1 files changed, 164 insertions, 0 deletions
diff --git a/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
new file mode 100644
index 0000000..8f88096
--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
@@ -0,0 +1,164 @@
+From bd43c78956040a5d419d5034cdddd4b62c5dd53e Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 10:37:02 +0200
+Subject: [PATCH] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]
+After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
+(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
+[BZ #20112]), ancillary data is stored on the heap,
+but it is accessed after it has been freed.
+The test case must be run under a heap debugger such as valgrind
+to observe the invalid access.  A malloc implementation which
+immediately calls munmap on free would catch this bug as well.
+This patch is for CVE-2017-12133.
+(cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)
+CVE: CVE-2017-12133
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ ChangeLog              |  8 +++++++
+ NEWS                   |  1 +
+ sunrpc/Makefile        |  3 ++-
+ sunrpc/clnt_udp.c      |  2 +-
+ sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 74 insertions(+), 2 deletions(-)
+ create mode 100644 sunrpc/tst-udp-error.c
+diff --git a/ChangeLog b/ChangeLog
+index 48b095b..097ab5c 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,11 @@
+2017-02-27  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #21115]
+       * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later.
+       * sunrpc/Makefile (tests): Add tst-udp-error.
+       (tst-udp-error): Link against libc.so explicitly.
+       * sunrpc/tst-udp-error: New file.
+
+ 2018-01-18  Arjun Shankar  <arjun@redhat.com>
+ 
+        [BZ #22343]
+diff --git a/NEWS b/NEWS
+index 5134f34..4765e1b 100644
+--- a/NEWS
+++ b/NEWS
+@@ -376,6 +376,7 @@ The following bugs are resolved with this release:
+   [21081] string: Missing vzeroupper in memset-vec-unaligned-erms.S
+   [22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
+   [22774] malloc: Integer overflow in malloc (CVE-2018-6551)
+  [21115] sunrpc: Use-after-free in error path in clntudp_call
+ 
+ Version 2.24
+ 
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 12ec2e7..8b9f25f 100644
+--- a/sunrpc/Makefile
+++ b/sunrpc/Makefile
+@@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
+ extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
+ others += rpcgen
+ 
+-tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3 tst-udp-error
+ xtests := tst-getmyaddr
+ 
+ tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+@@ -163,6 +163,7 @@ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
+ $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+ (objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so
+ 
+ $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
+ 
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 4d9acb1..1de25cb 100644
+--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
+@@ -421,9 +421,9 @@ send_again:
+                 cmsg = CMSG_NXTHDR (&msg, cmsg))
+              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+                {
+-                 free (cbuf);
+                  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+                  cu->cu_error.re_errno = e->ee_errno;
+                 free (cbuf);
+                  return (cu->cu_error.re_status = RPC_CANTRECV);
+                }
+          free (cbuf);
+diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c
+new file mode 100644
+index 0000000..1efc02f
+--- /dev/null
+++ b/sunrpc/tst-udp-error.c
+@@ -0,0 +1,62 @@
+/* Check for use-after-free in clntudp_call (bug 21115).
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <netinet/in.h>
+#include <rpc/clnt.h>
+#include <rpc/svc.h>
+#include <support/check.h>
+#include <support/namespace.h>
+#include <support/xsocket.h>
+#include <unistd.h>
+
+static int
+do_test (void)
+{
+  support_become_root ();
+  support_enter_network_namespace ();
+
+  /* Obtain a likely-unused port number.  */
+  struct sockaddr_in sin =
+    {
+      .sin_family = AF_INET,
+      .sin_addr.s_addr = htonl (INADDR_LOOPBACK),
+    };
+  {
+    int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
+    xbind (fd, (struct sockaddr *) &sin, sizeof (sin));
+    socklen_t sinlen = sizeof (sin);
+    xgetsockname (fd, (struct sockaddr *) &sin, &sinlen);
+    /* Close the socket, so that we will receive an error below.  */
+    close (fd);
+  }
+
+  int sock = RPC_ANYSOCK;
+  CLIENT *clnt = clntudp_create
+    (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock);
+  TEST_VERIFY_EXIT (clnt != NULL);
+  TEST_VERIFY (clnt_call (clnt, 3,
+                          (xdrproc_t) xdr_void, NULL,
+                          (xdrproc_t) xdr_void, NULL,
+                          ((struct timeval) { 3, 0 }))
+               == RPC_CANTRECV);
+  clnt_destroy (clnt);
+
+  return 0;
+}
+
+#include <support/test-driver.c>

diff --git a/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch new file mode 100644 index 0000000..8f88096 --- /dev/null +++ b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
@@ -0,0 +1,164 @@
	1	From bd43c78956040a5d419d5034cdddd4b62c5dd53e Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 10:37:02 +0200
	4	Subject: [PATCH] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]
	5
	6	After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
	7	(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
	8	[BZ #20112]), ancillary data is stored on the heap,
	9	but it is accessed after it has been freed.
	10
	11	The test case must be run under a heap debugger such as valgrind
	12	to observe the invalid access. A malloc implementation which
	13	immediately calls munmap on free would catch this bug as well.
	14
	15	This patch is for CVE-2017-12133.
	16	(cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)
	17
	18	CVE: CVE-2017-12133
	19	Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491]
	20
	21	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	22	---
	23	ChangeLog \| 8 +++++++
	24	NEWS \| 1 +
	25	sunrpc/Makefile \| 3 ++-
	26	sunrpc/clnt_udp.c \| 2 +-
	27	sunrpc/tst-udp-error.c \| 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
	28	5 files changed, 74 insertions(+), 2 deletions(-)
	29	create mode 100644 sunrpc/tst-udp-error.c
	30
	31	diff --git a/ChangeLog b/ChangeLog
	32	index 48b095b..097ab5c 100644
	33	--- a/ChangeLog
	34	+++ b/ChangeLog
	35	@@ -1,3 +1,11 @@
	36	+2017-02-27 Florian Weimer <fweimer@redhat.com>
	37	+
	38	+ [BZ #21115]
	39	+ * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later.
	40	+ * sunrpc/Makefile (tests): Add tst-udp-error.
	41	+ (tst-udp-error): Link against libc.so explicitly.
	42	+ * sunrpc/tst-udp-error: New file.
	43	+
	44	2018-01-18 Arjun Shankar <arjun@redhat.com>
	45
	46	[BZ #22343]
	47	diff --git a/NEWS b/NEWS
	48	index 5134f34..4765e1b 100644
	49	--- a/NEWS
	50	+++ b/NEWS
	51	@@ -376,6 +376,7 @@ The following bugs are resolved with this release:
	52	[21081] string: Missing vzeroupper in memset-vec-unaligned-erms.S
	53	[22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
	54	[22774] malloc: Integer overflow in malloc (CVE-2018-6551)
	55	+ [21115] sunrpc: Use-after-free in error path in clntudp_call
	56
	57	Version 2.24
	58
	59	diff --git a/sunrpc/Makefile b/sunrpc/Makefile
	60	index 12ec2e7..8b9f25f 100644
	61	--- a/sunrpc/Makefile
	62	+++ b/sunrpc/Makefile
	63	@@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
	64	extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
	65	others += rpcgen
	66
	67	-tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
	68	+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3 tst-udp-error
	69	xtests := tst-getmyaddr
	70
	71	tests-special += $(objpfx)mtrace-tst-xdrmem3.out
	72	@@ -163,6 +163,7 @@ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
	73	$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
	74	$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
	75	(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
	76	+$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so
	77
	78	$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
	79
	80	diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
	81	index 4d9acb1..1de25cb 100644
	82	--- a/sunrpc/clnt_udp.c
	83	+++ b/sunrpc/clnt_udp.c
	84	@@ -421,9 +421,9 @@ send_again:
	85	cmsg = CMSG_NXTHDR (&msg, cmsg))
	86	if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
	87	{
	88	- free (cbuf);
	89	e = (struct sock_extended_err *) CMSG_DATA(cmsg);
	90	cu->cu_error.re_errno = e->ee_errno;
	91	+ free (cbuf);
	92	return (cu->cu_error.re_status = RPC_CANTRECV);
	93	}
	94	free (cbuf);
	95	diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c
	96	new file mode 100644
	97	index 0000000..1efc02f
	98	--- /dev/null
	99	+++ b/sunrpc/tst-udp-error.c
	100	@@ -0,0 +1,62 @@
	101	+/* Check for use-after-free in clntudp_call (bug 21115).
	102	+ Copyright (C) 2017 Free Software Foundation, Inc.
	103	+ This file is part of the GNU C Library.
	104	+
	105	+ The GNU C Library is free software; you can redistribute it and/or
	106	+ modify it under the terms of the GNU Lesser General Public
	107	+ License as published by the Free Software Foundation; either
	108	+ version 2.1 of the License, or (at your option) any later version.
	109	+
	110	+ The GNU C Library is distributed in the hope that it will be useful,
	111	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
	112	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	113	+ Lesser General Public License for more details.
	114	+
	115	+ You should have received a copy of the GNU Lesser General Public
	116	+ License along with the GNU C Library; if not, see
	117	+ <http://www.gnu.org/licenses/>. */
	118	+
	119	+#include <netinet/in.h>
	120	+#include <rpc/clnt.h>
	121	+#include <rpc/svc.h>
	122	+#include <support/check.h>
	123	+#include <support/namespace.h>
	124	+#include <support/xsocket.h>
	125	+#include <unistd.h>
	126	+
	127	+static int
	128	+do_test (void)
	129	+{
	130	+ support_become_root ();
	131	+ support_enter_network_namespace ();
	132	+
	133	+ /* Obtain a likely-unused port number. */
	134	+ struct sockaddr_in sin =
	135	+ {
	136	+ .sin_family = AF_INET,
	137	+ .sin_addr.s_addr = htonl (INADDR_LOOPBACK),
	138	+ };
	139	+ {
	140	+ int fd = xsocket (AF_INET, SOCK_DGRAM \| SOCK_CLOEXEC, 0);
	141	+ xbind (fd, (struct sockaddr *) &sin, sizeof (sin));
	142	+ socklen_t sinlen = sizeof (sin);
	143	+ xgetsockname (fd, (struct sockaddr *) &sin, &sinlen);
	144	+ /* Close the socket, so that we will receive an error below. */
	145	+ close (fd);
	146	+ }
	147	+
	148	+ int sock = RPC_ANYSOCK;
	149	+ CLIENT *clnt = clntudp_create
	150	+ (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock);
	151	+ TEST_VERIFY_EXIT (clnt != NULL);
	152	+ TEST_VERIFY (clnt_call (clnt, 3,
	153	+ (xdrproc_t) xdr_void, NULL,
	154	+ (xdrproc_t) xdr_void, NULL,
	155	+ ((struct timeval) { 3, 0 }))
	156	+ == RPC_CANTRECV);
	157	+ clnt_destroy (clnt);
	158	+
	159	+ return 0;
	160	+}
	161	+
	162	+#include <support/test-driver.c>
	163
	164