snailed
/
void-packages
2
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Activity

rpcbind: update to 1.2.5.

This commit is contained in:
maxice8 2018-08-15 15:31:19 -03:00
parent 412459dcbe
commit 22e283bfe3
No known key found for this signature in database
GPG Key ID: 543B9D4F4299F06B
4 changed files with 3 additions and 345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

217
srcpkgs/rpcbind/patches/CVE-2017-8779.patch
View File

@ -1,217 +0,0 @@
From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert@redhat.com>
Date: Thu, 11 May 2017 11:42:54 -0400
Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to
avoid memory leak
This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
at [1], [2], [3]. The last link suggests this issue is actually a bug
in rpcbind, which led me here.
The leak caused by the reproducer at [4] appears to come from
rpcb_service_4(), in the case where svc_getargs() returns false and the
function had an early return, rather than passing through the cleanup
path at done:, as would otherwise occur.
It also addresses a couple of other locations where the same fault seems
to exist, though I haven't been able to exercise those. I hope someone
more intimate with rpc(3) can confirm my understanding is correct, and
that I haven't introduced any new bugs.
Without this patch, using the reproducer (and variants) repeatedly
against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
rpcbind)/status reports VmSize increase of 976564 kB each call, and
VmRSS increase of around 260 kB every 33 calls - the specific numbers
are probably an artifact of my rhel/glibc version. With the patch,
there is a small (~50 kB) VmSize increase with the first message, but
thereafter both VmSize and VmRSS remain steady.
[1]: http://seclists.org/oss-sec/2017/q2/209
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
[4]: https://github.com/guidovranken/rpcbomb/
Signed-off-by: Doran Moppert <dmoppert@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
src/rpcb_svc.c | 2 +-
src/rpcb_svc_4.c | 2 +-
src/rpcb_svc_com.c | 8 ++++++++
4 files changed, 57 insertions(+), 11 deletions(-)
--- src/pmap_svc.c
+++ src/pmap_svc.c
@@ -175,6 +175,7 @@
long ans;
uid_t uid;
char uidbuf[32];
+ int rc = TRUE;
/*
* Can't use getpwnam here. We might end up calling ourselves
@@ -194,7 +195,8 @@
if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
svcerr_decode(xprt);
- return (FALSE);
+ rc = FALSE;
+ goto done;
}
#ifdef RPCBIND_DEBUG
if (debugging)
@@ -205,7 +207,8 @@
if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
svcerr_weakauth(xprt);
- return (FALSE);
+ rc = (FALSE);
+ goto done;
}
rpcbreg.r_prog = reg.pm_prog;
@@ -258,7 +261,18 @@
rpcbs_set(RPCBVERS_2_STAT, ans);
else
rpcbs_unset(RPCBVERS_2_STAT, ans);
- return (TRUE);
+done:
+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+ if (debugging) {
+#ifdef RPCBIND_DEBUG
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+#endif
+ if (doabort) {
+ rpcbind_abort();
+ }
+ }
+ }
+ return (rc);
}
/* ARGSUSED */
@@ -272,15 +286,18 @@
#ifdef RPCBIND_DEBUG
char *uaddr;
#endif
+ int rc = TRUE;
if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
svcerr_decode(xprt);
- return (FALSE);
+ rc = FALSE;
+ goto done;
}
if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
svcerr_weakauth(xprt);
- return FALSE;
+ rc = FALSE;
+ goto done;
}
#ifdef RPCBIND_DEBUG
@@ -330,21 +347,36 @@
pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
port ? udptrans : "");
- return (TRUE);
+done:
+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+ if (debugging) {
+#ifdef RPCBIND_DEBUG
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+#endif
+ if (doabort) {
+ rpcbind_abort();
+ }
+ }
+ }
+ return (rc);
}
/* ARGSUSED */
static bool_t
pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
{
+ int rc = TRUE;
+
if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
svcerr_decode(xprt);
- return (FALSE);
+ rc = FALSE;
+ goto done;
}
if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
svcerr_weakauth(xprt);
- return FALSE;
+ rc = FALSE;
+ goto done;
}
if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
@@ -354,7 +386,19 @@
rpcbind_abort();
}
}
- return (TRUE);
+
+done:
+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
+ if (debugging) {
+#ifdef RPCBIND_DEBUG
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+#endif
+ if (doabort) {
+ rpcbind_abort();
+ }
+ }
+ }
+ return (rc);
}
int pmap_netid2ipprot(const char *netid)
--- src/rpcb_svc.c
+++ src/rpcb_svc.c
@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
svcerr_decode(transp);
if (debugging)
(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
- return;
+ goto done;
}
if (rqstp->rq_proc == RPCBPROC_SET
--- src/rpcb_svc_4.c
+++ src/rpcb_svc_4.c
@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
svcerr_decode(transp);
if (debugging)
(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
- return;
+ goto done;
}
if (rqstp->rq_proc == RPCBPROC_SET
--- src/rpcb_svc_com.c
+++ src/rpcb_svc_com.c
@@ -927,6 +927,14 @@ error:
if (call_msg.rm_xid != 0)
(void) free_slot_by_xid(call_msg.rm_xid);
out:
+ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
+ if (debugging) {
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+ if (doabort) {
+ rpcbind_abort();
+ }
+ }
+ }
if (local_uaddr)
free(local_uaddr);
if (buf_alloc)
--
1.8.3.1

30
srcpkgs/rpcbind/patches/pmapproc_dump-Fixed-type-in-memory-leak-patch.patch
View File

@ -1,30 +0,0 @@
From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Wed, 17 May 2017 10:52:25 -0400
Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch
commit 7ea36eee introduce a typo that caused
NIS (aka ypbind) to fail.
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/pmap_svc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git src/pmap_svc.c src/pmap_svc.c
index e926cdc..26c31d0 100644
--- src/pmap_svc.c
+++ src/pmap_svc.c
@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
}
done:
- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
if (debugging) {
(void) xlog(LOG_DEBUG, "unable to free arguments\n");
if (doabort) {
--
1.8.3.1

95
srcpkgs/rpcbind/patches/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch
View File

@ -1,95 +0,0 @@
From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001
From: Steve Dickson <steved@redhat.com>
Date: Tue, 30 May 2017 11:27:22 -0400
Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer
commit 7ea36ee introduced a svc_freeargs() call
that ended up freeing static pointer.
It turns out the allocations for the rmt_args
is not necessary . The xdr routines (xdr_bytes) will
handle the memory management and the largest
possible message size is UDPMSGSIZE (due to UDP only)
which is smaller than RPC_BUF_MAX
Signed-off-by: Steve Dickson <steved@redhat.com>
---
src/rpcb_svc_com.c | 39 ++++++---------------------------------
1 file changed, 6 insertions(+), 33 deletions(-)
--- src/rpcb_svc_com.c
+++ src/rpcb_svc_com.c
@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
struct netconfig *nconf;
struct netbuf *caller;
struct r_rmtcall_args a;
- char *buf_alloc = NULL, *outbufp;
+ char *outbufp;
char *outbuf_alloc = NULL;
- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX];
+ char outbuf[RPC_BUF_MAX];
struct netbuf *na = (struct netbuf *) NULL;
struct rpc_msg call_msg;
int outlen;
@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
}
if (si.si_socktype != SOCK_DGRAM)
return; /* Only datagram type accepted */
- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE);
- if (sendsz == 0) { /* data transfer not supported */
- if (reply_type == RPCBPROC_INDIRECT)
- svcerr_systemerr(transp);
- return;
- }
- /*
- * Should be multiple of 4 for XDR.
- */
- sendsz = ((sendsz + 3) / 4) * 4;
- if (sendsz > RPC_BUF_MAX) {
-#ifdef notyet
- buf_alloc = alloca(sendsz); /* not in IDR2? */
-#else
- buf_alloc = malloc(sendsz);
-#endif /* notyet */
- if (buf_alloc == NULL) {
- if (debugging)
- xlog(LOG_DEBUG,
- "rpcbproc_callit_com: No Memory!\n");
- if (reply_type == RPCBPROC_INDIRECT)
- svcerr_systemerr(transp);
- return;
- }
- a.rmt_args.args = buf_alloc;
- } else {
- a.rmt_args.args = buf;
- }
+ sendsz = UDPMSGSIZE;
call_msg.rm_xid = 0; /* For error checking purposes */
+ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */
if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
if (reply_type == RPCBPROC_INDIRECT)
svcerr_decode(transp);
@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp,
if (rbl == (rpcblist_ptr)NULL) {
#ifdef RPCBIND_DEBUG
if (debugging)
- xlog(LOG_DEBUG, "not found\n");
+ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n",
+ a.rmt_prog, a.rmt_vers);
#endif
if (reply_type == RPCBPROC_INDIRECT)
svcerr_noprog(transp);
@@ -937,8 +912,6 @@ out:
}
if (local_uaddr)
free(local_uaddr);
- if (buf_alloc)
- free(buf_alloc);
if (outbuf_alloc)
free(outbuf_alloc);
if (na) {
--
1.8.3.1

6
srcpkgs/rpcbind/template
View File

@ -1,6 +1,6 @@
# Template file for 'rpcbind'
pkgname=rpcbind
version=0.2.4
version=1.2.5
revision=1
build_style=gnu-configure
configure_args="--enable-warmstarts --with-statedir=/run --with-rpcuser=rpc
@ -12,8 +12,8 @@ short_desc="Converts RPC program numbers into universal addresses"
maintainer="Juan RP <xtraeme@voidlinux.eu>"
homepage="http://rpcbind.sourceforge.net"
license="BSD"
distfiles="${SOURCEFORGE_SITE}/$pkgname/$pkgname-$version.tar.bz2"
checksum=074a9a530dc7c11e0d905aa59bcb0847c009313f02e98d3d798aa9568f414c66
distfiles="${SOURCEFORGE_SITE}/${pkgname}/${pkgname}-${version}.tar.bz2"
checksum=2ce360683963b35c19c43f0ee2c7f18aa5b81ef41c3fdbd15ffcb00b8bffda7a
post_install() {
vlicense COPYING