* [PATCH 0/4] Fix two sunrpc buffer overflows
From: Florian Weimer @ 2022-01-12 17:00 UTC
To: libc-alpha; +Cc: Martin Sebor

The first one was reported by Martin Sebor in 2017, but we didn't fix it.
Grepping for sun_path I found another similar one.

Tested on i686-linux-gnu, x86_64-linux-gnu. Built with build-many-glibcs.py.

Thanks,
Florian

Florian Weimer (3):
  socket: Add the __sockaddr_un_set function
  sunrpc: Fix buffer overflow in clnt_create for "unix" (bug 22542)
  sunrpc: Fix path buffer overflow in svcunix_create (bug 28768)

Martin Sebor (1):
  sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)

 NEWS                         |  7 +++-
 include/sys/un.h             | 12 +++++++
 socket/Makefile              |  6 +++-
 socket/sockaddr_un_set.c     | 41 ++++++++++++++++++++++++
 socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++
 sunrpc/Makefile              |  5 ++-
 sunrpc/clnt_gen.c            | 10 ++++--
 sunrpc/svc_unix.c            | 11 +++---
 sunrpc/tst-bug22542.c        | 44 +++++++++++++++++++++++++
 sunrpc/tst-bug28768.c        | 42 ++++++++++++++++++++++++
 10 files changed, 227 insertions(+), 13 deletions(-)
 create mode 100644 socket/sockaddr_un_set.c
 create mode 100644 socket/tst-sockaddr_un_set.c
 create mode 100644 sunrpc/tst-bug22542.c
 create mode 100644 sunrpc/tst-bug28768.c

base-commit: 0005e54f762b2ec65cee2c4ecf1e9d42612030f0
-- 
2.34.1
* [PATCH 1/4] socket: Add the __sockaddr_un_set function 2022-01-12 17:00 [PATCH 0/4] Fix two sunrpc buffer overflows Florian Weimer @ 2022-01-12 17:00 ` Florian Weimer 2022-01-12 17:01 ` [PATCH 2/4] sunrpc: Fix buffer overflow in clnt_create for "unix" (bug 22542) Florian Weimer ` (2 subsequent siblings) 3 siblings, 0 replies; 12+ messages in thread From: Florian Weimer @ 2022-01-12 17:00 UTC (permalink / raw) To: libc-alpha; +Cc: Martin Sebor --- include/sys/un.h | 12 +++++++ socket/Makefile | 6 +++- socket/sockaddr_un_set.c | 41 ++++++++++++++++++++++++ socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++ 4 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 socket/sockaddr_un_set.c create mode 100644 socket/tst-sockaddr_un_set.c diff --git a/include/sys/un.h b/include/sys/un.h index bdbee99980..152afd9fc7 100644 --- a/include/sys/un.h +++ b/include/sys/un.h @@ -1 +1,13 @@ #include <socket/sys/un.h> + +#ifndef _ISOMAC + +/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME. + Return 0 on success or -1 on failure (due to overlong PATHNAME). + The caller should always use sizeof (struct sockaddr_un) as the + socket address length, disregaring the length of PATHNAME. + Only concrete (non-abstract) pathnames are supported. */ +int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) + attribute_hidden; + +#endif /* _ISOMAC */ diff --git a/socket/Makefile b/socket/Makefile index 39333e10ca..156eec6c85 100644 --- a/socket/Makefile +++ b/socket/Makefile 
@@ -29,13 +29,17 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \ routines := accept bind connect getpeername getsockname getsockopt \ listen recv recvfrom recvmsg send sendmsg sendto \ setsockopt shutdown socket socketpair isfdtype opensock \ - sockatmark accept4 recvmmsg sendmmsg + sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set tests := \ tst-accept4 \ tst-sockopt \ # tests +tests-internal := \ + tst-sockaddr_un_set \ + # tests-internal + tests-time64 := \ tst-sockopt-time64 \ # tests diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c new file mode 100644 index 0000000000..0bd40dc34e --- /dev/null +++ b/socket/sockaddr_un_set.c 
@@ -0,0 +1,41 @@ +/* Set the sun_path member of struct sockaddr_un. + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/un.h> + +int +__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname) +{ + size_t name_length = strlen (pathname); + + /* The kernel supports names of exactly sizeof (addr->sun_path) + bytes, without a null terminator, but userspace does not; see the + SUN_LEN macro. */ + if (name_length >= sizeof (addr->sun_path)) + { + __set_errno (EINVAL); /* Error code used by the kernel. */ + return -1; + } + + addr->sun_family = AF_UNIX; + memcpy (addr->sun_path, pathname, name_length + 1); + return 0; +} diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c new file mode 100644 index 0000000000..29c2a81afd --- /dev/null +++ b/socket/tst-sockaddr_un_set.c 
@@ -0,0 +1,62 @@ +/* Test the __sockaddr_un_set function. + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +/* Re-compile the function because the version in libc is not + exported. */ +#include "sockaddr_un_set.c" + +#include <support/check.h> + +static int +do_test (void) +{ + struct sockaddr_un sun; + + memset (&sun, 0xcc, sizeof (sun)); + __sockaddr_un_set (&sun, ""); + TEST_COMPARE (sun.sun_family, AF_UNIX); + TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0); + + memset (&sun, 0xcc, sizeof (sun)); + TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0); + TEST_COMPARE_STRING (sun.sun_path, "/example"); + + { + char pathname[108]; /* Length of sun_path (ABI constant). 
*/ + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + memset (&sun, 0xcc, sizeof (sun)); + TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0); + TEST_COMPARE (sun.sun_family, AF_UNIX); + TEST_COMPARE_STRING (sun.sun_path, pathname); + } + + { + char pathname[109]; + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + memset (&sun, 0xcc, sizeof (sun)); + errno = 0; + TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1); + TEST_COMPARE (errno, EINVAL); + } + + return 0; +} + +#include <support/test-driver.c> -- 2.34.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
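Review bot: typo in the new comment in include/sys/un.h: "disregaring" should read "disregarding". While touching that comment, it would help callers to state that the bytes of ADDR after the terminating NUL of sun_path are left untouched, because the same comment tells them to pass sizeof (struct sockaddr_un) as the address length and they may assume the structure is fully initialized.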
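Review bot: __sockaddr_un_set in socket/sockaddr_un_set.c copies only name_length + 1 bytes into sun_path and never clears the rest of *addr, whereas the call sites it replaces later in this series (clnt_gen.c, svc_unix.c) started with a memset of the whole structure. With the documented sizeof (struct sockaddr_un) address length, the kernel therefore receives whatever the caller's stack held after the terminator. That is harmless for a non-empty path, which is read up to the NUL, but the function also accepts an empty pathname (the new test exercises it), and a sun_path starting with NUL is treated by Linux as an abstract-namespace address whose name is exactly those uninitialized trailing bytes. Consider a memset (addr, 0, sizeof (*addr)) before the copy, or rejecting name_length == 0 with EINVAL, so that the "only concrete pathnames" promise in the header comment holds.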
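Review bot: in the first block of do_test in socket/tst-sockaddr_un_set.c the return value of the first __sockaddr_un_set (&sun, "") call is discarded and sun_path is never checked; the second call merely repeats the first. Suggest collapsing it to
  TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
  TEST_COMPARE (sun.sun_family, AF_UNIX);
  TEST_COMPARE_STRING (sun.sun_path, "");
Also, the boundary cases hard-code 108 and 109. A _Static_assert (sizeof (sun.sun_path) == 108, "sun_path ABI size") next to the "ABI constant" comment, or deriving both array sizes from sizeof (sun.sun_path), would make it explicit that the 108-byte case is the largest name accepted and the 109-byte case the smallest one rejected.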
* [PATCH 2/4] sunrpc: Fix buffer overflow in clnt_create for "unix" (bug 22542) 2022-01-12 17:00 [PATCH 0/4] Fix two sunrpc buffer overflows Florian Weimer 2022-01-12 17:00 ` [PATCH 1/4] socket: Add the __sockaddr_un_set function Florian Weimer @ 2022-01-12 17:01 ` Florian Weimer 2022-01-12 17:01 ` [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow " Florian Weimer 2022-01-12 17:01 ` [PATCH 4/4] sunrpc: Fix path buffer overflow in svcunix_create (bug 28768) Florian Weimer 3 siblings, 0 replies; 12+ messages in thread From: Florian Weimer @ 2022-01-12 17:01 UTC (permalink / raw) To: libc-alpha; +Cc: Martin Sebor --- NEWS | 4 +++- sunrpc/clnt_gen.c | 10 +++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index a957b19fdc..c1df8e1a0f 100644 --- a/NEWS +++ b/NEWS @@ -150,7 +150,9 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + Passing an overlong file name to the clnt_create legacy function could + result in a stack-based buffer overflow when using the "unix" + protocol. Reported by Martin Sebor. The following bugs are resolved with this release: diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c index 13ced8994e..b44357cd88 100644 --- a/sunrpc/clnt_gen.c +++ b/sunrpc/clnt_gen.c @@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers, if (strcmp (proto, "unix") == 0) { - memset ((char *)&sun, 0, sizeof (sun)); - sun.sun_family = AF_UNIX; - strcpy (sun.sun_path, hostname); + if (__sockaddr_un_set (&sun, hostname) < 0) + { + struct rpc_createerr *ce = &get_rpc_createerr (); + ce->cf_stat = RPC_SYSTEMERROR; + ce->cf_error.re_errno = errno; + return NULL; + } sock = RPC_ANYSOCK; client = clntunix_create (&sun, prog, vers, &sock, 0, 0); if (client == NULL) -- 2.34.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
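Review bot: the new error path in sunrpc/clnt_gen.c reads errno, so please confirm that clnt_gen.c already includes <errno.h>; the include list is not visible in this hunk. The reporting itself looks right (cf_stat = RPC_SYSTEMERROR with re_errno carrying the EINVAL set by __sockaddr_un_set). The patch has no commit message body, though: a sentence stating that strcpy into the fixed-size sun_path overflowed for hostnames of sizeof (sun.sun_path) bytes or more, and that such names are now rejected through rpc_createerr, would make the history self-explanatory and match the NEWS hunk.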
* [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) 2022-01-12 17:00 [PATCH 0/4] Fix two sunrpc buffer overflows Florian Weimer 2022-01-12 17:00 ` [PATCH 1/4] socket: Add the __sockaddr_un_set function Florian Weimer 2022-01-12 17:01 ` [PATCH 2/4] sunrpc: Fix buffer overflow in clnt_create for "unix" (bug 22542) Florian Weimer @ 2022-01-12 17:01 ` Florian Weimer 2022-01-12 17:01 ` [PATCH 4/4] sunrpc: Fix path buffer overflow in svcunix_create (bug 28768) Florian Weimer 3 siblings, 0 replies; 12+ messages in thread From: Florian Weimer @ 2022-01-12 17:01 UTC (permalink / raw) To: libc-alpha; +Cc: Martin Sebor From: Martin Sebor <msebor@redhat.com> --- sunrpc/Makefile | 5 ++++- sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 sunrpc/tst-bug22542.c diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 9a31fe48b9..183ef3dc55 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,8 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking + tst-udp-nonblocking tst-bug22542 + xtests := tst-getmyaddr ifeq ($(have-thread-library),yes) @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so $(objpfx)tst-udp-garbage: \ $(common-objpfx)linkobj/libc.so $(shared-thread-library) +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so + else # !have-GLIBC_2.31 routines = $(routines-for-nss) diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c new file mode 100644 index 0000000000..d6cd79787b --- /dev/null +++ b/sunrpc/tst-bug22542.c 
@@ -0,0 +1,44 @@ +/* Test to verify that overlong hostname is rejected by clnt_create + and doesn't cause a buffer overflow (bug 22542). + + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <rpc/clnt.h> +#include <string.h> +#include <support/check.h> +#include <sys/socket.h> +#include <sys/un.h> + +static int +do_test (void) +{ + /* Create an arbitrary hostname that's longer than fits in sun_path. */ + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; + memset (name, 'x', sizeof name - 1); + name [sizeof name - 1] = '\0'; + + errno = 0; + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); + + TEST_VERIFY (clnt == NULL); + TEST_COMPARE (errno, EINVAL); + return 0; +} + +#include <support/test-driver.c> -- 2.34.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
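Review bot: sunrpc/tst-bug22542.c checks the failure only through errno, while the clnt_gen.c fix reports it through rpc_createerr (ce->cf_stat = RPC_SYSTEMERROR; ce->cf_error.re_errno = errno). Checking that channel as well, e.g.
  TEST_COMPARE (get_rpc_createerr ().cf_stat, RPC_SYSTEMERROR);
  TEST_COMPARE (get_rpc_createerr ().cf_error.re_errno, EINVAL);
would verify what callers of clnt_create actually consult rather than a side effect on errno. Two nits: "sizeof ((struct sockaddr_un*)0)->sun_path" parses correctly but reads more clearly in GNU style as "sizeof (((struct sockaddr_un *) 0)->sun_path)", and the license URL uses http:// while the other new files in this series use https://.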
* [PATCH 4/4] sunrpc: Fix path buffer overflow in svcunix_create (bug 28768) 2022-01-12 17:00 [PATCH 0/4] Fix two sunrpc buffer overflows Florian Weimer ` (2 preceding siblings ...) 2022-01-12 17:01 ` [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow " Florian Weimer @ 2022-01-12 17:01 ` Florian Weimer 3 siblings, 0 replies; 12+ messages in thread From: Florian Weimer @ 2022-01-12 17:01 UTC (permalink / raw) To: libc-alpha; +Cc: Martin Sebor --- NEWS | 3 +++ sunrpc/Makefile | 2 +- sunrpc/svc_unix.c | 11 ++++------- sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 sunrpc/tst-bug28768.c diff --git a/NEWS b/NEWS index c1df8e1a0f..6a11bf8131 100644 --- a/NEWS +++ b/NEWS @@ -154,6 +154,9 @@ Security related changes: result in a stack-based buffer overflow when using the "unix" protocol. Reported by Martin Sebor. + Passing an overlong file name to the svcunix_create legacy function + could result in a stack-based buffer overflow. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 183ef3dc55..a79a7195fc 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,7 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking tst-bug22542 + tst-udp-nonblocking tst-bug22542 tst-bug28768 xtests := tst-getmyaddr diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index f2280b4c49..67177a2e78 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) SVCXPRT *xprt; struct unix_rendezvous *r; struct sockaddr_un addr; - socklen_t len = sizeof (struct sockaddr_in); + socklen_t len = sizeof (addr); + + if (__sockaddr_un_set (&addr, path) < 0) + return NULL; if (sock == RPC_ANYSOCK) { 
@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) } madesock = TRUE; } - memset (&addr, '\0', sizeof (addr)); - addr.sun_family = AF_UNIX; - len = strlen (path) + 1; - memcpy (addr.sun_path, path, len); - len += sizeof (addr.sun_family); - __bind (sock, (struct sockaddr *) &addr, len); if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c new file mode 100644 index 0000000000..35a4b7b0b3 --- /dev/null +++ b/sunrpc/tst-bug28768.c 
@@ -0,0 +1,42 @@ +/* Test to verify that long path is rejected by svcunix_create (bug 28768). + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <rpc/svc.h> +#include <shlib-compat.h> +#include <string.h> +#include <support/check.h> + +/* svcunix_create does not have a default version in linkobj/libc.so. */ +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); + +static int +do_test (void) +{ + char pathname[109]; + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + + errno = 0; + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); + TEST_COMPARE (errno, EINVAL); + + return 0; +} + +#include <support/test-driver.c> -- 2.34.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
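Review bot: the first sunrpc/svc_unix.c hunk also changes len from sizeof (struct sockaddr_in) to sizeof (addr), which fixes a separate, silent bug (getsockname was told the buffer was only sockaddr_in sized); that deserves a sentence in the commit message, which is otherwise empty. In the second hunk, __bind (sock, (struct sockaddr *) &addr, len) is still called without checking its result (pre-existing), so a failed bind is not reported and execution continues to __getsockname; a follow-up that returns NULL, and closes the socket when madesock is set, would be worthwhile. Since the memset is removed and len is now sizeof (addr), the bytes of addr after the terminator are passed to bind uninitialized, whereas the removed code trimmed len to strlen (path) + 1 + sizeof (addr.sun_family); a memset of addr before the __sockaddr_un_set call would restore the old guarantee.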
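Review bot: sunrpc/tst-bug28768.c declares char pathname[109] with no explanation of the number, while the equivalent case in tst-bug22542.c says in a comment why the name is overlong. Suggest deriving it, e.g. "char pathname[sizeof (((struct sockaddr_un *) 0)->sun_path) + 1];" with #include <sys/un.h> and a comment that this is one byte longer than sun_path, so the intent of the boundary case is visible. Minor: the license URL is http:// where the other new files use https://.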
* [PATCH v2 0/4] CVE-2022-23218, CVE-2022-23219: sunrpc buffer overflows
From: Florian Weimer @ 2022-01-14 8:23 UTC
To: libc-alpha

The first one was reported by Martin Sebor in 2017, but we didn't fix it.
Grepping for sun_path I found another similar one.

v2: Add CVE IDs.

Thanks,
Florian

Florian Weimer (3):
  socket: Add the __sockaddr_un_set function
  CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
  CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)

Martin Sebor (1):
  sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)

 NEWS                         |  7 +++-
 include/sys/un.h             | 12 +++++++
 socket/Makefile              |  6 +++-
 socket/sockaddr_un_set.c     | 41 ++++++++++++++++++++++++
 socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++
 sunrpc/Makefile              |  5 ++-
 sunrpc/clnt_gen.c            | 10 ++++--
 sunrpc/svc_unix.c            | 11 +++---
 sunrpc/tst-bug22542.c        | 44 +++++++++++++++++++++++++
 sunrpc/tst-bug28768.c        | 42 ++++++++++++++++++++++++
 10 files changed, 227 insertions(+), 13 deletions(-)
 create mode 100644 socket/sockaddr_un_set.c
 create mode 100644 socket/tst-sockaddr_un_set.c
 create mode 100644 sunrpc/tst-bug22542.c
 create mode 100644 sunrpc/tst-bug28768.c

base-commit: a78e6a10d0b50d0ca80309775980fc99944b1727
-- 
2.34.1
* [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) 2022-01-14 8:23 [PATCH v2 0/4] CVE-2022-23218, CVE-2022-23219: sunrpc buffer overflows Florian Weimer @ 2022-01-14 8:24 ` Florian Weimer 2022-01-17 3:31 ` Siddhesh Poyarekar 0 siblings, 1 reply; 12+ messages in thread From: Florian Weimer @ 2022-01-14 8:24 UTC (permalink / raw) To: libc-alpha From: Martin Sebor <msebor@redhat.com> --- sunrpc/Makefile | 5 ++++- sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 sunrpc/tst-bug22542.c diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 9a31fe48b9..183ef3dc55 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,8 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking + tst-udp-nonblocking tst-bug22542 + xtests := tst-getmyaddr ifeq ($(have-thread-library),yes) @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so $(objpfx)tst-udp-garbage: \ $(common-objpfx)linkobj/libc.so $(shared-thread-library) +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so + else # !have-GLIBC_2.31 routines = $(routines-for-nss) diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c new file mode 100644 index 0000000000..d6cd79787b --- /dev/null +++ b/sunrpc/tst-bug22542.c 
@@ -0,0 +1,44 @@ +/* Test to verify that overlong hostname is rejected by clnt_create + and doesn't cause a buffer overflow (bug 22542). + + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <rpc/clnt.h> +#include <string.h> +#include <support/check.h> +#include <sys/socket.h> +#include <sys/un.h> + +static int +do_test (void) +{ + /* Create an arbitrary hostname that's longer than fits in sun_path. */ + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; + memset (name, 'x', sizeof name - 1); + name [sizeof name - 1] = '\0'; + + errno = 0; + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); + + TEST_VERIFY (clnt == NULL); + TEST_COMPARE (errno, EINVAL); + return 0; +} + +#include <support/test-driver.c> -- 2.34.1 ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) 2022-01-14 8:24 ` [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) Florian Weimer @ 2022-01-17 3:31 ` Siddhesh Poyarekar 2022-01-17 3:35 ` Siddhesh Poyarekar 0 siblings, 1 reply; 12+ messages in thread From: Siddhesh Poyarekar @ 2022-01-17 3:31 UTC (permalink / raw) To: Florian Weimer, libc-alpha On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote: > From: Martin Sebor <msebor@redhat.com> > > --- > sunrpc/Makefile | 5 ++++- > sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 48 insertions(+), 1 deletion(-) > create mode 100644 sunrpc/tst-bug22542.c LGTM. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > > diff --git a/sunrpc/Makefile b/sunrpc/Makefile > index 9a31fe48b9..183ef3dc55 100644 > --- a/sunrpc/Makefile > +++ b/sunrpc/Makefile > @@ -65,7 +65,8 @@ shared-only-routines = $(routines) > endif > > tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ > - tst-udp-nonblocking > + tst-udp-nonblocking tst-bug22542 > + > xtests := tst-getmyaddr > > ifeq ($(have-thread-library),yes) > @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so > $(objpfx)tst-udp-garbage: \ > $(common-objpfx)linkobj/libc.so $(shared-thread-library) > > +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so > + > else # !have-GLIBC_2.31 > > routines = $(routines-for-nss) > diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c > new file mode 100644 > index 0000000000..d6cd79787b > --- /dev/null > +++ b/sunrpc/tst-bug22542.c 
> @@ -0,0 +1,44 @@ > +/* Test to verify that overlong hostname is rejected by clnt_create > + and doesn't cause a buffer overflow (bug 22542). > + > + Copyright (C) 2022 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + <http://www.gnu.org/licenses/>. */ > + > +#include <errno.h> > +#include <rpc/clnt.h> > +#include <string.h> > +#include <support/check.h> > +#include <sys/socket.h> > +#include <sys/un.h> > + > +static int > +do_test (void) > +{ > + /* Create an arbitrary hostname that's longer than fits in sun_path. */ > + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; > + memset (name, 'x', sizeof name - 1); > + name [sizeof name - 1] = '\0'; > + > + errno = 0; > + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); > + > + TEST_VERIFY (clnt == NULL); > + TEST_COMPARE (errno, EINVAL); > + return 0; > +} > + > +#include <support/test-driver.c> ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) 2022-01-17 3:31 ` Siddhesh Poyarekar @ 2022-01-17 3:35 ` Siddhesh Poyarekar 2022-01-17 9:15 ` Florian Weimer 0 siblings, 1 reply; 12+ messages in thread From: Siddhesh Poyarekar @ 2022-01-17 3:35 UTC (permalink / raw) To: Florian Weimer, libc-alpha On 17/01/2022 09:01, Siddhesh Poyarekar wrote: > On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote: >> From: Martin Sebor <msebor@redhat.com> >> >> --- >> sunrpc/Makefile | 5 ++++- >> sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ >> 2 files changed, 48 insertions(+), 1 deletion(-) >> create mode 100644 sunrpc/tst-bug22542.c > > LGTM. > > Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> Oh wait... > >> >> diff --git a/sunrpc/Makefile b/sunrpc/Makefile >> index 9a31fe48b9..183ef3dc55 100644 >> --- a/sunrpc/Makefile >> +++ b/sunrpc/Makefile >> @@ -65,7 +65,8 @@ shared-only-routines = $(routines) >> endif >> tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error >> tst-udp-timeout \ >> - tst-udp-nonblocking >> + tst-udp-nonblocking tst-bug22542 >> + >> xtests := tst-getmyaddr >> ifeq ($(have-thread-library),yes) >> @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: >> $(common-objpfx)linkobj/libc.so >> $(objpfx)tst-udp-garbage: \ >> $(common-objpfx)linkobj/libc.so $(shared-thread-library) >> +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so >> + >> else # !have-GLIBC_2.31 >> routines = $(routines-for-nss) >> diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c >> new file mode 100644 >> index 0000000000..d6cd79787b >> --- /dev/null >> +++ b/sunrpc/tst-bug22542.c 
>> @@ -0,0 +1,44 @@ >> +/* Test to verify that overlong hostname is rejected by clnt_create >> + and doesn't cause a buffer overflow (bug 22542). >> + >> + Copyright (C) 2022 Free Software Foundation, Inc. >> + This file is part of the GNU C Library. >> + >> + The GNU C Library is free software; you can redistribute it and/or >> + modify it under the terms of the GNU Lesser General Public >> + License as published by the Free Software Foundation; either >> + version 2.1 of the License, or (at your option) any later version. >> + >> + The GNU C Library is distributed in the hope that it will be useful, >> + but WITHOUT ANY WARRANTY; without even the implied warranty of >> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >> + Lesser General Public License for more details. >> + >> + You should have received a copy of the GNU Lesser General Public >> + License along with the GNU C Library; if not, see >> + <http://www.gnu.org/licenses/>. */ >> + >> +#include <errno.h> >> +#include <rpc/clnt.h> >> +#include <string.h> >> +#include <support/check.h> >> +#include <sys/socket.h> >> +#include <sys/un.h> >> + >> +static int >> +do_test (void) >> +{ >> + /* Create an arbitrary hostname that's longer than fits in >> sun_path. */ >> + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; >> + memset (name, 'x', sizeof name - 1); >> + name [sizeof name - 1] = '\0'; >> + >> + errno = 0; >> + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); Does this link? clnt_create doesn't have a default version in libc.so AFAICT. >> + >> + TEST_VERIFY (clnt == NULL); >> + TEST_COMPARE (errno, EINVAL); >> + return 0; >> +} >> + >> +#include <support/test-driver.c> > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542) 2022-01-17 3:35 ` Siddhesh Poyarekar @ 2022-01-17 9:15 ` Florian Weimer 2022-01-17 9:30 ` Siddhesh Poyarekar 0 siblings, 1 reply; 12+ messages in thread From: Florian Weimer @ 2022-01-17 9:15 UTC (permalink / raw) To: Siddhesh Poyarekar; +Cc: libc-alpha * Siddhesh Poyarekar: > On 17/01/2022 09:01, Siddhesh Poyarekar wrote: >> On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote: >>> From: Martin Sebor <msebor@redhat.com> >>> >>> --- >>> sunrpc/Makefile | 5 ++++- >>> sunrpc/tst-bug22542.c | 44 +++++++++++++++++++++++++++++++++++++++++++ >>> 2 files changed, 48 insertions(+), 1 deletion(-) >>> create mode 100644 sunrpc/tst-bug22542.c >> LGTM. >> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > > Oh wait... > >> >>> >>> diff --git a/sunrpc/Makefile b/sunrpc/Makefile >>> index 9a31fe48b9..183ef3dc55 100644 >>> --- a/sunrpc/Makefile >>> +++ b/sunrpc/Makefile >>> @@ -65,7 +65,8 @@ shared-only-routines = $(routines) >>> endif >>> tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error >>> tst-udp-timeout \ >>> - tst-udp-nonblocking >>> + tst-udp-nonblocking tst-bug22542 >>> + >>> xtests := tst-getmyaddr >>> ifeq ($(have-thread-library),yes) >>> @@ -110,6 +111,8 @@ $(objpfx)tst-udp-nonblocking: >>> $(common-objpfx)linkobj/libc.so >>> $(objpfx)tst-udp-garbage: \ >>> $(common-objpfx)linkobj/libc.so $(shared-thread-library) >>> +$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so >>> + >>> else # !have-GLIBC_2.31 >>> routines = $(routines-for-nss) >>> diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c >>> new file mode 100644 >>> index 0000000000..d6cd79787b >>> --- /dev/null >>> +++ b/sunrpc/tst-bug22542.c 
>>> @@ -0,0 +1,44 @@ >>> +/* Test to verify that overlong hostname is rejected by clnt_create >>> + and doesn't cause a buffer overflow (bug 22542). >>> + >>> + Copyright (C) 2022 Free Software Foundation, Inc. >>> + This file is part of the GNU C Library. >>> + >>> + The GNU C Library is free software; you can redistribute it and/or >>> + modify it under the terms of the GNU Lesser General Public >>> + License as published by the Free Software Foundation; either >>> + version 2.1 of the License, or (at your option) any later version. >>> + >>> + The GNU C Library is distributed in the hope that it will be useful, >>> + but WITHOUT ANY WARRANTY; without even the implied warranty of >>> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> + Lesser General Public License for more details. >>> + >>> + You should have received a copy of the GNU Lesser General Public >>> + License along with the GNU C Library; if not, see >>> + <http://www.gnu.org/licenses/>. */ >>> + >>> +#include <errno.h> >>> +#include <rpc/clnt.h> >>> +#include <string.h> >>> +#include <support/check.h> >>> +#include <sys/socket.h> >>> +#include <sys/un.h> >>> + >>> +static int >>> +do_test (void) >>> +{ >>> + /* Create an arbitrary hostname that's longer than fits in >>> sun_path. */ >>> + char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2]; >>> + memset (name, 'x', sizeof name - 1); >>> + name [sizeof name - 1] = '\0'; >>> + >>> + errno = 0; >>> + CLIENT *clnt = clnt_create (name, 0, 0, "unix"); > > Does this link? clnt_create doesn't have a default version in libc.so > AFAICT. It has in linkobj/libc.so: $ eu-readelf --symbols=.dynsym linkobj/libc.so | grep clnt_create 3126: 000387a0 465 FUNC GLOBAL DEFAULT 14 clnt_create@@GLIBC_2.0 Thanks, Florian ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
From: Siddhesh Poyarekar @ 2022-01-17 9:30 UTC
To: Florian Weimer; +Cc: libc-alpha

On 17/01/2022 14:45, Florian Weimer wrote:
> It has in linkobj/libc.so:
>
> $ eu-readelf --symbols=.dynsym linkobj/libc.so | grep clnt_create
> 3126: 000387a0 465 FUNC GLOBAL DEFAULT 14 clnt_create@@GLIBC_2.0

That's weird, shouldn't it be non-default given that it is deprecated?
Why is it needed for internal linking? For tests?

Siddhesh
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
From: Florian Weimer @ 2022-01-17 9:32 UTC
To: Siddhesh Poyarekar; +Cc: libc-alpha

* Siddhesh Poyarekar:

> On 17/01/2022 14:45, Florian Weimer wrote:
>> It has in linkobj/libc.so:
>> $ eu-readelf --symbols=.dynsym linkobj/libc.so | grep clnt_create
>> 3126: 000387a0 465 FUNC GLOBAL DEFAULT 14 clnt_create@@GLIBC_2.0
>
> That's weird, shouldn't it be non-default given that it is deprecated?
> Why is it needed for internal linking? For tests?

Yes. linkobj/libc.so and libc.so are different. It's a compatibility
symbol in libc.so.

Thanks,
Florian
* Re: [PATCH 3/4] sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
From: Siddhesh Poyarekar @ 2022-01-17 9:42 UTC
To: Florian Weimer; +Cc: libc-alpha

On 17/01/2022 15:02, Florian Weimer wrote:
> * Siddhesh Poyarekar:
>
>> On 17/01/2022 14:45, Florian Weimer wrote:
>>> It has in linkobj/libc.so:
>>> $ eu-readelf --symbols=.dynsym linkobj/libc.so | grep clnt_create
>>> 3126: 000387a0 465 FUNC GLOBAL DEFAULT 14 clnt_create@@GLIBC_2.0
>>
>> That's weird, shouldn't it be non-default given that it is deprecated?
>> Why is it needed for internal linking? For tests?
>
> Yes. linkobj/libc.so and libc.so are different. It's a compatibility
> symbol in libc.so.

OK then.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>