From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from olivedrab.birch.relay.mailchannels.net (olivedrab.birch.relay.mailchannels.net [23.83.209.135]) by sourceware.org (Postfix) with ESMTPS id 7EFB83858021 for ; Mon, 17 Jan 2022 09:43:09 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 7EFB83858021 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=gotplt.org Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gotplt.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 274D5820898; Mon, 17 Jan 2022 09:43:08 +0000 (UTC) Received: from pdx1-sub0-mail-a307.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 6203B8210E5; Mon, 17 Jan 2022 09:43:07 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a307.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.121.92.82 (trex/6.4.3); Mon, 17 Jan 2022 09:43:08 +0000 X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Bitter-Supply: 5d8aa7710c5e1499_1642412587652_4015203055 X-MC-Loop-Signature: 1642412587652:1139046565 X-MC-Ingress-Time: 1642412587651 Received: from [192.168.1.174] (unknown [1.186.224.209]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a307.dreamhost.com (Postfix) with ESMTPSA id 4Jcn5Q0dm8z33; Mon, 17 Jan 2022 01:43:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=gotplt.org; s=gotplt.org; t=1642412587; bh=D69xOYY4ey4w4X75nsECq6AEiNQ=; h=Date:Subject:To:From:Content-Type:Content-Transfer-Encoding; b=CdfJotyHECe1CB0NT67sFwul0ojIsB62IOWdDj18O4OdLdBkx3wn5sirkRSZdOA7D Lj8rlBt0uwwjnYm9l1DDOPdqBLVKZUXeaOdIpeEq2RXk3Av3FAaLDmkkcLA3k+zZYR Y1iTprmslpxhuf422s5xOZiKKroxwl8zd7s5W6GE= Message-ID: <6a84d906-b3a1-f4ac-f4eb-2e921d385b53@gotplt.org> Date: Mon, 17 Jan 2022 15:13:01 +0530 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.4.0 Subject: Re: [PATCH v2 4/4] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) Content-Language: en-US To: Florian Weimer , libc-alpha@sourceware.org References: <4e87feed87235e9143778454147e04469a1e7380.1642148513.git.fweimer@redhat.com> From: Siddhesh Poyarekar In-Reply-To: <4e87feed87235e9143778454147e04469a1e7380.1642148513.git.fweimer@redhat.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3036.0 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, NICE_REPLY_A, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS, TXREP, URIBL_BLACK autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jan 2022 09:43:11 -0000 On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote: > The sunrpc function svcunix_create suffers from a stack-based buffer > overflow with overlong pathname arguments. > --- > NEWS | 3 +++ > sunrpc/Makefile | 2 +- > sunrpc/svc_unix.c | 11 ++++------- > sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 50 insertions(+), 8 deletions(-) > create mode 100644 sunrpc/tst-bug28768.c > LGTM. Reviewed-by: Siddhesh Poyarekar > diff --git a/NEWS b/NEWS > index 94248b580d..85ec7e4c6a 100644 > --- a/NEWS > +++ b/NEWS > @@ -154,6 +154,9 @@ Security related changes: > legacy function could result in a stack-based buffer overflow when > using the "unix" protocol. Reported by Martin Sebor. > > + CVE-2022-23218: Passing an overlong file name to the svcunix_create > + legacy function could result in a stack-based buffer overflow. > + > The following bugs are resolved with this release: > > [The release manager will add the list generated by > diff --git a/sunrpc/Makefile b/sunrpc/Makefile > index 183ef3dc55..a79a7195fc 100644 > --- a/sunrpc/Makefile > +++ b/sunrpc/Makefile > @@ -65,7 +65,7 @@ shared-only-routines = $(routines) > endif > > tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ > - tst-udp-nonblocking tst-bug22542 > + tst-udp-nonblocking tst-bug22542 tst-bug28768 > > xtests := tst-getmyaddr > > diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c > index f2280b4c49..67177a2e78 100644 > --- a/sunrpc/svc_unix.c > +++ b/sunrpc/svc_unix.c > @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) > SVCXPRT *xprt; > struct unix_rendezvous *r; > struct sockaddr_un addr; > - socklen_t len = sizeof (struct sockaddr_in); > + socklen_t len = sizeof (addr); > + > + if (__sockaddr_un_set (&addr, path) < 0) > + return NULL; > > if (sock == RPC_ANYSOCK) > { > @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) > } > madesock = TRUE; > } > - memset (&addr, '\0', sizeof (addr)); > - addr.sun_family = AF_UNIX; > - len = strlen (path) + 1; > - memcpy (addr.sun_path, path, len); > - len += sizeof (addr.sun_family); > - > __bind (sock, (struct sockaddr *) &addr, len); > > if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 > diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c > new file mode 100644 > index 0000000000..35a4b7b0b3 > --- /dev/null > +++ b/sunrpc/tst-bug28768.c > @@ -0,0 +1,42 @@ > +/* Test to verify that long path is rejected by svcunix_create (bug 28768). > + Copyright (C) 2022 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + . */ > + > +#include > +#include > +#include > +#include > +#include > + > +/* svcunix_create does not have a default version in linkobj/libc.so. */ > +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); > + > +static int > +do_test (void) > +{ > + char pathname[109]; > + memset (pathname, 'x', sizeof (pathname)); > + pathname[sizeof (pathname) - 1] = '\0'; > + > + errno = 0; > + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); > + TEST_COMPARE (errno, EINVAL); > + > + return 0; > +} > + > +#include