From 14bc93a967e62abf8cf2704725b6f76619399f83 Mon Sep 17 00:00:00 2001
From: Jeff Law <law@redhat.com>
Date: Wed, 28 Nov 2012 14:12:28 -0700
Subject: [PATCH]        [BZ #14889]         * sunrpc/rpc/svc.h
 (__svc_accept_failed): New prototype.         * sunrpc/svc.c: Include time.h.
         (__svc_accept_failed): New function.         * sunrpc/svc_tcp.c
 (rendezvous_request): If the accept fails for         any reason other than
 EINTR, call __svc_accept_failed.         * sunrpc/svc_udp.c (svcudp_recv):
 Similarly.         * sunrpc/svc_unix.c (rendezvous_request): Similarly.

---
 ChangeLog         | 12 ++++++++++++
 NEWS              |  6 +++++-
 sunrpc/rpc/svc.h  | 18 ++++++++++++++++++
 sunrpc/svc.c      | 33 +++++++++++++++++++++++++++++++++
 sunrpc/svc_tcp.c  | 18 ++++++++++++++++++
 sunrpc/svc_udp.c  | 25 +++++++++++++++++++++++--
 sunrpc/svc_unix.c | 18 ++++++++++++++++++
 7 files changed, 127 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 14f8136..b74cde7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2012-11-28  Jeff Law <law@redhat.com>
+	    Martin Osvald <mosvald@redhat.com>
+
+	[BZ #14889]
+	* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
+	* sunrpc/svc.c: Include time.h.
+	(__svc_accept_failed): New function.
+	* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
+	any reason other than EINTR, call __svc_accept_failed.
+	* sunrpc/svc_udp.c (svcudp_recv): Similarly.
+	* sunrpc/svc_unix.c (rendezvous_request): Similarly.
+
 2012-11-28  Andreas Schwab  <schwab@suse.de>
 
 	* scripts/abilist.awk: Also handle indirect functions in .opd
diff --git a/NEWS b/NEWS
index eb35f9d..4a17295 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,11 @@ Version 2.17
   14621, 14638, 14645, 14648, 14652, 14660, 14661, 14669, 14672, 14683,
   14694, 14716, 14719, 14743, 14767, 14783, 14784, 14785, 14793, 14796,
   14797, 14801, 14805, 14807, 14811, 14815, 14821, 14822, 14824, 14828,
-  14831, 14835, 14838, 14856, 14863, 14865, 14866, 14868, 14869, 14871.
+  14831, 14835, 14838, 14856, 14863, 14865, 14866, 14868, 14869, 14871,
+  14889.
+
+* CVE-2011-4609 svc_run() produces high cpu usage when accept fails with
+  EMFILE has been fixed (Bugzilla #14889).
 
 * The add-on ports collection is now distributed in the "ports" subdirectory
   of the main GNU C Library distribution, rather than separately.
diff --git a/sunrpc/rpc/svc.h b/sunrpc/rpc/svc.h
index 54d1ac1..58a5f7d 100644
--- a/sunrpc/rpc/svc.h
+++ b/sunrpc/rpc/svc.h
@@ -1,6 +1,23 @@
 /*
  * svc.h, Server-side remote procedure call interface.
  *
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ * This file is part of the GNU C Library.
+ *
+ * The GNU C Library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * The GNU C Library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with the GNU C Library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
  * Copyright (c) 2010, Oracle America, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -316,4 +333,5 @@ extern SVCXPRT *svcunix_create (int __sock, u_int __sendsize, u_int __recvsize,
 
 __END_DECLS
 
+extern void __svc_accept_failed (void) attribute_hidden;
 #endif /* rpc/svc.h */
diff --git a/sunrpc/svc.c b/sunrpc/svc.c
index 103770a..736d4a9 100644
--- a/sunrpc/svc.c
+++ b/sunrpc/svc.c
@@ -4,6 +4,23 @@
  * There are two sets of procedures here.  The xprt routines are
  * for handling transport handles.  The svc routines handle the
  * list of service routines.
+ *  Copyright (C) 2002-2012 Free Software Foundation, Inc.
+ *  This file is part of the GNU C Library.
+ *  Contributed by Ulrich Drepper <drepper@redhat.com>, 2002.
+ *
+ *  The GNU C Library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  The GNU C Library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with the GNU C Library; if not, see
+ *  <http://www.gnu.org/licenses/>.
  *
  * Copyright (c) 2010, Oracle America, Inc.
  *
@@ -41,6 +58,7 @@
 #include <rpc/svc.h>
 #include <rpc/pmap_clnt.h>
 #include <sys/poll.h>
+#include <time.h>
 
 #ifdef _RPC_THREAD_SAFE_
 #define xports RPC_THREAD_VARIABLE(svc_xports_s)
@@ -544,6 +562,21 @@ svc_getreq_common (const int fd)
 }
 libc_hidden_nolink_sunrpc (svc_getreq_common, GLIBC_2_2)
 
+/* If there are no file descriptors available, then accept will fail.
+   We want to delay here so the connection request can be dequeued;
+   otherwise we can bounce between polling and accepting, never giving the
+   request a chance to dequeue and eating an enormous amount of cpu time
+   in svc_run if we're polling on many file descriptors.  */
+void
+__svc_accept_failed (void)
+{
+  if (errno == EMFILE)
+    {
+      struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+      __nanosleep (&ts, NULL);
+    }
+}
+
 #ifdef _RPC_THREAD_SAFE_
 
 void
diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
index eb61549..1fdb0ad 100644
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -1,6 +1,23 @@
 /*
  * svc_tcp.c, Server side for TCP/IP based RPC.
  *
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ * This file is part of the GNU C Library.
+ *
+ * The GNU C Library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * The GNU C Library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with the GNU C Library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
  * Copyright (c) 2010, Oracle America, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -247,6 +264,7 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      __svc_accept_failed ();
       return FALSE;
     }
   /*
diff --git a/sunrpc/svc_udp.c b/sunrpc/svc_udp.c
index 6c4d75a..3324e2a 100644
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -3,6 +3,23 @@
  * Server side for UDP/IP based RPC.  (Does some caching in the hopes of
  * achieving execute-at-most-once semantics.)
  *
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ * This file is part of the GNU C Library.
+ *
+ * The GNU C Library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * The GNU C Library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with the GNU C Library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
  * Copyright (c) 2010, Oracle America, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -277,8 +294,12 @@ again:
 		       (int) su->su_iosz, 0,
 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+	goto again;
+      __svc_accept_failed ();
+    }
   if (rlen < 16)		/* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index 94507b2..5c3184a 100644
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -1,6 +1,23 @@
 /*
  * svc_unix.c, Server side for TCP/IP based RPC.
  *
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ * This file is part of the GNU C Library.
+ *
+ * The GNU C Library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * The GNU C Library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with the GNU C Library; if not, see
+ * <http://www.gnu.org/licenses/>.
+ *
  * Copyright (c) 2010, Oracle America, Inc.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -244,6 +261,7 @@ again:
     {
       if (errno == EINTR)
 	goto again;
+      __svc_accept_failed ();
       return FALSE;
     }
   /*
-- 
2.7.4