https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=f545ad4928fa1f27a3075265182b38a4f939a5f7 From: Florian Weimer Date: Mon, 17 Jan 2022 09:21:34 +0000 (+0100) Subject: CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) X-Git-Tag: glibc-2.35~68 X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=f545ad4928fa1f27a3075265182b38a4f939a5f7 CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768) The sunrpc function svcunix_create suffers from a stack-based buffer overflow with overlong pathname arguments. Reviewed-by: Siddhesh Poyarekar
---
diff -Naur glibc-2.33/sunrpc/Makefile glibc-2.33_patched/sunrpc/Makefile
--- glibc-2.33/sunrpc/Makefile 2021-02-01 20:15:33.000000000 +0300
+++ glibc-2.33_patched/sunrpc/Makefile 2022-12-02 14:23:29.124970662 +0300
@@ -65,7 +65,7 @@
 endif
 tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
- tst-udp-nonblocking
+ tst-udp-nonblocking tst-bug28768
 xtests := tst-getmyaddr
 ifeq ($(have-thread-library),yes)
diff -Naur glibc-2.33/sunrpc/svc_unix.c glibc-2.33_patched/sunrpc/svc_unix.c
--- glibc-2.33/sunrpc/svc_unix.c 2022-12-02 13:59:22.503767402 +0300
+++ glibc-2.33_patched/sunrpc/svc_unix.c 2022-12-02 13:53:04.979423000 +0300
@@ -154,7 +154,10 @@
 SVCXPRT *xprt;
 struct unix_rendezvous *r;
 struct sockaddr_un addr;
- socklen_t len = sizeof (struct sockaddr_in);
+ socklen_t len = sizeof (addr);
+
+ if (__sockaddr_un_set (&addr, path) < 0)
+ return NULL;
 if (sock == RPC_ANYSOCK)
 {
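Review bot: With `socklen_t len = sizeof (addr);` and the next hunk dropping both the `memset` and the `strlen`-based length, the `__bind` call kept as context there now receives the whole structure, of which only the bytes written by `__sockaddr_un_set` are known to be initialised. The helper's body is not in this patch, so it is worth confirming that it terminates `sun_path` and that nothing later reads the bytes after the terminator. The patch also neither defines nor declares `__sockaddr_un_set`, so it presumably depends on an earlier patch in the series and would not build on its own against 2.33. I would add `/* Reject a path that does not fit in sun_path before the RPC_ANYSOCK branch runs; the test expects errno == EINVAL.  */` above the check. The enclosing function starts and ends outside the hunk.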
@@ -165,12 +168,6 @@
 }
 madesock = TRUE;
 }
- memset (&addr, '\0', sizeof (addr));
- addr.sun_family = AF_UNIX;
- len = strlen (path) + 1;
- memcpy (addr.sun_path, path, len);
- len += sizeof (addr.sun_family);
-
 __bind (sock, (struct sockaddr *) &addr, len);
 if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
diff -Naur glibc-2.33/sunrpc/tst-bug28768.c glibc-2.33_patched/sunrpc/tst-bug28768.c
--- glibc-2.33/sunrpc/tst-bug28768.c 1970-01-01 03:00:00.000000000 +0300
+++ glibc-2.33_patched/sunrpc/tst-bug28768.c 2022-12-02 13:53:04.979423000 +0300
@@ -0,0 +1,42 @@
+/* Test to verify that long path is rejected by svcunix_create (bug 28768).
+ Copyright (C) 2022 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ . */
+
+#include
+#include
+#include
+#include
+#include
+
+/* svcunix_create does not have a default version in linkobj/libc.so. */
+compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
+
+static int
+do_test (void)
+{
+ char pathname[109];
+ memset (pathname, 'x', sizeof (pathname));
+ pathname[sizeof (pathname) - 1] = '\0';
+
+ errno = 0;
+ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
+ TEST_COMPARE (errno, EINVAL);
+
+ return 0;
+}
+
+#include
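Review bot: `char pathname[109];` in `do_test` hard-codes one more than the usual size of `sun_path`, so the test would silently stop probing the boundary on a target where that array has a different size. Deriving the size keeps the intent visible: `char pathname[sizeof (((struct sockaddr_un *) 0)->sun_path) + 1];`, which needs the `sys/un.h` declarations in scope. The test also pins only the first rejected length; a companion check that a path one byte shorter is still accepted would catch an off-by-one in the other direction, though it would have to bind inside a temporary directory.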