summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFan Xin <fan.xin@jp.fujitsu.com>2017-06-07 08:29:03 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-03-15 22:47:53 (GMT)
commit3a1b3aada39a54f261c8fcfd69325fd118a9ecfe (patch)
tree5c936468b4bed907e8db1cab54724309ad9707b2
parent4812f7574885b24f9acbc8efcf8843cfdb8f8a11 (diff)
downloadpoky-3a1b3aada39a54f261c8fcfd69325fd118a9ecfe.tar.gz
libtirpc: Fix CVE-2017-8779
This vulnerability is also called "rpcbomb". Backport upstream patch to fix this vulnerability. CVE: CVE-2017-8779 (From OE-Core rev: bb6af5f0dbb39553654ba3a587c8078bb635da6f) Signed-off-by: Fan Xin<fan.xin@jp.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch276
-rw-r--r--meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb1
2 files changed, 277 insertions, 0 deletions
diff --git a/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch
new file mode 100644
index 0000000..b3bae67
--- /dev/null
+++ b/meta/recipes-extended/libtirpc/libtirpc/0001-Fix-for-CVE-2017-8779.patch
@@ -0,0 +1,276 @@
1From dd9c7cf4f8f375c6d641b760d124650c418c2ce3 Mon Sep 17 00:00:00 2001
2From: Guido Vranken <guidovranken@gmail.com>
3Date: Mon, 15 May 2017 11:12:21 -0400
4Subject: [PATCH] Fix for CVE-2017-8779
5
6Signed-off-by: Steve Dickson <steved@redhat.com>
7---
8 src/rpc_generic.c | 8 ++++++++
9 src/rpcb_prot.c | 22 ++++++++++++++--------
10 src/rpcb_st_xdr.c | 9 +++++----
11 src/xdr.c | 30 +++++++++++++++++++++++++-----
12 4 files changed, 52 insertions(+), 17 deletions(-)
13
14CVE: CVE-2017-8779
15Upstream-Status: Backport
16
17Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
18
19diff --git a/src/rpc_generic.c b/src/rpc_generic.c
20index 2f09a8f..589cbd5 100644
21--- a/src/rpc_generic.c
22+++ b/src/rpc_generic.c
23@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
24
25 switch (af) {
26 case AF_INET:
27+ if (nbuf->len < sizeof(*sin)) {
28+ return NULL;
29+ }
30 sin = nbuf->buf;
31 if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
32 == NULL)
33@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
34 break;
35 #ifdef INET6
36 case AF_INET6:
37+ if (nbuf->len < sizeof(*sin6)) {
38+ return NULL;
39+ }
40 sin6 = nbuf->buf;
41 if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
42 == NULL)
43@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
44
45 port = 0;
46 sin = NULL;
47+ if (uaddr == NULL)
48+ return NULL;
49 addrstr = strdup(uaddr);
50 if (addrstr == NULL)
51 return NULL;
52diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
53index 43fd385..a923c8e 100644
54--- a/src/rpcb_prot.c
55+++ b/src/rpcb_prot.c
56@@ -41,6 +41,7 @@
57 #include <rpc/types.h>
58 #include <rpc/xdr.h>
59 #include <rpc/rpcb_prot.h>
60+#include "rpc_com.h"
61
62 bool_t
63 xdr_rpcb(xdrs, objp)
64@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
65 if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
66 return (FALSE);
67 }
68- if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
69+ if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
70 return (FALSE);
71 }
72- if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
73+ if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
74 return (FALSE);
75 }
76- if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
77+ if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
78 return (FALSE);
79 }
80 return (TRUE);
81@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
82 XDR *xdrs;
83 rpcb_entry *objp;
84 {
85- if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
86+ if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
87 return (FALSE);
88 }
89- if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
90+ if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
91 return (FALSE);
92 }
93 if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
94 return (FALSE);
95 }
96- if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
97+ if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
98 return (FALSE);
99 }
100- if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
101+ if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
102 return (FALSE);
103 }
104 return (TRUE);
105@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
106 bool_t dummy;
107 struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
108
109- if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
110+ if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
111 return (FALSE);
112 }
113 if (!xdr_u_int(xdrs, &objp->results.results_len)) {
114@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
115 if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
116 return (FALSE);
117 }
118+
119+ if (objp->maxlen > RPC_MAXDATASIZE) {
120+ return (FALSE);
121+ }
122+
123 dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
124 (u_int *)&(objp->len), objp->maxlen);
125 return (dummy);
126diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
127index 08db745..28e6a48 100644
128--- a/src/rpcb_st_xdr.c
129+++ b/src/rpcb_st_xdr.c
130@@ -37,6 +37,7 @@
131
132
133 #include <rpc/rpc.h>
134+#include "rpc_com.h"
135
136 /* Link list of all the stats about getport and getaddr */
137
138@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
139 if (!xdr_int(xdrs, &objp->failure)) {
140 return (FALSE);
141 }
142- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
143+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
144 return (FALSE);
145 }
146
147@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
148 IXDR_PUT_INT32(buf, objp->failure);
149 IXDR_PUT_INT32(buf, objp->indirect);
150 }
151- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
152+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
153 return (FALSE);
154 }
155 if (!xdr_pointer(xdrs, (char **)&objp->next,
156@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
157 objp->failure = (int)IXDR_GET_INT32(buf);
158 objp->indirect = (int)IXDR_GET_INT32(buf);
159 }
160- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
161+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
162 return (FALSE);
163 }
164 if (!xdr_pointer(xdrs, (char **)&objp->next,
165@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
166 if (!xdr_int(xdrs, &objp->indirect)) {
167 return (FALSE);
168 }
169- if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
170+ if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
171 return (FALSE);
172 }
173 if (!xdr_pointer(xdrs, (char **)&objp->next,
174diff --git a/src/xdr.c b/src/xdr.c
175index f3fb9ad..b9a1558 100644
176--- a/src/xdr.c
177+++ b/src/xdr.c
178@@ -42,8 +42,10 @@
179 #include <stdlib.h>
180 #include <string.h>
181
182+#include <rpc/rpc.h>
183 #include <rpc/types.h>
184 #include <rpc/xdr.h>
185+#include <rpc/rpc_com.h>
186
187 typedef quad_t longlong_t; /* ANSI long long type */
188 typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
189@@ -53,7 +55,6 @@ typedef u_quad_t u_longlong_t; /* ANSI unsigned long long type */
190 */
191 #define XDR_FALSE ((long) 0)
192 #define XDR_TRUE ((long) 1)
193-#define LASTUNSIGNED ((u_int) 0-1)
194
195 /*
196 * for unit alignment
197@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
198 {
199 char *sp = *cpp; /* sp is the actual string pointer */
200 u_int nodesize;
201+ bool_t ret, allocated = FALSE;
202
203 /*
204 * first deal with the length since xdr bytes are counted
205@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
206 }
207 if (sp == NULL) {
208 *cpp = sp = mem_alloc(nodesize);
209+ allocated = TRUE;
210 }
211 if (sp == NULL) {
212 warnx("xdr_bytes: out of memory");
213@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
214 /* FALLTHROUGH */
215
216 case XDR_ENCODE:
217- return (xdr_opaque(xdrs, sp, nodesize));
218+ ret = xdr_opaque(xdrs, sp, nodesize);
219+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
220+ if (allocated == TRUE) {
221+ free(sp);
222+ *cpp = NULL;
223+ }
224+ }
225+ return (ret);
226
227 case XDR_FREE:
228 if (sp != NULL) {
229@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
230 char *sp = *cpp; /* sp is the actual string pointer */
231 u_int size;
232 u_int nodesize;
233+ bool_t ret, allocated = FALSE;
234
235 /*
236 * first deal with the length since xdr strings are counted-strings
237@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
238 switch (xdrs->x_op) {
239
240 case XDR_DECODE:
241- if (sp == NULL)
242+ if (sp == NULL) {
243 *cpp = sp = mem_alloc(nodesize);
244+ allocated = TRUE;
245+ }
246 if (sp == NULL) {
247 warnx("xdr_string: out of memory");
248 return (FALSE);
249@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
250 /* FALLTHROUGH */
251
252 case XDR_ENCODE:
253- return (xdr_opaque(xdrs, sp, size));
254+ ret = xdr_opaque(xdrs, sp, size);
255+ if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
256+ if (allocated == TRUE) {
257+ free(sp);
258+ *cpp = NULL;
259+ }
260+ }
261+ return (ret);
262
263 case XDR_FREE:
264 mem_free(sp, nodesize);
265@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
266 XDR *xdrs;
267 char **cpp;
268 {
269- return xdr_string(xdrs, cpp, LASTUNSIGNED);
270+ return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
271 }
272
273 /*
274--
2751.9.1
276
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
index 5518fb3..f41d2f3 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.0.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2;name=libtirpc \
16 file://export_key_secretkey_is_set.patch \ 16 file://export_key_secretkey_is_set.patch \
17 file://0001-replace-__bzero-with-memset-API.patch \ 17 file://0001-replace-__bzero-with-memset-API.patch \
18 file://0001-include-stdint.h-for-uintptr_t.patch \ 18 file://0001-include-stdint.h-for-uintptr_t.patch \
19 file://0001-Fix-for-CVE-2017-8779.patch \
19 " 20 "
20 21
21SRC_URI_append_libc-uclibc = " file://remove-des-functionality.patch \ 22SRC_URI_append_libc-uclibc = " file://remove-des-functionality.patch \