commit: 15f37371c962d5d28081841062dcf925c6a0914c Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Sun Jul 24 00:36:45 2022 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Sun Jul 24 00:38:21 2022 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15f37371
net-libs/libtirpc: backport security fixes Bug: https://bugs.gentoo.org/859634 Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org> net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch | 178 +++++++++++++++++++++ .../files/libtirpc-1.3.2-memory-leak.patch | 52 ++++++ .../files/libtirpc-1.3.2-use-after-free.patch | 31 ++++ net-libs/libtirpc/libtirpc-1.3.2-r1.ebuild | 65 ++++++++ 4 files changed, 326 insertions(+) diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch new file mode 100644 index 000000000000..88b6f5719f41 --- /dev/null +++ b/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch @@ -0,0 +1,178 @@ +From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001 +From: Dai Ngo <[email protected]> +Date: Sat, 21 Aug 2021 13:16:23 -0400 +Subject: [PATCH] Fix DoS vulnerability in libtirpc + +Currently svc_run does not handle poll timeout and rendezvous_request +does not handle EMFILE error returned from accept(2 as it used to. +These two missing functionality were removed by commit b2c9430f46c4. + +The effect of not handling poll timeout allows idle TCP conections +to remain ESTABLISHED indefinitely. When the number of connections +reaches the limit of the open file descriptors (ulimit -n) then +accept(2) fails with EMFILE. Since there is no handling of EMFILE +error this causes svc_run() to get in a tight loop calling accept(2). +This resulting in the RPC service of svc_run is being down, it's +no longer able to service any requests. + +RPC service rpcbind, statd and mountd are effected by this +problem. + +Fix by enhancing rendezvous_request to keep the number of +SVCXPRT conections to 4/5 of the size of the file descriptor +table. When this thresold is reached, it destroys the idle +TCP connections or destroys the least active connection if +no idle connnction was found. + +Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc +Signed-off-by: [email protected] +Signed-off-by: Steve Dickson <[email protected]> +--- + INSTALL | 371 +---------------------------------------------------------- + src/svc.c | 17 ++- + src/svc_vc.c | 62 +++++++++- + 3 files changed, 78 insertions(+), 372 deletions(-) + mode change 100644 => 120000 INSTALL + +diff --git a/src/svc.c b/src/svc.c +index 6db164b..3a8709f 100644 +--- a/src/svc.c ++++ b/src/svc.c +@@ -57,7 +57,7 @@ + + #define max(a, b) (a > b ? a : b) + +-static SVCXPRT **__svc_xports; ++SVCXPRT **__svc_xports; + int __svc_maxrec; + + /* +@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) + rwlock_unlock (&svc_fd_lock); + } + ++int ++svc_open_fds() ++{ ++ int ix; ++ int nfds = 0; ++ ++ rwlock_rdlock (&svc_fd_lock); ++ for (ix = 0; ix < svc_max_pollfd; ++ix) { ++ if (svc_pollfd[ix].fd != -1) ++ nfds++; ++ } ++ rwlock_unlock (&svc_fd_lock); ++ return (nfds); ++} ++ + /* + * Add a service program to the callout list. + * The dispatch routine will be called when a rpc request for this +diff --git a/src/svc_vc.c b/src/svc_vc.c +index f1d9f00..3dc8a75 100644 +--- a/src/svc_vc.c ++++ b/src/svc_vc.c +@@ -64,6 +64,8 @@ + + + extern rwlock_t svc_fd_lock; ++extern SVCXPRT **__svc_xports; ++extern int svc_open_fds(); + + static SVCXPRT *makefd_xprt(int, u_int, u_int); + static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); +@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); + static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); + static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, + void *in); ++static int __svc_destroy_idle(int timeout); + + struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ + u_int sendsize; +@@ -313,13 +316,14 @@ done: + return (xprt); + } + ++ + /*ARGSUSED*/ + static bool_t + rendezvous_request(xprt, msg) + SVCXPRT *xprt; + struct rpc_msg *msg; + { +- int sock, flags; ++ int sock, flags, nfds, cnt; + struct cf_rendezvous *r; + struct cf_conn *cd; + struct sockaddr_storage addr; +@@ -379,6 +383,16 @@ again: + + gettimeofday(&cd->last_recv_time, NULL); + ++ nfds = svc_open_fds(); ++ if (nfds >= (_rpc_dtablesize() / 5) * 4) { ++ /* destroy idle connections */ ++ cnt = __svc_destroy_idle(15); ++ if (cnt == 0) { ++ /* destroy least active */ ++ __svc_destroy_idle(0); ++ } ++ } ++ + return (FALSE); /* there is never an rpc msg to be processed */ + } + +@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) + { + return FALSE; + } ++ ++static int ++__svc_destroy_idle(int timeout) ++{ ++ int i, ncleaned = 0; ++ SVCXPRT *xprt, *least_active; ++ struct timeval tv, tdiff, tmax; ++ struct cf_conn *cd; ++ ++ gettimeofday(&tv, NULL); ++ tmax.tv_sec = tmax.tv_usec = 0; ++ least_active = NULL; ++ rwlock_wrlock(&svc_fd_lock); ++ ++ for (i = 0; i <= svc_max_pollfd; i++) { ++ if (svc_pollfd[i].fd == -1) ++ continue; ++ xprt = __svc_xports[i]; ++ if (xprt == NULL || xprt->xp_ops == NULL || ++ xprt->xp_ops->xp_recv != svc_vc_recv) ++ continue; ++ cd = (struct cf_conn *)xprt->xp_p1; ++ if (!cd->nonblock) ++ continue; ++ if (timeout == 0) { ++ timersub(&tv, &cd->last_recv_time, &tdiff); ++ if (timercmp(&tdiff, &tmax, >)) { ++ tmax = tdiff; ++ least_active = xprt; ++ } ++ continue; ++ } ++ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { ++ __xprt_unregister_unlocked(xprt); ++ __svc_vc_dodestroy(xprt); ++ ncleaned++; ++ } ++ } ++ if (timeout == 0 && least_active != NULL) { ++ __xprt_unregister_unlocked(least_active); ++ __svc_vc_dodestroy(least_active); ++ ncleaned++; ++ } ++ rwlock_unlock(&svc_fd_lock); ++ return (ncleaned); ++} +-- +1.8.3.1 + diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch new file mode 100644 index 000000000000..8ce864a2950c --- /dev/null +++ b/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch @@ -0,0 +1,52 @@ +From 63f3b9e883231ca08cf9c3cd8f5d582584412d94 Mon Sep 17 00:00:00 2001 +From: Ali Abdallah <[email protected]> +Date: Thu, 14 Jul 2022 13:47:32 -0400 +Subject: [PATCH] Fix potential memory leak of parms.r_addr + +During some valgrind test, the following is observed + +==11391== 64 bytes in 4 blocks are definitely lost in loss record 11 of 16 +==11391== at 0x4C2A2AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) +==11391== by 0x50ECED9: strdup (in /lib64/libc-2.22.so) +==11391== by 0x4E4AFBF: getclnthandle (in /lib64/libtirpc.so.3.0.0) +==11391== by 0x4E4BD8A: __rpcb_findaddr_timed (in /lib64/libtirpc.so.3.0.0) +==11391== by 0x4E443AF: clnt_tp_create_timed (in /lib64/libtirpc.so.3.0.0) +==11391== by 0x4E44580: clnt_create_timed (in /lib64/libtirpc.so.3.0.0) +==11391== by 0x400755: main (in /local/02/xdtadti/tirpc-test/client) + +Signed-off-by: Steve Dickson <[email protected]> +--- + INSTALL | 369 +------------------------------------------------------- + src/rpcb_clnt.c | 8 ++ + 2 files changed, 9 insertions(+), 368 deletions(-) + mode change 100644 => 120000 INSTALL + +diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c +index 0c34cb7..1a23cb1 100644 +--- a/src/rpcb_clnt.c ++++ b/src/rpcb_clnt.c +@@ -798,6 +798,10 @@ __try_protocol_version_2(program, version, nconf, host, tp) + pmapaddress->len = pmapaddress->maxlen = remote.len; + + CLNT_DESTROY(client); ++ ++ if (parms.r_addr != NULL && parms.r_addr != nullstring) ++ free(parms.r_addr); ++ + return pmapaddress; + + error: +@@ -806,6 +810,10 @@ error: + client = NULL; + + } ++ ++ if (parms.r_addr != NULL && parms.r_addr != nullstring) ++ free(parms.r_addr); ++ + return (NULL); + + } +-- +1.8.3.1 + diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch new file mode 100644 index 000000000000..8e85a564f29a --- /dev/null +++ b/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch @@ -0,0 +1,31 @@ +From d0dc59e27263c6b53435d770010dcc6f397d58ee Mon Sep 17 00:00:00 2001 +From: Frank Sorenson <[email protected]> +Date: Mon, 17 Jan 2022 13:33:13 -0500 +Subject: [PATCH] libtirpc: Fix use-after-free accessing the error number + +Free the cbuf after obtaining the error number. + +Signed-off-by: Frank Sorenson <[email protected]> +Signed-off-by: Steve Dickson <[email protected]> +--- + src/clnt_dg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/clnt_dg.c b/src/clnt_dg.c +index e1255de..b3d82e7 100644 +--- a/src/clnt_dg.c ++++ b/src/clnt_dg.c +@@ -456,9 +456,9 @@ get_reply: + cmsg = CMSG_NXTHDR (&msg, cmsg)) + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) + { +- mem_free(cbuf, (outlen + 256)); + e = (struct sock_extended_err *) CMSG_DATA(cmsg); + cu->cu_error.re_errno = e->ee_errno; ++ mem_free(cbuf, (outlen + 256)); + release_fd_lock(cu->cu_fd_lock, mask); + return (cu->cu_error.re_status = RPC_CANTRECV); + } +-- +1.8.3.1 + diff --git a/net-libs/libtirpc/libtirpc-1.3.2-r1.ebuild b/net-libs/libtirpc/libtirpc-1.3.2-r1.ebuild new file mode 100644 index 000000000000..fe750fb291d8 --- /dev/null +++ b/net-libs/libtirpc/libtirpc-1.3.2-r1.ebuild @@ -0,0 +1,65 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit multilib-minimal usr-ldscript + +DESCRIPTION="Transport Independent RPC library (SunRPC replacement)" +HOMEPAGE="https://sourceforge.net/projects/libtirpc/"; +SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2 + mirror://gentoo/${PN}-glibc-nfs.tar.xz" + +LICENSE="BSD BSD-2 BSD-4 LGPL-2.1+" +SLOT="0/3" # subslot matches SONAME major +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" +IUSE="ipv6 kerberos static-libs" + +RDEPEND="kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND} + elibc_musl? ( sys-libs/queue-standalone )" +BDEPEND=" + app-arch/xz-utils + virtual/pkgconfig" + +src_prepare() { + local PATCHES=( + "${FILESDIR}"/libtirpc-1.3.2-dos.patch + "${FILESDIR}"/libtirpc-1.3.2-use-after-free.patch + "${FILESDIR}"/libtirpc-1.3.2-memory-leak.patch + ) + cp -r "${WORKDIR}"/tirpc "${S}"/ || die + default +} + +multilib_src_configure() { + local myeconfargs=( + $(use_enable ipv6) + $(use_enable kerberos gssapi) + $(use_enable static-libs static) + ) + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" +} + +multilib_src_install() { + default + + # libtirpc replaces rpc support in glibc, so we need it in / + gen_usr_ldscript -a tirpc +} + +multilib_src_install_all() { + einstalldocs + + insinto /etc + doins doc/netconfig + + insinto /usr/include/tirpc + doins -r "${WORKDIR}"/tirpc/* + + # makes sure that the linking order for nfs-utils is proper, as + # libtool would inject a libgssglue dependency in the list. + if ! use static-libs ; then + find "${ED}" -name "*.la" -delete || die + fi +}
