* [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236
@ 2015-11-17 7:18 wenzong.fan
2015-11-18 1:44 ` akuster808
0 siblings, 1 reply; 4+ messages in thread
From: wenzong.fan @ 2015-11-17 7:18 UTC (permalink / raw)
To: openembedded-core
From: Li Zhou <li.zhou@windriver.com>
rpcbind: Fix memory corruption in PMAP_CALLIT code
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT
code.
The patch comes from
<http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
been in rpcbind upstream yet.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
...Fix_memory_corruption_in_PMAP_CALLIT_code.patch | 83 ++++++++++++++++++++++
meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb | 1 +
2 files changed, 84 insertions(+)
create mode 100644 meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
diff --git a/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
new file mode 100644
index 0000000..f156290
--- /dev/null
+++ b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
@@ -0,0 +1,83 @@
+commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
+Author: Olaf Kirch <okir@...e.de>
+Date: Thu Aug 6 16:27:20 2015 +0200
+
+ Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+ FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+ with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+ xprt->xp_rtaddr = *FINFO[0].caller_addr
+ It sends out the reply, and then frees the netbuf caller_addr and
+ caller_addr.buf.
+ However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+ to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+ be called, which will set xp_rtaddr to the client's address.
+ It will reuse the buffer inside xp_rtaddr, ie it will write a
+ sockaddr_in to region A
+
+ Some time down the road, an incoming TCP connection is accepted,
+ allocating a fresh SVCXPRT. The memory region A is inside the
+ new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+ overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+ the garbage left in region A
+
+ We ran into the case where a commercial scanner was triggering
+ occasional rpcbind segfaults. The core file that was captured showed
+ a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+ Signed-off-by: Olaf Kirch <okir@...e.de>
+
+ Upstream-Status: Backport
+
+ Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+===================================================================
+--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
++++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
+@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
++ * been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
index 237018b..9b1c650 100644
--- a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
+++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
@@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
file://rpcbind.conf \
file://rpcbind.socket \
file://rpcbind.service \
+ file://rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch \
"
MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236
2015-11-17 7:18 [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236 wenzong.fan
@ 2015-11-18 1:44 ` akuster808
2015-11-18 22:50 ` Burton, Ross
0 siblings, 1 reply; 4+ messages in thread
From: akuster808 @ 2015-11-18 1:44 UTC (permalink / raw)
To: openembedded-core
Li Zhou,
Can we get the CVE mentioned in the patch or rename the the patch to
include the CVE #.
regards,
Armin
On 11/16/2015 11:18 PM, wenzong.fan@windriver.com wrote:
> From: Li Zhou <li.zhou@windriver.com>
>
> rpcbind: Fix memory corruption in PMAP_CALLIT code
>
> Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in
> rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
> service (daemon crash) via crafted packets, involving a PMAP_CALLIT
> code.
>
> The patch comes from
> <http://www.openwall.com/lists/oss-security/2015/09/18/7>, and it hasn't
> been in rpcbind upstream yet.
>
> Signed-off-by: Li Zhou <li.zhou@windriver.com>
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---
> ...Fix_memory_corruption_in_PMAP_CALLIT_code.patch | 83 ++++++++++++++++++++++
> meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb | 1 +
> 2 files changed, 84 insertions(+)
> create mode 100644 meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
>
> diff --git a/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
> new file mode 100644
> index 0000000..f156290
> --- /dev/null
> +++ b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch
> @@ -0,0 +1,83 @@
> +commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
> +Author: Olaf Kirch <okir@...e.de>
> +Date: Thu Aug 6 16:27:20 2015 +0200
> +
> + Fix memory corruption in PMAP_CALLIT code
> +
> + - A PMAP_CALLIT call comes in on IPv4 UDP
> + - rpcbind duplicates the caller's address to a netbuf and stores it in
> + FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
> + with a size of 16 bytes
> + - rpcbind forwards the call to the local service, receives a reply
> + - when processing the reply, it does this in xprt_set_caller:
> + xprt->xp_rtaddr = *FINFO[0].caller_addr
> + It sends out the reply, and then frees the netbuf caller_addr and
> + caller_addr.buf.
> + However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
> + to memory region A, which is free.
> + - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
> + be called, which will set xp_rtaddr to the client's address.
> + It will reuse the buffer inside xp_rtaddr, ie it will write a
> + sockaddr_in to region A
> +
> + Some time down the road, an incoming TCP connection is accepted,
> + allocating a fresh SVCXPRT. The memory region A is inside the
> + new SVCXPRT
> +
> + - While processing the TCP call, another UDP call comes in, again
> + overwriting region A with the client's address
> + - TCP client closes connection. In svc_destroy, we now trip over
> + the garbage left in region A
> +
> + We ran into the case where a commercial scanner was triggering
> + occasional rpcbind segfaults. The core file that was captured showed
> + a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
> +
> + Signed-off-by: Olaf Kirch <okir@...e.de>
> +
> + Upstream-Status: Backport
> +
> + Signed-off-by: Li Zhou <li.zhou@windriver.com>
> +---
> + src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
> + 1 file changed, 22 insertions(+), 1 deletion(-)
> +
> +Index: rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
> +===================================================================
> +--- rpcbind-0.1.6+git20080930.orig/src/rpcb_svc_com.c
> ++++ rpcbind-0.1.6+git20080930/src/rpcb_svc_com.c
> +@@ -1298,12 +1298,33 @@ check_rmtcalls(struct pollfd *pfds, int
> + return (ncallbacks_found);
> + }
> +
> ++/*
> ++ * This is really a helper function defined in libtirpc, but unfortunately, it hasn't
> ++ * been exported yet.
> ++ */
> ++static struct netbuf *
> ++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
> ++{
> ++ if (nb->len != len) {
> ++ if (nb->len)
> ++ mem_free(nb->buf, nb->len);
> ++ nb->buf = mem_alloc(len);
> ++ if (nb->buf == NULL)
> ++ return NULL;
> ++
> ++ nb->maxlen = nb->len = len;
> ++ }
> ++ memcpy(nb->buf, ptr, len);
> ++ return nb;
> ++}
> ++
> + static void
> + xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
> + {
> ++ const struct netbuf *caller = fi->caller_addr;
> + u_int32_t *xidp;
> +
> +- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
> ++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
> + xidp = __rpcb_get_dg_xidp(xprt);
> + *xidp = fi->caller_xid;
> + }
> diff --git a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
> index 237018b..9b1c650 100644
> --- a/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
> +++ b/meta/recipes-extended/rpcbind/rpcbind_0.2.3.bb
> @@ -19,6 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \
> file://rpcbind.conf \
> file://rpcbind.socket \
> file://rpcbind.service \
> + file://rpcbind_Fix_memory_corruption_in_PMAP_CALLIT_code.patch \
> "
> MUSLPATCHES_libc-musl = "file://musl-sunrpc.patch"
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236
2015-11-18 1:44 ` akuster808
@ 2015-11-18 22:50 ` Burton, Ross
2015-11-25 3:58 ` akuster808
0 siblings, 1 reply; 4+ messages in thread
From: Burton, Ross @ 2015-11-18 22:50 UTC (permalink / raw)
To: akuster808; +Cc: OE-core
[-- Attachment #1: Type: text/plain, Size: 243 bytes --]
On 18 November 2015 at 01:44, akuster808 <akuster808@gmail.com> wrote:
> Can we get the CVE mentioned in the patch or rename the the patch to
> include the CVE #.
>
I'd already merged this into mut, so have renamed the patch.
Ross
[-- Attachment #2: Type: text/html, Size: 651 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236
2015-11-18 22:50 ` Burton, Ross
@ 2015-11-25 3:58 ` akuster808
0 siblings, 0 replies; 4+ messages in thread
From: akuster808 @ 2015-11-25 3:58 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On 11/18/2015 02:50 PM, Burton, Ross wrote:
> On 18 November 2015 at 01:44, akuster808 <akuster808@gmail.com> wrote:
>
>> Can we get the CVE mentioned in the patch or rename the the patch to
>> include the CVE #.
>>
>
> I'd already merged this into mut, so have renamed the patch.
thanks.
- armin
>
> Ross
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-11-25 3:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-17 7:18 [PATCH] rpcbind: Security Advisory - rpcbind - CVE-2015-7236 wenzong.fan
2015-11-18 1:44 ` akuster808
2015-11-18 22:50 ` Burton, Ross
2015-11-25 3:58 ` akuster808
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox