Diffstat (limited to 'recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch')
-rw-r--r-- | recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch | 164 |
1 files changed, 164 insertions, 0 deletions
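--- /dev/null
+++ b/recipes-core/glibc/glibc/CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch
@@ -0,0 +1,164 @@
+From bd43c78956040a5d419d5034cdddd4b62c5dd53e Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 10:37:02 +0200
+Subject: [PATCH] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]
+
+After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
+(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
+[BZ #20112]), ancillary data is stored on the heap,
+but it is accessed after it has been freed.
+
+The test case must be run under a heap debugger such as valgrind
+to observe the invalid access. A malloc implementation which
+immediately calls munmap on free would catch this bug as well.
+
+This patch is for CVE-2017-12133.
+(cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)
+
+CVE: CVE-2017-12133
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ChangeLog | 8 +++++++
+NEWS | 1 +
+sunrpc/Makefile | 3 ++-
+sunrpc/clnt_udp.c | 2 +-
+sunrpc/tst-udp-error.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
+5 files changed, 74 insertions(+), 2 deletions(-)
+create mode 100644 sunrpc/tst-udp-error.c
+
+diff --git a/ChangeLog b/ChangeLog
+index 48b095b..097ab5c 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2017-02-27 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #21115]
++ * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later.
++ * sunrpc/Makefile (tests): Add tst-udp-error.
++ (tst-udp-error): Link against libc.so explicitly.
++ * sunrpc/tst-udp-error: New file.
++
+2018-01-18 Arjun Shankar <arjun@redhat.com>
+
+[BZ #22343]
+diff --git a/NEWS b/NEWS
+index 5134f34..4765e1b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -376,6 +376,7 @@ The following bugs are resolved with this release:
+[21081] string: Missing vzeroupper in memset-vec-unaligned-erms.S
+[22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485)
+[22774] malloc: Integer overflow in malloc (CVE-2018-6551)
++ [21115] sunrpc: Use-after-free in error path in clntudp_call
+
+Version 2.24
+
+diff --git a/sunrpc/Makefile b/sunrpc/Makefile
+index 12ec2e7..8b9f25f 100644
+--- a/sunrpc/Makefile
++++ b/sunrpc/Makefile
+@@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
+extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
+others += rpcgen
+
+-tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
++tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3 tst-udp-error
+xtests := tst-getmyaddr
+
+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+@@ -163,6 +163,7 @@ $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
+$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
+$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
++$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so
+
+$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
+
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 4d9acb1..1de25cb 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -421,9 +421,9 @@ send_again:
+cmsg = CMSG_NXTHDR (&msg, cmsg))
+if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+{
+- free (cbuf);
+e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+cu->cu_error.re_errno = e->ee_errno;
++ free (cbuf);
+return (cu->cu_error.re_status = RPC_CANTRECV);
+}
+free (cbuf);
+diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c
+new file mode 100644
+index 0000000..1efc02f
+--- /dev/null
++++ b/sunrpc/tst-udp-error.c
+@@ -0,0 +1,62 @@
++/* Check for use-after-free in clntudp_call (bug 21115).
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <netinet/in.h>
++#include <rpc/clnt.h>
++#include <rpc/svc.h>
++#include <support/check.h>
++#include <support/namespace.h>
++#include <support/xsocket.h>
++#include <unistd.h>
++
++static int
++do_test (void)
++{
++ support_become_root ();
++ support_enter_network_namespace ();
++
++ /* Obtain a likely-unused port number. */
++ struct sockaddr_in sin =
++ {
++ .sin_family = AF_INET,
++ .sin_addr.s_addr = htonl (INADDR_LOOPBACK),
++ };
++ {
++ int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
++ xbind (fd, (struct sockaddr *) &sin, sizeof (sin));
++ socklen_t sinlen = sizeof (sin);
++ xgetsockname (fd, (struct sockaddr *) &sin, &sinlen);
++ /* Close the socket, so that we will receive an error below. */
++ close (fd);
++ }
++
++ int sock = RPC_ANYSOCK;
++ CLIENT *clnt = clntudp_create
++ (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock);
++ TEST_VERIFY_EXIT (clnt != NULL);
++ TEST_VERIFY (clnt_call (clnt, 3,
++ (xdrproc_t) xdr_void, NULL,
++ (xdrproc_t) xdr_void, NULL,
++ ((struct timeval) { 3, 0 }))
++ == RPC_CANTRECV);
++ clnt_destroy (clnt);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+
+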
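Review bot: The diffstat lists only the new .patch file, so nothing visible in this commit adds it to the glibc recipe's `SRC_URI`; unless a recipe or bbappend elsewhere already references it, the one-line CVE-2017-12133 fix in sunrpc/clnt_udp.c (moving `free (cbuf);` after the read of `e->ee_errno`) never reaches the build. The entry would look like `file://CVE-2017-12133-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch \`. The ChangeLog and NEWS hunks take the BZ #22343 and CVE-2018-6485/CVE-2018-6551 entries as context, so the patch applies cleanly only when those entries are already in the tree; dropping the two hunks from the backport would remove that ordering dependency without touching the fix. Patch line 75 reads `(objpfx)tst-xdrmem2:` without the leading `$`; if that is really in the file rather than a rendering artifact, the sunrpc/Makefile context will not match exactly and the hunk may need fuzz or be rejected.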