+        }
+      else
+        {
+          result = NULL;
+          TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1));
+          TEST_VERIFY (result == NULL);
+        }
+      TEST_VERIFY (result_len == 16 * 1024 * 1024);
+      xdr_destroy (&xdrs);
+
+      /* Test xdr_string.  */
+      xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+      if (do_own_buffer)
+        {
+          char *own_buffer = xmalloc (10);
+          result = own_buffer;
+          TEST_VERIFY (!xdr_string (&xdrs, &result, 10));
+          TEST_VERIFY (result == own_buffer);
+          free (own_buffer);
+        }
+      else
+        {
+          result = NULL;
+          TEST_VERIFY (!xdr_string (&xdrs, &result, -1));
+          TEST_VERIFY (result == NULL);
+        }
+      xdr_destroy (&xdrs);
+    }
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+
+diff --git a/sunrpc/xdr.c b/sunrpc/xdr.c
+index bfabf33..857f7c8 100644
+--- a/sunrpc/xdr.c
+++ b/sunrpc/xdr.c
+@@ -620,14 +620,24 @@ xdr_bytes (XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize)
+        }
+       if (sp == NULL)
+        {
+-         *cpp = sp = (char *) mem_alloc (nodesize);
+         sp = (char *) mem_alloc (nodesize);
+         if (sp == NULL)
+           {
+             (void) __fxprintf (NULL, "%s: %s", __func__,
+                                _("out of memory\n"));
+             return FALSE;
+           }
+        }
+-      if (sp == NULL)
+      if (!xdr_opaque (xdrs, sp, nodesize))
+        {
+-         (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
+         if (sp != *cpp)
+           /* *cpp was NULL, so this function allocated a new
+              buffer.  */
+           free (sp);
+          return FALSE;
+        }
+-      /* fall into ... */
+      *cpp = sp;
+      return TRUE;
+ 
+     case XDR_ENCODE:
+       return xdr_opaque (xdrs, sp, nodesize);
+@@ -781,14 +791,27 @@ xdr_string (XDR *xdrs, char **cpp, u_int maxsize)
+     {
+     case XDR_DECODE:
+       if (sp == NULL)
+-       *cpp = sp = (char *) mem_alloc (nodesize);
+-      if (sp == NULL)
+        {
+-         (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
+-         return FALSE;
+         sp = (char *) mem_alloc (nodesize);
+         if (sp == NULL)
+           {
+             (void) __fxprintf (NULL, "%s: %s", __func__,
+                                _("out of memory\n"));
+             return FALSE;
+           }
+        }
+       sp[size] = 0;
+-      /* fall into ... */
+
+      if (!xdr_opaque (xdrs, sp, size))
+       {
+         if (sp != *cpp)
+           /* *cpp was NULL, so this function allocated a new
+              buffer.  */
+           free (sp);
+         return FALSE;
+       }
+      *cpp = sp;
+      return TRUE;
+ 
+     case XDR_ENCODE:
+       return xdr_opaque (xdrs, sp, size);
+-- 
+1.9.1
diff --git a/recipes-core/glibc/glibc_%.bbappend b/recipes-core/glibc/glibc_%.bbappend
index 0e2cb2e..f2c9a31 100644
--- a/recipes-core/glibc/glibc_%.bbappend
+++ b/recipes-core/glibc/glibc_%.bbappend
@@ -3,5 +3,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://CVE-2017-1000366.patch \
            file://CVE-2017-12132.patch \
+            file://CVE-2017-8804.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-12 07:54:13 +0200
committer	Martin Borg <martin.borg@enea.com>	2017-09-15 16:02:27 +0200
commit	0aea3a20062923f5c39c947e31ac9f87b9b351ce (patch)
tree	7e4068f5f9e68b4289cc84bb515eaa42640a3ec7
parent	c5b7ab645351fd3767d096a3c500355a9a896878 (diff)
download	meta-el-common-0aea3a20062923f5c39c947e31ac9f87b9b351ce.tar.gz

diff --git a/recipes-core/glibc/glibc/CVE-2017-8804.patch b/recipes-core/glibc/glibc/CVE-2017-8804.patch new file mode 100644 index 0000000..ae21ad0 --- /dev/null +++ b/recipes-core/glibc/glibc/CVE-2017-8804.patch
@@ -0,0 +1,225 @@
		1	From 45619a54f7d751a2a7dec7d7ee323e1545b881af Mon Sep 17 00:00:00 2001
		2	From: Sona Sarmadi <sona.sarmadi@enea.com>
		3	Date: Mon, 11 Sep 2017 13:35:44 +0200
		4	Subject: [PATCH] CVE-2017-8804
		5
		6	The xdr_bytes and xdr_string functions in the glibc or libc6 2.25 mishandle
		7	failures of buffer deserialization, which allows remote attackers to cause
		8	a denial of service (virtual memory allocation, or memory consumption if an
		9	overcommit setting is not used) via a crafted UDP packet to port 111, a
		10	related issue to CVE-2017-8779.
		11
		12	CVE: CVE-2017-8804
		13	Upstream-Status: Backport [https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html]
		14
		15	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		16	---
		17	NEWS \| 3 ++
		18	sunrpc/Makefile \| 10 ++++++-
		19	sunrpc/tst-xdrmem3.c \| 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++
		20	sunrpc/xdr.c \| 41 ++++++++++++++++++++------
		21	4 files changed, 127 insertions(+), 10 deletions(-)
		22	create mode 100644 sunrpc/tst-xdrmem3.c
		23
		24	diff --git a/NEWS b/NEWS
		25	index ec15dde..29e795a 100644
		26	--- a/NEWS
		27	+++ b/NEWS
		28	@@ -211,6 +211,9 @@ Security related changes:
		29	question type which is outside the range of valid question type values.
		30	(CVE-2015-5180)
		31
		32	+* The xdr_bytes and xdr_string routines free the internally allocated buffer
		33	+ if deserialization of the buffer contents fails for any reason.
		34	+
		35	The following bugs are resolved with this release:
		36
		37	[4099] stdio: Overly agressive caching by stream i/o functions.
		38	diff --git a/sunrpc/Makefile b/sunrpc/Makefile
		39	index 0c1e612..12ec2e7 100644
		40	--- a/sunrpc/Makefile
		41	+++ b/sunrpc/Makefile
		42	@@ -93,9 +93,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
		43	extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
		44	others += rpcgen
		45
		46	-tests = tst-xdrmem tst-xdrmem2 test-rpcent
		47	+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
		48	xtests := tst-getmyaddr
		49
		50	+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
		51	+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace
		52	+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace
		53	+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out
		54	+ $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \
		55	+ $(evaluate-test)
		56	+
		57	ifeq ($(have-thread-library),yes)
		58	xtests += thrsvc
		59	endif
		60	@@ -155,6 +162,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
		61	$(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
		62	$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
		63	$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
		64	+(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
		65
		66	$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
		67
		68	diff --git a/sunrpc/tst-xdrmem3.c b/sunrpc/tst-xdrmem3.c
		69	new file mode 100644
		70	index 0000000..b3c72ae
		71	--- /dev/null
		72	+++ b/sunrpc/tst-xdrmem3.c
		73	@@ -0,0 +1,83 @@
		74	+/* Test xdr_bytes, xdr_string behavior on deserialization failure.
		75	+ Copyright (C) 2017 Free Software Foundation, Inc.
		76	+ This file is part of the GNU C Library.
		77	+
		78	+ The GNU C Library is free software; you can redistribute it and/or
		79	+ modify it under the terms of the GNU Lesser General Public
		80	+ License as published by the Free Software Foundation; either
		81	+ version 2.1 of the License, or (at your option) any later version.
		82	+
		83	+ The GNU C Library is distributed in the hope that it will be useful,
		84	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		85	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		86	+ Lesser General Public License for more details.
		87	+
		88	+ You should have received a copy of the GNU Lesser General Public
		89	+ License along with the GNU C Library; if not, see
		90	+ <http://www.gnu.org/licenses/>. */
		91	+
		92	+#include <mcheck.h>
		93	+#include <rpc/rpc.h>
		94	+#include <support/check.h>
		95	+#include <support/support.h>
		96	+
		97	+static int
		98	+do_test (void)
		99	+{
		100	+ mtrace ();
		101	+
		102	+ /* If do_own_buffer, allocate the buffer and pass it to the
		103	+ deserialization routine. Otherwise the routine is requested to
		104	+ allocate the buffer. */
		105	+ for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer)
		106	+ {
		107	+ /* Length 16 MiB, but only 2 bytes of data in the packet. */
		108	+ unsigned char buf[] = "\x01\x00\x00\x00\xff";
		109	+ XDR xdrs;
		110	+ char *result;
		111	+ unsigned int result_len;
		112	+
		113	+ /* Test xdr_bytes. */
		114	+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
		115	+ result_len = 0;
		116	+ if (do_own_buffer)
		117	+ {
		118	+ char *own_buffer = xmalloc (10);
		119	+ result = own_buffer;
		120	+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10));
		121	+ TEST_VERIFY (result == own_buffer);
		122	+ free (own_buffer);
		123	+ }
		124	+ else
		125	+ {
		126	+ result = NULL;
		127	+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1));
		128	+ TEST_VERIFY (result == NULL);
		129	+ }
		130	+ TEST_VERIFY (result_len == 16 * 1024 * 1024);
		131	+ xdr_destroy (&xdrs);
		132	+
		133	+ /* Test xdr_string. */
		134	+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
		135	+ if (do_own_buffer)
		136	+ {
		137	+ char *own_buffer = xmalloc (10);
		138	+ result = own_buffer;
		139	+ TEST_VERIFY (!xdr_string (&xdrs, &result, 10));
		140	+ TEST_VERIFY (result == own_buffer);
		141	+ free (own_buffer);
		142	+ }
		143	+ else
		144	+ {
		145	+ result = NULL;
		146	+ TEST_VERIFY (!xdr_string (&xdrs, &result, -1));
		147	+ TEST_VERIFY (result == NULL);
		148	+ }
		149	+ xdr_destroy (&xdrs);
		150	+ }
		151	+
		152	+ return 0;
		153	+}
		154	+
		155	+#include <support/test-driver.c>
		156	+
		157	diff --git a/sunrpc/xdr.c b/sunrpc/xdr.c
		158	index bfabf33..857f7c8 100644
		159	--- a/sunrpc/xdr.c
		160	+++ b/sunrpc/xdr.c
		161	@@ -620,14 +620,24 @@ xdr_bytes (XDR xdrs, char cpp, u_int sizep, u_int maxsize)
		162	}
		163	if (sp == NULL)
		164	{
		165	- cpp = sp = (char ) mem_alloc (nodesize);
		166	+ sp = (char *) mem_alloc (nodesize);
		167	+ if (sp == NULL)
		168	+ {
		169	+ (void) __fxprintf (NULL, "%s: %s", __func__,
		170	+ _("out of memory\n"));
		171	+ return FALSE;
		172	+ }
		173	}
		174	- if (sp == NULL)
		175	+ if (!xdr_opaque (xdrs, sp, nodesize))
		176	{
		177	- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
		178	+ if (sp != *cpp)
		179	+ /* *cpp was NULL, so this function allocated a new
		180	+ buffer. */
		181	+ free (sp);
		182	return FALSE;
		183	}
		184	- /* fall into ... */
		185	+ *cpp = sp;
		186	+ return TRUE;
		187
		188	case XDR_ENCODE:
		189	return xdr_opaque (xdrs, sp, nodesize);
		190	@@ -781,14 +791,27 @@ xdr_string (XDR xdrs, char *cpp, u_int maxsize)
		191	{
		192	case XDR_DECODE:
		193	if (sp == NULL)
		194	- cpp = sp = (char ) mem_alloc (nodesize);
		195	- if (sp == NULL)
		196	{
		197	- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
		198	- return FALSE;
		199	+ sp = (char *) mem_alloc (nodesize);
		200	+ if (sp == NULL)
		201	+ {
		202	+ (void) __fxprintf (NULL, "%s: %s", __func__,
		203	+ _("out of memory\n"));
		204	+ return FALSE;
		205	+ }
		206	}
		207	sp[size] = 0;
		208	- /* fall into ... */
		209	+
		210	+ if (!xdr_opaque (xdrs, sp, size))
		211	+ {
		212	+ if (sp != *cpp)
		213	+ /* *cpp was NULL, so this function allocated a new
		214	+ buffer. */
		215	+ free (sp);
		216	+ return FALSE;
		217	+ }
		218	+ *cpp = sp;
		219	+ return TRUE;
		220
		221	case XDR_ENCODE:
		222	return xdr_opaque (xdrs, sp, size);
		223	--
		224	1.9.1
		225


diff --git a/recipes-core/glibc/glibc_%.bbappend b/recipes-core/glibc/glibc_%.bbappend index 0e2cb2e..f2c9a31 100644 --- a/recipes-core/glibc/glibc_%.bbappend +++ b/recipes-core/glibc/glibc_%.bbappend
@@ -3,5 +3,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3		3
4	SRC_URI += "file://CVE-2017-1000366.patch \	4	SRC_URI += "file://CVE-2017-1000366.patch \
5	file://CVE-2017-12132.patch \	5	file://CVE-2017-12132.patch \
		6	file://CVE-2017-8804.patch \
6	"	7	"
7		8