Andrew Geissler | 595f630 | 2022-01-24 19:11:47 +0000 | [diff] [blame] | 1 | From ef972a4c50014a16132b5c75571cfb6b30bef136 Mon Sep 17 00:00:00 2001 |
| 2 | From: Martin Sebor <msebor@redhat.com> |
| 3 | Date: Mon, 17 Jan 2022 10:21:34 +0100 |
| 4 | Subject: [PATCH] sunrpc: Test case for clnt_create "unix" buffer overflow (bug |
| 5 | 22542) |
| 6 | |
| 7 | Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=ef972a4c50014a16132b5c75571cfb6b30bef136] |
| 8 | CVE: CVE-2022-23219 |
| 9 | |
| 10 | Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> |
| 11 | Signed-off-by: Pgowda <pgowda.cve@gmail.com> |
| 12 | --- |
| 13 | sunrpc/Makefile | 5 ++++- |
| 14 | sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ |
| 15 | 2 files changed, 48 insertions(+), 1 deletion(-) |
| 16 | create mode 100644 sunrpc/tst-bug22542.c |
| 17 | |
| 18 | diff --git a/sunrpc/Makefile b/sunrpc/Makefile |
| 19 | index 9a31fe48b9..183ef3dc55 100644 |
| 20 | --- a/sunrpc/Makefile |
| 21 | +++ b/sunrpc/Makefile |
| 22 | @@ -65,7 +65,7 @@ shared-only-routines = $(routines) |
| 23 | endif |
| 24 | |
| 25 | tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ |
| 26 | - tst-udp-nonblocking tst-bug28768 |
| 27 | + tst-udp-nonblocking tst-bug22542 tst-bug28768 |
| 28 | xtests := tst-getmyaddr |
| 29 | |
| 30 | ifeq ($(have-thread-library),yes) |
| 31 | @@ -110,6 +110,8 @@ $(objpfx)tst-udp-nonblocking: $(common-o |
| 32 | $(objpfx)tst-udp-garbage: \ |
| 33 | $(common-objpfx)linkobj/libc.so $(shared-thread-library) |
| 34 | |
| 35 | +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so |
| 36 | + |
| 37 | else # !have-GLIBC_2.31 |
| 38 | |
| 39 | routines = $(routines-for-nss) |
| 40 | diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c |
| 41 | new file mode 100644 |
| 42 | index 0000000000..d6cd79787b |
| 43 | --- /dev/null |
| 44 | +++ b/sunrpc/tst-bug22542.c |
| 45 | @@ -0,0 +1,44 @@ |
| 46 | +/* Test to verify that overlong hostname is rejected by clnt_create |
| 47 | + and doesn't cause a buffer overflow (bug 22542). |
| 48 | + |
| 49 | + Copyright (C) 2022 Free Software Foundation, Inc. |
| 50 | + This file is part of the GNU C Library. |
| 51 | + |
| 52 | + The GNU C Library is free software; you can redistribute it and/or |
| 53 | + modify it under the terms of the GNU Lesser General Public |
| 54 | + License as published by the Free Software Foundation; either |
| 55 | + version 2.1 of the License, or (at your option) any later version. |
| 56 | + |
| 57 | + The GNU C Library is distributed in the hope that it will be useful, |
| 58 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 59 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 60 | + Lesser General Public License for more details. |
| 61 | + |
| 62 | + You should have received a copy of the GNU Lesser General Public |
| 63 | + License along with the GNU C Library; if not, see |
| 64 | + <http://www.gnu.org/licenses/>. */ |
| 65 | + |
| 66 | +#include <errno.h> |
| 67 | +#include <rpc/clnt.h> |
| 68 | +#include <string.h> |
| 69 | +#include <support/check.h> |
| 70 | +#include <sys/socket.h> |
| 71 | +#include <sys/un.h> |
| 72 | + |
| 73 | +static int |
| 74 | +do_test (void) |
| 75 | +{ |
| 76 | + /* Create an arbitrary hostname that's longer than fits in sun_path. */ |
| 77 | + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; |
| 78 | + memset (name, 'x', sizeof name - 1); |
| 79 | + name [sizeof name - 1] = '\0'; |
| 80 | + |
| 81 | + errno = 0; |
| 82 | + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); |
| 83 | + |
| 84 | + TEST_VERIFY (clnt == NULL); |
| 85 | + TEST_COMPARE (errno, EINVAL); |
| 86 | + return 0; |
| 87 | +} |
| 88 | + |
| 89 | +#include <support/test-driver.c> |