From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <aurelien@aurel32.net>
Received: from hall.aurel32.net (hall.aurel32.net [IPv6:2001:bc8:30d7:100::1])
 by sourceware.org (Postfix) with ESMTPS id 810813858D39;
 Tue, 18 Jan 2022 20:13:43 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 810813858D39
Authentication-Results: sourceware.org;
 dmarc=none (p=none dis=none) header.from=aurel32.net
Authentication-Results: sourceware.org; spf=none smtp.mailfrom=aurel32.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=aurel32.net
 ; s=202004.hall;
 h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Content-Type:From:Reply-To:
 Subject:Content-ID:Content-Description:X-Debbugs-Cc;
 bh=e1/bhDFPhicjoLc4mNv+qtuvEoVx73gYpnZE1TOMO0U=; b=LFUnhPFcIOUWNip4yVU+PwckYL
 QHE8lHT9kjY5IOeKXXD6MvpSo/YhBvAl+Q3+Hq8GWPd0+TGRJWMhs9MIB659aDHUKIGS874Cp/kj5
 QfW+0XiBuKzQ2vO4f5tW6zJPedQmxow6Xa391SzG4lnQlbOoeGZWHbflkev6ifwdyoXYDTAJHExld
 irWg5s+MkmXghBd44AqagI4aZOCQ6vD79+aRML3pxaK+cDH33xCXYz5HaD+oKX1bRnMeWZ1Hn7nM4
 p+1rJxrjPc1nTbL9GEm8RZmjQRIERH2tu+sCHKf3F2bnWMDesuEx55l4eNPL9ndiS4BwfLPY4XxU7
 XjnTi0dA==;
Received: from [2a01:e34:ec5d:a741:8a4c:7c4e:dc4c:1787] (helo=ohm.rr44.fr)
 by hall.aurel32.net with esmtpsa (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <aurelien@aurel32.net>)
 id 1n9urN-00BAJN-Vi; Tue, 18 Jan 2022 21:13:41 +0100
Received: from aurel32 by ohm.rr44.fr with local (Exim 4.95)
 (envelope-from <aurelien@aurel32.net>) id 1n9urN-004ZIo-IW;
 Tue, 18 Jan 2022 21:13:41 +0100
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-stable@sourceware.org
Cc: Florian Weimer <fweimer@redhat.com>,
 Siddhesh Poyarekar <siddhesh@sourceware.org>
Subject: [COMMITTED 2.31 2/3] CVE-2022-23219: Buffer overflow in sunrpc
 clnt_create for "unix" (bug 22542)
Date: Tue, 18 Jan 2022 21:13:34 +0100
Message-Id: <20220118201335.1088166-2-aurelien@aurel32.net>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220118201335.1088166-1-aurelien@aurel32.net>
References: <20220118201335.1088166-1-aurelien@aurel32.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-13.0 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, SPF_HELO_PASS, SPF_NONE,
 TXREP autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: libc-stable@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-stable mailing list <libc-stable.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-stable/>
List-Help: <mailto:libc-stable-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-stable>,
 <mailto:libc-stable-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 20:13:45 -0000

From: Florian Weimer <fweimer@redhat.com>

Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 226b46770c82899b555986583294b049c6ec9b40)
---
 NEWS              |  5 +++++
 sunrpc/clnt_gen.c | 10 +++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 4d52ccfaa0..ba7b0cc511 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ The following bugs are resolved with this release:
     (CVE-2016-10228)
   [20019] NULL pointer dereference in libc.so.6 IFUNC due to uninitialized GOT
   [20543] Please move from .gnu.linkonce to comdat
+  [22542] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix"
   [23296] Data race in setting function descriptor during lazy binding
   [24973] iconv encounters segmentation fault when converting 0x00 0xfe in
     EUC-KR to UTF-8 (CVE-2019-25013)
@@ -67,6 +68,10 @@ Security related changes:
 
   CVE-2020-29562: An assertion failure has been fixed in the iconv function
   when invoked with UCS4 input containing an invalid character.
+
+  CVE-2022-23219: Passing an overlong file name to the clnt_create
+  legacy function could result in a stack-based buffer overflow when
+  using the "unix" protocol.  Reported by Martin Sebor.
 
 Version 2.31
 
diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
index 13ced8994e..b44357cd88 100644
--- a/sunrpc/clnt_gen.c
+++ b/sunrpc/clnt_gen.c
@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
 
   if (strcmp (proto, "unix") == 0)
     {
-      memset ((char *)&sun, 0, sizeof (sun));
-      sun.sun_family = AF_UNIX;
-      strcpy (sun.sun_path, hostname);
+      if (__sockaddr_un_set (&sun, hostname) < 0)
+	{
+	  struct rpc_createerr *ce = &get_rpc_createerr ();
+	  ce->cf_stat = RPC_SYSTEMERROR;
+	  ce->cf_error.re_errno = errno;
+	  return NULL;
+	}
       sock = RPC_ANYSOCK;
       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
       if (client == NULL)
-- 
2.34.1