From f545ad4928fa1f27a3075265182b38a4f939a5f7 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 17 Jan 2022 10:21:34 +0100 Subject: [PATCH] CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) The sunrpc function svcunix_create suffers from a stack-based buffer overflow with overlong pathname arguments. Reviewed-by: Siddhesh Poyarekar --- NEWS | 3 +++ sunrpc/Makefile | 2 +- sunrpc/svc_unix.c | 11 ++++------- sunrpc/tst-bug28768.c | 42 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 sunrpc/tst-bug28768.c diff --git a/NEWS b/NEWS index 38a9ddb..38802f0 100644 --- a/NEWS +++ b/NEWS @@ -160,6 +160,9 @@ Security related changes: legacy function could result in a stack-based buffer overflow when using the "unix" protocol. Reported by Martin Sebor. + CVE-2022-23218: Passing an overlong file name to the svcunix_create + legacy function could result in a stack-based buffer overflow. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/sunrpc/Makefile b/sunrpc/Makefile index 183ef3d..a79a719 100644 --- a/sunrpc/Makefile +++ b/sunrpc/Makefile @@ -65,7 +65,7 @@ shared-only-routines = $(routines) endif tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \ - tst-udp-nonblocking tst-bug22542 + tst-udp-nonblocking tst-bug22542 tst-bug28768 xtests := tst-getmyaddr diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index f2280b4..67177a2 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) SVCXPRT *xprt; struct unix_rendezvous *r; struct sockaddr_un addr; - socklen_t len = sizeof (struct sockaddr_in); + socklen_t len = sizeof (addr); + + if (__sockaddr_un_set (&addr, path) < 0) + return NULL; if (sock == RPC_ANYSOCK) { @@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path) } madesock = TRUE; } - memset (&addr, '\0', sizeof (addr)); - addr.sun_family = AF_UNIX; - len = strlen (path) + 1; - memcpy (addr.sun_path, path, len); - len += sizeof (addr.sun_family); - __bind (sock, (struct sockaddr *) &addr, len); if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0 diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c new file mode 100644 index 0000000..35a4b7b --- /dev/null +++ b/sunrpc/tst-bug28768.c @@ -0,0 +1,42 @@ +/* Test to verify that long path is rejected by svcunix_create (bug 28768). + Copyright (C) 2022 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include + +/* svcunix_create does not have a default version in linkobj/libc.so. */ +compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1); + +static int +do_test (void) +{ + char pathname[109]; + memset (pathname, 'x', sizeof (pathname)); + pathname[sizeof (pathname) - 1] = '\0'; + + errno = 0; + TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL); + TEST_COMPARE (errno, EINVAL); + + return 0; +} + +#include -- 2.7.4