From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id 0F7C2385841D for ; Fri, 14 Jan 2022 08:24:11 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0F7C2385841D Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-417-d_EuQdOnPO2XdJ6wW_7-8w-1; Fri, 14 Jan 2022 03:24:09 -0500 X-MC-Unique: d_EuQdOnPO2XdJ6wW_7-8w-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 90E71190B2A2 for ; Fri, 14 Jan 2022 08:24:08 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.39.192.49]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E915B78B11 for ; Fri, 14 Jan 2022 08:24:07 +0000 (UTC) From: Florian Weimer To: libc-alpha@sourceware.org Subject: [PATCH v2 2/4] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542) In-Reply-To: References: X-From-Line: aafa82f116bad4d781e66751177cdd4995eb7c07 Mon Sep 17 00:00:00 2001 Message-Id: Date: Fri, 14 Jan 2022 09:24:05 +0100 User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain X-Spam-Status: No, score=-12.4 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2022 08:24:14 -0000 Processing an overlong pathname in the sunrpc clnt_create function results in a stack-based buffer overflow. --- NEWS | 4 +++- sunrpc/clnt_gen.c | 10 +++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index a957b19fdc..94248b580d 100644 --- a/NEWS +++ b/NEWS @@ -150,7 +150,9 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2022-23219: Passing an overlong file name to the clnt_create + legacy function could result in a stack-based buffer overflow when + using the "unix" protocol. Reported by Martin Sebor. The following bugs are resolved with this release: diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c index 13ced8994e..b44357cd88 100644 --- a/sunrpc/clnt_gen.c +++ b/sunrpc/clnt_gen.c @@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers, if (strcmp (proto, "unix") == 0) { - memset ((char *)&sun, 0, sizeof (sun)); - sun.sun_family = AF_UNIX; - strcpy (sun.sun_path, hostname); + if (__sockaddr_un_set (&sun, hostname) < 0) + { + struct rpc_createerr *ce = &get_rpc_createerr (); + ce->cf_stat = RPC_SYSTEMERROR; + ce->cf_error.re_errno = errno; + return NULL; + } sock = RPC_ANYSOCK; client = clntunix_create (&sun, prog, vers, &sock, 0, 0); if (client == NULL) -- 2.34.1