All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak
@ 2017-05-11  6:05 Doran Moppert
  2017-05-11 15:49 ` Steve Dickson
  0 siblings, 1 reply; 2+ messages in thread
From: Doran Moppert @ 2017-05-11  6:05 UTC (permalink / raw)
  To: linux-nfs

This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
at [1], [2], [3].  The last link suggests this issue is actually a bug
in rpcbind, which led me here.

The leak caused by the reproducer at [4] appears to come from
rpcb_service_4(), in the case where svc_getargs() returns false and the
function had an early return, rather than passing through the cleanup
path at done:, as would otherwise occur.

It also addresses a couple of other locations where the same fault seems
to exist, though I haven't been able to exercise those.  I hope someone
more intimate with rpc(3) can confirm my understanding is correct, and
that I haven't introduced any new bugs.

Without this patch, using the reproducer (and variants) repeatedly
against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
rpcbind)/status reports VmSize increase of 976564 kB each call, and
VmRSS increase of around 260 kB every 33 calls - the specific numbers
are probably an artifact of my rhel/glibc version.  With the patch,
there is a small (~50 kB) VmSize increase with the first message, but
thereafter both VmSize and VmRSS remain steady.


[1]: http://seclists.org/oss-sec/2017/q2/209
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
[4]: https://github.com/guidovranken/rpcbomb/


Signed-off-by: Doran Moppert <dmoppert@redhat.com>
---
 src/pmap_svc.c     | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
 src/rpcb_svc.c     |  2 +-
 src/rpcb_svc_4.c   |  2 +-
 src/rpcb_svc_com.c |  8 ++++++++
 4 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/src/pmap_svc.c b/src/pmap_svc.c
index 4c744fe..e926cdc 100644
--- a/src/pmap_svc.c
+++ b/src/pmap_svc.c
@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
 	long ans;
 	uid_t uid;
 	char uidbuf[32];
+	int rc = TRUE;
 
 	/*
 	 * Can't use getpwnam here. We might end up calling ourselves
@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
 
 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
 		svcerr_decode(xprt);
-		return (FALSE);
+		rc = FALSE;
+		goto done;
 	}
 #ifdef RPCBIND_DEBUG
 	if (debugging)
@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
 
 	if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
 		svcerr_weakauth(xprt);
-		return (FALSE);
+		rc = (FALSE);
+		goto done;
 	}
 
 	rpcbreg.r_prog = reg.pm_prog;
@@ -258,7 +261,16 @@ done_change:
 		rpcbs_set(RPCBVERS_2_STAT, ans);
 	else
 		rpcbs_unset(RPCBVERS_2_STAT, ans);
-	return (TRUE);
+done:
+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+		if (debugging) {
+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
+			if (doabort) {
+				rpcbind_abort();
+			}
+		}
+	}
+	return (rc);
 }
 
 /* ARGSUSED */
@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
 #ifdef RPCBIND_DEBUG
 	char *uaddr;
 #endif
+	int rc = TRUE;
 
 	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
 		svcerr_decode(xprt);
-		return (FALSE);
+		rc = FALSE;
+		goto done;
 	}
 
 	if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
 		svcerr_weakauth(xprt);
-		return FALSE;
+		rc = FALSE;
+		goto done;
 	}
 
 #ifdef RPCBIND_DEBUG
@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
 		pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
 		port ? udptrans : "");
 
-	return (TRUE);
+done:
+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
+		if (debugging) {
+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
+			if (doabort) {
+				rpcbind_abort();
+			}
+		}
+	}
+	return (rc);
 }
 
 /* ARGSUSED */
 static bool_t
 pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
 {
+	int rc = TRUE;
+
 	if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
 		svcerr_decode(xprt);
-		return (FALSE);
+		rc = FALSE;
+		goto done;
 	}
 
 	if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
 		svcerr_weakauth(xprt);
-		return FALSE;
+		rc = FALSE;
+		goto done;
 	}
 	
 	if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
 			rpcbind_abort();
 		}
 	}
-	return (TRUE);
+
+done:
+	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
+		if (debugging) {
+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
+			if (doabort) {
+				rpcbind_abort();
+			}
+		}
+	}
+	return (rc);
 }
 
 int pmap_netid2ipprot(const char *netid)
diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
index 709e3fb..091f530 100644
--- a/src/rpcb_svc.c
+++ b/src/rpcb_svc.c
@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
 		svcerr_decode(transp);
 		if (debugging)
 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
-		return;
+		goto done;
 	}
 
 	if (rqstp->rq_proc == RPCBPROC_SET
diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c
index 5094879..eebbbbe 100644
--- a/src/rpcb_svc_4.c
+++ b/src/rpcb_svc_4.c
@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
 		svcerr_decode(transp);
 		if (debugging)
 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
-		return;
+		goto done;
 	}
 
 	if (rqstp->rq_proc == RPCBPROC_SET
diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
index 5862c26..cb63afd 100644
--- a/src/rpcb_svc_com.c
+++ b/src/rpcb_svc_com.c
@@ -927,6 +927,14 @@ error:
 	if (call_msg.rm_xid != 0)
 		(void) free_slot_by_xid(call_msg.rm_xid);
 out:
+	if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
+		if (debugging) {
+			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
+			if (doabort) {
+				rpcbind_abort();
+			}
+		}
+	}
 	if (local_uaddr)
 		free(local_uaddr);
 	if (buf_alloc)
-- 
1.8.3.1

-- 
Doran Moppert
Red Hat Product Security

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak
  2017-05-11  6:05 [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak Doran Moppert
@ 2017-05-11 15:49 ` Steve Dickson
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Dickson @ 2017-05-11 15:49 UTC (permalink / raw)
  To: Doran Moppert, linux-nfs



On 05/11/2017 02:05 AM, Doran Moppert wrote:
> This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed
> at [1], [2], [3].  The last link suggests this issue is actually a bug
> in rpcbind, which led me here.
> 
> The leak caused by the reproducer at [4] appears to come from
> rpcb_service_4(), in the case where svc_getargs() returns false and the
> function had an early return, rather than passing through the cleanup
> path at done:, as would otherwise occur.
> 
> It also addresses a couple of other locations where the same fault seems
> to exist, though I haven't been able to exercise those.  I hope someone
> more intimate with rpc(3) can confirm my understanding is correct, and
> that I haven't introduced any new bugs.
> 
> Without this patch, using the reproducer (and variants) repeatedly
> against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof
> rpcbind)/status reports VmSize increase of 976564 kB each call, and
> VmRSS increase of around 260 kB every 33 calls - the specific numbers
> are probably an artifact of my rhel/glibc version.  With the patch,
> there is a small (~50 kB) VmSize increase with the first message, but
> thereafter both VmSize and VmRSS remain steady.
> 
> 
> [1]: http://seclists.org/oss-sec/2017/q2/209
> [2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124
> [3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
> [4]: https://github.com/guidovranken/rpcbomb/
> 
> 
> Signed-off-by: Doran Moppert <dmoppert@redhat.com>
Committed... 

steved.

> ---
>  src/pmap_svc.c     | 56 +++++++++++++++++++++++++++++++++++++++++++++---------
>  src/rpcb_svc.c     |  2 +-
>  src/rpcb_svc_4.c   |  2 +-
>  src/rpcb_svc_com.c |  8 ++++++++
>  4 files changed, 57 insertions(+), 11 deletions(-)
> 
> diff --git a/src/pmap_svc.c b/src/pmap_svc.c
> index 4c744fe..e926cdc 100644
> --- a/src/pmap_svc.c
> +++ b/src/pmap_svc.c
> @@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
>  	long ans;
>  	uid_t uid;
>  	char uidbuf[32];
> +	int rc = TRUE;
>  
>  	/*
>  	 * Can't use getpwnam here. We might end up calling ourselves
> @@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
>  
>  	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
>  		svcerr_decode(xprt);
> -		return (FALSE);
> +		rc = FALSE;
> +		goto done;
>  	}
>  #ifdef RPCBIND_DEBUG
>  	if (debugging)
> @@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long
>  
>  	if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) {
>  		svcerr_weakauth(xprt);
> -		return (FALSE);
> +		rc = (FALSE);
> +		goto done;
>  	}
>  
>  	rpcbreg.r_prog = reg.pm_prog;
> @@ -258,7 +261,16 @@ done_change:
>  		rpcbs_set(RPCBVERS_2_STAT, ans);
>  	else
>  		rpcbs_unset(RPCBVERS_2_STAT, ans);
> -	return (TRUE);
> +done:
> +	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
> +		if (debugging) {
> +			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
> +			if (doabort) {
> +				rpcbind_abort();
> +			}
> +		}
> +	}
> +	return (rc);
>  }
>  
>  /* ARGSUSED */
> @@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
>  #ifdef RPCBIND_DEBUG
>  	char *uaddr;
>  #endif
> +	int rc = TRUE;
>  
>  	if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
>  		svcerr_decode(xprt);
> -		return (FALSE);
> +		rc = FALSE;
> +		goto done;
>  	}
>  
>  	if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) {
>  		svcerr_weakauth(xprt);
> -		return FALSE;
> +		rc = FALSE;
> +		goto done;
>  	}
>  
>  #ifdef RPCBIND_DEBUG
> @@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
>  		pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>",
>  		port ? udptrans : "");
>  
> -	return (TRUE);
> +done:
> +	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)&reg)) {
> +		if (debugging) {
> +			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
> +			if (doabort) {
> +				rpcbind_abort();
> +			}
> +		}
> +	}
> +	return (rc);
>  }
>  
>  /* ARGSUSED */
>  static bool_t
>  pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
>  {
> +	int rc = TRUE;
> +
>  	if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) {
>  		svcerr_decode(xprt);
> -		return (FALSE);
> +		rc = FALSE;
> +		goto done;
>  	}
>  
>  	if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) {
>  		svcerr_weakauth(xprt);
> -		return FALSE;
> +		rc = FALSE;
> +		goto done;
>  	}
>  	
>  	if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr,
> @@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
>  			rpcbind_abort();
>  		}
>  	}
> -	return (TRUE);
> +
> +done:
> +	if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
> +		if (debugging) {
> +			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
> +			if (doabort) {
> +				rpcbind_abort();
> +			}
> +		}
> +	}
> +	return (rc);
>  }
>  
>  int pmap_netid2ipprot(const char *netid)
> diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c
> index 709e3fb..091f530 100644
> --- a/src/rpcb_svc.c
> +++ b/src/rpcb_svc.c
> @@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp)
>  		svcerr_decode(transp);
>  		if (debugging)
>  			(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
> -		return;
> +		goto done;
>  	}
>  
>  	if (rqstp->rq_proc == RPCBPROC_SET
> diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c
> index 5094879..eebbbbe 100644
> --- a/src/rpcb_svc_4.c
> +++ b/src/rpcb_svc_4.c
> @@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp)
>  		svcerr_decode(transp);
>  		if (debugging)
>  			(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
> -		return;
> +		goto done;
>  	}
>  
>  	if (rqstp->rq_proc == RPCBPROC_SET
> diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
> index 5862c26..cb63afd 100644
> --- a/src/rpcb_svc_com.c
> +++ b/src/rpcb_svc_com.c
> @@ -927,6 +927,14 @@ error:
>  	if (call_msg.rm_xid != 0)
>  		(void) free_slot_by_xid(call_msg.rm_xid);
>  out:
> +	if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) {
> +		if (debugging) {
> +			(void) xlog(LOG_DEBUG, "unable to free arguments\n");
> +			if (doabort) {
> +				rpcbind_abort();
> +			}
> +		}
> +	}
>  	if (local_uaddr)
>  		free(local_uaddr);
>  	if (buf_alloc)
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-05-11 15:49 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-11  6:05 [PATCH] rpcbind: pair all svc_getargs() calls with svc_freeargs() to avoid memory leak Doran Moppert
2017-05-11 15:49 ` Steve Dickson

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.