rpcbind: Security Advisory - rpcbind - CVE-2015-7236
rpcbind: Fix memory corruption in PMAP_CALLIT code Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. The patch comes from <http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't been in rpcbind upstream yet. (From OE-Core rev: cc4f62f3627f3804907e8ff9c68d9321979df32b) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
04034e75e0
commit
f42ef3f50f
|
@ -0,0 +1,83 @@
|
|||
commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
|
||||
Author: Olaf Kirch <okir@...e.de>
|
||||
Date: Thu Aug 6 16:27:20 2015 +0200
|
||||
|
||||
Fix memory corruption in PMAP_CALLIT code
|
||||
|
||||
- A PMAP_CALLIT call comes in on IPv4 UDP
|
||||
- rpcbind duplicates the caller's address to a netbuf and stores it in
|
||||
FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
|
||||
with a size of 16 bytes
|
||||
- rpcbind forwards the call to the local service, receives a reply
|
||||
- when processing the reply, it does this in xprt_set_caller:
|
||||
xprt->xp_rtaddr = *FINFO[0].caller_addr
|
||||
It sends out the reply, and then frees the netbuf caller_addr and
|
||||
caller_addr.buf.
|
||||
However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
|
||||
to memory region A, which is free.
|
||||
- When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
|
||||
be called, which will set xp_rtaddr to the client's address.
|
||||
It will reuse the buffer inside xp_rtaddr, ie it will write a
|
||||
sockaddr_in to region A
|
||||
|
||||
Some time down the road, an incoming TCP connection is accepted,
|
||||
allocating a fresh SVCXPRT. The memory region A is inside the
|
||||
new SVCXPRT
|
||||
|
||||
- While processing the TCP call, another UDP call comes in, again
|
||||
overwriting region A with the client's address
|
||||
- TCP client closes connection. In svc_destroy, we now trip over
|
||||
the garbage left in region A
|
||||
|
||||
We ran into the case where a commercial scanner was triggering
|
||||
occasional rpcbind segfaults. The core file that was captured showed
|
||||
a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
|
||||
|
||||
Signed-off-by: Olaf Kirch <okir@...e.de>
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
|
||||
1 file changed, 22 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
|
||||
===================================================================
|
||||
--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
|
||||
+++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
|
||||
@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
|
||||
return (ncallbacks_found);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
|
||||
+ * been exported yet.
|
||||
+ */
|
||||
+static struct netbuf *
|
||||
+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
|
||||
+{
|
||||
+ if (nb->len != len) {
|
||||
+ if (nb->len)
|
||||
+ mem_free(nb->buf, nb->len);
|
||||
+ nb->buf = mem_alloc(len);
|
||||
+ if (nb->buf == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ nb->maxlen = nb->len = len;
|
||||
+ }
|
||||
+ memcpy(nb->buf, ptr, len);
|
||||
+ return nb;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
|
||||
{
|
||||
+ const struct netbuf *caller = fi->caller_addr;
|
||||
u_int32_t *xidp;
|
||||
|
||||
- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
|
||||
+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
|
||||
xidp = __rpcb_get_dg_xidp(xprt);
|
||||
*xidp = fi->caller_xid;
|
||||
}
|
|
@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
|
|||
file://rpcbind.conf \
|
||||
file://rpcbind.socket \
|
||||
file://rpcbind.service \
|
||||
file://cve-2015-7236.patch \
|
||||
"
|
||||
MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"
|
||||
|
||||
|
|
Loading…
Reference in New Issue