1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
|
From 45619a54f7d751a2a7dec7d7ee323e1545b881af Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Mon, 11 Sep 2017 13:35:44 +0200
Subject: [PATCH] CVE-2017-8804
The xdr_bytes and xdr_string functions in the glibc or libc6 2.25 mishandle
failures of buffer deserialization, which allows remote attackers to cause
a denial of service (virtual memory allocation, or memory consumption if an
overcommit setting is not used) via a crafted UDP packet to port 111, a
related issue to CVE-2017-8779.
CVE: CVE-2017-8804
Upstream-Status: Backport [https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
NEWS | 3 ++
sunrpc/Makefile | 10 ++++++-
sunrpc/tst-xdrmem3.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++
sunrpc/xdr.c | 41 ++++++++++++++++++++------
4 files changed, 127 insertions(+), 10 deletions(-)
create mode 100644 sunrpc/tst-xdrmem3.c
diff --git a/NEWS b/NEWS
index ec15dde..29e795a 100644
--- a/NEWS
+++ b/NEWS
@@ -211,6 +211,9 @@ Security related changes:
question type which is outside the range of valid question type values.
(CVE-2015-5180)
+* The xdr_bytes and xdr_string routines free the internally allocated buffer
+ if deserialization of the buffer contents fails for any reason.
+
The following bugs are resolved with this release:
[4099] stdio: Overly agressive caching by stream i/o functions.
diff --git a/sunrpc/Makefile b/sunrpc/Makefile
index 0c1e612..12ec2e7 100644
--- a/sunrpc/Makefile
+++ b/sunrpc/Makefile
@@ -93,9 +93,16 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
others += rpcgen
-tests = tst-xdrmem tst-xdrmem2 test-rpcent
+tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-xdrmem3
xtests := tst-getmyaddr
+tests-special += $(objpfx)mtrace-tst-xdrmem3.out
+generated += mtrace-tst-xdrmem3.out tst-xdrmem3.mtrace
+tst-xdrmem3-ENV = MALLOC_TRACE=$(objpfx)tst-xdrmem3.mtrace
+$(objpfx)mtrace-tst-xdrmem3.out: $(objpfx)tst-xdrmem3.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-xdrmem3.mtrace > $@; \
+ $(evaluate-test)
+
ifeq ($(have-thread-library),yes)
xtests += thrsvc
endif
@@ -155,6 +162,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
$(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
+(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))
diff --git a/sunrpc/tst-xdrmem3.c b/sunrpc/tst-xdrmem3.c
new file mode 100644
index 0000000..b3c72ae
--- /dev/null
+++ b/sunrpc/tst-xdrmem3.c
@@ -0,0 +1,83 @@
+/* Test xdr_bytes, xdr_string behavior on deserialization failure.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <mcheck.h>
+#include <rpc/rpc.h>
+#include <support/check.h>
+#include <support/support.h>
+
+static int
+do_test (void)
+{
+ mtrace ();
+
+ /* If do_own_buffer, allocate the buffer and pass it to the
+ deserialization routine. Otherwise the routine is requested to
+ allocate the buffer. */
+ for (int do_own_buffer = 0; do_own_buffer < 2; ++do_own_buffer)
+ {
+ /* Length 16 MiB, but only 2 bytes of data in the packet. */
+ unsigned char buf[] = "\x01\x00\x00\x00\xff";
+ XDR xdrs;
+ char *result;
+ unsigned int result_len;
+
+ /* Test xdr_bytes. */
+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+ result_len = 0;
+ if (do_own_buffer)
+ {
+ char *own_buffer = xmalloc (10);
+ result = own_buffer;
+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, 10));
+ TEST_VERIFY (result == own_buffer);
+ free (own_buffer);
+ }
+ else
+ {
+ result = NULL;
+ TEST_VERIFY (!xdr_bytes (&xdrs, &result, &result_len, -1));
+ TEST_VERIFY (result == NULL);
+ }
+ TEST_VERIFY (result_len == 16 * 1024 * 1024);
+ xdr_destroy (&xdrs);
+
+ /* Test xdr_string. */
+ xdrmem_create (&xdrs, (char *) buf, sizeof (buf), XDR_DECODE);
+ if (do_own_buffer)
+ {
+ char *own_buffer = xmalloc (10);
+ result = own_buffer;
+ TEST_VERIFY (!xdr_string (&xdrs, &result, 10));
+ TEST_VERIFY (result == own_buffer);
+ free (own_buffer);
+ }
+ else
+ {
+ result = NULL;
+ TEST_VERIFY (!xdr_string (&xdrs, &result, -1));
+ TEST_VERIFY (result == NULL);
+ }
+ xdr_destroy (&xdrs);
+ }
+
+ return 0;
+}
+
+#include <support/test-driver.c>
+
diff --git a/sunrpc/xdr.c b/sunrpc/xdr.c
index bfabf33..857f7c8 100644
--- a/sunrpc/xdr.c
+++ b/sunrpc/xdr.c
@@ -620,14 +620,24 @@ xdr_bytes (XDR *xdrs, char **cpp, u_int *sizep, u_int maxsize)
}
if (sp == NULL)
{
- *cpp = sp = (char *) mem_alloc (nodesize);
+ sp = (char *) mem_alloc (nodesize);
+ if (sp == NULL)
+ {
+ (void) __fxprintf (NULL, "%s: %s", __func__,
+ _("out of memory\n"));
+ return FALSE;
+ }
}
- if (sp == NULL)
+ if (!xdr_opaque (xdrs, sp, nodesize))
{
- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
+ if (sp != *cpp)
+ /* *cpp was NULL, so this function allocated a new
+ buffer. */
+ free (sp);
return FALSE;
}
- /* fall into ... */
+ *cpp = sp;
+ return TRUE;
case XDR_ENCODE:
return xdr_opaque (xdrs, sp, nodesize);
@@ -781,14 +791,27 @@ xdr_string (XDR *xdrs, char **cpp, u_int maxsize)
{
case XDR_DECODE:
if (sp == NULL)
- *cpp = sp = (char *) mem_alloc (nodesize);
- if (sp == NULL)
{
- (void) __fxprintf (NULL, "%s: %s", __func__, _("out of memory\n"));
- return FALSE;
+ sp = (char *) mem_alloc (nodesize);
+ if (sp == NULL)
+ {
+ (void) __fxprintf (NULL, "%s: %s", __func__,
+ _("out of memory\n"));
+ return FALSE;
+ }
}
sp[size] = 0;
- /* fall into ... */
+
+ if (!xdr_opaque (xdrs, sp, size))
+ {
+ if (sp != *cpp)
+ /* *cpp was NULL, so this function allocated a new
+ buffer. */
+ free (sp);
+ return FALSE;
+ }
+ *cpp = sp;
+ return TRUE;
case XDR_ENCODE:
return xdr_opaque (xdrs, sp, size);
--
1.9.1
|
