* [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
@ 2020-12-02 8:56 Stefan Liebler
2020-12-03 11:37 ` Adhemerval Zanella
0 siblings, 1 reply; 5+ messages in thread
From: Stefan Liebler @ 2020-12-02 8:56 UTC (permalink / raw)
To: libc-alpha; +Cc: Stefan Liebler
If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:
svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
In out-of-memory case, if one of the mallocs in makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL
and the subsequent memcpy would copy to NULL.
Instead of a segfaulting, svctcp_rendezvous_abort is now called.
The same applies to svc_unix.c.
---
sunrpc/svc_tcp.c | 5 +++++
sunrpc/svc_unix.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
index efbdd22548..738d47edb0 100644
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -271,6 +271,11 @@ again:
* make a new transporter (re-uses xprt)
*/
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
+
+ /* If we are out of memory, makefd_xprt has already dumped an error. */
+ if (xprt == NULL)
+ svctcp_rendezvous_abort ();
+
memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index e01afeabe6..b13a4cd282 100644
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -270,6 +270,11 @@ again:
memset (&in_addr, '\0', sizeof (in_addr));
in_addr.sin_family = AF_UNIX;
xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
+
+ /* If we are out of memory, makefd_xprt has already dumped an error. */
+ if (xprt == NULL)
+ svcunix_rendezvous_abort ();
+
memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
xprt->xp_addrlen = len;
return FALSE; /* there is never an rpc msg to be processed */
--
2.23.0
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
2020-12-02 8:56 [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request Stefan Liebler
@ 2020-12-03 11:37 ` Adhemerval Zanella
2020-12-03 21:03 ` Florian Weimer
0 siblings, 1 reply; 5+ messages in thread
From: Adhemerval Zanella @ 2020-12-03 11:37 UTC (permalink / raw)
To: libc-alpha
On 02/12/2020 05:56, Stefan Liebler via Libc-alpha wrote:
> If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
> gcc 11 dumps this warning:
> svc_tcp.c: In function 'rendezvous_request':
> svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
> 274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors
>
> In out-of-memory case, if one of the mallocs in makefd_xprt function
> returns NULL, a message is dumped, makefd_xprt returns NULL
> and the subsequent memcpy would copy to NULL.
>
> Instead of a segfaulting, svctcp_rendezvous_abort is now called.
It does not do what other parts of sunrpc does in case of memory allocation
failure, it seems that usually the idea is to do some cleanup and return
FALSE (for the case if the function returns bool_t).
>
> The same applies to svc_unix.c.
> ---
> sunrpc/svc_tcp.c | 5 +++++
> sunrpc/svc_unix.c | 5 +++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
> index efbdd22548..738d47edb0 100644
> --- a/sunrpc/svc_tcp.c
> +++ b/sunrpc/svc_tcp.c
> @@ -271,6 +271,11 @@ again:
> * make a new transporter (re-uses xprt)
> */
> xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
> +
> + /* If we are out of memory, makefd_xprt has already dumped an error. */
> + if (xprt == NULL)
> + svctcp_rendezvous_abort ();
> +
> memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
> xprt->xp_addrlen = len;
> return FALSE; /* there is never an rpc msg to be processed */
> diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
> index e01afeabe6..b13a4cd282 100644
> --- a/sunrpc/svc_unix.c
> +++ b/sunrpc/svc_unix.c
> @@ -270,6 +270,11 @@ again:
> memset (&in_addr, '\0', sizeof (in_addr));
> in_addr.sin_family = AF_UNIX;
> xprt = makefd_xprt (sock, r->sendsize, r->recvsize);
> +
> + /* If we are out of memory, makefd_xprt has already dumped an error. */
> + if (xprt == NULL)
> + svcunix_rendezvous_abort ();
> +
> memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr));
> xprt->xp_addrlen = len;
> return FALSE; /* there is never an rpc msg to be processed */
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
2020-12-03 11:37 ` Adhemerval Zanella
@ 2020-12-03 21:03 ` Florian Weimer
2020-12-04 12:25 ` Adhemerval Zanella
0 siblings, 1 reply; 5+ messages in thread
From: Florian Weimer @ 2020-12-03 21:03 UTC (permalink / raw)
To: Adhemerval Zanella via Libc-alpha
* Adhemerval Zanella via Libc-alpha:
> On 02/12/2020 05:56, Stefan Liebler via Libc-alpha wrote:
>> If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
>> gcc 11 dumps this warning:
>> svc_tcp.c: In function 'rendezvous_request':
>> svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
>> 274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> cc1: all warnings being treated as errors
>>
>> In out-of-memory case, if one of the mallocs in makefd_xprt function
>> returns NULL, a message is dumped, makefd_xprt returns NULL
>> and the subsequent memcpy would copy to NULL.
>>
>> Instead of a segfaulting, svctcp_rendezvous_abort is now called.
>
> It does not do what other parts of sunrpc does in case of memory allocation
> failure, it seems that usually the idea is to do some cleanup and return
> FALSE (for the case if the function returns bool_t).
I think returning FALSE would introduce a variant of CVE-2011-4609 (bug
14889). The sleeping added in commit 14bc93a967e62abf8cf2704725b6f7 for
that is rather hackish (more correct would be to remove the accepting
socket from the polling set until a client exits), but sleeping on
ENOMEM might be a reasonable approach here, given that the sunrpc code
is deep maintenance.
Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
2020-12-03 21:03 ` Florian Weimer
@ 2020-12-04 12:25 ` Adhemerval Zanella
2020-12-04 16:02 ` Stefan Liebler
0 siblings, 1 reply; 5+ messages in thread
From: Adhemerval Zanella @ 2020-12-04 12:25 UTC (permalink / raw)
To: Florian Weimer, Adhemerval Zanella via Libc-alpha
On 03/12/2020 18:03, Florian Weimer wrote:
> * Adhemerval Zanella via Libc-alpha:
>
>> On 02/12/2020 05:56, Stefan Liebler via Libc-alpha wrote:
>>> If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
>>> gcc 11 dumps this warning:
>>> svc_tcp.c: In function 'rendezvous_request':
>>> svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
>>> 274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
>>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> cc1: all warnings being treated as errors
>>>
>>> In out-of-memory case, if one of the mallocs in makefd_xprt function
>>> returns NULL, a message is dumped, makefd_xprt returns NULL
>>> and the subsequent memcpy would copy to NULL.
>>>
>>> Instead of a segfaulting, svctcp_rendezvous_abort is now called.
>>
>> It does not do what other parts of sunrpc does in case of memory allocation
>> failure, it seems that usually the idea is to do some cleanup and return
>> FALSE (for the case if the function returns bool_t).
>
> I think returning FALSE would introduce a variant of CVE-2011-4609 (bug
> 14889). The sleeping added in commit 14bc93a967e62abf8cf2704725b6f7 for
> that is rather hackish (more correct would be to remove the accepting
> socket from the polling set until a client exits), but sleeping on
> ENOMEM might be a reasonable approach here, given that the sunrpc code
> is deep maintenance.
Using the sleep hack should be slight better and avoid ENOMEM to abort
the process.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
2020-12-04 12:25 ` Adhemerval Zanella
@ 2020-12-04 16:02 ` Stefan Liebler
0 siblings, 0 replies; 5+ messages in thread
From: Stefan Liebler @ 2020-12-04 16:02 UTC (permalink / raw)
To: libc-alpha
On 12/4/20 1:25 PM, Adhemerval Zanella via Libc-alpha wrote:
>
>
> On 03/12/2020 18:03, Florian Weimer wrote:
>> * Adhemerval Zanella via Libc-alpha:
>>
>>> On 02/12/2020 05:56, Stefan Liebler via Libc-alpha wrote:
>>>> If glibc is build with -O3 on at least 390 (-m31) or x86 (-m32),
>>>> gcc 11 dumps this warning:
>>>> svc_tcp.c: In function 'rendezvous_request':
>>>> svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
>>>> 274 | memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
>>>> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> cc1: all warnings being treated as errors
>>>>
>>>> In out-of-memory case, if one of the mallocs in makefd_xprt function
>>>> returns NULL, a message is dumped, makefd_xprt returns NULL
>>>> and the subsequent memcpy would copy to NULL.
>>>>
>>>> Instead of a segfaulting, svctcp_rendezvous_abort is now called.
>>>
>>> It does not do what other parts of sunrpc does in case of memory allocation
>>> failure, it seems that usually the idea is to do some cleanup and return
>>> FALSE (for the case if the function returns bool_t).
>>
>> I think returning FALSE would introduce a variant of CVE-2011-4609 (bug
>> 14889). The sleeping added in commit 14bc93a967e62abf8cf2704725b6f7 for
>> that is rather hackish (more correct would be to remove the accepting
>> socket from the polling set until a client exits), but sleeping on
>> ENOMEM might be a reasonable approach here, given that the sunrpc code
>> is deep maintenance.
>
> Using the sleep hack should be slight better and avoid ENOMEM to abort
> the process.
>
Now it sleeps and FALSE is returned.
Please have a look at:
"[PATCH v2] Handle out-of-memory case in
svc_tcp.c/svc_unix.c:rendezvous_request."
https://sourceware.org/pipermail/libc-alpha/2020-December/120410.html
Thanks,
Stefan
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-12-04 16:02 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-02 8:56 [PATCH] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request Stefan Liebler
2020-12-03 11:37 ` Adhemerval Zanella
2020-12-03 21:03 ` Florian Weimer
2020-12-04 12:25 ` Adhemerval Zanella
2020-12-04 16:02 ` Stefan Liebler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).