sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]

After commit bc779a1a5b
(CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
[BZ #20112]), ancillary data is stored on the heap,
but it is accessed after it has been freed.

The test case must be run under a heap debugger such as valgrind
to observe the invalid access.  A malloc implementation which
immediately calls munmap on free would catch this bug as well.
This commit is contained in:
Florian Weimer 2017-02-27 19:05:13 +01:00
parent 963394a22b
commit d42eed4a04
4 changed files with 73 additions and 2 deletions

View File

@ -1,3 +1,11 @@
2017-02-27 Florian Weimer <fweimer@redhat.com>
[BZ #21115]
* sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later.
* sunrpc/Makefile (tests): Add tst-udp-error.
(tst-udp-error): Link against libc.so explicitly.
* sunrpc/tst-udp-error: New file.
2017-02-25 Zack Weinberg <zackw@panix.com>
* sysdeps/generic/math_private.h: Use __BIG_ENDIAN and

View File

@ -93,7 +93,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \
extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs))
others += rpcgen
tests = tst-xdrmem tst-xdrmem2 test-rpcent
tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error
xtests := tst-getmyaddr
ifeq ($(have-thread-library),yes)
@ -155,6 +155,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS)
$(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so
$(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so
$(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so
$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so
$(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs))

View File

@ -421,9 +421,9 @@ send_again:
cmsg = CMSG_NXTHDR (&msg, cmsg))
if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
{
free (cbuf);
e = (struct sock_extended_err *) CMSG_DATA(cmsg);
cu->cu_error.re_errno = e->ee_errno;
free (cbuf);
return (cu->cu_error.re_status = RPC_CANTRECV);
}
free (cbuf);

62
sunrpc/tst-udp-error.c Normal file
View File

@ -0,0 +1,62 @@
/* Check for use-after-free in clntudp_call (bug 21115).
Copyright (C) 2017 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <netinet/in.h>
#include <rpc/clnt.h>
#include <rpc/svc.h>
#include <support/check.h>
#include <support/namespace.h>
#include <support/xsocket.h>
#include <unistd.h>
static int
do_test (void)
{
support_become_root ();
support_enter_network_namespace ();
/* Obtain a likely-unused port number. */
struct sockaddr_in sin =
{
.sin_family = AF_INET,
.sin_addr.s_addr = htonl (INADDR_LOOPBACK),
};
{
int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0);
xbind (fd, (struct sockaddr *) &sin, sizeof (sin));
socklen_t sinlen = sizeof (sin);
xgetsockname (fd, (struct sockaddr *) &sin, &sinlen);
/* Close the socket, so that we will receive an error below. */
close (fd);
}
int sock = RPC_ANYSOCK;
CLIENT *clnt = clntudp_create
(&sin, 1, 2, (struct timeval) { 1, 0 }, &sock);
TEST_VERIFY_EXIT (clnt != NULL);
TEST_VERIFY (clnt_call (clnt, 3,
(xdrproc_t) xdr_void, NULL,
(xdrproc_t) xdr_void, NULL,
((struct timeval) { 3, 0 }))
== RPC_CANTRECV);
clnt_destroy (clnt);
return 0;
}
#include <support/test-driver.c>