summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch221
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch30
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch100
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb (renamed from meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb)9
4 files changed, 2 insertions, 358 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch b/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
deleted file mode 100644
index bf7aaef5a9..0000000000
--- a/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch
+++ /dev/null
@@ -1,221 +0,0 @@
1From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001
2From: Doran Moppert <dmoppert@redhat.com>
3Date: Thu, 11 May 2017 11:42:54 -0400
4Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to
5 avoid memory leak
6
7This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
8at [1], [2], [3]. The last link suggests this issue is actually a bug
9in rpcbind, which led me here.
10
11The leak caused by the reproducer at [4] appears to come from
12rpcb_service_4(), in the case where svc_getargs() returns false and the
13function had an early return, rather than passing through the cleanup
14path at done:, as would otherwise occur.
15
16It also addresses a couple of other locations where the same fault seems
17to exist, though I haven't been able to exercise those. I hope someone
18more intimate with rpc(3) can confirm my understanding is correct, and
19that I haven't introduced any new bugs.
20
21Without this patch, using the reproducer (and variants) repeatedly
22against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
23rpcbind)/status reports VmSize increase of 976564 kB each call, and
24VmRSS increase of around 260 kB every 33 calls - the specific numbers
25are probably an artifact of my rhel/glibc version. With the patch,
26there is a small (~50 kB) VmSize increase with the first message, but
27thereafter both VmSize and VmRSS remain steady.
28
29[1]: http://seclists.org/oss-sec/2017/q2/209
30[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
31[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
32[4]: https://github.com/guidovranken/rpcbomb/
33
34
35CVE: CVE-2017-8779
36Upstream-Status: Backport
37
38Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
39---
40 src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
41 src/rpcb_svc.c | 2 +-
42 src/rpcb_svc_4.c | 2 +-
43 src/rpcb_svc_com.c | 8 ++++++++
44 4 files changed, 57 insertions(+), 11 deletions(-)
45
46diff --git a/src/pmap_svc.c b/src/pmap_svc.c
47index 4c744fe..e926cdc 100644
48--- a/src/pmap_svc.c
49+++ b/src/pmap_svc.c
50@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
51 long ans;
52 uid_t uid;
53 char uidbuf[32];
54+ int rc = TRUE;
55
56 /*
57 * Can't use getpwnam here. We might end up calling ourselves
58@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
59
60 if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
61 svcerr_decode(xprt);
62- return (FALSE);
63+ rc = FALSE;
64+ goto done;
65 }
66 #ifdef RPCBIND_DEBUG
67 if (debugging)
68@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
69
70 if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
71 svcerr_weakauth(xprt);
72- return (FALSE);
73+ rc = (FALSE);
74+ goto done;
75 }
76
77 rpcbreg.r_prog = reg.pm_prog;
78@@ -258,7 +261,16 @@ done_change:
79 rpcbs_set(RPCBVERS_2_STAT, ans);
80 else
81 rpcbs_unset(RPCBVERS_2_STAT, ans);
82- return (TRUE);
83+done:
84+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
85+ if (debugging) {
86+ /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/
87+ if (doabort) {
88+ rpcbind_abort();
89+ }
90+ }
91+ }
92+ return (rc);
93 }
94
95 /* ARGSUSED */
96@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
97 #ifdef RPCBIND_DEBUG
98 char *uaddr;
99 #endif
100+ int rc = TRUE;
101
102 if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
103 svcerr_decode(xprt);
104- return (FALSE);
105+ rc = FALSE;
106+ goto done;
107 }
108
109 if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
110 svcerr_weakauth(xprt);
111- return FALSE;
112+ rc = FALSE;
113+ goto done;
114 }
115
116 #ifdef RPCBIND_DEBUG
117@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
118 pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
119 port ? udptrans : "");
120
121- return (TRUE);
122+done:
123+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
124+ if (debugging) {
125+ /* (void) xlog(LOG_DEBUG, "unable to free arguments\n");*/
126+ if (doabort) {
127+ rpcbind_abort();
128+ }
129+ }
130+ }
131+ return (rc);
132 }
133
134 /* ARGSUSED */
135 static bool_t
136 pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
137 {
138+ int rc = TRUE;
139+
140 if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
141 svcerr_decode(xprt);
142- return (FALSE);
143+ rc = FALSE;
144+ goto done;
145 }
146
147 if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
148 svcerr_weakauth(xprt);
149- return FALSE;
150+ rc = FALSE;
151+ goto done;
152 }
153
154 if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
155@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
156 rpcbind_abort();
157 }
158 }
159- return (TRUE);
160+
161+done:
162+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
163+ if (debugging) {
164+ /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/
165+ if (doabort) {
166+ rpcbind_abort();
167+ }
168+ }
169+ }
170+ return (rc);
171 }
172
173 int pmap_netid2ipprot(const char *netid)
174diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
175index 709e3fb..091f530 100644
176--- a/src/rpcb_svc.c
177+++ b/src/rpcb_svc.c
178@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
179 svcerr_decode(transp);
180 if (debugging)
181 (void) xlog(LOG_DEBUG, "rpcbind: could not decode");
182- return;
183+ goto done;
184 }
185
186 if (rqstp->rq_proc == RPCBPROC_SET
187diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c
188index 5094879..eebbbbe 100644
189--- a/src/rpcb_svc_4.c
190+++ b/src/rpcb_svc_4.c
191@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
192 svcerr_decode(transp);
193 if (debugging)
194 (void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
195- return;
196+ goto done;
197 }
198
199 if (rqstp->rq_proc == RPCBPROC_SET
200diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
201index 5862c26..cb63afd 100644
202--- a/src/rpcb_svc_com.c
203+++ b/src/rpcb_svc_com.c
204@@ -927,6 +927,14 @@ error:
205 if (call_msg.rm_xid != 0)
206 (void) free_slot_by_xid(call_msg.rm_xid);
207 out:
208+ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
209+ if (debugging) {
210+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
211+ if (doabort) {
212+ rpcbind_abort();
213+ }
214+ }
215+ }
216 if (local_uaddr)
217 free(local_uaddr);
218 if (buf_alloc)
219--
2201.9.1
221
diff --git a/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
deleted file mode 100644
index 4c23ee01ca..0000000000
--- a/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch
+++ /dev/null
@@ -1,30 +0,0 @@
1From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001
2From: Steve Dickson <steved@redhat.com>
3Date: Wed, 17 May 2017 10:52:25 -0400
4Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch
5
6commit 7ea36eee introduce a typo that caused
7NIS (aka ypbind) to fail.
8
9Signed-off-by: Steve Dickson <steved@redhat.com>
10
11Upstream-Status: Backport
12
13Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
14---
15 src/pmap_svc.c | 2 +-
16 1 file changed, 1 insertion(+), 1 deletion(-)
17
18Index: rpcbind-0.2.4/src/pmap_svc.c
19===================================================================
20--- rpcbind-0.2.4.orig/src/pmap_svc.c
21+++ rpcbind-0.2.4/src/pmap_svc.c
22@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__
23 }
24
25 done:
26- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
27+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
28 if (debugging) {
29 /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/
30 if (doabort) {
diff --git a/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
deleted file mode 100644
index 9a000d0285..0000000000
--- a/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
+++ /dev/null
@@ -1,100 +0,0 @@
1From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001
2From: Steve Dickson <steved@redhat.com>
3Date: Tue, 30 May 2017 11:27:22 -0400
4Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer
5
6commit 7ea36ee introduced a svc_freeargs() call
7that ended up freeing static pointer.
8
9It turns out the allocations for the rmt_args
10is not necessary . The xdr routines (xdr_bytes) will
11handle the memory management and the largest
12possible message size is UDPMSGSIZE (due to UDP only)
13which is smaller than RPC_BUF_MAX
14
15Signed-off-by: Steve Dickson <steved@redhat.com>
16
17Upstream-Status: Backport
18
19Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
20---
21 src/rpcb_svc_com.c | 39 ++++++---------------------------------
22 1 file changed, 6 insertions(+), 33 deletions(-)
23
24diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
25index cb63afd..1fc2229 100644
26--- a/src/rpcb_svc_com.c
27+++ b/src/rpcb_svc_com.c
28@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
29 struct netconfig *nconf;
30 struct netbuf *caller;
31 struct r_rmtcall_args a;
32- char *buf_alloc = NULL, *outbufp;
33+ char *outbufp;
34 char *outbuf_alloc = NULL;
35- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX];
36+ char outbuf[RPC_BUF_MAX];
37 struct netbuf *na = (struct netbuf *) NULL;
38 struct rpc_msg call_msg;
39 int outlen;
40@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
41 }
42 if (si.si_socktype != SOCK_DGRAM)
43 return; /* Only datagram type accepted */
44- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE);
45- if (sendsz == 0) { /* data transfer not supported */
46- if (reply_type == RPCBPROC_INDIRECT)
47- svcerr_systemerr(transp);
48- return;
49- }
50- /*
51- * Should be multiple of 4 for XDR.
52- */
53- sendsz = ((sendsz + 3) / 4) * 4;
54- if (sendsz > RPC_BUF_MAX) {
55-#ifdef notyet
56- buf_alloc = alloca(sendsz); /* not in IDR2? */
57-#else
58- buf_alloc = malloc(sendsz);
59-#endif /* notyet */
60- if (buf_alloc == NULL) {
61- if (debugging)
62- xlog(LOG_DEBUG,
63- "rpcbproc_callit_com: No Memory!\n");
64- if (reply_type == RPCBPROC_INDIRECT)
65- svcerr_systemerr(transp);
66- return;
67- }
68- a.rmt_args.args = buf_alloc;
69- } else {
70- a.rmt_args.args = buf;
71- }
72+ sendsz = UDPMSGSIZE;
73
74 call_msg.rm_xid = 0; /* For error checking purposes */
75+ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */
76 if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
77 if (reply_type == RPCBPROC_INDIRECT)
78 svcerr_decode(transp);
79@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
80 if (rbl == (rpcblist_ptr)NULL) {
81 #ifdef RPCBIND_DEBUG
82 if (debugging)
83- xlog(LOG_DEBUG, "not found\n");
84+ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n",
85+ a.rmt_prog, a.rmt_vers);
86 #endif
87 if (reply_type == RPCBPROC_INDIRECT)
88 svcerr_noprog(transp);
89@@ -937,8 +912,6 @@ out:
90 }
91 if (local_uaddr)
92 free(local_uaddr);
93- if (buf_alloc)
94- free(buf_alloc);
95 if (outbuf_alloc)
96 free(outbuf_alloc);
97 if (na) {
98--
992.7.4
100
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb
index 3c6774c28b..7c96aca36b 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb
@@ -15,13 +15,10 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
15 file://rpcbind.conf \ 15 file://rpcbind.conf \
16 file://rpcbind.socket \ 16 file://rpcbind.socket \
17 file://rpcbind.service \ 17 file://rpcbind.service \
18 file://0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch \
19 file://pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch \
20 file://rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch \
21 file://rpcbind_add_option_to_fix_port_number.patch \ 18 file://rpcbind_add_option_to_fix_port_number.patch \
22 " 19 "
23SRC_URI[md5sum] = "cf10cd41ed8228fc54c316191c1f07fe" 20SRC_URI[md5sum] = "ed46f09b9c0fa2d49015f6431bc5ea7b"
24SRC_URI[sha256sum] = "074a9a530dc7c11e0d905aa59bcb0847c009313f02e98d3d798aa9568f414c66" 21SRC_URI[sha256sum] = "2ce360683963b35c19c43f0ee2c7f18aa5b81ef41c3fdbd15ffcb00b8bffda7a"
25 22
26inherit autotools update-rc.d systemd pkgconfig 23inherit autotools update-rc.d systemd pkgconfig
27 24
@@ -48,8 +45,6 @@ PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/
48EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" 45EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc"
49 46
50do_install_append () { 47do_install_append () {
51 mv ${D}${bindir} ${D}${sbindir}
52
53 install -d ${D}${sysconfdir}/init.d 48 install -d ${D}${sysconfdir}/init.d
54 sed -e 's,/etc/,${sysconfdir}/,g' \ 49 sed -e 's,/etc/,${sysconfdir}/,g' \
55 -e 's,/sbin/,${sbindir}/,g' \ 50 -e 's,/sbin/,${sbindir}/,g' \