From 0b13cc2376a5bf69fcbf809ddad8a4bf928970be Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 14 Mar 2016 13:55:32 +0100 Subject: rpcbind: CVE-2015-7236 Fixes a use-after-free flaw in rpcbind. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236 Reference to the upstream fix: http://openwall.com/lists/oss-security/2015/09/18/7 Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- .../rpcbind/rpcbind/CVE-2015-7236.patch | 83 ++++++++++++++++++++++ meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb | 1 + 2 files changed, 84 insertions(+) create mode 100644 meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch new file mode 100644 index 0000000000..fc1fcc8629 --- /dev/null +++ b/meta/recipes-extended/rpcbind/rpcbind/CVE-2015-7236.patch @@ -0,0 +1,83 @@ +commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd +Author: Olaf Kirch +Date: Thu Aug 6 16:27:20 2015 +0200 + + Fix memory corruption in PMAP_CALLIT code + + - A PMAP_CALLIT call comes in on IPv4 UDP + - rpcbind duplicates the caller's address to a netbuf and stores it in + FINFO[0].caller_addr. caller_addr->buf now points to a memory region A + with a size of 16 bytes + - rpcbind forwards the call to the local service, receives a reply + - when processing the reply, it does this in xprt_set_caller: + xprt->xp_rtaddr = *FINFO[0].caller_addr + It sends out the reply, and then frees the netbuf caller_addr and + caller_addr.buf. + However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers + to memory region A, which is free. + - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will + be called, which will set xp_rtaddr to the client's address. + It will reuse the buffer inside xp_rtaddr, ie it will write a + sockaddr_in to region A + + Some time down the road, an incoming TCP connection is accepted, + allocating a fresh SVCXPRT. The memory region A is inside the + new SVCXPRT + + - While processing the TCP call, another UDP call comes in, again + overwriting region A with the client's address + - TCP client closes connection. In svc_destroy, we now trip over + the garbage left in region A + + We ran into the case where a commercial scanner was triggering + occasional rpcbind segfaults. The core file that was captured showed + a corrupted xprt->xp_netid pointer that was really a sockaddr_in. + + Fixes CVE-2015-7236 + Upstream-Status: Backport + + Signed-off-by: Olaf Kirch + Signed-off-by: Sona Sarmadi +--- + src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c +=================================================================== +--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c ++++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c +@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int + return (ncallbacks_found); + } + ++/* ++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't ++ * been exported yet. ++ */ ++static struct netbuf * ++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) ++{ ++ if (nb->len != len) { ++ if (nb->len) ++ mem_free(nb->buf, nb->len); ++ nb->buf = mem_alloc(len); ++ if (nb->buf == NULL) ++ return NULL; ++ ++ nb->maxlen = nb->len = len; ++ } ++ memcpy(nb->buf, ptr, len); ++ return nb; ++} ++ + static void + xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) + { ++ const struct netbuf *caller = fi->caller_addr; + u_int32_t *xidp; + +- *(svc_getrpccaller(xprt)) = *(fi->caller_addr); ++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); + xidp = __rpcb_get_dg_xidp(xprt); + *xidp = fi->caller_xid; + } diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb index b7324766f7..460726dc5a 100644 --- a/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb +++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.1.bb @@ -17,6 +17,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \ file://rpcbind.conf \ file://rpcbind.socket \ file://rpcbind.service \ + file://CVE-2015-7236.patch \ " UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \ -- cgit v1.2.3-54-g00ecf