diff options
Diffstat (limited to 'poky/meta/recipes-extended/rpcbind')
8 files changed, 526 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch b/poky/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch new file mode 100644 index 000000000..bf7aaef5a --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch @@ -0,0 +1,221 @@ +From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001 +From: Doran Moppert <dmoppert@redhat.com> +Date: Thu, 11 May 2017 11:42:54 -0400 +Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to + avoid memory leak + +This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed +at [1], [2], [3]. The last link suggests this issue is actually a bug +in rpcbind, which led me here. + +The leak caused by the reproducer at [4] appears to come from +rpcb_service_4(), in the case where svc_getargs() returns false and the +function had an early return, rather than passing through the cleanup +path at done:, as would otherwise occur. + +It also addresses a couple of other locations where the same fault seems +to exist, though I haven't been able to exercise those. I hope someone +more intimate with rpc(3) can confirm my understanding is correct, and +that I haven't introduced any new bugs. + +Without this patch, using the reproducer (and variants) repeatedly +against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof +rpcbind)/status reports VmSize increase of 976564 kB each call, and +VmRSS increase of around 260 kB every 33 calls - the specific numbers +are probably an artifact of my rhel/glibc version. With the patch, +there is a small (~50 kB) VmSize increase with the first message, but +thereafter both VmSize and VmRSS remain steady. + +[1]: http://seclists.org/oss-sec/2017/q2/209 +[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124 +[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html +[4]: https://github.com/guidovranken/rpcbomb/ + + +CVE: CVE-2017-8779 +Upstream-Status: Backport + +Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> +--- + src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--------- + src/rpcb_svc.c | 2 +- + src/rpcb_svc_4.c | 2 +- + src/rpcb_svc_com.c | 8 ++++++++ + 4 files changed, 57 insertions(+), 11 deletions(-) + +diff --git a/src/pmap_svc.c b/src/pmap_svc.c +index 4c744fe..e926cdc 100644 +--- a/src/pmap_svc.c ++++ b/src/pmap_svc.c +@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + long ans; + uid_t uid; + char uidbuf[32]; ++ int rc = TRUE; + + /* + * Can't use getpwnam here. We might end up calling ourselves +@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + + if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + #ifdef RPCBIND_DEBUG + if (debugging) +@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + + if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); +- return (FALSE); ++ rc = (FALSE); ++ goto done; + } + + rpcbreg.r_prog = reg.pm_prog; +@@ -258,7 +261,16 @@ done_change: + rpcbs_set(RPCBVERS_2_STAT, ans); + else + rpcbs_unset(RPCBVERS_2_STAT, ans); +- return (TRUE); ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++ if (debugging) { ++ /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + /* ARGSUSED */ +@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + #ifdef RPCBIND_DEBUG + char *uaddr; + #endif ++ int rc = TRUE; + + if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + + if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); +- return FALSE; ++ rc = FALSE; ++ goto done; + } + + #ifdef RPCBIND_DEBUG +@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>", + port ? udptrans : ""); + +- return (TRUE); ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++ if (debugging) { ++ /* (void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + /* ARGSUSED */ + static bool_t + pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + { ++ int rc = TRUE; ++ + if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + + if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) { + svcerr_weakauth(xprt); +- return FALSE; ++ rc = FALSE; ++ goto done; + } + + if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr, +@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + rpcbind_abort(); + } + } +- return (TRUE); ++ ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { ++ if (debugging) { ++ /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + int pmap_netid2ipprot(const char *netid) +diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c +index 709e3fb..091f530 100644 +--- a/src/rpcb_svc.c ++++ b/src/rpcb_svc.c +@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) + svcerr_decode(transp); + if (debugging) + (void) xlog(LOG_DEBUG, "rpcbind: could not decode"); +- return; ++ goto done; + } + + if (rqstp->rq_proc == RPCBPROC_SET +diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c +index 5094879..eebbbbe 100644 +--- a/src/rpcb_svc_4.c ++++ b/src/rpcb_svc_4.c +@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) + svcerr_decode(transp); + if (debugging) + (void) xlog(LOG_DEBUG, "rpcbind: could not decode\n"); +- return; ++ goto done; + } + + if (rqstp->rq_proc == RPCBPROC_SET +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 5862c26..cb63afd 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -927,6 +927,14 @@ error: + if (call_msg.rm_xid != 0) + (void) free_slot_by_xid(call_msg.rm_xid); + out: ++ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { ++ if (debugging) { ++ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } + if (local_uaddr) + free(local_uaddr); + if (buf_alloc) +-- +1.9.1 + diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/init.d b/poky/meta/recipes-extended/rpcbind/rpcbind/init.d new file mode 100644 index 000000000..67499aa82 --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/init.d @@ -0,0 +1,87 @@ +#!/bin/sh +# +# start/stop rpcbind daemon. + +### BEGIN INIT INFO +# Provides: rpcbind +# Required-Start: $network +# Required-Stop: $network +# Default-Start: S 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: RPC portmapper replacement +# Description: rpcbind is a server that converts RPC (Remote +# Procedure Call) program numbers into DARPA +# protocol port numbers. It must be running in +# order to make RPC calls. Services that use +# RPC include NFS and NIS. +### END INIT INFO + +# Source function library. +. /etc/init.d/functions + +test -f /sbin/rpcbind || exit 0 + +OPTIONS="" +if [ -f /etc/default/rpcbind ] +then + . /etc/default/rpcbind +elif [ -f /etc/rpcbind.conf ] +then + . /etc/rpcbind.conf +fi + +start () +{ + echo -n "Starting rpcbind daemon..." + if pidof /sbin/rpcbind >/dev/null; then + echo "already running." + exit 0 + fi + start-stop-daemon --start --quiet --exec /sbin/rpcbind -- "$@" + if [ $? -eq 0 ]; then + echo "done." + else + echo "failed." + fi +} + +stop () +{ + echo "Stopping rpcbind daemon..." + if ! pidof /sbin/rpcbind >/dev/null; then + echo "not running." + return 0 + fi + start-stop-daemon --stop --quiet --exec /sbin/rpcbind + if [ $? -eq 0 ]; then + echo "done." + else + echo "failed." + fi +} + +case "$1" in + start) + start $OPTIONS + ;; + stop) + stop + ;; + force-reload) + stop + start $OPTIONS + ;; + restart) + stop + start $OPTIONS + ;; + status) + status /sbin/rpcbind + ;; + *) + echo "Usage: /etc/init.d/rpcbind {start|stop|force-reload|restart|status}" + exit 1 + ;; +esac + +exit $? diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/poky/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch new file mode 100644 index 000000000..4c23ee01c --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch @@ -0,0 +1,30 @@ +From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Wed, 17 May 2017 10:52:25 -0400 +Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch + +commit 7ea36eee introduce a typo that caused +NIS (aka ypbind) to fail. + +Signed-off-by: Steve Dickson <steved@redhat.com> + +Upstream-Status: Backport + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + src/pmap_svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: rpcbind-0.2.4/src/pmap_svc.c +=================================================================== +--- rpcbind-0.2.4.orig/src/pmap_svc.c ++++ rpcbind-0.2.4/src/pmap_svc.c +@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__ + } + + done: +- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) { + if (debugging) { + /*(void) xlog(LOG_DEBUG, "unable to free arguments\n");*/ + if (doabort) { diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.conf b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.conf new file mode 100644 index 000000000..2a4dfbcfb --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.conf @@ -0,0 +1,3 @@ +# Optional arguments passed to rpcbind. +# +RPCBIND_OPTS="" diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.service b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.service new file mode 100644 index 000000000..9cdade495 --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.service @@ -0,0 +1,12 @@ +[Unit] +Description=RPC Bind Service +Requires=rpcbind.socket + +[Service] +Type=forking +EnvironmentFile=-@SYSCONFDIR@/rpcbind.conf +ExecStart=@SBINDIR@/rpcbind $RPCBIND_OPTS +SuccessExitStatus=2 + +[Install] +Also=rpcbind.socket diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.socket b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.socket new file mode 100644 index 000000000..d63c1d972 --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbind.socket @@ -0,0 +1,8 @@ +[Unit] +Description=RPCbind Server Activation Socket + +[Socket] +ListenStream=/var/run/rpcbind.sock + +[Install] +WantedBy=sockets.target diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch new file mode 100644 index 000000000..9a000d028 --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch @@ -0,0 +1,100 @@ +From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Tue, 30 May 2017 11:27:22 -0400 +Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer + +commit 7ea36ee introduced a svc_freeargs() call +that ended up freeing static pointer. + +It turns out the allocations for the rmt_args +is not necessary . The xdr routines (xdr_bytes) will +handle the memory management and the largest +possible message size is UDPMSGSIZE (due to UDP only) +which is smaller than RPC_BUF_MAX + +Signed-off-by: Steve Dickson <steved@redhat.com> + +Upstream-Status: Backport + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + src/rpcb_svc_com.c | 39 ++++++--------------------------------- + 1 file changed, 6 insertions(+), 33 deletions(-) + +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index cb63afd..1fc2229 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + struct netconfig *nconf; + struct netbuf *caller; + struct r_rmtcall_args a; +- char *buf_alloc = NULL, *outbufp; ++ char *outbufp; + char *outbuf_alloc = NULL; +- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX]; ++ char outbuf[RPC_BUF_MAX]; + struct netbuf *na = (struct netbuf *) NULL; + struct rpc_msg call_msg; + int outlen; +@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + } + if (si.si_socktype != SOCK_DGRAM) + return; /* Only datagram type accepted */ +- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE); +- if (sendsz == 0) { /* data transfer not supported */ +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- /* +- * Should be multiple of 4 for XDR. +- */ +- sendsz = ((sendsz + 3) / 4) * 4; +- if (sendsz > RPC_BUF_MAX) { +-#ifdef notyet +- buf_alloc = alloca(sendsz); /* not in IDR2? */ +-#else +- buf_alloc = malloc(sendsz); +-#endif /* notyet */ +- if (buf_alloc == NULL) { +- if (debugging) +- xlog(LOG_DEBUG, +- "rpcbproc_callit_com: No Memory!\n"); +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- a.rmt_args.args = buf_alloc; +- } else { +- a.rmt_args.args = buf; +- } ++ sendsz = UDPMSGSIZE; + + call_msg.rm_xid = 0; /* For error checking purposes */ ++ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */ + if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { + if (reply_type == RPCBPROC_INDIRECT) + svcerr_decode(transp); +@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + if (rbl == (rpcblist_ptr)NULL) { + #ifdef RPCBIND_DEBUG + if (debugging) +- xlog(LOG_DEBUG, "not found\n"); ++ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", ++ a.rmt_prog, a.rmt_vers); + #endif + if (reply_type == RPCBPROC_INDIRECT) + svcerr_noprog(transp); +@@ -937,8 +912,6 @@ out: + } + if (local_uaddr) + free(local_uaddr); +- if (buf_alloc) +- free(buf_alloc); + if (outbuf_alloc) + free(outbuf_alloc); + if (na) { +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb b/poky/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb new file mode 100644 index 000000000..dcdee6c46 --- /dev/null +++ b/poky/meta/recipes-extended/rpcbind/rpcbind_0.2.4.bb @@ -0,0 +1,65 @@ +SUMMARY = "Universal Addresses to RPC Program Number Mapper" +DESCRIPTION = "The rpcbind utility is a server that converts RPC \ + program numbers into universal addresses." +SECTION = "console/network" +HOMEPAGE = "http://sourceforge.net/projects/rpcbind/" +BUGTRACKER = "http://sourceforge.net/tracker/?group_id=201237&atid=976751" +DEPENDS = "libtirpc quota" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://COPYING;md5=b46486e4c4a416602693a711bb5bfa39 \ + file://src/rpcinfo.c;beginline=1;endline=27;md5=f8a8cd2cb25ac5aa16767364fb0e3c24" + +SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \ + file://init.d \ + file://rpcbind.conf \ + file://rpcbind.socket \ + file://rpcbind.service \ + file://0001-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch \ + file://pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch \ + file://rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch \ + " +SRC_URI[md5sum] = "cf10cd41ed8228fc54c316191c1f07fe" +SRC_URI[sha256sum] = "074a9a530dc7c11e0d905aa59bcb0847c009313f02e98d3d798aa9568f414c66" + +inherit autotools update-rc.d systemd pkgconfig + +PACKAGECONFIG ??= "tcp-wrappers" +PACKAGECONFIG[tcp-wrappers] = "--enable-libwrap,--disable-libwrap,tcp-wrappers" + +INITSCRIPT_NAME = "rpcbind" +INITSCRIPT_PARAMS = "start 12 2 3 4 5 . stop 60 0 1 6 ." + +SYSTEMD_SERVICE_${PN} = "rpcbind.service" + +inherit useradd + +USERADD_PACKAGES = "${PN}" +USERADD_PARAM_${PN} = "--system --no-create-home --home-dir / \ + --shell /bin/false --user-group rpc" + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, \ + --without-systemdsystemunitdir, \ + systemd \ +" + +EXTRA_OECONF += " --enable-warmstarts --with-rpcuser=rpc" + +do_install_append () { + mv ${D}${bindir} ${D}${sbindir} + + install -d ${D}${sysconfdir}/init.d + sed -e 's,/etc/,${sysconfdir}/,g' \ + -e 's,/sbin/,${sbindir}/,g' \ + ${WORKDIR}/init.d > ${D}${sysconfdir}/init.d/rpcbind + chmod 0755 ${D}${sysconfdir}/init.d/rpcbind + + install -m 0755 ${WORKDIR}/rpcbind.conf ${D}${sysconfdir} + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/rpcbind.socket ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/rpcbind.service ${D}${systemd_unitdir}/system + sed -i -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@SYSCONFDIR@,${sysconfdir},g' \ + ${D}${systemd_unitdir}/system/rpcbind.service +} |
