Message ID | 4e87feed87235e9143778454147e04469a1e7380.1642148513.git.fweimer@redhat.com |
---|---|
State | New |
Headers | show |
Series | CVE-2022-23218, CVE-2022-23219: sunrpc buffer overflows | expand |
On 14/01/2022 13:54, Florian Weimer via Libc-alpha wrote: > The sunrpc function svcunix_create suffers from a stack-based buffer > overflow with overlong pathname arguments. > --- > NEWS | 3 +++ > sunrpc/Makefile | 2 +- > sunrpc/svc_unix.c | 11 ++++------- > sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 50 insertions(+), 8 deletions(-) > create mode 100644 sunrpc/tst-bug28768.c > LGTM. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > diff --git a/NEWS b/NEWS > index 94248b580d..85ec7e4c6a 100644 > --- a/NEWS > +++ b/NEWS > @@ -154,6 +154,9 @@ Security related changes: > legacy function could result in a stack-based buffer overflow when > using the "unix" protocol. Reported by Martin Sebor. > > + CVE-2022-23218: Passing an overlong file name to the svcunix_create > + legacy function could result in a stack-based buffer overflow. > + > The following bugs are resolved with this release: > > [The release manager will add the list generated by > diff --git a/sunrpc/Makefile b/sunrpc/Makefile > index 183ef3dc55..a79a7195fc 100644 > --- a/sunrpc/Makefile > +++ b/sunrpc/Makefile > @@ -65,7 +65,7 @@ shared-only-routines = $(routines) > endif > > tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ > - tst-udp-nonblocking tst-bug22542 > + tst-udp-nonblocking tst-bug22542 tst-bug28768 > > xtests := tst-getmyaddr > > diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c > index f2280b4c49..67177a2e78 100644 > --- a/sunrpc/svc_unix.c > +++ b/sunrpc/svc_unix.c > @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) > SVCXPRT *xprt; > struct unix_rendezvous *r; > struct sockaddr_un addr; > - socklen_t len = sizeof (struct sockaddr_in); > + socklen_t len = sizeof (addr); > + > + if (__sockaddr_un_set (&addr, path) < 0) > + return NULL; > > if (sock == RPC_ANYSOCK) > { > @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) > } > madesock = TRUE; > } > - memset (&addr, '\0', sizeof (addr)); > - addr.sun_family = AF_UNIX; > - len = strlen (path) + 1; > - memcpy (addr.sun_path, path, len); > - len += sizeof (addr.sun_family); > - > __bind (sock, (struct sockaddr *) &addr, len); > > if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 > diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c > new file mode 100644 > index 0000000000..35a4b7b0b3 > --- /dev/null > +++ b/sunrpc/tst-bug28768.c > @@ -0,0 +1,42 @@ > +/* Test to verify that long path is rejected by svcunix_create (bug 28768). > + Copyright (C) 2022 Free Software Foundation, Inc. > + This file is part of the GNU C Library. > + > + The GNU C Library is free software; you can redistribute it and/or > + modify it under the terms of the GNU Lesser General Public > + License as published by the Free Software Foundation; either > + version 2.1 of the License, or (at your option) any later version. > + > + The GNU C Library is distributed in the hope that it will be useful, > + but WITHOUT ANY WARRANTY; without even the implied warranty of > + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > + Lesser General Public License for more details. > + > + You should have received a copy of the GNU Lesser General Public > + License along with the GNU C Library; if not, see > + <http://www.gnu.org/licenses/>. */ > + > +#include <errno.h> > +#include <rpc/svc.h> > +#include <shlib-compat.h> > +#include <string.h> > +#include <support/check.h> > + > +/* svcunix_create does not have a default version in linkobj/libc.so. */ > +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); > + > +static int > +do_test (void) > +{ > + char pathname[109]; > + memset (pathname, 'x', sizeof (pathname)); > + pathname[sizeof (pathname) - 1] = '\0'; > + > + errno = 0; > + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); > + TEST_COMPARE (errno, EINVAL); > + > + return 0; > +} > + > +#include <support/test-driver.c>
diff --git a/NEWS b/NEWS index 94248b580d..85ec7e4c6a 100644 --- a/NEWS +++ b/NEWS @@ -154,6 +154,9 @@ Security related changes: legacy function could result in a stack-based buffer overflow when using the "unix" protocol. Reported by Martin Sebor. + CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 183ef3dc55..a79a7195fc 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,7 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking tst-bug22542 + tst-udp-nonblocking tst-bug22542 tst-bug28768 xtests := tst-getmyaddr diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index f2280b4c49..67177a2e78 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) SVCXPRT *xprt; struct unix_rendezvous *r; struct sockaddr_un addr; - socklen_t len = sizeof (struct sockaddr_in); + socklen_t len = sizeof (addr); + + if (__sockaddr_un_set (&addr, path) < 0) + return NULL; if (sock == RPC_ANYSOCK) { @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) } madesock = TRUE; } - memset (&addr, '\0', sizeof (addr)); - addr.sun_family = AF_UNIX; - len = strlen (path) + 1; - memcpy (addr.sun_path, path, len); - len += sizeof (addr.sun_family); - __bind (sock, (struct sockaddr *) &addr, len); if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c new file mode 100644 index 0000000000..35a4b7b0b3 --- /dev/null +++ b/sunrpc/tst-bug28768.c @@ -0,0 +1,42 @@ +/* Test to verify that long path is rejected by svcunix_create (bug 28768). + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <rpc/svc.h> +#include <shlib-compat.h> +#include <string.h> +#include <support/check.h> + +/* svcunix_create does not have a default version in linkobj/libc.so. */ +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); + +static int +do_test (void) +{ + char pathname[109]; + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + + errno = 0; + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); + TEST_COMPARE (errno, EINVAL); + + return 0; +} + +#include <support/test-driver.c>