From 43f63738e14a8084e09f87cc928f77f04188853eefc284bf342f153e1ac13313 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Fri, 19 Aug 2022 15:32:17 +0000 Subject: [PATCH] - update to 1.3.3 (bsc#1201680, CVE-2021-46828): * Fix DoS vulnerability in libtirpc * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr * rpcb_clnt.c add mechanism to try v2 protocol first * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c OBS-URL: https://build.opensuse.org/package/show/Base:System/libtirpc?expand=0&rev=99 --- 0001-Fix-DoS-vulnerability-in-libtirpc.patch | 180 ------------------- libtirpc-1.3.2.tar.bz2 | 3 - libtirpc-1.3.3.tar.bz2 | 3 + libtirpc.changes | 16 ++ libtirpc.spec | 5 +- 5 files changed, 21 insertions(+), 186 deletions(-) delete mode 100644 0001-Fix-DoS-vulnerability-in-libtirpc.patch delete mode 100644 libtirpc-1.3.2.tar.bz2 create mode 100644 libtirpc-1.3.3.tar.bz2 diff --git a/0001-Fix-DoS-vulnerability-in-libtirpc.patch b/0001-Fix-DoS-vulnerability-in-libtirpc.patch deleted file mode 100644 index f7c2d87..0000000 --- a/0001-Fix-DoS-vulnerability-in-libtirpc.patch +++ /dev/null @@ -1,180 +0,0 @@ -From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001 -From: Dai Ngo -Date: Sat, 21 Aug 2021 13:16:23 -0400 -Subject: [PATCH] Fix DoS vulnerability in libtirpc - -Currently svc_run does not handle poll timeout and rendezvous_request -does not handle EMFILE error returned from accept(2 as it used to. -These two missing functionality were removed by commit b2c9430f46c4. - -The effect of not handling poll timeout allows idle TCP conections -to remain ESTABLISHED indefinitely. When the number of connections -reaches the limit of the open file descriptors (ulimit -n) then -accept(2) fails with EMFILE. Since there is no handling of EMFILE -error this causes svc_run() to get in a tight loop calling accept(2). -This resulting in the RPC service of svc_run is being down, it's -no longer able to service any requests. - -RPC service rpcbind, statd and mountd are effected by this -problem. - -Fix by enhancing rendezvous_request to keep the number of -SVCXPRT conections to 4/5 of the size of the file descriptor -table. When this thresold is reached, it destroys the idle -TCP connections or destroys the least active connection if -no idle connnction was found. - -Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc -Signed-off-by: dai.ngo@oracle.com -Signed-off-by: Steve Dickson -[ pvorel: removed INSTALL file change as not related ] -Signed-off-by: Petr Vorel -[ upstream status: 8652975 ("Fix DoS vulnerability in libtirpc") ] ---- - src/svc.c | 17 ++- - src/svc_vc.c | 62 ++++++++- - 3 files changed, 78 insertions(+), 372 deletions(-) - mode change 100644 => 120000 INSTALL - -diff --git a/src/svc.c b/src/svc.c -index 6db164b..3a8709f 100644 ---- a/src/svc.c -+++ b/src/svc.c -@@ -57,7 +57,7 @@ - - #define max(a, b) (a > b ? a : b) - --static SVCXPRT **__svc_xports; -+SVCXPRT **__svc_xports; - int __svc_maxrec; - - /* -@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock) - rwlock_unlock (&svc_fd_lock); - } - -+int -+svc_open_fds() -+{ -+ int ix; -+ int nfds = 0; -+ -+ rwlock_rdlock (&svc_fd_lock); -+ for (ix = 0; ix < svc_max_pollfd; ++ix) { -+ if (svc_pollfd[ix].fd != -1) -+ nfds++; -+ } -+ rwlock_unlock (&svc_fd_lock); -+ return (nfds); -+} -+ - /* - * Add a service program to the callout list. - * The dispatch routine will be called when a rpc request for this -diff --git a/src/svc_vc.c b/src/svc_vc.c -index f1d9f00..3dc8a75 100644 ---- a/src/svc_vc.c -+++ b/src/svc_vc.c -@@ -64,6 +64,8 @@ - - - extern rwlock_t svc_fd_lock; -+extern SVCXPRT **__svc_xports; -+extern int svc_open_fds(); - - static SVCXPRT *makefd_xprt(int, u_int, u_int); - static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *); -@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *); - static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in); - static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq, - void *in); -+static int __svc_destroy_idle(int timeout); - - struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */ - u_int sendsize; -@@ -313,13 +316,14 @@ done: - return (xprt); - } - -+ - /*ARGSUSED*/ - static bool_t - rendezvous_request(xprt, msg) - SVCXPRT *xprt; - struct rpc_msg *msg; - { -- int sock, flags; -+ int sock, flags, nfds, cnt; - struct cf_rendezvous *r; - struct cf_conn *cd; - struct sockaddr_storage addr; -@@ -379,6 +383,16 @@ again: - - gettimeofday(&cd->last_recv_time, NULL); - -+ nfds = svc_open_fds(); -+ if (nfds >= (_rpc_dtablesize() / 5) * 4) { -+ /* destroy idle connections */ -+ cnt = __svc_destroy_idle(15); -+ if (cnt == 0) { -+ /* destroy least active */ -+ __svc_destroy_idle(0); -+ } -+ } -+ - return (FALSE); /* there is never an rpc msg to be processed */ - } - -@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock) - { - return FALSE; - } -+ -+static int -+__svc_destroy_idle(int timeout) -+{ -+ int i, ncleaned = 0; -+ SVCXPRT *xprt, *least_active; -+ struct timeval tv, tdiff, tmax; -+ struct cf_conn *cd; -+ -+ gettimeofday(&tv, NULL); -+ tmax.tv_sec = tmax.tv_usec = 0; -+ least_active = NULL; -+ rwlock_wrlock(&svc_fd_lock); -+ -+ for (i = 0; i <= svc_max_pollfd; i++) { -+ if (svc_pollfd[i].fd == -1) -+ continue; -+ xprt = __svc_xports[i]; -+ if (xprt == NULL || xprt->xp_ops == NULL || -+ xprt->xp_ops->xp_recv != svc_vc_recv) -+ continue; -+ cd = (struct cf_conn *)xprt->xp_p1; -+ if (!cd->nonblock) -+ continue; -+ if (timeout == 0) { -+ timersub(&tv, &cd->last_recv_time, &tdiff); -+ if (timercmp(&tdiff, &tmax, >)) { -+ tmax = tdiff; -+ least_active = xprt; -+ } -+ continue; -+ } -+ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) { -+ __xprt_unregister_unlocked(xprt); -+ __svc_vc_dodestroy(xprt); -+ ncleaned++; -+ } -+ } -+ if (timeout == 0 && least_active != NULL) { -+ __xprt_unregister_unlocked(least_active); -+ __svc_vc_dodestroy(least_active); -+ ncleaned++; -+ } -+ rwlock_unlock(&svc_fd_lock); -+ return (ncleaned); -+} --- -2.33.0 - diff --git a/libtirpc-1.3.2.tar.bz2 b/libtirpc-1.3.2.tar.bz2 deleted file mode 100644 index 757f777..0000000 --- a/libtirpc-1.3.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e24eb88b8ce7db3b7ca6eb80115dd1284abc5ec32a8deccfed2224fc2532b9fd -size 513151 diff --git a/libtirpc-1.3.3.tar.bz2 b/libtirpc-1.3.3.tar.bz2 new file mode 100644 index 0000000..33f76bc --- /dev/null +++ b/libtirpc-1.3.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3 +size 562812 diff --git a/libtirpc.changes b/libtirpc.changes index 3bc006c..406fdb0 100644 --- a/libtirpc.changes +++ b/libtirpc.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Fri Aug 19 15:27:29 UTC 2022 - Dirk Müller + +- update to 1.3.3 (bsc#1201680, CVE-2021-46828): + * Fix DoS vulnerability in libtirpc + * _rpc_dtablesize: use portable system call + * libtirpc: Fix use-after-free accessing the error number + * Fix potential memory leak of parms.r_addr + * rpcb_clnt.c add mechanism to try v2 protocol first + * Eliminate deadlocks in connects with an MT environment + * clnt_dg_freeres() uncleared set active state may deadlock + * thread safe clnt destruction + * SUNRPC: mutexed access blacklist_read state variable + * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c +- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream) + ------------------------------------------------------------------- Wed Sep 15 05:35:58 UTC 2021 - Petr Vorel diff --git a/libtirpc.spec b/libtirpc.spec index d43b012..782bdcf 100644 --- a/libtirpc.spec +++ b/libtirpc.spec @@ -1,7 +1,7 @@ # # spec file for package libtirpc # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define debug_package_requires libtirpc3 = %{version}-%{release} Name: libtirpc -Version: 1.3.2 +Version: 1.3.3 Release: 0 Summary: Transport Independent RPC Library License: BSD-3-Clause @@ -26,7 +26,6 @@ Group: Development/Libraries/C and C++ URL: https://sourceforge.net/projects/libtirpc/ Source: https://download.sourceforge.net/libtirpc/%{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch1: 0001-Fix-DoS-vulnerability-in-libtirpc.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(krb5)