Control: tags 1015873 + patch Control: tags 1015873 + pending
Dear maintainer, I've prepared an NMU for libtirpc (versioned as 1.3.2-2.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. The corresponding merge request is at https://salsa.debian.org/debian/libtirpc/-/merge_requests/1 . Regards, Salvatore
diff -Nru libtirpc-1.3.2/debian/changelog libtirpc-1.3.2/debian/changelog --- libtirpc-1.3.2/debian/changelog 2021-08-17 17:16:38.000000000 +0200 +++ libtirpc-1.3.2/debian/changelog 2022-08-01 16:26:18.000000000 +0200 @@ -1,3 +1,10 @@ +libtirpc (1.3.2-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix DoS vulnerability in libtirpc (CVE-2021-46828) (Closes: #1015873) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 01 Aug 2022 16:26:18 +0200 + libtirpc (1.3.2-2) unstable; urgency=medium * Upload to unstable diff -Nru libtirpc-1.3.2/debian/patches/Fix-DoS-vulnerability-in-libtirpc.patch libtirpc-1.3.2/debian/patches/Fix-DoS-vulnerability-in-libtirpc.patch --- libtirpc-1.3.2/debian/patches/Fix-DoS-vulnerability-in-libtirpc.patch 1970-01-01 01:00:00.000000000 +0100 +++ libtirpc-1.3.2/debian/patches/Fix-DoS-vulnerability-in-libtirpc.patch 2022-08-01 16:26:18.000000000 +0200 @@ -0,0 +1,180 @@ +From: Dai Ngo <dai....@oracle.com> +Date: Sat, 21 Aug 2021 13:16:23 -0400 +Subject: Fix DoS vulnerability in libtirpc +Origin: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed +Bug-Debian: https://bugs.debian.org/1015873 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-46828 + +Currently svc_run does not handle poll timeout and rendezvous_request +does not handle EMFILE error returned from accept(2 as it used to. +These two missing functionality were removed by commit b2c9430f46c4. + +The effect of not handling poll timeout allows idle TCP conections +to remain ESTABLISHED indefinitely. When the number of connections +reaches the limit of the open file descriptors (ulimit -n) then +accept(2) fails with EMFILE. Since there is no handling of EMFILE +error this causes svc_run() to get in a tight loop calling accept(2). +This resulting in the RPC service of svc_run is being down, it's +no longer able to service any requests. + +RPC service rpcbind, statd and mountd are effected by this +problem. + +Fix by enhancing rendezvous_request to keep the number of +SVCXPRT conections to 4/5 of the size of the file descriptor +table. When this thresold is reached, it destroys the idle +TCP connections or destroys the least active connection if +no idle connnction was found. + +Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc +Signed-off-by: dai....@oracle.com +Signed-off-by: Steve Dickson <ste...@redhat.com> +--- + INSTALL | 371 +-------------------------------------------------- + src/svc.c | 17 ++- + src/svc_vc.c | 62 ++++++++- + 3 files changed, 78 insertions(+), 372 deletions(-) + mode change 100644 => 120000 INSTALL + +diff --git a/src/svc.c b/src/svc.c +index 6db164bbd76b..3a8709fe375c 100644 +--- a/src/svc.c ++++ b/src/svc.c +@@ -57,7 +57,7 @@ + + #define max(a, b) (a > b ? a : b) + +-static SVCXPRT **__svc_xports; ++SVCXPRT **__svc_xports; + int __svc_maxrec; + + /* +@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) + rwlock_unlock (&svc_fd_lock); + } + ++int ++svc_open_fds() ++{ ++ int ix; ++ int nfds = 0; ++ ++ rwlock_rdlock (&svc_fd_lock); ++ for (ix = 0; ix < svc_max_pollfd; ++ix) { ++ if (svc_pollfd[ix].fd != -1) ++ nfds++; ++ } ++ rwlock_unlock (&svc_fd_lock); ++ return (nfds); ++} ++ + /* + * Add a service program to the callout list. + * The dispatch routine will be called when a rpc request for this +diff --git a/src/svc_vc.c b/src/svc_vc.c +index f1d9f001fcdc..3dc8a75787e1 100644 +--- a/src/svc_vc.c ++++ b/src/svc_vc.c +@@ -64,6 +64,8 @@ + + + extern rwlock_t svc_fd_lock; ++extern SVCXPRT **__svc_xports; ++extern int svc_open_fds(); + + static SVCXPRT *makefd_xprt(int, u_int, u_int); + static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); +@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); + static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); + static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, + void *in); ++static int __svc_destroy_idle(int timeout); + + struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ + u_int sendsize; +@@ -313,13 +316,14 @@ done: + return (xprt); + } + ++ + /*ARGSUSED*/ + static bool_t + rendezvous_request(xprt, msg) + SVCXPRT *xprt; + struct rpc_msg *msg; + { +- int sock, flags; ++ int sock, flags, nfds, cnt; + struct cf_rendezvous *r; + struct cf_conn *cd; + struct sockaddr_storage addr; +@@ -379,6 +383,16 @@ again: + + gettimeofday(&cd->last_recv_time, NULL); + ++ nfds = svc_open_fds(); ++ if (nfds >= (_rpc_dtablesize() / 5) * 4) { ++ /* destroy idle connections */ ++ cnt = __svc_destroy_idle(15); ++ if (cnt == 0) { ++ /* destroy least active */ ++ __svc_destroy_idle(0); ++ } ++ } ++ + return (FALSE); /* there is never an rpc msg to be processed */ + } + +@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) + { + return FALSE; + } ++ ++static int ++__svc_destroy_idle(int timeout) ++{ ++ int i, ncleaned = 0; ++ SVCXPRT *xprt, *least_active; ++ struct timeval tv, tdiff, tmax; ++ struct cf_conn *cd; ++ ++ gettimeofday(&tv, NULL); ++ tmax.tv_sec = tmax.tv_usec = 0; ++ least_active = NULL; ++ rwlock_wrlock(&svc_fd_lock); ++ ++ for (i = 0; i <= svc_max_pollfd; i++) { ++ if (svc_pollfd[i].fd == -1) ++ continue; ++ xprt = __svc_xports[i]; ++ if (xprt == NULL || xprt->xp_ops == NULL || ++ xprt->xp_ops->xp_recv != svc_vc_recv) ++ continue; ++ cd = (struct cf_conn *)xprt->xp_p1; ++ if (!cd->nonblock) ++ continue; ++ if (timeout == 0) { ++ timersub(&tv, &cd->last_recv_time, &tdiff); ++ if (timercmp(&tdiff, &tmax, >)) { ++ tmax = tdiff; ++ least_active = xprt; ++ } ++ continue; ++ } ++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { ++ __xprt_unregister_unlocked(xprt); ++ __svc_vc_dodestroy(xprt); ++ ncleaned++; ++ } ++ } ++ if (timeout == 0 && least_active != NULL) { ++ __xprt_unregister_unlocked(least_active); ++ __svc_vc_dodestroy(least_active); ++ ncleaned++; ++ } ++ rwlock_unlock(&svc_fd_lock); ++ return (ncleaned); ++} +-- +2.36.1 + diff -Nru libtirpc-1.3.2/debian/patches/series libtirpc-1.3.2/debian/patches/series --- libtirpc-1.3.2/debian/patches/series 2021-08-17 17:16:38.000000000 +0200 +++ libtirpc-1.3.2/debian/patches/series 2022-08-01 16:26:18.000000000 +0200 @@ -1,3 +1,4 @@ 03-kfreebsd.diff 05-hurd-port.diff 06-hurd-client-port.diff +Fix-DoS-vulnerability-in-libtirpc.patch
