Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000
From 226b46770c82899b555986583294b049c6ec9b40 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Jan 2022 10:21:34 +0100
Subject: [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for
 "unix" (bug 22542)

Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=226b46770c82899b555986583294b049c6ec9b40]
CVE: CVE-2022-23219

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Signed-off-by: Pgowda <pgowda.cve@gmail.com>
---
 NEWS              |  4 +++-
 sunrpc/clnt_gen.c | 10 +++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

| 20 | diff --git a/NEWS b/NEWS |
| 21 | index ddd95a8329..38a9ddb2cf 100644 |
| 22 | --- a/NEWS |
| 23 | +++ b/NEWS |
| 24 | @@ -206,6 +206,10 @@ Security related changes: |
| 25 | CVE-2022-23218: Passing an overlong file name to the svcunix_create |
| 26 | legacy function could result in a stack-based buffer overflow. |
| 27 | |
| 28 | + CVE-2022-23219: Passing an overlong file name to the clnt_create |
| 29 | + legacy function could result in a stack-based buffer overflow when |
| 30 | + using the "unix" protocol. Reported by Martin Sebor. |
| 31 | + |
| 32 | The following bugs are resolved with this release: |
| 33 | |
| 34 | [4737] libc: fork is not async-signal-safe |
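Review bot: the diffstat in the header does not describe this hunk. The hunk is four pure insertions (@@ -206,6 +206,10 @@, no '-' lines), but the stat line reads "NEWS | 4 +++-" and the summary claims 4 deletions in total, which with clnt_gen.c's three removed lines only adds up if NEWS lost a line. The stat was most likely carried over from the upstream commit when the NEWS hunk was adjusted for this tree; regenerate it with git format-patch against the applied backport so the header matches the patch as shipped. The entry itself follows the CVE-2022-23218 paragraph directly above it in wording and credits the reporter, so no change is needed to the text.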
| 35 | diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c |
| 36 | index 13ced8994e..b44357cd88 100644 |
| 37 | --- a/sunrpc/clnt_gen.c |
| 38 | +++ b/sunrpc/clnt_gen.c |
| 39 | @@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_lon |
| 40 | |
| 41 | if (strcmp (proto, "unix") == 0) |
| 42 | { |
| 43 | - memset ((char *)&sun, 0, sizeof (sun)); |
| 44 | - sun.sun_family = AF_UNIX; |
| 45 | - strcpy (sun.sun_path, hostname); |
| 46 | + if (__sockaddr_un_set (&sun, hostname) < 0) |
| 47 | + { |
| 48 | + struct rpc_createerr *ce = &get_rpc_createerr (); |
| 49 | + ce->cf_stat = RPC_SYSTEMERROR; |
| 50 | + ce->cf_error.re_errno = errno; |
| 51 | + return NULL; |
| 52 | + } |
| 53 | sock = RPC_ANYSOCK; |
| 54 | client = clntunix_create (&sun, prog, vers, &sock, 0, 0); |
| 55 | if (client == NULL) |
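Review bot: the error path reads errno into ce->cf_error.re_errno immediately after __sockaddr_un_set returns a negative value, so the fix is only as good as two things this patch does not show: the helper must set errno on every failing return (presumably ENAMETOOLONG for an overlong hostname), and, because the memset of sun is removed, the helper must now zero the whole sockaddr_un and set sun_family itself. Neither the helper nor an #include <errno.h> appears in the hunk, so confirm both in the target tree, where __sockaddr_un_set has to exist already for this backport to compile. Otherwise the change has the right shape: the unbounded strcpy into sun.sun_path is gone, and an overlong path is reported through rpc_createerr as RPC_SYSTEMERROR with the real errno instead of overrunning the stack buffer, so a caller that checks clnt_create's NULL return gets a meaningful cause.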