aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2015-11-17 02:18:32 -0500
committerJoshua Lock <joshua.g.lock@intel.com>2016-02-29 15:05:16 +0000
commit16cf2f5386bc438dc20c4ae40de267618e9dc500 (patch)
treeba59c72a6586522d1fbee07fb6fc8c7b732403d4
parente479ec9e6cbd34f3a7a56a170aaabcc4229f1959 (diff)
downloadopenembedded-core-16cf2f5386bc438dc20c4ae40de267618e9dc500.zip
openembedded-core-16cf2f5386bc438dc20c4ae40de267618e9dc500.tar.gz
openembedded-core-16cf2f5386bc438dc20c4ae40de267618e9dc500.tar.bz2
rpcbind: Security Advisory - rpcbind - CVE-2015-7236
rpcbind: Fix memory corruption in PMAP_CALLIT code Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. The patch comes from <http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't been in rpcbind upstream yet. (From OE-Core master rev: cc4f62f3627f3804907e8ff9c68d9321979df32b) (From OE-Core rev: 224bcc2ead676600bcd9e290ed23d9b2ed2f481e) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch83
-rw-r--r--meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb1
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
new file mode 100644
index 0000000..f156290
--- /dev/null
+++ b/meta/recipes-extended/rpcbind/rpcbind/cve-2015-7236.patch
@@ -0,0 +1,83 @@
+commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
+Author: Olaf Kirch <okir@...e.de>
+Date: Thu Aug 6 16:27:20 2015 +0200
+
+ Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+ FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+ with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+ xprt->xp_rtaddr = *FINFO[0].caller_addr
+ It sends out the reply, and then frees the netbuf caller_addr and
+ caller_addr.buf.
+ However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+ to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+ be called, which will set xp_rtaddr to the client's address.
+ It will reuse the buffer inside xp_rtaddr, ie it will write a
+ sockaddr_in to region A
+
+ Some time down the road, an incoming TCP connection is accepted,
+ allocating a fresh SVCXPRT. The memory region A is inside the
+ new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+ overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+ the garbage left in region A
+
+ We ran into the case where a commercial scanner was triggering
+ occasional rpcbind segfaults. The core file that was captured showed
+ a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+ Signed-off-by: Olaf Kirch <okir@...e.de>
+
+ Upstream-Status: Backport
+
+ Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+===================================================================
+--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
++++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
++ * been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb
index 1952b2a..486073e 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
file://rpcbind.conf \
file://rpcbind.socket \
file://rpcbind.service \
+ file://cve-2015-7236.patch \
"
UCLIBCPATCHES_libc-uclibc = "file://0001-uclibc-nss.patch \