From: Siddhesh Poyarekar
To: Florian Weimer, libc-alpha@sourceware.org
Date: Mon, 17 Jan 2022 09:05:13 +0530
Subject: Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
References: <5e6f9d7240e55d438438d457f169132cf89fb8a0.1642148513.git.fweimer@redhat.com> <3c2a7cbc-9284-75dc-e7d0-8cab8571fe3a@gotplt.org>
In-Reply-To: <3c2a7cbc-9284-75dc-e7d0-8cab8571fe3a@gotplt.org>
List-Id: Libc-alpha mailing list

On 17/01/2022 09:01, Siddhesh Poyarekar wrote:
> On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote:
>> From: Martin Sebor
>>
>> ---
>>   sunrpc/Makefile       |  5 ++++-
>>   sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++
>>   2 files changed, 48 insertions(+), 1 deletion(-)
>>   create mode 100644 sunrpc/tst-bug22542.c
>
> LGTM.
>
> Reviewed-by: Siddhesh Poyarekar

Oh wait...

>
>>
>> diff --git a/sunrpc/Makefile b/sunrpc/Makefile
>> index 9a31fe48b9..183ef3dc55 100644
>> --- a/sunrpc/Makefile
>> +++ b/sunrpc/Makefile >> @@ -65,7 +65,8 @@ shared-only-routines = $(routines) >>   endif >>   tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error >> tst-udp-timeout \ >> -  tst-udp-nonblocking >> +  tst-udp-nonblocking tst-bug22542 >> + >>   xtests := tst-getmyaddr >>   ifeq ($(have-thread-library),yes) >> @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: >> $(common-objpfx)linkobj/libc.so >>   $(objpfx)tst-udp-garbage: \ >>     $(common-objpfx)linkobj/libc.so $(shared-thread-library) >> +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so >> + >>   else # !have-GLIBC_2.31 >>   routines = $(routines-for-nss) >> diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c >> new file mode 100644 >> index 0000000000..d6cd79787b >> --- /dev/null >> +++ b/sunrpc/tst-bug22542.c 
>> @@ -0,0 +1,44 @@ >> +/* Test to verify that overlong hostname is rejected by clnt_create >> +   and doesn't cause a buffer overflow (bug  22542). >> + >> +   Copyright (C) 2022 Free Software Foundation, Inc. >> +   This file is part of the GNU C Library. >> + >> +   The GNU C Library is free software; you can redistribute it and/or >> +   modify it under the terms of the GNU Lesser General Public >> +   License as published by the Free Software Foundation; either >> +   version 2.1 of the License, or (at your option) any later version. >> + >> +   The GNU C Library is distributed in the hope that it will be useful, >> +   but WITHOUT ANY WARRANTY; without even the implied warranty of >> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU >> +   Lesser General Public License for more details. >> + >> +   You should have received a copy of the GNU Lesser General Public >> +   License along with the GNU C Library; if not, see >> +   .  */ >> + >> +#include >> +#include >> +#include >> +#include >> +#include >> +#include >> + >> +static int >> +do_test (void) >> +{ >> +  /* Create an arbitrary hostname that's longer than fits in >> sun_path.  */ >> +  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; >> +  memset (name, 'x', sizeof name - 1); >> +  name [sizeof name - 1] = '\0'; >> + >> +  errno = 0; >> +  CLIENT *clnt = clnt_create (name, 0, 0, "unix"); Does this link? clnt_create doesn't have a default version in libc.so AFAICT. >> + >> +  TEST_VERIFY (clnt == NULL); >> +  TEST_COMPARE (errno, EINVAL); >> +  return 0; >> +} >> + >> +#include >
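Review bot: in the first Makefile hunk (`@@ -65,7 +65,8 @@`), the second added line is an empty `+` line between `tst-udp-nonblocking tst-bug22542` and `xtests := tst-getmyaddr`. It is what turns a one-word change into a 7-to-8 line hunk; drop it so the hunk only appends `tst-bug22542` to `tests`.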
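Review bot: in the second Makefile hunk (`@@ -110,6 +111,8 @@`), the empty `+` line after `$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so` is another stray blank line and should go. The dependency itself looks right: it mirrors the `tst-udp-nonblocking` and `tst-udp-garbage` rules in the surrounding context and sits in the branch closed by `else # !have-GLIBC_2.31`, so linking the test against `linkobj/libc.so` rather than the installed `libc.so` is what is meant to make `clnt_create` resolve; that is the place to look for the "does this link?" question raised in the reply.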
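Review bot: in the new `sunrpc/tst-bug22542.c`, the file comment says an "overlong hostname is rejected", but with the `"unix"` protocol the first argument to `clnt_create (name, 0, 0, "unix")` is a socket path that has to fit in `sun_path`, as the comment inside `do_test` already says; make the header comment say "socket path" so it matches the test. Minor: "bug  22542" in the same comment has a doubled space. The buffer size expression `sizeof ((struct sockaddr_un*)0)->sun_path * 2` is correct (`sizeof` binds tighter than `*`, and the null-pointer member access is unevaluated), but `sizeof (((struct sockaddr_un *) 0)->sun_path) * 2` reads unambiguously and follows the project's spacing style.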