diff options
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch | 221 | ||||
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch | 30 | ||||
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch | 100 | ||||
-rw-r--r-- | meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb (renamed from meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb) | 9 |
4 files changed, 2 insertions, 358 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch b/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch deleted file mode 100644 index bf7aaef5a9..0000000000 --- a/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch +++ /dev/null | |||
@@ -1,221 +0,0 @@ | |||
1 | From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001 | ||
2 | From: Doran Moppert <dmoppert@redhat.com> | ||
3 | Date: Thu, 11 May 2017 11:42:54 -0400 | ||
4 | Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to | ||
5 | avoid memory leak | ||
6 | |||
7 | This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed | ||
8 | at [1], [2], [3]. The last link suggests this issue is actually a bug | ||
9 | in rpcbind, which led me here. | ||
10 | |||
11 | The leak caused by the reproducer at [4] appears to come from | ||
12 | rpcb_service_4(), in the case where svc_getargs() returns false and the | ||
13 | function had an early return, rather than passing through the cleanup | ||
14 | path at done:, as would otherwise occur. | ||
15 | |||
16 | It also addresses a couple of other locations where the same fault seems | ||
17 | to exist, though I haven't been able to exercise those. I hope someone | ||
18 | more intimate with rpc(3) can confirm my understanding is correct, and | ||
19 | that I haven't introduced any new bugs. | ||
20 | |||
21 | Without this patch, using the reproducer (and variants) repeatedly | ||
22 | against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof | ||
23 | rpcbind)/status reports VmSize increase of 976564 kB each call, and | ||
24 | VmRSS increase of around 260 kB every 33 calls - the specific numbers | ||
25 | are probably an artifact of my rhel/glibc version. With the patch, | ||
26 | there is a small (~50 kB) VmSize increase with the first message, but | ||
27 | thereafter both VmSize and VmRSS remain steady. | ||
28 | |||
29 | [1]: http://seclists.org/oss-sec/2017/q2/209 | ||
30 | [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124 | ||
31 | [3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html | ||
32 | [4]: https://github.com/guidovranken/rpcbomb/ | ||
33 | |||
34 | |||
35 | CVE: CVE-2017-8779 | ||
36 | Upstream-Status: Backport | ||
37 | |||
38 | Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> | ||
39 | --- | ||
40 | src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--------- | ||
41 | src/rpcb_svc.c | 2 +- | ||
42 | src/rpcb_svc_4.c | 2 +- | ||
43 | src/rpcb_svc_com.c | 8 ++++++++ | ||
44 | 4 files changed, 57 insertions(+), 11 deletions(-) | ||
45 | |||
46 | diff --git a/src/pmap_svc.c b/src/pmap_svc.c | ||
47 | index 4c744fe..e926cdc 100644 | ||
48 | --- a/src/pmap_svc.c | ||
49 | +++ b/src/pmap_svc.c | ||
50 | @@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long | ||
51 | long ans; | ||
52 | uid_t uid; | ||
53 | char uidbuf[32]; | ||
54 | + int rc = TRUE; | ||
55 | |||
56 | /* | ||
57 | * Can't use getpwnam here. We might end up calling ourselves | ||
58 | @@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long | ||
59 | |||
60 | if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { | ||
61 | svcerr_decode(xprt); | ||
62 | - return (FALSE); | ||
63 | + rc = FALSE; | ||
64 | + goto done; | ||
65 | } | ||
66 | #ifdef RPCBIND_DEBUG | ||
67 | if (debugging) | ||
68 | @@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long | ||
69 | |||
70 | if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) { | ||
71 | svcerr_weakauth(xprt); | ||
72 | - return (FALSE); | ||
73 | + rc = (FALSE); | ||
74 | + goto done; | ||
75 | } | ||
76 | |||
77 | rpcbreg.r_prog = reg.pm_prog; | ||
78 | @@ -258,7 +261,16 @@ done_change: | ||
79 | rpcbs_set(RPCBVERS_2_STAT, ans); | ||
80 | else | ||
81 | rpcbs_unset(RPCBVERS_2_STAT, ans); | ||
82 | - return (TRUE); | ||
83 | +done: | ||
84 | + if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { | ||
85 | + if (debugging) { | ||
86 | + /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ | ||
87 | + if (doabort) { | ||
88 | + rpcbind_abort(); | ||
89 | + } | ||
90 | + } | ||
91 | + } | ||
92 | + return (rc); | ||
93 | } | ||
94 | |||
95 | /* ARGSUSED */ | ||
96 | @@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) | ||
97 | #ifdef RPCBIND_DEBUG | ||
98 | char *uaddr; | ||
99 | #endif | ||
100 | + int rc = TRUE; | ||
101 | |||
102 | if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { | ||
103 | svcerr_decode(xprt); | ||
104 | - return (FALSE); | ||
105 | + rc = FALSE; | ||
106 | + goto done; | ||
107 | } | ||
108 | |||
109 | if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) { | ||
110 | svcerr_weakauth(xprt); | ||
111 | - return FALSE; | ||
112 | + rc = FALSE; | ||
113 | + goto done; | ||
114 | } | ||
115 | |||
116 | #ifdef RPCBIND_DEBUG | ||
117 | @@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) | ||
118 | pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>", | ||
119 | port ? udptrans : ""); | ||
120 | |||
121 | - return (TRUE); | ||
122 | +done: | ||
123 | + if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { | ||
124 | + if (debugging) { | ||
125 | + /* (void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ | ||
126 | + if (doabort) { | ||
127 | + rpcbind_abort(); | ||
128 | + } | ||
129 | + } | ||
130 | + } | ||
131 | + return (rc); | ||
132 | } | ||
133 | |||
134 | /* ARGSUSED */ | ||
135 | static bool_t | ||
136 | pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) | ||
137 | { | ||
138 | + int rc = TRUE; | ||
139 | + | ||
140 | if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) { | ||
141 | svcerr_decode(xprt); | ||
142 | - return (FALSE); | ||
143 | + rc = FALSE; | ||
144 | + goto done; | ||
145 | } | ||
146 | |||
147 | if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) { | ||
148 | svcerr_weakauth(xprt); | ||
149 | - return FALSE; | ||
150 | + rc = FALSE; | ||
151 | + goto done; | ||
152 | } | ||
153 | |||
154 | if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr, | ||
155 | @@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) | ||
156 | rpcbind_abort(); | ||
157 | } | ||
158 | } | ||
159 | - return (TRUE); | ||
160 | + | ||
161 | +done: | ||
162 | + if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { | ||
163 | + if (debugging) { | ||
164 | + /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ | ||
165 | + if (doabort) { | ||
166 | + rpcbind_abort(); | ||
167 | + } | ||
168 | + } | ||
169 | + } | ||
170 | + return (rc); | ||
171 | } | ||
172 | |||
173 | int pmap_netid2ipprot(const char *netid) | ||
174 | diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c | ||
175 | index 709e3fb..091f530 100644 | ||
176 | --- a/src/rpcb_svc.c | ||
177 | +++ b/src/rpcb_svc.c | ||
178 | @@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) | ||
179 | svcerr_decode(transp); | ||
180 | if (debugging) | ||
181 | (void) xlog(LOG_DEBUG, "rpcbind: could not decode"); | ||
182 | - return; | ||
183 | + goto done; | ||
184 | } | ||
185 | |||
186 | if (rqstp->rq_proc == RPCBPROC_SET | ||
187 | diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c | ||
188 | index 5094879..eebbbbe 100644 | ||
189 | --- a/src/rpcb_svc_4.c | ||
190 | +++ b/src/rpcb_svc_4.c | ||
191 | @@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) | ||
192 | svcerr_decode(transp); | ||
193 | if (debugging) | ||
194 | (void) xlog(LOG_DEBUG, "rpcbind: could not decode\n"); | ||
195 | - return; | ||
196 | + goto done; | ||
197 | } | ||
198 | |||
199 | if (rqstp->rq_proc == RPCBPROC_SET | ||
200 | diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c | ||
201 | index 5862c26..cb63afd 100644 | ||
202 | --- a/src/rpcb_svc_com.c | ||
203 | +++ b/src/rpcb_svc_com.c | ||
204 | @@ -927,6 +927,14 @@ error: | ||
205 | if (call_msg.rm_xid != 0) | ||
206 | (void) free_slot_by_xid(call_msg.rm_xid); | ||
207 | out: | ||
208 | + if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { | ||
209 | + if (debugging) { | ||
210 | + (void) xlog(LOG_DEBUG, "unable to free arguments\n"); | ||
211 | + if (doabort) { | ||
212 | + rpcbind_abort(); | ||
213 | + } | ||
214 | + } | ||
215 | + } | ||
216 | if (local_uaddr) | ||
217 | free(local_uaddr); | ||
218 | if (buf_alloc) | ||
219 | -- | ||
220 | 1.9.1 | ||
221 | |||
diff --git a/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch deleted file mode 100644 index 4c23ee01ca..0000000000 --- a/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001 | ||
2 | From: Steve Dickson <steved@redhat.com> | ||
3 | Date: Wed, 17 May 2017 10:52:25 -0400 | ||
4 | Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch | ||
5 | |||
6 | commit 7ea36eee introduce a typo that caused | ||
7 | NIS (aka ypbind) to fail. | ||
8 | |||
9 | Signed-off-by: Steve Dickson <steved@redhat.com> | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
14 | --- | ||
15 | src/pmap_svc.c | 2 +- | ||
16 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
17 | |||
18 | Index: rpcbind-0.2.4/src/pmap_svc.c | ||
19 | =================================================================== | ||
20 | --- rpcbind-0.2.4.orig/src/pmap_svc.c | ||
21 | +++ rpcbind-0.2.4/src/pmap_svc.c | ||
22 | @@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__ | ||
23 | } | ||
24 | |||
25 | done: | ||
26 | - if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { | ||
27 | + if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) { | ||
28 | if (debugging) { | ||
29 | /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ | ||
30 | if (doabort) { | ||
diff --git a/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch deleted file mode 100644 index 9a000d0285..0000000000 --- a/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch +++ /dev/null | |||
@@ -1,100 +0,0 @@ | |||
1 | From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001 | ||
2 | From: Steve Dickson <steved@redhat.com> | ||
3 | Date: Tue, 30 May 2017 11:27:22 -0400 | ||
4 | Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer | ||
5 | |||
6 | commit 7ea36ee introduced a svc_freeargs() call | ||
7 | that ended up freeing static pointer. | ||
8 | |||
9 | It turns out the allocations for the rmt_args | ||
10 | is not necessary . The xdr routines (xdr_bytes) will | ||
11 | handle the memory management and the largest | ||
12 | possible message size is UDPMSGSIZE (due to UDP only) | ||
13 | which is smaller than RPC_BUF_MAX | ||
14 | |||
15 | Signed-off-by: Steve Dickson <steved@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
20 | --- | ||
21 | src/rpcb_svc_com.c | 39 ++++++--------------------------------- | ||
22 | 1 file changed, 6 insertions(+), 33 deletions(-) | ||
23 | |||
24 | diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c | ||
25 | index cb63afd..1fc2229 100644 | ||
26 | --- a/src/rpcb_svc_com.c | ||
27 | +++ b/src/rpcb_svc_com.c | ||
28 | @@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, | ||
29 | struct netconfig *nconf; | ||
30 | struct netbuf *caller; | ||
31 | struct r_rmtcall_args a; | ||
32 | - char *buf_alloc = NULL, *outbufp; | ||
33 | + char *outbufp; | ||
34 | char *outbuf_alloc = NULL; | ||
35 | - char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX]; | ||
36 | + char outbuf[RPC_BUF_MAX]; | ||
37 | struct netbuf *na = (struct netbuf *) NULL; | ||
38 | struct rpc_msg call_msg; | ||
39 | int outlen; | ||
40 | @@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, | ||
41 | } | ||
42 | if (si.si_socktype != SOCK_DGRAM) | ||
43 | return; /* Only datagram type accepted */ | ||
44 | - sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE); | ||
45 | - if (sendsz == 0) { /* data transfer not supported */ | ||
46 | - if (reply_type == RPCBPROC_INDIRECT) | ||
47 | - svcerr_systemerr(transp); | ||
48 | - return; | ||
49 | - } | ||
50 | - /* | ||
51 | - * Should be multiple of 4 for XDR. | ||
52 | - */ | ||
53 | - sendsz = ((sendsz + 3) / 4) * 4; | ||
54 | - if (sendsz > RPC_BUF_MAX) { | ||
55 | -#ifdef notyet | ||
56 | - buf_alloc = alloca(sendsz); /* not in IDR2? */ | ||
57 | -#else | ||
58 | - buf_alloc = malloc(sendsz); | ||
59 | -#endif /* notyet */ | ||
60 | - if (buf_alloc == NULL) { | ||
61 | - if (debugging) | ||
62 | - xlog(LOG_DEBUG, | ||
63 | - "rpcbproc_callit_com: No Memory!\n"); | ||
64 | - if (reply_type == RPCBPROC_INDIRECT) | ||
65 | - svcerr_systemerr(transp); | ||
66 | - return; | ||
67 | - } | ||
68 | - a.rmt_args.args = buf_alloc; | ||
69 | - } else { | ||
70 | - a.rmt_args.args = buf; | ||
71 | - } | ||
72 | + sendsz = UDPMSGSIZE; | ||
73 | |||
74 | call_msg.rm_xid = 0; /* For error checking purposes */ | ||
75 | + memset(&a, 0, sizeof(a)); /* Zero out the input buffer */ | ||
76 | if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { | ||
77 | if (reply_type == RPCBPROC_INDIRECT) | ||
78 | svcerr_decode(transp); | ||
79 | @@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, | ||
80 | if (rbl == (rpcblist_ptr)NULL) { | ||
81 | #ifdef RPCBIND_DEBUG | ||
82 | if (debugging) | ||
83 | - xlog(LOG_DEBUG, "not found\n"); | ||
84 | + xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", | ||
85 | + a.rmt_prog, a.rmt_vers); | ||
86 | #endif | ||
87 | if (reply_type == RPCBPROC_INDIRECT) | ||
88 | svcerr_noprog(transp); | ||
89 | @@ -937,8 +912,6 @@ out: | ||
90 | } | ||
91 | if (local_uaddr) | ||
92 | free(local_uaddr); | ||
93 | - if (buf_alloc) | ||
94 | - free(buf_alloc); | ||
95 | if (outbuf_alloc) | ||
96 | free(outbuf_alloc); | ||
97 | if (na) { | ||
98 | -- | ||
99 | 2.7.4 | ||
100 | |||
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb index 3c6774c28b..7c96aca36b 100644 --- a/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb +++ b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb | |||
@@ -15,13 +15,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \ | |||
15 | file://rpcbind.conf \ | 15 | file://rpcbind.conf \ |
16 | file://rpcbind.socket \ | 16 | file://rpcbind.socket \ |
17 | file://rpcbind.service \ | 17 | file://rpcbind.service \ |
18 | file://0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch \ | ||
19 | file://pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch \ | ||
20 | file://rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch \ | ||
21 | file://rpcbind_add_option_to_fix_port_number.patch \ | 18 | file://rpcbind_add_option_to_fix_port_number.patch \ |
22 | " | 19 | " |
23 | SRC_URI[md5sum] = "cf10cd41ed8228fc54c316191c1f07fe" | 20 | SRC_URI[md5sum] = "ed46f09b9c0fa2d49015f6431bc5ea7b" |
24 | SRC_URI[sha256sum] = "074a9a530dc7c11e0d905aa59bcb0847c009313f02e98d3d798aa9568f414c66" | 21 | SRC_URI[sha256sum] = "2ce360683963b35c19c43f0ee2c7f18aa5b81ef41c3fdbd15ffcb00b8bffda7a" |
25 | 22 | ||
26 | inherit autotools update-rc.d systemd pkgconfig | 23 | inherit autotools update-rc.d systemd pkgconfig |
27 | 24 | ||
@@ -48,8 +45,6 @@ PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/ | |||
48 | EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" | 45 | EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" |
49 | 46 | ||
50 | do_install_append () { | 47 | do_install_append () { |
51 | mv ${D}${bindir} ${D}${sbindir} | ||
52 | |||
53 | install -d ${D}${sysconfdir}/init.d | 48 | install -d ${D}${sysconfdir}/init.d |
54 | sed -e 's,/etc/,${sysconfdir}/,g' \ | 49 | sed -e 's,/etc/,${sysconfdir}/,g' \ |
55 | -e 's,/sbin/,${sbindir}/,g' \ | 50 | -e 's,/sbin/,${sbindir}/,g' \ |