diff options
author | Li Zhou <li.zhou@windriver.com> | 2015-11-17 02:18:32 -0500 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-03-03 11:11:40 +0000 |
commit | d4b6c1657bde83f1267a4fef6b645bf0a64d31d1 (patch) | |
tree | a55cb0d8487655f15bef53b425ed0067accbcd81 /meta/recipes-extended | |
parent | 854c2e724d0aeb19f390e3ac2e7b40c94b2d383b (diff) | |
download | poky-d4b6c1657bde83f1267a4fef6b645bf0a64d31d1.tar.gz |
rpcbind: Security Advisory - rpcbind - CVE-2015-7236
rpcbind: Fix memory corruption in PMAP_CALLIT code
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT
code.
The patch comes from
<http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
been in rpcbind upstream yet.
(From OE-Core master rev: cc4f62f3627f3804907e8ff9c68d9321979df32b)
(From OE-Core rev: 224bcc2ead676600bcd9e290ed23d9b2ed2f481e)
(From OE-Core rev: 16cf2f5386bc438dc20c4ae40de267618e9dc500)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch | 83 | ||||
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb | 1 |
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch new file mode 100644 index 0000000000..f156290bf6 --- /dev/null +++ b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch | |||
@@ -0,0 +1,83 @@ | |||
1 | commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd | ||
2 | Author: Olaf Kirch <okir@...e.de> | ||
3 | Date: Thu Aug 6 16:27:20 2015 +0200 | ||
4 | |||
5 | Fix memory corruption in PMAP_CALLIT code | ||
6 | |||
7 | - A PMAP_CALLIT call comes in on IPv4 UDP | ||
8 | - rpcbind duplicates the caller's address to a netbuf and stores it in | ||
9 | FINFO[0].caller_addr. caller_addr->buf now points to a memory region A | ||
10 | with a size of 16 bytes | ||
11 | - rpcbind forwards the call to the local service, receives a reply | ||
12 | - when processing the reply, it does this in xprt_set_caller: | ||
13 | xprt->xp_rtaddr = *FINFO[0].caller_addr | ||
14 | It sends out the reply, and then frees the netbuf caller_addr and | ||
15 | caller_addr.buf. | ||
16 | However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers | ||
17 | to memory region A, which is free. | ||
18 | - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will | ||
19 | be called, which will set xp_rtaddr to the client's address. | ||
20 | It will reuse the buffer inside xp_rtaddr, ie it will write a | ||
21 | sockaddr_in to region A | ||
22 | |||
23 | Some time down the road, an incoming TCP connection is accepted, | ||
24 | allocating a fresh SVCXPRT. The memory region A is inside the | ||
25 | new SVCXPRT | ||
26 | |||
27 | - While processing the TCP call, another UDP call comes in, again | ||
28 | overwriting region A with the client's address | ||
29 | - TCP client closes connection. In svc_destroy, we now trip over | ||
30 | the garbage left in region A | ||
31 | |||
32 | We ran into the case where a commercial scanner was triggering | ||
33 | occasional rpcbind segfaults. The core file that was captured showed | ||
34 | a corrupted xprt->xp_netid pointer that was really a sockaddr_in. | ||
35 | |||
36 | Signed-off-by: Olaf Kirch <okir@...e.de> | ||
37 | |||
38 | Upstream-Status: Backport | ||
39 | |||
40 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
41 | --- | ||
42 | src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- | ||
43 | 1 file changed, 22 insertions(+), 1 deletion(-) | ||
44 | |||
45 | Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c | ||
46 | =================================================================== | ||
47 | --- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c | ||
48 | +++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c | ||
49 | @@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int | ||
50 | return (ncallbacks_found); | ||
51 | } | ||
52 | |||
53 | +/* | ||
54 | + * This is really a helper function defined in libtirpc, but unfortunately, it hasn't | ||
55 | + * been exported yet. | ||
56 | + */ | ||
57 | +static struct netbuf * | ||
58 | +__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) | ||
59 | +{ | ||
60 | + if (nb->len != len) { | ||
61 | + if (nb->len) | ||
62 | + mem_free(nb->buf, nb->len); | ||
63 | + nb->buf = mem_alloc(len); | ||
64 | + if (nb->buf == NULL) | ||
65 | + return NULL; | ||
66 | + | ||
67 | + nb->maxlen = nb->len = len; | ||
68 | + } | ||
69 | + memcpy(nb->buf, ptr, len); | ||
70 | + return nb; | ||
71 | +} | ||
72 | + | ||
73 | static void | ||
74 | xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) | ||
75 | { | ||
76 | + const struct netbuf *caller = fi->caller_addr; | ||
77 | u_int32_t *xidp; | ||
78 | |||
79 | - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); | ||
80 | + __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); | ||
81 | xidp = __rpcb_get_dg_xidp(xprt); | ||
82 | *xidp = fi->caller_xid; | ||
83 | } | ||
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb index 1952b2a298..486073e28c 100644 --- a/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb +++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb | |||
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \ | |||
16 | file://rpcbind.conf \ | 16 | file://rpcbind.conf \ |
17 | file://rpcbind.socket \ | 17 | file://rpcbind.socket \ |
18 | file://rpcbind.service \ | 18 | file://rpcbind.service \ |
19 | file://cve-2015-7236.patch \ | ||
19 | " | 20 | " |
20 | 21 | ||
21 | UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \ | 22 | UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \ |