Accepting request 919033 from Base:System

OBS-URL: https://build.opensuse.org/request/show/919033 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libtirpc?expand=0&rev=58
2021-09-21 19:12:12 +00:00 · 2021-09-21 19:12:12 +00:00 · 7aa38e42f9
commit 7aa38e42f9
parent 48f59a0b07 89743d5eb6
3 changed files with 188 additions and 1 deletions
--- a/0001-Fix-DoS-vulnerability-in-libtirpc.patch
+++ b/0001-Fix-DoS-vulnerability-in-libtirpc.patch
@ -0,0 +1,180 @@
+From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Sat, 21 Aug 2021 13:16:23 -0400
+Subject: [PATCH] Fix DoS vulnerability in libtirpc
+
+Currently svc_run does not handle poll timeout and rendezvous_request
+does not handle EMFILE error returned from accept(2 as it used to.
+These two missing functionality were removed by commit b2c9430f46c4.
+
+The effect of not handling poll timeout allows idle TCP conections
+to remain ESTABLISHED indefinitely. When the number of connections
+reaches the limit of the open file descriptors (ulimit -n) then
+accept(2) fails with EMFILE. Since there is no handling of EMFILE
+error this causes svc_run() to get in a tight loop calling accept(2).
+This resulting in the RPC service of svc_run is being down, it's
+no longer able to service any requests.
+
+RPC service rpcbind, statd and mountd are effected by this
+problem.
+
+Fix by enhancing rendezvous_request to keep the number of
+SVCXPRT conections to 4/5 of the size of the file descriptor
+table. When this thresold is reached, it destroys the idle
+TCP connections or destroys the least active connection if
+no idle connnction was found.
+
+Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
+Signed-off-by: dai.ngo@oracle.com
+Signed-off-by: Steve Dickson <steved@redhat.com>
+[ pvorel: removed INSTALL file change as not related ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+[ upstream status: 8652975 ("Fix DoS vulnerability in libtirpc") ]
+---
+ src/svc.c    |  17 ++-
+ src/svc_vc.c |  62 ++++++++-
+ 3 files changed, 78 insertions(+), 372 deletions(-)
+ mode change 100644 => 120000 INSTALL
+
+diff --git a/src/svc.c b/src/svc.c
+index 6db164b..3a8709f 100644
+--- a/src/svc.c
+++ b/src/svc.c
+@@ -57,7 +57,7 @@
+ 
+ #define max(a, b) (a > b ? a : b)
+ 
+-static SVCXPRT **__svc_xports;
+SVCXPRT **__svc_xports;
+ int __svc_maxrec;
+ 
+ /*
+@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
+     rwlock_unlock (&svc_fd_lock);
+ }
+ 
+int
+svc_open_fds()
+{
+	int ix;
+	int nfds = 0;
+
+	rwlock_rdlock (&svc_fd_lock);
+	for (ix = 0; ix < svc_max_pollfd; ++ix) {
+		if (svc_pollfd[ix].fd != -1)
+			nfds++;
+	}
+	rwlock_unlock (&svc_fd_lock);
+	return (nfds);
+}
+
+ /*
+  * Add a service program to the callout list.
+  * The dispatch routine will be called when a rpc request for this
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index f1d9f00..3dc8a75 100644
+--- a/src/svc_vc.c
+++ b/src/svc_vc.c
+@@ -64,6 +64,8 @@
+ 
+ 
+ extern rwlock_t svc_fd_lock;
+extern SVCXPRT **__svc_xports;
+extern int svc_open_fds();
+ 
+ static SVCXPRT *makefd_xprt(int, u_int, u_int);
+ static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
+@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
+ static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
+ static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
+ 				   	     void *in);
+static int __svc_destroy_idle(int timeout);
+ 
+ struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
+ 	u_int sendsize;
+@@ -313,13 +316,14 @@ done:
+ 	return (xprt);
+ }
+ 
+
+ /*ARGSUSED*/
+ static bool_t
+ rendezvous_request(xprt, msg)
+ 	SVCXPRT *xprt;
+ 	struct rpc_msg *msg;
+ {
+-	int sock, flags;
+	int sock, flags, nfds, cnt;
+ 	struct cf_rendezvous *r;
+ 	struct cf_conn *cd;
+ 	struct sockaddr_storage addr;
+@@ -379,6 +383,16 @@ again:
+ 
+ 	gettimeofday(&cd->last_recv_time, NULL);
+ 
+	nfds = svc_open_fds();
+	if (nfds >= (_rpc_dtablesize() / 5) * 4) {
+		/* destroy idle connections */
+		cnt = __svc_destroy_idle(15);
+		if (cnt == 0) {
+			/* destroy least active */
+			__svc_destroy_idle(0);
+		}
+	}
+
+ 	return (FALSE); /* there is never an rpc msg to be processed */
+ }
+ 
+@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
+ {
+ 	return FALSE;
+ }
+
+static int
+__svc_destroy_idle(int timeout)
+{
+	int i, ncleaned = 0;
+	SVCXPRT *xprt, *least_active;
+	struct timeval tv, tdiff, tmax;
+	struct cf_conn *cd;
+
+	gettimeofday(&tv, NULL);
+	tmax.tv_sec = tmax.tv_usec = 0;
+	least_active = NULL;
+	rwlock_wrlock(&svc_fd_lock);
+
+	for (i = 0; i <= svc_max_pollfd; i++) {
+		if (svc_pollfd[i].fd == -1)
+			continue;
+		xprt = __svc_xports[i];
+		if (xprt == NULL || xprt->xp_ops == NULL ||
+			xprt->xp_ops->xp_recv != svc_vc_recv)
+			continue;
+		cd = (struct cf_conn *)xprt->xp_p1;
+		if (!cd->nonblock)
+			continue;
+		if (timeout == 0) {
+			timersub(&tv, &cd->last_recv_time, &tdiff);
+			if (timercmp(&tdiff, &tmax, >)) {
+				tmax = tdiff;
+				least_active = xprt;
+			}
+			continue;
+		}
+		if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
+			__xprt_unregister_unlocked(xprt);
+			__svc_vc_dodestroy(xprt);
+			ncleaned++;
+		}
+	}
+	if (timeout == 0 && least_active != NULL) {
+		__xprt_unregister_unlocked(least_active);
+		__svc_vc_dodestroy(least_active);
+		ncleaned++;
+	}
+	rwlock_unlock(&svc_fd_lock);
+	return (ncleaned);
+}
+-- 
+2.33.0
+
--- a/libtirpc.changes
+++ b/libtirpc.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 15 05:35:58 UTC 2021 - Petr Vorel <pvorel@suse.cz>
+
+- Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch
+- Replace %setup with %autosetup
+
 -------------------------------------------------------------------
 Sun May 16 09:17:01 UTC 2021 - Dirk Müller <dmueller@suse.com>

--- a/libtirpc.spec
+++ b/libtirpc.spec
@ -26,6 +26,7 @@ Group:          Development/Libraries/C and C++
 URL:            https://sourceforge.net/projects/libtirpc/
 Source:         https://download.sourceforge.net/libtirpc/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
+Patch1:         0001-Fix-DoS-vulnerability-in-libtirpc.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(krb5)

@ -67,7 +68,7 @@ This implementation allows the support of other transports than UDP and
 TCP over IPv4.

 %prep
-%setup -q
+%autosetup -p1

 %build
 sed -i -e 's|${includedir}/tirpc|${includedir}|g' libtirpc.pc.in