From bdaa9eb015d20e4539353d48dc00a624bfb2797c Mon Sep 17 00:00:00 2001 From: Henrik Riomar Date: Thu, 21 Mar 2019 23:13:18 +0100 Subject: [PATCH] main/rpcbind: upgrade to 1.2.5 --- ...01-rpcinfo-Fix-stack-buffer-overflow.patch | 69 ++++++ main/rpcbind/APKBUILD | 17 +- main/rpcbind/CVE-2017-8779.patch | 218 ------------------ ...dump-Fixed-typo-in-memory-leak-patch.patch | 29 --- ...it_com-Stop-freeing-a-static-pointer.patch | 96 -------- 5 files changed, 76 insertions(+), 353 deletions(-) create mode 100644 main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch delete mode 100644 main/rpcbind/CVE-2017-8779.patch delete mode 100644 main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch delete mode 100644 main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch diff --git a/main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch b/main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch new file mode 100644 index 00000000000..77937b73f41 --- /dev/null +++ b/main/rpcbind/0001-rpcinfo-Fix-stack-buffer-overflow.patch @@ -0,0 +1,69 @@ +From 0bc1c0ae7ce61a7ac8a8e9a9b2086268f011abf0 Mon Sep 17 00:00:00 2001 +From: Steve Dickson +Date: Tue, 9 Oct 2018 09:19:50 -0400 +Subject: [PATCH] rpcinfo: Fix stack buffer overflow + +*** buffer overflow detected ***: rpcinfo terminated +======= Backtrace: ========= +/lib64/libc.so.6(+0x721af)[0x7ff24c4451af] +/lib64/libc.so.6(__fortify_fail+0x37)[0x7ff24c4ccdc7] +/lib64/libc.so.6(+0xf8050)[0x7ff24c4cb050] +rpcinfo(+0x435f)[0xef3be2635f] +rpcinfo(+0x1c62)[0xef3be23c62] +/lib64/libc.so.6(__libc_start_main+0xf5)[0x7ff24c3f36e5] +rpcinfo(+0x2739)[0xef3be24739] +======= Memory map: ======== +... +The patch below fixes it. + +Reviewed-by: Chuck Lever +Signed-off-by: Thomas Blume +Signed-off-by: Steve Dickson +--- + src/rpcinfo.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/rpcinfo.c b/src/rpcinfo.c +index 9b46864..cfdba88 100644 +--- a/src/rpcinfo.c ++++ b/src/rpcinfo.c +@@ -973,6 +973,7 @@ rpcbdump (dumptype, netid, argc, argv) + (" program version(s) netid(s) service owner\n"); + for (rs = rs_head; rs; rs = rs->next) + { ++ size_t netidmax = sizeof(buf) - 1; + char *p = buf; + + printf ("%10ld ", rs->prog); +@@ -985,12 +986,22 @@ rpcbdump (dumptype, netid, argc, argv) + } + printf ("%-10s", buf); + buf[0] = '\0'; +- for (nl = rs->nlist; nl; nl = nl->next) +- { +- strcat (buf, nl->netid); +- if (nl->next) +- strcat (buf, ","); +- } ++ ++ for (nl = rs->nlist; nl; nl = nl->next) ++ { ++ strncat (buf, nl->netid, netidmax); ++ if (strlen (nl->netid) < netidmax) ++ netidmax -= strlen(nl->netid); ++ else ++ break; ++ ++ if (nl->next && netidmax > 1) ++ { ++ strncat (buf, ",", netidmax); ++ netidmax --; ++ } ++ } ++ + printf ("%-32s", buf); + rpc = getrpcbynumber (rs->prog); + if (rpc) +-- +2.21.0 + diff --git a/main/rpcbind/APKBUILD b/main/rpcbind/APKBUILD index a0edc87327c..497e421e400 100644 --- a/main/rpcbind/APKBUILD +++ b/main/rpcbind/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=rpcbind -pkgver=0.2.4 -pkgrel=1 +pkgver=1.2.5 +pkgrel=0 pkgdesc="portmap replacement which supports RPC over various protocols" url="http://rpcbind.sourceforge.net" arch="all" @@ -10,11 +10,9 @@ license="BSD-3-Clause" depends= install="$pkgname.pre-install $pkgname.pre-upgrade" makedepends="libtirpc-dev autoconf automake bsd-compat-headers" -subpackages="$pkgname-dbg $pkgname-doc" +subpackages="$pkgname-dbg $pkgname-doc $pkgname-openrc" source="https://downloads.sourceforge.net/project/rpcbind/rpcbind/$pkgver/rpcbind-$pkgver.tar.bz2 - CVE-2017-8779.patch - pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch - rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch + 0001-rpcinfo-Fix-stack-buffer-overflow.patch rpcbind.initd rpcbind.confd " @@ -39,6 +37,7 @@ build() { --host=$CHOST \ --prefix=/usr \ --bindir=/sbin \ + --sbindir=/sbin \ --enable-warmstarts \ --with-statedir=/var/lib/rpcbind \ --with-rpcuser=rpc \ @@ -54,9 +53,7 @@ package() { install -Dm644 "$srcdir"/rpcbind.confd "$pkgdir"/etc/conf.d/rpcbind install -D -m644 COPYING "$pkgdir"/usr/share/licenses/rpcbind/COPYING } -sha512sums="f3966a7284e94bdf120a9b3f0dd66efa1fe8761df2313545a031f77b7c06e27d7955d2780469943deb537d34f95c4cf3f30de523ec9fab9f571322d7224b210c rpcbind-0.2.4.tar.bz2 -cc3b7d72299279f6c7e7ce0329d29a8bc0c44a9e99c241cbbe8f34eba71ca16da7e87683a66e36565422dde9a3b03be8d6e345264495c6e2070f97116da32244 CVE-2017-8779.patch -1ecce48807b276381ff3199916e0b85880b948086e7891aa35df8a10f9188641253572c330e5fee35afa69c5ce3965ebead14fbe8ef20c49a4e9047345e63c5e pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch -a0125bd24a533366d7fcaed68e6671df65e3e39a4b18be2265f987602944d358666edef954f8707d24453331f7e96341739e5346bc1b233380c618b34a4014e2 rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch +sha512sums="e884c4757950ccead0f9a07f50625a63e6f18f9bfae9fcfffa3e5fa4b7a66c3a99d9fa303061848fe8211509d5456f24ff26e4579af6e161a35522268f3ef3e4 rpcbind-1.2.5.tar.bz2 +84289e99b918fd138e6327a39481e74c80581746087d2e7e55d0c0bdbe068875b6136a6296c0d24a1be01d54b38a9d446794a3d08b53e7d884804a2b375519a2 0001-rpcinfo-Fix-stack-buffer-overflow.patch 1cd655d86226a45fa3e927f8ac2bb580537644d2fb3684e0f4a956bf3721c95d95b8b8c1d9a2a742fb714eeba9277e0400a7493bf1bf676466d70adb2b35a88e rpcbind.initd 0641087162ebc8fb10c5cb329105261d77cad073daed3f9a6c92574177298cd8a19a87b62dde14161cc554b5e68680cfd870b5334f3cfd8d6074ec8a43f4dfe3 rpcbind.confd" diff --git a/main/rpcbind/CVE-2017-8779.patch b/main/rpcbind/CVE-2017-8779.patch deleted file mode 100644 index d8fcfa113f0..00000000000 --- a/main/rpcbind/CVE-2017-8779.patch +++ /dev/null @@ -1,218 +0,0 @@ -From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001 -From: Doran Moppert -Date: Thu, 11 May 2017 11:42:54 -0400 -Subject: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to - avoid memory leak - -This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed -at [1], [2], [3]. The last link suggests this issue is actually a bug -in rpcbind, which led me here. - -The leak caused by the reproducer at [4] appears to come from -rpcb_service_4(), in the case where svc_getargs() returns false and the -function had an early return, rather than passing through the cleanup -path at done:, as would otherwise occur. - -It also addresses a couple of other locations where the same fault seems -to exist, though I haven't been able to exercise those. I hope someone -more intimate with rpc(3) can confirm my understanding is correct, and -that I haven't introduced any new bugs. - -Without this patch, using the reproducer (and variants) repeatedly -against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof -rpcbind)/status reports VmSize increase of 976564 kB each call, and -VmRSS increase of around 260 kB every 33 calls - the specific numbers -are probably an artifact of my rhel/glibc version. With the patch, -there is a small (~50 kB) VmSize increase with the first message, but -thereafter both VmSize and VmRSS remain steady. - -[1]: http://seclists.org/oss-sec/2017/q2/209 -[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124 -[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html -[4]: https://github.com/guidovranken/rpcbomb/ - -Signed-off-by: Doran Moppert -Signed-off-by: Steve Dickson ---- - src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--------- - src/rpcb_svc.c | 2 +- - src/rpcb_svc_4.c | 2 +- - src/rpcb_svc_com.c | 8 ++++++++ - 4 files changed, 57 insertions(+), 11 deletions(-) - -diff --git a/src/pmap_svc.c b/src/pmap_svc.c -index 4c744fe..e926cdc 100644 ---- a/src/pmap_svc.c -+++ b/src/pmap_svc.c -@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long - long ans; - uid_t uid; - char uidbuf[32]; -+ int rc = TRUE; - - /* - * Can't use getpwnam here. We might end up calling ourselves -@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long - - if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { - svcerr_decode(xprt); -- return (FALSE); -+ rc = FALSE; -+ goto done; - } - #ifdef RPCBIND_DEBUG - if (debugging) -@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long - - if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) { - svcerr_weakauth(xprt); -- return (FALSE); -+ rc = (FALSE); -+ goto done; - } - - rpcbreg.r_prog = reg.pm_prog; -@@ -258,7 +261,16 @@ done_change: - rpcbs_set(RPCBVERS_2_STAT, ans); - else - rpcbs_unset(RPCBVERS_2_STAT, ans); -- return (TRUE); -+done: -+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { -+ if (debugging) { -+ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); -+ if (doabort) { -+ rpcbind_abort(); -+ } -+ } -+ } -+ return (rc); - } - - /* ARGSUSED */ -@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) - #ifdef RPCBIND_DEBUG - char *uaddr; - #endif -+ int rc = TRUE; - - if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { - svcerr_decode(xprt); -- return (FALSE); -+ rc = FALSE; -+ goto done; - } - - if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) { - svcerr_weakauth(xprt); -- return FALSE; -+ rc = FALSE; -+ goto done; - } - - #ifdef RPCBIND_DEBUG -@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) - pmap_ipprot2netid(reg.pm_prot) ?: "", - port ? udptrans : ""); - -- return (TRUE); -+done: -+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { -+ if (debugging) { -+ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); -+ if (doabort) { -+ rpcbind_abort(); -+ } -+ } -+ } -+ return (rc); - } - - /* ARGSUSED */ - static bool_t - pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) - { -+ int rc = TRUE; -+ - if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) { - svcerr_decode(xprt); -- return (FALSE); -+ rc = FALSE; -+ goto done; - } - - if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) { - svcerr_weakauth(xprt); -- return FALSE; -+ rc = FALSE; -+ goto done; - } - - if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr, -@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) - rpcbind_abort(); - } - } -- return (TRUE); -+ -+done: -+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { -+ if (debugging) { -+ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); -+ if (doabort) { -+ rpcbind_abort(); -+ } -+ } -+ } -+ return (rc); - } - - int pmap_netid2ipprot(const char *netid) -diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c -index 709e3fb..091f530 100644 ---- a/src/rpcb_svc.c -+++ b/src/rpcb_svc.c -@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) - svcerr_decode(transp); - if (debugging) - (void) xlog(LOG_DEBUG, "rpcbind: could not decode"); -- return; -+ goto done; - } - - if (rqstp->rq_proc == RPCBPROC_SET -diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c -index 5094879..eebbbbe 100644 ---- a/src/rpcb_svc_4.c -+++ b/src/rpcb_svc_4.c -@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) - svcerr_decode(transp); - if (debugging) - (void) xlog(LOG_DEBUG, "rpcbind: could not decode\n"); -- return; -+ goto done; - } - - if (rqstp->rq_proc == RPCBPROC_SET -diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index 5862c26..cb63afd 100644 ---- a/src/rpcb_svc_com.c -+++ b/src/rpcb_svc_com.c -@@ -927,6 +927,14 @@ error: - if (call_msg.rm_xid != 0) - (void) free_slot_by_xid(call_msg.rm_xid); - out: -+ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { -+ if (debugging) { -+ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); -+ if (doabort) { -+ rpcbind_abort(); -+ } -+ } -+ } - if (local_uaddr) - free(local_uaddr); - if (buf_alloc) --- -1.8.3.1 - diff --git a/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch deleted file mode 100644 index fbe70d231e4..00000000000 --- a/main/rpcbind/pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch +++ /dev/null @@ -1,29 +0,0 @@ -From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001 -From: Steve Dickson -Date: Wed, 17 May 2017 10:52:25 -0400 -Subject: [PATCH] pmapproc_dump: Fixed typo in memory leak patch - -commit 7ea36eee introduce a typo that caused -NIS (aka ypbind) to fail. - -Signed-off-by: Steve Dickson ---- - src/pmap_svc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/pmap_svc.c b/src/pmap_svc.c -index e926cdc..26c31d0 100644 ---- a/src/pmap_svc.c -+++ b/src/pmap_svc.c -@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) - } - - done: -- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { -+ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) { - if (debugging) { - (void) xlog(LOG_DEBUG, "unable to free arguments\n"); - if (doabort) { --- -1.8.3.1 - diff --git a/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch deleted file mode 100644 index e907f0a9a20..00000000000 --- a/main/rpcbind/rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001 -From: Steve Dickson -Date: Tue, 30 May 2017 11:27:22 -0400 -Subject: [PATCH] rpcbproc_callit_com: Stop freeing a static pointer - -commit 7ea36ee introduced a svc_freeargs() call -that ended up freeing static pointer. - -It turns out the allocations for the rmt_args -is not necessary . The xdr routines (xdr_bytes) will -handle the memory management and the largest -possible message size is UDPMSGSIZE (due to UDP only) -which is smaller than RPC_BUF_MAX - -Signed-off-by: Steve Dickson ---- - src/rpcb_svc_com.c | 39 ++++++--------------------------------- - 1 file changed, 6 insertions(+), 33 deletions(-) - -diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index cb63afd..1fc2229 100644 ---- a/src/rpcb_svc_com.c -+++ b/src/rpcb_svc_com.c -@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, - struct netconfig *nconf; - struct netbuf *caller; - struct r_rmtcall_args a; -- char *buf_alloc = NULL, *outbufp; -+ char *outbufp; - char *outbuf_alloc = NULL; -- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX]; -+ char outbuf[RPC_BUF_MAX]; - struct netbuf *na = (struct netbuf *) NULL; - struct rpc_msg call_msg; - int outlen; -@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, - } - if (si.si_socktype != SOCK_DGRAM) - return; /* Only datagram type accepted */ -- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE); -- if (sendsz == 0) { /* data transfer not supported */ -- if (reply_type == RPCBPROC_INDIRECT) -- svcerr_systemerr(transp); -- return; -- } -- /* -- * Should be multiple of 4 for XDR. -- */ -- sendsz = ((sendsz + 3) / 4) * 4; -- if (sendsz > RPC_BUF_MAX) { --#ifdef notyet -- buf_alloc = alloca(sendsz); /* not in IDR2? */ --#else -- buf_alloc = malloc(sendsz); --#endif /* notyet */ -- if (buf_alloc == NULL) { -- if (debugging) -- xlog(LOG_DEBUG, -- "rpcbproc_callit_com: No Memory!\n"); -- if (reply_type == RPCBPROC_INDIRECT) -- svcerr_systemerr(transp); -- return; -- } -- a.rmt_args.args = buf_alloc; -- } else { -- a.rmt_args.args = buf; -- } -+ sendsz = UDPMSGSIZE; - - call_msg.rm_xid = 0; /* For error checking purposes */ -+ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */ - if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { - if (reply_type == RPCBPROC_INDIRECT) - svcerr_decode(transp); -@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, - if (rbl == (rpcblist_ptr)NULL) { - #ifdef RPCBIND_DEBUG - if (debugging) -- xlog(LOG_DEBUG, "not found\n"); -+ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", -+ a.rmt_prog, a.rmt_vers); - #endif - if (reply_type == RPCBPROC_INDIRECT) - svcerr_noprog(transp); -@@ -937,8 +912,6 @@ out: - } - if (local_uaddr) - free(local_uaddr); -- if (buf_alloc) -- free(buf_alloc); - if (outbuf_alloc) - free(outbuf_alloc); - if (na) { --- -1.8.3.1 -