From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 1804) id 9D72B3858C62; Fri, 7 Oct 2022 08:20:58 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 9D72B3858C62 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1665130858; bh=5vJVb+PBYn0N8JCNN9rlamk3QDRJvNnIHAIrVPXSDsQ=; h=From:To:Subject:Date:From; b=u1qPXYjEaEdA3xKSbUCX9ATp7K9PsjhtYXuSZnp6zGZ0Vif9I4TEW/vt8nelE4EhE lstkT9BlahiDPbzAU52wCXM1f+RxSu4ATJBqA0kx13h6SOVWmu6omOatvFNmm1kUr7 YwYiCa6A9VFJDrOqYxm/s9tF4f+JDK4v7hhTgIgk= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Dmitry Levin To: glibc-cvs@sourceware.org Subject: [glibc/release/2.32/master] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) X-Act-Checkin: glibc X-Git-Author: Florian Weimer X-Git-Refname: refs/heads/release/2.32/master X-Git-Oldrev: 7a9e8a984a32ccaf8947d116fca63ad406452bfa X-Git-Newrev: 0c9137a4449789649eb42b3f1b7cfdff4968ff2b Message-Id: <20221007082058.9D72B3858C62@sourceware.org> Date: Fri, 7 Oct 2022 08:20:58 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0c9137a4449789649eb42b3f1b7cfdff4968ff2b commit 0c9137a4449789649eb42b3f1b7cfdff4968ff2b Author: Florian Weimer Date: Mon Jan 17 11:49:25 2022 +0100 CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) The sunrpc function svcunix_create suffers from a stack-based buffer overflow with overlong pathname arguments. Reviewed-by: Siddhesh Poyarekar (cherry picked from commit f545ad4928fa1f27a3075265182b38a4f939a5f7) Diff: --- NEWS | 4 ++++ sunrpc/Makefile | 2 +- sunrpc/svc_unix.c | 11 ++++------- sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index 53ca17db43..0adef96756 100644 --- a/NEWS +++ b/NEWS @@ -42,6 +42,9 @@ Security related changes: legacy function could result in a stack-based buffer overflow when using the "unix" protocol. Reported by Martin Sebor. + CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow. + The following bugs are resolved with this release: [20019] NULL pointer dereference in libc.so.6 IFUNC due to uninitialized GOT @@ -101,6 +104,7 @@ The following bugs are resolved with this release: [28524] Conversion from ISO-2022-JP-3 with iconv may emit spurious NULs [28607] Masked signals are delivered on thread exit [28755] overflow bug in wcsncmp_avx2 and wcsncmp_evex + [28768] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create [28896] strncmp-avx2-rtm and wcsncmp-avx2-rtm fallback on non-rtm variants when avoiding overflow [29304] libc: mq_timedreceive does not handle 64 bit syscall return diff --git a/sunrpc/Makefile b/sunrpc/Makefile index cea958608e..0d36071ba4 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,7 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking tst-bug22542 + tst-udp-nonblocking tst-bug22542 tst-bug28768 xtests := tst-getmyaddr diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index e01afeabe6..b065d6063a 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) SVCXPRT *xprt; struct unix_rendezvous *r; struct sockaddr_un addr; - socklen_t len = sizeof (struct sockaddr_in); + socklen_t len = sizeof (addr); + + if (__sockaddr_un_set (&addr, path) < 0) + return NULL; if (sock == RPC_ANYSOCK) { @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) } madesock = TRUE; } - memset (&addr, '\0', sizeof (addr)); - addr.sun_family = AF_UNIX; - len = strlen (path) + 1; - memcpy (addr.sun_path, path, len); - len += sizeof (addr.sun_family); - __bind (sock, (struct sockaddr *) &addr, len); if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c new file mode 100644 index 0000000000..35a4b7b0b3 --- /dev/null +++ b/sunrpc/tst-bug28768.c @@ -0,0 +1,42 @@ +/* Test to verify that long path is rejected by svcunix_create (bug 28768). + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include + +/* svcunix_create does not have a default version in linkobj/libc.so. */ +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); + +static int +do_test (void) +{ + char pathname[109]; + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + + errno = 0; + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); + TEST_COMPARE (errno, EINVAL); + + return 0; +} + +#include