summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-03-14 12:55:32 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-03-16 21:44:24 (GMT)
commit0b13cc2376a5bf69fcbf809ddad8a4bf928970be (patch)
treeba42e7405e36533cdd5073eb496cf37d174f9cbb
parente15d15673f5faa4623657eabab351986f650d509 (diff)
downloadpoky-0b13cc2376a5bf69fcbf809ddad8a4bf928970be.tar.gz
rpcbind: CVE-2015-7236
Fixes a use-after-free flaw in rpcbind. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236 Reference to the upstream fix: http://openwall.com/lists/oss-security/2015/09/18/7 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch83
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb1
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch
new file mode 100644
index 0000000..fc1fcc8
--- /dev/null
+++ b/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch
@@ -0,0 +1,83 @@
1commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
2Author: Olaf Kirch <okir () suse de>
3Date: Thu Aug 6 16:27:20 2015 +0200
4
5 Fix memory corruption in PMAP_CALLIT code
6
7 - A PMAP_CALLIT call comes in on IPv4 UDP
8 - rpcbind duplicates the caller's address to a netbuf and stores it in
9 FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
10 with a size of 16 bytes
11 - rpcbind forwards the call to the local service, receives a reply
12 - when processing the reply, it does this in xprt_set_caller:
13 xprt->xp_rtaddr = *FINFO[0].caller_addr
14 It sends out the reply, and then frees the netbuf caller_addr and
15 caller_addr.buf.
16 However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
17 to memory region A, which is free.
18 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
19 be called, which will set xp_rtaddr to the client's address.
20 It will reuse the buffer inside xp_rtaddr, ie it will write a
21 sockaddr_in to region A
22
23 Some time down the road, an incoming TCP connection is accepted,
24 allocating a fresh SVCXPRT. The memory region A is inside the
25 new SVCXPRT
26
27 - While processing the TCP call, another UDP call comes in, again
28 overwriting region A with the client's address
29 - TCP client closes connection. In svc_destroy, we now trip over
30 the garbage left in region A
31
32 We ran into the case where a commercial scanner was triggering
33 occasional rpcbind segfaults. The core file that was captured showed
34 a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
35
36 Fixes CVE-2015-7236
37 Upstream-Status: Backport
38
39 Signed-off-by: Olaf Kirch <okir () suse de>
40 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
41---
42 src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
43 1 file changed, 22 insertions(+), 1 deletion(-)
44
45Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
46===================================================================
47--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
48+++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
49@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
50 return (ncallbacks_found);
51 }
52
53+/*
54+ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
55+ * been exported yet.
56+ */
57+static struct netbuf *
58+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
59+{
60+ if (nb->len != len) {
61+ if (nb->len)
62+ mem_free(nb->buf, nb->len);
63+ nb->buf = mem_alloc(len);
64+ if (nb->buf == NULL)
65+ return NULL;
66+
67+ nb->maxlen = nb->len = len;
68+ }
69+ memcpy(nb->buf, ptr, len);
70+ return nb;
71+}
72+
73 static void
74 xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
75 {
76+ const struct netbuf *caller = fi->caller_addr;
77 u_int32_t *xidp;
78
79- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
80+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
81 xidp = __rpcb_get_dg_xidp(xprt);
82 *xidp = fi->caller_xid;
83 }
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb
index b732476..460726d 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
17 file://rpcbind.conf \ 17 file://rpcbind.conf \
18 file://rpcbind.socket \ 18 file://rpcbind.socket \
19 file://rpcbind.service \ 19 file://rpcbind.service \
20 file://CVE-2015-7236.patch \
20 " 21 "
21 22
22UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \ 23UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \