From: Florian Weimer
To: Siddhesh Poyarekar
Cc: libc-alpha@sourceware.org
Subject: Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
Date: Mon, 17 Jan 2022 10:15:13 +0100
Message-ID: <87mtjuoh9a.fsf@oldenburg.str.redhat.com>
In-Reply-To: (Siddhesh Poyarekar's message of "Mon, 17 Jan 2022 09:05:13 +0530")
References: <5e6f9d7240e55d438438d457f169132cf89fb8a0.1642148513.git.fweimer@redhat.com> <3c2a7cbc-9284-75dc-e7d0-8cab8571fe3a@gotplt.org>

* Siddhesh Poyarekar:

> On 17/01/2022 09:01, Siddhesh Poyarekar wrote:
>> On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote:
>>> From: Martin Sebor
>>>
>>> ---
>>>   sunrpc/Makefile       |  5 ++++-
>>>   sunrpc/tst-bug22542.c | 44 ++++++++++++++++++++++++++++++++++++++++++++++++
>>>   2 files changed, 48 insertions(+), 1 deletion(-)
>>>   create mode 100644 sunrpc/tst-bug22542.c
>> LGTM.
>> Reviewed-by: Siddhesh Poyarekar
>
> Oh wait...
>
>>
>>>
>>> diff --git a/sunrpc/Makefile b/sunrpc/Makefile
>>> index 9a31fe48b9..183ef3dc55 100644
>>> --- a/sunrpc/Makefile
>>> +++ b/sunrpc/Makefile
>>> @@ -65,7 +65,8 @@ shared-only-routines = $(routines)
>>>   endif
>>>   tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error
>>> tst-udp-timeout \
>>> -  tst-udp-nonblocking
>>> +  tst-udp-nonblocking tst-bug22542
>>> +
>>>   xtests := tst-getmyaddr
>>>   ifeq ($(have-thread-library),yes)
>>> @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking:
>>> $(common-objpfx)linkobj/libc.so
>>>   $(objpfx)tst-udp-garbage: \
>>>     $(common-objpfx)linkobj/libc.so $(shared-thread-library)
>>> +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so
>>> +
>>>   else # !have-GLIBC_2.31
>>>   routines = $(routines-for-nss)
>>> diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c
>>> new file mode 100644
>>> index 0000000000..d6cd79787b
>>> --- /dev/null
>>> +++ b/sunrpc/tst-bug22542.c
>>> @@ -0,0 +1,44 @@
>>> +/* Test to verify that overlong hostname is rejected by clnt_create
>>> +   and doesn't cause a buffer overflow (bug 22542).
>>> +
>>> +   Copyright (C) 2022 Free Software Foundation, Inc.
>>> +   This file is part of the GNU C Library.
>>> +
>>> +   The GNU C Library is free software; you can redistribute it and/or
>>> +   modify it under the terms of the GNU Lesser General Public
>>> +   License as published by the Free Software Foundation; either
>>> +   version 2.1 of the License, or (at your option) any later version.
>>> +
>>> +   The GNU C Library is distributed in the hope that it will be useful,
>>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>>> +   Lesser General Public License for more details.
>>> +
>>> +   You should have received a copy of the GNU Lesser General Public
>>> +   License along with the GNU C Library; if not, see
>>> +   .  */
>>> +
>>> +#include
>>> +#include
>>> +#include
>>> +#include
>>> +#include
>>> +#include
>>> +
>>> +static int
>>> +do_test (void)
>>> +{
>>> +  /* Create an arbitrary hostname that's longer than fits in
>>> sun_path.  */
>>> +  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
>>> +  memset (name, 'x', sizeof name - 1);
>>> +  name [sizeof name - 1] = '\0';
>>> +
>>> +  errno = 0;
>>> +  CLIENT *clnt = clnt_create (name, 0, 0, "unix");
>
> Does this link?  clnt_create doesn't have a default version in libc.so
> AFAICT.

It has in linkobj/libc.so:

$ eu-readelf --symbols=.dynsym linkobj/libc.so | grep clnt_create
3126: 000387a0    465 FUNC    GLOBAL DEFAULT       14 clnt_create@@GLIBC_2.0

Thanks,
Florian
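Review bot: in the first sunrpc/Makefile hunk (@@ -65,7 +65,8 @@), the bare `+` line after `+  tst-udp-nonblocking tst-bug22542` adds an empty line between the `tests =` list and `xtests := tst-getmyaddr` that is unrelated to registering the new test; either drop it or keep the whitespace change separate so the hunk is just the one-token addition to `tests`.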
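Review bot: in the second sunrpc/Makefile hunk (@@ -110,6 +111,8 @@), the new rule `+$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so` is what makes the test link at all, since the reply below shows `clnt_create@@GLIBC_2.0` is only a default-versioned symbol in linkobj/libc.so, yet nothing in the hunk says so; a one-line comment next to the rule (or next to the existing `tst-udp-nonblocking` / `tst-udp-garbage` rules it mirrors) would save the next reader the same "does this link?" question. The extra `+` blank line inserted right before `else # !have-GLIBC_2.31` should also be checked against the existing file so it does not double an existing separator.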
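Review bot: the quoted part of sunrpc/tst-bug22542.c stops at `+  CLIENT *clnt = clnt_create (name, 0, 0, "unix");`, so the checks that `+  errno = 0;` is setting up are not visible here; the test should assert both that `clnt` is NULL and what `errno` holds after the call, and must not leak a non-NULL `clnt` if the rejection ever regresses. The name built with `sizeof ((struct sockaddr_un*)0)->sun_path * 2` only covers the "far too long" case; a second case of exactly `sizeof sun_path` characters (no room for the terminator) would pin down the off-by-one boundary the original overflow lived on. Style nits against GNU conventions in the same lines: `(struct sockaddr_un*)0` wants spaces (`(struct sockaddr_un *) 0`), and `name [sizeof name - 1]` should not have a space before the `[`.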
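The property the test above is pinning down is that a path which does not fit in the fixed-size `sun_path` is rejected up front rather than copied past the end of the buffer. The following is an added example of that check, written for this page; it is not glibc's clnt_create, not the patch under review, and the `make_unix_sockaddr` name and the choice of ENAMETOOLONG as the error code are this example's own assumptions. The helper functions build the same overlong name as tst-bug22542.c and additionally probe the exact boundary (a path of `sizeof sun_path` characters, which leaves no room for the terminator).

```c
/* Added example, not glibc code: build a struct sockaddr_un from an
   untrusted path and reject anything that does not fit in sun_path.
   The vulnerable pattern this replaces is an unchecked
   strcpy (sun.sun_path, path), which writes past the end of the
   fixed-size array when path is too long.  */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill *SUN from PATH.  Returns 0 on success.  On failure returns -1
   and sets errno to ENAMETOOLONG (an assumption of this example; the
   real glibc fix may report the error differently).  */
int
make_unix_sockaddr (struct sockaddr_un *sun, const char *path)
{
  /* strnlen never looks past sizeof sun_path bytes, so an overlong
     PATH costs a bounded scan.  If no NUL was found within the buffer
     size, PATH plus its terminator cannot fit.  */
  size_t len = strnlen (path, sizeof sun->sun_path);
  if (len >= sizeof sun->sun_path)
    {
      errno = ENAMETOOLONG;
      return -1;
    }
  memset (sun, 0, sizeof *sun);
  sun->sun_family = AF_UNIX;
  memcpy (sun->sun_path, path, len + 1);   /* len + 1 includes the NUL.  */
  return 0;
}

/* Same input as tst-bug22542.c: a name twice as long as sun_path,
   all 'x', must be rejected with the expected errno.  */
int
check_overlong_rejected (void)
{
  char name[sizeof ((struct sockaddr_un *) 0)->sun_path * 2];
  memset (name, 'x', sizeof name - 1);
  name[sizeof name - 1] = '\0';

  struct sockaddr_un sun;
  errno = 0;
  int r = make_unix_sockaddr (&sun, name);
  return r == -1 && errno == ENAMETOOLONG;
}

/* A constructed short path must be accepted and copied intact.  */
int
check_short_accepted (void)
{
  struct sockaddr_un sun;
  if (make_unix_sockaddr (&sun, "/run/example.sock") != 0)
    return 0;
  return sun.sun_family == AF_UNIX
         && strcmp (sun.sun_path, "/run/example.sock") == 0;
}

/* Exact boundary: sizeof sun_path - 1 characters fit (with NUL),
   sizeof sun_path characters do not.  */
int
check_boundary (void)
{
  struct sockaddr_un sun;
  char name[sizeof sun.sun_path + 1];

  memset (name, 'y', sizeof sun.sun_path - 1);
  name[sizeof sun.sun_path - 1] = '\0';
  if (make_unix_sockaddr (&sun, name) != 0)
    return 0;

  /* One more character and the terminator no longer fits.  */
  name[sizeof sun.sun_path - 1] = 'y';
  name[sizeof sun.sun_path] = '\0';
  errno = 0;
  return make_unix_sockaddr (&sun, name) == -1 && errno == ENAMETOOLONG;
}
```

The length check happens before any byte is written into the destination, and `strnlen` is bounded by the destination size so an unterminated or huge input cannot turn the check itself into an over-read.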