Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 1 | commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd |
| 2 | Author: Olaf Kirch <okir@...e.de> |
| 3 | Date: Thu Aug 6 16:27:20 2015 +0200 |
| 4 | |
| 5 | Fix memory corruption in PMAP_CALLIT code |
| 6 | |
| 7 | - A PMAP_CALLIT call comes in on IPv4 UDP |
| 8 | - rpcbind duplicates the caller's address to a netbuf and stores it in |
| 9 | FINFO[0].caller_addr. caller_addr->buf now points to a memory region A |
| 10 | with a size of 16 bytes |
| 11 | - rpcbind forwards the call to the local service, receives a reply |
| 12 | - when processing the reply, it does this in xprt_set_caller: |
| 13 | xprt->xp_rtaddr = *FINFO[0].caller_addr |
| 14 | It sends out the reply, and then frees the netbuf caller_addr and |
| 15 | caller_addr.buf. |
| 16 | However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers |
| 17 | to memory region A, which is free. |
| 18 | - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will |
| 19 | be called, which will set xp_rtaddr to the client's address. |
| 20 | It will reuse the buffer inside xp_rtaddr, ie it will write a |
| 21 | sockaddr_in to region A |
| 22 | |
| 23 | Some time down the road, an incoming TCP connection is accepted, |
| 24 | allocating a fresh SVCXPRT. The memory region A is inside the |
| 25 | new SVCXPRT |
| 26 | |
| 27 | - While processing the TCP call, another UDP call comes in, again |
| 28 | overwriting region A with the client's address |
| 29 | - TCP client closes connection. In svc_destroy, we now trip over |
| 30 | the garbage left in region A |
| 31 | |
| 32 | We ran into the case where a commercial scanner was triggering |
| 33 | occasional rpcbind segfaults. The core file that was captured showed |
| 34 | a corrupted xprt->xp_netid pointer that was really a sockaddr_in. |
| 35 | |
| 36 | Signed-off-by: Olaf Kirch <okir@...e.de> |
| 37 | |
| 38 | Upstream-Status: Backport |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 39 | CVE: CVE-2015-7236 |
Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | [diff] [blame] | 40 | |
| 41 | Signed-off-by: Li Zhou <li.zhou@windriver.com> |
| 42 | --- |
| 43 | src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- |
| 44 | 1 file changed, 22 insertions(+), 1 deletion(-) |
| 45 | |
| 46 | Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c |
| 47 | =================================================================== |
| 48 | --- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c |
| 49 | +++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c |
| 50 | @@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int |
| 51 | return (ncallbacks_found); |
| 52 | } |
| 53 | |
| 54 | +/* |
| 55 | + * This is really a helper function defined in libtirpc, but unfortunately, it hasn't |
| 56 | + * been exported yet. |
| 57 | + */ |
| 58 | +static struct netbuf * |
| 59 | +__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) |
| 60 | +{ |
| 61 | + if (nb->len != len) { |
| 62 | + if (nb->len) |
| 63 | + mem_free(nb->buf, nb->len); |
| 64 | + nb->buf = mem_alloc(len); |
| 65 | + if (nb->buf == NULL) |
| 66 | + return NULL; |
| 67 | + |
| 68 | + nb->maxlen = nb->len = len; |
| 69 | + } |
| 70 | + memcpy(nb->buf, ptr, len); |
| 71 | + return nb; |
| 72 | +} |
| 73 | + |
| 74 | static void |
| 75 | xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) |
| 76 | { |
| 77 | + const struct netbuf *caller = fi->caller_addr; |
| 78 | u_int32_t *xidp; |
| 79 | |
| 80 | - *(svc_getrpccaller(xprt)) = *(fi->caller_addr); |
| 81 | + __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); |
| 82 | xidp = __rpcb_get_dg_xidp(xprt); |
| 83 | *xidp = fi->caller_xid; |
| 84 | } |