| Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 1 | From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001 |
| 2 | From: Florian Weimer <fweimer@redhat.com> |
| 3 | Date: Mon, 17 Jan 2022 10:21:34 +0100 |
| 4 | Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug |
| 5 | 28768) |
| 6 | |
| 7 | The sunrpc function svcunix_create suffers from a stack-based buffer |
| 8 | overflow with overlong pathname arguments. |
| 9 | |
| 10 | Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=f545ad4928fa1f27a3075265182b38a4f939a5f7] |
| 11 | CVE: CVE-2022-23218 |
| 12 | |
| 13 | Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> |
| 14 | Signed-off-by: Pgowda <pgowda.cve@gmail.com> |
| 15 | --- |
| 16 | NEWS | 3 +++ |
| 17 | sunrpc/Makefile | 2 +- |
| 18 | sunrpc/svc_unix.c | 11 ++++------- |
| 19 | sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ |
| 20 | 4 files changed, 50 insertions(+), 8 deletions(-) |
| 21 | create mode 100644 sunrpc/tst-bug28768.c |
| 22 | |
| 23 | diff --git a/NEWS b/NEWS |
| 24 | index 38a9ddb2cf..38802f0673 100644 |
| 25 | --- a/NEWS |
| 26 | +++ b/NEWS |
| 27 | @@ -203,6 +203,9 @@ Security related changes: |
| 28 | parameter number when processing the expansion resulting in a crash. |
| 29 | Reported by Philippe Antoine. |
| 30 | |
| 31 | + CVE-2022-23218: Passing an overlong file name to the svcunix_create |
| 32 | + legacy function could result in a stack-based buffer overflow. |
| 33 | + |
| 34 | The following bugs are resolved with this release: |
| 35 | |
| 36 | [4737] libc: fork is not async-signal-safe |
| 37 | diff --git a/sunrpc/Makefile b/sunrpc/Makefile |
| 38 | index 183ef3dc55..a79a7195fc 100644 |
| 39 | --- a/sunrpc/Makefile |
| 40 | +++ b/sunrpc/Makefile |
| 41 | @@ -65,7 +65,7 @@ shared-only-routines = $(routines) |
| 42 | endif |
| 43 | |
| 44 | tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ |
| 45 | - tst-udp-nonblocking |
| 46 | + tst-udp-nonblocking tst-bug28768 |
| 47 | xtests := tst-getmyaddr |
| 48 | |
| 49 | ifeq ($(have-thread-library),yes) |
| 50 | diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c |
| 51 | index f2280b4c49..67177a2e78 100644 |
| 52 | --- a/sunrpc/svc_unix.c |
| 53 | +++ b/sunrpc/svc_unix.c |
| 54 | @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize |
| 55 | SVCXPRT *xprt; |
| 56 | struct unix_rendezvous *r; |
| 57 | struct sockaddr_un addr; |
| 58 | - socklen_t len = sizeof (struct sockaddr_in); |
| 59 | + socklen_t len = sizeof (addr); |
| 60 | + |
| 61 | + if (__sockaddr_un_set (&addr, path) < 0) |
| 62 | + return NULL; |
| 63 | |
| 64 | if (sock == RPC_ANYSOCK) |
| 65 | { |
| 66 | @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize |
| 67 | } |
| 68 | madesock = TRUE; |
| 69 | } |
| 70 | - memset (&addr, '\0', sizeof (addr)); |
| 71 | - addr.sun_family = AF_UNIX; |
| 72 | - len = strlen (path) + 1; |
| 73 | - memcpy (addr.sun_path, path, len); |
| 74 | - len += sizeof (addr.sun_family); |
| 75 | - |
| 76 | __bind (sock, (struct sockaddr *) &addr, len); |
| 77 | |
| 78 | if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 |
| 79 | diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c |
| 80 | new file mode 100644 |
| 81 | index 0000000000..35a4b7b0b3 |
| 82 | --- /dev/null |
| 83 | +++ b/sunrpc/tst-bug28768.c |
| 84 | @@ -0,0 +1,42 @@ |
| 85 | +/* Test to verify that long path is rejected by svcunix_create (bug 28768). |
| 86 | + Copyright (C) 2022 Free Software Foundation, Inc. |
| 87 | + This file is part of the GNU C Library. |
| 88 | + |
| 89 | + The GNU C Library is free software; you can redistribute it and/or |
| 90 | + modify it under the terms of the GNU Lesser General Public |
| 91 | + License as published by the Free Software Foundation; either |
| 92 | + version 2.1 of the License, or (at your option) any later version. |
| 93 | + |
| 94 | + The GNU C Library is distributed in the hope that it will be useful, |
| 95 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 96 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 97 | + Lesser General Public License for more details. |
| 98 | + |
| 99 | + You should have received a copy of the GNU Lesser General Public |
| 100 | + License along with the GNU C Library; if not, see |
| 101 | + <http://www.gnu.org/licenses/>. */ |
| 102 | + |
| 103 | +#include <errno.h> |
| 104 | +#include <rpc/svc.h> |
| 105 | +#include <shlib-compat.h> |
| 106 | +#include <string.h> |
| 107 | +#include <support/check.h> |
| 108 | + |
| 109 | +/* svcunix_create does not have a default version in linkobj/libc.so. */ |
| 110 | +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); |
| 111 | + |
| 112 | +static int |
| 113 | +do_test (void) |
| 114 | +{ |
| 115 | + char pathname[109]; |
| 116 | + memset (pathname, 'x', sizeof (pathname)); |
| 117 | + pathname[sizeof (pathname) - 1] = '\0'; |
| 118 | + |
| 119 | + errno = 0; |
| 120 | + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); |
| 121 | + TEST_COMPARE (errno, EINVAL); |
| 122 | + |
| 123 | + return 0; |
| 124 | +} |
| 125 | + |
| 126 | +#include <support/test-driver.c> |