From patchwork Wed Nov 5 01:07:52 2014
X-Patchwork-Submitter: Brad Hubbard
X-Patchwork-Id: 406850
Message-ID: <54597868.3060408@redhat.com>
Date: Wed, 05 Nov 2014 11:07:52 +1000
From: Brad Hubbard
Reply-To: bhubbard@redhat.com
To: libc-alpha@sourceware.org
Subject: [PATCH] [BZ 17542] sunrpc: conditional jump depends on uninitialised value in svc_getreq_common

If xports is NULL in xprt_register we malloc it, but if sock > _rpc_dtablesize() that memory does not get initialised and may in theory contain any value. Later we make a conditional jump in svc_getreq_common based on the uninitialised memory, and this caused a general protection fault in rpc.statd on an older version of glibc, but this code has not changed since that version.

Following is the valgrind warning:

==26802== Conditional jump or move depends on uninitialised value(s)
==26802==    at 0x5343A25: svc_getreq_common (in /lib64/libc-2.5.so)
==26802==    by 0x534357B: svc_getreqset (in /lib64/libc-2.5.so)
==26802==    by 0x10DE1F: ??? (in /sbin/rpc.statd)
==26802==    by 0x10D0EF: main (in /sbin/rpc.statd)
==26802==  Uninitialised value was created by a heap allocation
==26802==    at 0x4C2210C: malloc (vg_replace_malloc.c:195)
==26802==    by 0x53438BE: xprt_register (in /lib64/libc-2.5.so)
==26802==    by 0x53450DF: svcudp_bufcreate (in /lib64/libc-2.5.so)
==26802==    by 0x10FE32: ??? (in /sbin/rpc.statd)
==26802==    by 0x10D13E: main (in /sbin/rpc.statd)

I believe the solution here is to change the malloc call to a calloc call, and the attached patch does that. The GPF could not be reproduced with the patched glibc.

2014-11-05  Brad Hubbard

	* sunrpc/svc.c: Resolve uninitialised xports in xprt_register

---
 sunrpc/svc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sunrpc/svc.c b/sunrpc/svc.c
index ccf0902..30c3a93 100644
--- a/sunrpc/svc.c
+++ b/sunrpc/svc.c
@@ -97,8 +97,8 @@ xprt_register (SVCXPRT *xprt) if (xports == NULL) { - xports = (SVCXPRT **) malloc (_rpc_dtablesize () * sizeof (SVCXPRT *)); - if (xports == NULL) /* DonĀ“t add handle */ + xports = (SVCXPRT **) calloc (_rpc_dtablesize (), sizeof (SVCXPRT *)); + if (xports == NULL) /* Don't add handle */ return; }
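Review bot: the second changed line in this hunk only rewrites the "Don't add handle" comment (replacing a non-ASCII apostrophe) and is unrelated to the malloc-to-calloc fix; either split it into its own cleanup or mention it in the ChangeLog entry, which should also carry the "[BZ #17542]" tag and name the function in GNU style, e.g. "* sunrpc/svc.c (xprt_register): Use calloc instead of malloc so that unused xports slots are NULL." The calloc call itself is correct: the element count _rpc_dtablesize () and the element size sizeof (SVCXPRT *) are in the expected order, and the zero-filling is what makes the later NULL check in svc_getreq_common, which the description refers to, well-defined for descriptors that were never registered.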