From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <aurelien@aurel32.net>
Received: from hall.aurel32.net (hall.aurel32.net [IPv6:2001:bc8:30d7:100::1])
 by sourceware.org (Postfix) with ESMTPS id 3E3723858019;
 Tue, 18 Jan 2022 06:49:32 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 3E3723858019
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=aurel32.net
Authentication-Results: sourceware.org; spf=none smtp.mailfrom=aurel32.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net
 ; s=202004.hall;
 h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Content-Type:From:Reply-To:
 Subject:Content-ID:Content-Description:X-Debbugs-Cc;
 bh=isEd/O8tqX/7aK9JweQ4WHfuxb4gtnnjdNuzZFbx5ZE=; b=K+AIHyVdE2FMwerLSVlluA8kpM
 5iVShFMZYKvog7RI6IUCa0O6XvO40Jo72cB+4P6TBh7N6YnmEpVJxl7GnbXlUHJnxh1+cFIoB7Bh5
 oeC+8KZgYYJlx237/Ht3RjJOHwggVFxoNZiGQi0iDkQeeqBW7K6cLiWucmyFQINoThae/gGz1lPze
 8yvS0fR7M5aF3lWSpyFERH88PZjHG9rRYnREMqMUJP+8Tw2xtrYXo8zgEEgwiR4pcvjTZzRz0YcT+
 sVena0mp6i3KU2o0oE7A3+GF4oSZ2x+BIh1J4tGWYw/avzqnExbBVo8BXkrpLVdhcbG0CnLvNMN1j
 4EPN2LZQ==;
Received: from [2a01:e34:ec5d:a741:8a4c:7c4e:dc4c:1787] (helo=ohm.rr44.fr)
 by hall.aurel32.net with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <aurelien@aurel32.net>)
 id 1n9iJ9-00AmHr-5Q; Tue, 18 Jan 2022 07:49:31 +0100
Received: from aurel32 by ohm.rr44.fr with local (Exim 4.95)
 (envelope-from <aurelien@aurel32.net>) id 1n9iJ8-004ryM-Pj;
 Tue, 18 Jan 2022 07:49:30 +0100
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-stable@sourceware.org
Cc: Florian Weimer <fweimer@redhat.com>,
 Siddhesh Poyarekar <siddhesh@sourceware.org>
Subject: [COMMITTED 2.33 2/3] CVE-2022-23219: Buffer overflow in sunrpc
 clnt_create for "unix" (bug 22542)
Date: Tue, 18 Jan 2022 07:49:25 +0100
Message-Id: <20220118064926.1160592-2-aurelien@aurel32.net>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220118064926.1160592-1-aurelien@aurel32.net>
References: <20220118064926.1160592-1-aurelien@aurel32.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-13.1 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, SPF_HELO_PASS, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list <libc-stable.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-stable/>
List-Help: <mailto:libc-stable-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 06:49:33 -0000

From: Florian Weimer <fweimer@redhat.com>

Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 226b46770c82899b555986583294b049c6ec9b40)
---
 NEWS              |  5 +++++
 sunrpc/clnt_gen.c | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 6e4221ca86..71bc4932a0 100644
--- a/NEWS
+++ b/NEWS
@@ -19,10 +19,15 @@ Security related changes:
   issue when using a notification type of SIGEV_THREAD and a thread
   attribute with a non-default affinity mask.
 
+  CVE-2022-23219: Passing an overlong file name to the clnt_create
+  legacy function could result in a stack-based buffer overflow when
+  using the "unix" protocol.  Reported by Martin Sebor.
+
 The following bugs are resolved with this release:
 
   [15271] dlfcn function failure after dlmopen terminates process
   [18435] pthread_once hangs when init routine throws an exception
+  [22542] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix"
   [23462] Static binary with dynamic string tokens ($LIB, $PLATFORM, $ORIGIN)
     crashes
   [27304] pthread_cond_destroy does not pass private flag to futex system calls
diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
index 13ced8994e..b44357cd88 100644
--- a/sunrpc/clnt_gen.c
+++ b/sunrpc/clnt_gen.c
@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
 
   if (strcmp (proto, "unix") == 0)
     {
-      memset ((char *)&sun, 0, sizeof (sun));
-      sun.sun_family = AF_UNIX;
-      strcpy (sun.sun_path, hostname);
+      if (__sockaddr_un_set (&sun, hostname) < 0)
+	{
+	  struct rpc_createerr *ce = &get_rpc_createerr ();
+	  ce->cf_stat = RPC_SYSTEMERROR;
+	  ce->cf_error.re_errno = errno;
+	  return NULL;
+	}
       sock = RPC_ANYSOCK;
       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
       if (client == NULL)
-- 
2.34.1