2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
new file mode 100644
index 0000000000..f156290bf6
--- /dev/null
+++ b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
@@ -0,0 +1,83 @@
+commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
+Author: Olaf Kirch <okir@...e.de>
+Date:   Thu Aug 6 16:27:20 2015 +0200
+    Fix memory corruption in PMAP_CALLIT code
+    
+     - A PMAP_CALLIT call comes in on IPv4 UDP
+     - rpcbind duplicates the caller's address to a netbuf and stores it in
+       FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+       with a size of 16 bytes
+     - rpcbind forwards the call to the local service, receives a reply
+     - when processing the reply, it does this in xprt_set_caller:
+         xprt->xp_rtaddr = *FINFO[0].caller_addr
+       It sends out the reply, and then frees the netbuf caller_addr and
+       caller_addr.buf.
+       However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+       to memory region A, which is free.
+     - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+       be called, which will set xp_rtaddr to the client's address.
+       It will reuse the buffer inside xp_rtaddr, ie it will write a
+       sockaddr_in to region A
+    
+    Some time down the road, an incoming TCP connection is accepted,
+    allocating a fresh SVCXPRT. The memory region A is inside the
+    new SVCXPRT
+    
+     - While processing the TCP call, another UDP call comes in, again
+       overwriting region A with the client's address
+     - TCP client closes connection. In svc_destroy, we now trip over
+       the garbage left in region A
+    
+    We ran into the case where a commercial scanner was triggering
+    occasional rpcbind segfaults. The core file that was captured showed
+    a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+    
+    Signed-off-by: Olaf Kirch <okir@...e.de>
+    Upstream-Status: Backport
+    Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/rpcb_svc_com.c |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+===================================================================
+--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
+++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
+        return (ncallbacks_found);
+ }
+ 
+/*
+ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
+ * been exported yet.
+ */
+static struct netbuf *
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
+{
+       if (nb->len != len) {
+               if (nb->len)
+                       mem_free(nb->buf, nb->len);
+               nb->buf = mem_alloc(len);
+               if (nb->buf == NULL)
+                       return NULL;
+
+               nb->maxlen = nb->len = len;
+       }
+       memcpy(nb->buf, ptr, len);
+       return nb;
+}
+
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
+       const struct netbuf *caller = fi->caller_addr;
+        u_int32_t *xidp;
+ 
+-       *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
+       __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+        xidp = __rpcb_get_dg_xidp(xprt);
+        *xidp = fi->caller_xid;
+ }
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
index 237018b439..ecd3ba8a50 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
           file://rpcbind.conf \
           file://rpcbind.socket \
           file://rpcbind.service \
+           file://cve-2015-7236.patch \
          "
 MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"

diff --git a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch new file mode 100644 index 0000000000..f156290bf6 --- /dev/null +++ b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
@@ -0,0 +1,83 @@
		1	commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
		2	Author: Olaf Kirch <okir@...e.de>
		3	Date: Thu Aug 6 16:27:20 2015 +0200
		4
		5	Fix memory corruption in PMAP_CALLIT code
		6
		7	- A PMAP_CALLIT call comes in on IPv4 UDP
		8	- rpcbind duplicates the caller's address to a netbuf and stores it in
		9	FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
		10	with a size of 16 bytes
		11	- rpcbind forwards the call to the local service, receives a reply
		12	- when processing the reply, it does this in xprt_set_caller:
		13	xprt->xp_rtaddr = *FINFO[0].caller_addr
		14	It sends out the reply, and then frees the netbuf caller_addr and
		15	caller_addr.buf.
		16	However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
		17	to memory region A, which is free.
		18	- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
		19	be called, which will set xp_rtaddr to the client's address.
		20	It will reuse the buffer inside xp_rtaddr, ie it will write a
		21	sockaddr_in to region A
		22
		23	Some time down the road, an incoming TCP connection is accepted,
		24	allocating a fresh SVCXPRT. The memory region A is inside the
		25	new SVCXPRT
		26
		27	- While processing the TCP call, another UDP call comes in, again
		28	overwriting region A with the client's address
		29	- TCP client closes connection. In svc_destroy, we now trip over
		30	the garbage left in region A
		31
		32	We ran into the case where a commercial scanner was triggering
		33	occasional rpcbind segfaults. The core file that was captured showed
		34	a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
		35
		36	Signed-off-by: Olaf Kirch <okir@...e.de>
		37
		38	Upstream-Status: Backport
		39
		40	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		41	---
		42	src/rpcb_svc_com.c \| 23 ++++++++++++++++++++++-
		43	1 file changed, 22 insertions(+), 1 deletion(-)
		44
		45	Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
		46	===================================================================
		47	--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
		48	+++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
		49	@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
		50	return (ncallbacks_found);
		51	}
		52
		53	+/*
		54	+ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
		55	+ * been exported yet.
		56	+ */
		57	+static struct netbuf *
		58	+__rpc_set_netbuf(struct netbuf nb, const void ptr, size_t len)
		59	+{
		60	+ if (nb->len != len) {
		61	+ if (nb->len)
		62	+ mem_free(nb->buf, nb->len);
		63	+ nb->buf = mem_alloc(len);
		64	+ if (nb->buf == NULL)
		65	+ return NULL;
		66	+
		67	+ nb->maxlen = nb->len = len;
		68	+ }
		69	+ memcpy(nb->buf, ptr, len);
		70	+ return nb;
		71	+}
		72	+
		73	static void
		74	xprt_set_caller(SVCXPRT xprt, struct finfo fi)
		75	{
		76	+ const struct netbuf *caller = fi->caller_addr;
		77	u_int32_t *xidp;
		78
		79	- (svc_getrpccaller(xprt)) = (fi->caller_addr);
		80	+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
		81	xidp = __rpcb_get_dg_xidp(xprt);
		82	*xidp = fi->caller_xid;
		83	}


diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb index 237018b439..ecd3ba8a50 100644 --- a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb +++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
19	file://rpcbind.conf \	19	file://rpcbind.conf \
20	file://rpcbind.socket \	20	file://rpcbind.socket \
21	file://rpcbind.service \	21	file://rpcbind.service \
		22	file://cve-2015-7236.patch \
22	"	23	"
23	MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"	24	MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"
24		25