From 1abcad92193f0830afdb313f9ad215d0eaa8a99a0977c7a245ba1059742f1d39 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Mon, 22 Feb 2016 15:04:42 +0000 Subject: [PATCH] Accepting request 360882 from home:kukuk:branches:network - Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset interface for libtirpc, which is limited to 1024 connections. - Sync with current git: - Replace 0002-revert-auth.patch with 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch to fix problems with activation via sockets by systemd - Replace 0032-CVE-2015-7236.patch with 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch - Add 0005-security.c-removed-warning.patch to fix compiler warnings - Temporary remove 099-poll.patch - Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled patches. - Submit for SLE12SP2 [FATE#320393] - Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain remote scans [CVE-2015-7236, bsc#940191, bsc#946204] - Document how to restrict addresses that rpcbind will listen on [bsc#935102] Added 0031-rpcbind-manpage.patch - Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall forwarding (bnc#932423) OBS-URL: https://build.opensuse.org/request/show/360882 OBS-URL: https://build.opensuse.org/package/show/network/rpcbind?expand=0&rev=58 --- ...n-t-use-the-xp_auth-pointer-directly.patch | 40 +++++++++ 0002-revert-auth.patch | 35 -------- ...ix-socket-only-if-we-have-created-it.patch | 51 ++++++++++++ ...emory-corruption-in-PMAP_CALLIT-code.patch | 82 +++++++++++++++++++ 0005-security.c-removed-warning.patch | 29 +++++++ ...ll.patch => 0006-don-t-use-svc_fdset.patch | 51 ++++++++++-- 0030-systemd-fix-rmtcall.patch | 21 +++++ 0031-rpcbind-manpage.patch | 52 ++++++++++++ rpcbind.changes | 45 ++++++++++ rpcbind.spec | 20 +++-- 10 files changed, 379 insertions(+), 47 deletions(-) create mode 100644 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch delete mode 100644 0002-revert-auth.patch create mode 100644 
0003-Delete-the-unix-socket-only-if-we-have-created-it.patch create mode 100644 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch create mode 100644 0005-security.c-removed-warning.patch rename 099-poll.patch => 0006-don-t-use-svc_fdset.patch (56%) create mode 100644 0030-systemd-fix-rmtcall.patch create mode 100644 0031-rpcbind-manpage.patch diff --git a/0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch b/0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch new file mode 100644 index 0000000..16d0dc1 --- /dev/null +++ b/0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch @@ -0,0 +1,40 @@ +From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001 +From: Steve Dickson +Date: Mon, 2 Nov 2015 17:05:18 -0500 +Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly + +In the latest libtirpc version to access the xp_auth +one must use the SVC_XP_AUTH macro. To be backwards +compatible a couple ifdefs were added to use the +macro when it exists. + +Signed-off-by: Steve Dickson +--- + src/rpcb_svc_com.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 4ae93f1..22d6c84 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt) + a.rmt_localvers = fi->versnum; + + xprt_set_caller(xprt, fi); ++#if defined(SVC_XP_AUTH) ++ SVC_XP_AUTH(xprt) = svc_auth_none; ++#else + xprt->xp_auth = &svc_auth_none; ++#endif + svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a); ++#if !defined(SVC_XP_AUTH) + SVCAUTH_DESTROY(xprt->xp_auth); + xprt->xp_auth = NULL; ++#endif ++ + done: + if (buffer) + free(buffer); +-- +1.8.5.6 + diff --git a/0002-revert-auth.patch b/0002-revert-auth.patch deleted file mode 100644 index 08965b2..0000000 --- a/0002-revert-auth.patch +++ /dev/null 
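Review bot: The two preprocessor guards added to handle_reply() carry no comment, and nothing explains why the `SVCAUTH_DESTROY(xprt->xp_auth); xprt->xp_auth = NULL;` cleanup is skipped when `SVC_XP_AUTH` is defined. In that branch the transport keeps the `svc_auth_none` value after the reply has been sent, so a reader cannot tell whether that is intended or an omission. I would add a comment above the first guard, for example `/* with SVC_XP_AUTH the auth handle is assigned by value; nothing to destroy or reset after the reply */`, once that has been confirmed against the libtirpc headers. handle_reply() starts and ends outside the hunk.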
@@ -1,35 +0,0 @@
-commit 86036582c001e99075f4d74cb3829df39f2a9ddf
-Author: Frank Hirtz
-Date: Tue Oct 23 11:38:20 2012 -0400
-
- rpcbind is "swallowing" broadcast RPC replies
-
- If xp_auth is NULL, the transport routines will not send
- the reply. This patch fixes that problem.
-
- Signed-off-by: Steve Dickson
-
-diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
-index 5bb9a44..f6bd6bd 100644
---- a/src/rpcb_svc_com.c
-+++ b/src/rpcb_svc_com.c
-@@ -1227,6 +1227,8 @@ send_svcsyserr(SVCXPRT *xprt, struct finfo *fi)
- return;
- }
-
-+extern SVCAUTH svc_auth_none;
-+
- static void
- handle_reply(int fd, SVCXPRT *xprt)
- {
-@@ -1293,7 +1295,10 @@ handle_reply(int fd, SVCXPRT *xprt)
- a.rmt_localvers = fi->versnum;
-
- xprt_set_caller(xprt, fi);
-+ xprt->xp_auth = &svc_auth_none;
- svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a);
-+ SVCAUTH_DESTROY(xprt->xp_auth);
-+ xprt->xp_auth = NULL;
- done:
- if (buffer)
- free(buffer);
diff --git a/0003-Delete-the-unix-socket-only-if-we-have-created-it.patch b/0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
new file mode 100644
index 0000000..0228975
--- /dev/null
+++ b/0003-Delete-the-unix-socket-only-if-we-have-created-it.patch
@@ -0,0 +1,51 @@ +From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001 +From: Laurent Bigonville +Date: Wed, 18 Nov 2015 14:34:26 -0500 +Subject: [PATCH] Delete the unix socket only if we have created it + +From: Laurent Bigonville + +If systemd has created the unix socket on our behalf, we shouldn't try +to delete it. + +https://bugzilla.redhat.com/show_bug.cgi?id=1279076 + +Signed-off-by: Laurent Bigonville +--- + src/rpcbind.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/rpcbind.c b/src/rpcbind.c +index 045daa1..c4265cd 100644 +--- a/src/rpcbind.c ++++ b/src/rpcbind.c +@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {} + int debugging = 0; /* Tell me what's going on */ + int doabort = 0; /* When debugging, do an abort on errors */ + int dofork = 1; /* fork? */ ++int createdsocket = 0; /* Did I create the socket or systemd did it for me? */ + + rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */ + +@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf) + memset(&sun, 0, sizeof sun); + sun.sun_family = AF_LOCAL; + unlink(_PATH_RPCBINDSOCK); ++ createdsocket = 1; /* We are now in the process of creating the unix socket */ + strcpy(sun.sun_path, _PATH_RPCBINDSOCK); + addrlen = SUN_LEN(&sun); + sa = (struct sockaddr *)&sun; +@@ -846,7 +848,8 @@ static void + terminate(int dummy /*__unused*/) + { + close(rpcbindlockfd); +- unlink(_PATH_RPCBINDSOCK); ++ if(createdsocket) ++ unlink(_PATH_RPCBINDSOCK); + unlink(RPCBINDDLOCK); + #ifdef WARMSTART + write_warmstart(); /* Dump yourself */ +-- +1.8.5.6 + diff --git a/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch b/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch new file mode 100644 index 0000000..dc9d9d5 --- /dev/null +++ b/0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch 
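Review bot: `createdsocket` is a plain `int` that terminate() reads, and terminate(int) has the shape of a signal handler; if it is installed as one, the flag should be declared `volatile sig_atomic_t createdsocket = 0;`. The flag is also set right after `unlink(_PATH_RPCBINDSOCK)` in init_transport() and before the socket is bound, so it stays at 1 even when the bind later fails. Moving `createdsocket = 1;` to after the successful bind would make the flag mean what its comment says. Whether init_transport() is reached at all when systemd passed the socket is not visible here, and both init_transport() and terminate() continue outside the hunks.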
@@ -0,0 +1,82 @@
+From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
+From: Olaf Kirch
+Date: Fri, 30 Oct 2015 10:18:20 -0400
+Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+ FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+ with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+ xprt->xp_rtaddr = *FINFO[0].caller_addr
+ It sends out the reply, and then frees the netbuf caller_addr and
+ caller_addr.buf.
+ However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+ to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+ be called, which will set xp_rtaddr to the client's address.
+ It will reuse the buffer inside xp_rtaddr, ie it will write a
+ sockaddr_in to region A
+
+Some time down the road, an incoming TCP connection is accepted,
+allocating a fresh SVCXPRT. The memory region A is inside the
+new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+ overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+ the garbage left in region A
+
+We ran into the case where a commercial scanner was triggering
+occasional rpcbind segfaults. The core file that was captured showed
+a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+Signed-off-by: Olaf Kirch
+Signed-off-by: Steve Dickson
+---
+ src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index ff9ce6b..4ae93f1 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
+ return (ncallbacks_found);
+ }
+
++/*
++ * This is really a helper function defined in libtirpc,
++ * but unfortunately, it hasn't been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++ if (nb->len != len) {
++ if (nb->len)
++ mem_free(nb->buf, nb->len);
++ nb->buf = mem_alloc(len);
++ if (nb->buf == NULL)
++ return NULL;
++
++ nb->maxlen = nb->len = len;
++ }
++ memcpy(nb->buf, ptr, len);
++ return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++ const struct netbuf *caller = fi->caller_addr;
+ u_int32_t *xidp;
+
+- *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ xidp = __rpcb_get_dg_xidp(xprt);
+ *xidp = fi->caller_xid;
+ }
+--
+1.8.5.6
+
diff --git a/0005-security.c-removed-warning.patch b/0005-security.c-removed-warning.patch
new file mode 100644
index 0000000..759a8f6
--- /dev/null
+++ b/0005-security.c-removed-warning.patch
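Review bot: When `mem_alloc()` fails, `__rpc_set_netbuf()` returns NULL after it has already freed the old buffer, which leaves `nb->buf == NULL` while `nb->len` and `nb->maxlen` still hold the old non-zero size, and `xprt_set_caller()` ignores the return value. A later call with the same `len` would then skip the reallocation and `memcpy()` into NULL, and any other reader of the caller address sees a length that no longer matches the buffer. Resetting the sizes on the failure path, `nb->maxlen = nb->len = 0;` ahead of `return NULL;`, and checking the result in xprt_set_caller() closes that gap. The helper name also begins with `__`, which is reserved and would clash with the libtirpc symbol once it is exported, as the comment itself anticipates; a local name such as `rpcbind_set_netbuf` avoids that.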
@@ -0,0 +1,29 @@ +From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001 +From: Steve Dickson +Date: Thu, 17 Sep 2015 15:57:35 -0400 +Subject: [PATCH 1/4] security.c: removed warning + +src/security.c:100:8: warning: implicit declaration of function 'xlog' +[-Wimplicit-function-declaration] + +Signed-off-by: Steve Dickson +--- + src/security.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/security.c b/src/security.c +index 0c9453f..c54ce26 100644 +--- a/src/security.c ++++ b/src/security.c +@@ -17,6 +17,8 @@ + #include + #include + ++#include "xlog.h" ++ + /* + * XXX for special case checks in check_callit. + */ +-- +1.8.5.6 + diff --git a/099-poll.patch b/0006-don-t-use-svc_fdset.patch similarity index 56% rename from 099-poll.patch rename to 0006-don-t-use-svc_fdset.patch index 457f512..368430a 100644 --- a/099-poll.patch +++ b/0006-don-t-use-svc_fdset.patch @@ -1,8 +1,42 @@ +From e97a3d42704ac83453cc85d09ed48eb9755696a5 Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk +Date: Fri, 19 Feb 2016 15:55:38 +0100 +Subject: [PATCH 1/1] rpcbind and libtirpc are both using poll in svc_run(), + but rpcbind used the old svc_fdset interface for this. This limits the + possible connections to 1024, while both could handle much more. rpcbind is + now accessing directly the svc_pollfd data of libtirpc. + +Signed-off-by: Thorsten Kukuk +--- + src/rpcb_svc_com.c | 48 ++++++++++++++++-------------------------------- + 1 file changed, 16 insertions(+), 32 deletions(-) + diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index ff9ce6b..d675eda 100644 +index 22d6c84..148fe42 100644 --- a/src/rpcb_svc_com.c 
+++ b/src/rpcb_svc_com.c -@@ -1097,35 +1097,28 @@ netbuffree(struct netbuf *ap) +@@ -536,10 +536,6 @@ create_rmtcall_fd(struct netconfig *nconf) + rmttail->next = rmt; + rmttail = rmt; + } +- /* XXX not threadsafe */ +- if (fd > svc_maxfd) +- svc_maxfd = fd; +- FD_SET(fd, &svc_fdset); + return (fd); + } + +@@ -1056,9 +1052,6 @@ free_slot_by_index(int index) + fi = &FINFO[index]; + if (fi->flag & FINFO_ACTIVE) { + netbuffree(fi->caller_addr); +- /* XXX may be too big, but can't access xprt array here */ +- if (fi->forward_fd >= svc_maxfd) +- svc_maxfd--; + free(fi->uaddr); + fi->flag &= ~FINFO_ACTIVE; + rpcb_rmtcalls--; +@@ -1097,35 +1090,28 @@ netbuffree(struct netbuf *ap) } @@ -38,8 +72,7 @@ index ff9ce6b..d675eda 100644 + + if (svc_max_pollfd == 0 && svc_pollfd == NULL) + return; - -- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) { ++ + + for (i = 0; i < svc_max_pollfd; ++i) + { @@ -47,12 +80,13 @@ index ff9ce6b..d675eda 100644 + my_pollfd[i].events = svc_pollfd[i].events; + my_pollfd[i].revents = 0; + } -+ + +- switch (poll_ret = poll(pollfds, nfds, 30 * 1000)) { + switch (poll_ret = poll(my_pollfd, svc_max_pollfd, 30 * 1000)) { case -1: /* * We ignore all errors, continuing with the assumption -@@ -1133,8 +1126,6 @@ my_svc_run() +@@ -1133,8 +1119,6 @@ my_svc_run() * other outside event) and not caused by poll(). */ case 0: @@ -61,7 +95,7 @@ index ff9ce6b..d675eda 100644 continue; default: /* -@@ -1144,10 +1135,10 @@ my_svc_run() +@@ -1144,10 +1128,10 @@ my_svc_run() * don't call svc_getreq_poll. Otherwise, there * must be another so we must call svc_getreq_poll. */ @@ -74,3 +108,6 @@ index ff9ce6b..d675eda 100644 } } } +-- +1.8.5.6 + diff --git a/0030-systemd-fix-rmtcall.patch b/0030-systemd-fix-rmtcall.patch new file mode 100644 index 0000000..c66bc9b --- /dev/null +++ b/0030-systemd-fix-rmtcall.patch 
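Review bot: The early-exit test in my_svc_run(), `if (svc_max_pollfd == 0 && svc_pollfd == NULL)`, returns only when both conditions hold, so a NULL `svc_pollfd` combined with a non-zero `svc_max_pollfd` would fall through to the copy loop and be dereferenced there. Unless libtirpc guarantees the two are always set together, `if (svc_max_pollfd == 0 || svc_pollfd == NULL) return;` is the safer guard. The declaration of `my_pollfd` is outside the lines shown here; since the loop writes `svc_max_pollfd` entries and the purpose of the patch is to go beyond 1024 descriptors, its size should be checked against that count, and a stack array sized by the number of connections would deserve a second look. my_svc_run() starts and ends outside these hunks.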
@@ -0,0 +1,21 @@
+The init_transport changes broke rmtcall forwarding. Fix it.
+
+---
+ src/rpcbind.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: rpcbind-0.2.1_rc4/src/rpcbind.c
+===================================================================
+--- rpcbind-0.2.1_rc4.orig/src/rpcbind.c
++++ rpcbind-0.2.1_rc4/src/rpcbind.c
+@@ -837,6 +837,10 @@ init_transports_systemd()
+ rpcbind_log_error("unable to create transport for socket fd %d", fd);
+ exit(1);
+ }
++
++ if (nconf->nc_semantics == NC_TPI_CLTS && create_rmtcall_fd(nconf) < 0) {
++ rpcbind_log_error("unable to create rmtcall fd for %s", nconf->nc_netid);
++ }
+ }
+
+ if (nc_handle)
diff --git a/0031-rpcbind-manpage.patch b/0031-rpcbind-manpage.patch
new file mode 100644
index 0000000..2b7f7f3
--- /dev/null
+++ b/0031-rpcbind-manpage.patch
@@ -0,0 +1,52 @@
+De-emphasize the -h option and refer people to systemd instead
+
+---
+ man/rpcbind.8 | 34 ++++++++++++++--------------------
+ 1 file changed, 14 insertions(+), 20 deletions(-)
+
+Index: rpcbind-0.2.1_rc4/man/rpcbind.8
+===================================================================
+--- rpcbind-0.2.1_rc4.orig/man/rpcbind.8
++++ rpcbind-0.2.1_rc4/man/rpcbind.8
+@@ -86,27 +86,21 @@ checks are shown in detail.
+ Do not fork and become a background process.
+ .It Fl h
+ Specify specific IP addresses to bind to for UDP requests.
+-This option
+-may be specified multiple times and is typically necessary when running
+-on a multi-homed host.
+-If no
+-.Fl h
+-option is specified,
+-.Nm
+-will bind to
+-.Dv INADDR_ANY ,
+-which could lead to problems on a multi-homed host due to
++This option may be specified multiple times and can be used to
++restrict the interfaces rpcbind will respond to.
++Note that when
+ .Nm
+-returning a UDP packet from a different IP address than it was
+-sent to.
+-Note that when specifying IP addresses with
+-.Fl h ,
+-.Nm
+-will automatically add
+-.Li 127.0.0.1
+-and if IPv6 is enabled,
+-.Li ::1
+-to the list.
++is controlled via systemd's socket activation,
++the
++.Fl h
++option is ignored. In this case, you need to edit
++the
++.Nm ListenStream
++and
++.Nm ListenDgram
++definitions in
++.Nm /usr/lib/systemd/system/rpcbind.socket
++instead.
+ .It Fl i
+ .Dq Insecure
+ mode.
diff --git a/rpcbind.changes b/rpcbind.changes
index 488754a..7d9a52c 100644
--- a/rpcbind.changes
+++ b/rpcbind.changes
@@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Fri Feb 19 16:00:46 CET 2016 - kukuk@suse.de + +- Add 0006-don-t-use-svc_fdset.patch: don't use the svc_fdset + interface for libtirpc, which is limited to 1024 connections. + +------------------------------------------------------------------- +Fri Feb 12 16:18:30 CET 2016 - kukuk@suse.de + +- Sync with current git: + - Replace 0002-revert-auth.patch with + 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch + - Add 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch + to fix problems with activation via sockets by systemd + - Replace 0032-CVE-2015-7236.patch with + 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch + - Add 0005-security.c-removed-warning.patch to fix compiler warnings +- Temporary remove 099-poll.patch + +------------------------------------------------------------------- +Wed Jan 27 15:08:00 CET 2016 - kukuk@suse.de + +- Disable 0030-systemd-fix-rmtcall.patch, needs the other disabled + patches. +- Submit for SLE12SP2 [FATE#320393] + ------------------------------------------------------------------- Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de 
@@ -5,11 +31,30 @@ Tue Nov 17 14:20:28 CET 2015 - kukuk@suse.de with libtirpc 1.0.1 (http://sourceforge.net/p/libtirpc/mailman/message/34585439/) +------------------------------------------------------------------- +Mon Sep 21 13:51:41 UTC 2015 - okir@suse.com + +- Add patch 0032-CVE-2015-7236.patch to fix a segfault on certain + remote scans [CVE-2015-7236, bsc#940191, bsc#946204] + +------------------------------------------------------------------- +Mon Jul 27 08:27:14 UTC 2015 - okir@suse.com + +- Document how to restrict addresses that rpcbind will listen on + [bsc#935102] + Added 0031-rpcbind-manpage.patch + ------------------------------------------------------------------- Tue Jul 14 16:52:03 CEST 2015 - kukuk@suse.de - Add 099-poll.patch: use libtirpc with poll() implementation +------------------------------------------------------------------- +Wed May 27 08:38:26 UTC 2015 - okir@suse.com + +- Add patch 0030-systemd-fix-rmtcall.patch to fix rmtcall + forwarding (bnc#932423) + ------------------------------------------------------------------- Thu Apr 30 09:36:21 CEST 2015 - kukuk@suse.de diff --git a/rpcbind.spec b/rpcbind.spec index a0be732..b63d8b6 100644 --- a/rpcbind.spec +++ b/rpcbind.spec @@ -1,7 +1,7 @@ # # spec file for package rpcbind # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -36,13 +36,18 @@ BuildRequires: pkgconfig(libsystemd-daemon) PreReq: %fillup_prereq Requires(pre): /usr/sbin/useradd Patch1: 0001-systemd-unit-files.patch -Patch2: 0002-revert-auth.patch +Patch2: 0002-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch +Patch3: 0003-Delete-the-unix-socket-only-if-we-have-created-it.patch +Patch4: 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch +Patch5: 0005-security.c-removed-warning.patch +Patch6: 0006-don-t-use-svc_fdset.patch Patch8: 0008-First-part-of-init_transport-refactoring.patch Patch9: 0009-init_transport-move-the-registration-code-into-a-sep.patch Patch10: 0010-Fix-the-behavior-when-specifying-the-h-option.patch Patch11: 0011-Clean-up-the-way-we-handle-the-h-option-in-init_tran.patch Patch14: 0014-When-using-systemd-redirect-syslog-calls-to-the-syst.patch -Patch99: 099-poll.patch +Patch30: 0030-systemd-fix-rmtcall.patch +Patch31: 0031-rpcbind-manpage.patch %define statefile /var/lib/portmap.state %{?systemd_requires} @@ -59,13 +64,18 @@ regards to portmap. %setup -q cp %{SOURCE4} . %patch1 -p1 -%patch2 -p1 -R +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 #%patch8 -p1 #%patch9 -p1 #%patch10 -p1 #%patch11 -p1 #%patch14 -p1 -%patch99 -p1 +#%patch30 -p1 +%patch31 -p1 %build autoreconf -fiv
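Review bot: The CVE reference is lost from the patch list: the changelog says 0032-CVE-2015-7236.patch is replaced by 0004-Fix-memory-corruption-in-PMAP_CALLIT-code.patch, but the new `Patch4:` line gives no hint that it is the security fix. A comment above it, `# PATCH-FIX-UPSTREAM CVE-2015-7236 bsc#940191 bsc#946204`, keeps the fix findable for anyone auditing the package against that advisory. `Patch30` is declared while its application stays commented out in %prep (`#%patch30 -p1`); a one-line comment naming the disabled patches it depends on would save the next maintainer a search through the changelog.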