forked from pool/libtirpc
Accepting request 919032 from home:pevik:branches:Base:System
- Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch - Replace %setup with %autosetup OBS-URL: https://build.opensuse.org/request/show/919032 OBS-URL: https://build.opensuse.org/package/show/Base:System/libtirpc?expand=0&rev=98
This commit is contained in:
parent
b1ced23b7f
commit
89743d5eb6
180
0001-Fix-DoS-vulnerability-in-libtirpc.patch
Normal file
180
0001-Fix-DoS-vulnerability-in-libtirpc.patch
Normal file
@ -0,0 +1,180 @@
|
|||||||
|
From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dai Ngo <dai.ngo@oracle.com>
|
||||||
|
Date: Sat, 21 Aug 2021 13:16:23 -0400
|
||||||
|
Subject: [PATCH] Fix DoS vulnerability in libtirpc
|
||||||
|
|
||||||
|
Currently svc_run does not handle poll timeout and rendezvous_request
|
||||||
|
does not handle EMFILE error returned from accept(2 as it used to.
|
||||||
|
These two missing functionality were removed by commit b2c9430f46c4.
|
||||||
|
|
||||||
|
The effect of not handling poll timeout allows idle TCP conections
|
||||||
|
to remain ESTABLISHED indefinitely. When the number of connections
|
||||||
|
reaches the limit of the open file descriptors (ulimit -n) then
|
||||||
|
accept(2) fails with EMFILE. Since there is no handling of EMFILE
|
||||||
|
error this causes svc_run() to get in a tight loop calling accept(2).
|
||||||
|
This resulting in the RPC service of svc_run is being down, it's
|
||||||
|
no longer able to service any requests.
|
||||||
|
|
||||||
|
RPC service rpcbind, statd and mountd are effected by this
|
||||||
|
problem.
|
||||||
|
|
||||||
|
Fix by enhancing rendezvous_request to keep the number of
|
||||||
|
SVCXPRT conections to 4/5 of the size of the file descriptor
|
||||||
|
table. When this thresold is reached, it destroys the idle
|
||||||
|
TCP connections or destroys the least active connection if
|
||||||
|
no idle connnction was found.
|
||||||
|
|
||||||
|
Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
|
||||||
|
Signed-off-by: dai.ngo@oracle.com
|
||||||
|
Signed-off-by: Steve Dickson <steved@redhat.com>
|
||||||
|
[ pvorel: removed INSTALL file change as not related ]
|
||||||
|
Signed-off-by: Petr Vorel <pvorel@suse.cz>
|
||||||
|
[ upstream status: 8652975 ("Fix DoS vulnerability in libtirpc") ]
|
||||||
|
---
|
||||||
|
src/svc.c | 17 ++-
|
||||||
|
src/svc_vc.c | 62 ++++++++-
|
||||||
|
3 files changed, 78 insertions(+), 372 deletions(-)
|
||||||
|
mode change 100644 => 120000 INSTALL
|
||||||
|
|
||||||
|
diff --git a/src/svc.c b/src/svc.c
|
||||||
|
index 6db164b..3a8709f 100644
|
||||||
|
--- a/src/svc.c
|
||||||
|
+++ b/src/svc.c
|
||||||
|
@@ -57,7 +57,7 @@
|
||||||
|
|
||||||
|
#define max(a, b) (a > b ? a : b)
|
||||||
|
|
||||||
|
-static SVCXPRT **__svc_xports;
|
||||||
|
+SVCXPRT **__svc_xports;
|
||||||
|
int __svc_maxrec;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
|
||||||
|
rwlock_unlock (&svc_fd_lock);
|
||||||
|
}
|
||||||
|
|
||||||
|
+int
|
||||||
|
+svc_open_fds()
|
||||||
|
+{
|
||||||
|
+ int ix;
|
||||||
|
+ int nfds = 0;
|
||||||
|
+
|
||||||
|
+ rwlock_rdlock (&svc_fd_lock);
|
||||||
|
+ for (ix = 0; ix < svc_max_pollfd; ++ix) {
|
||||||
|
+ if (svc_pollfd[ix].fd != -1)
|
||||||
|
+ nfds++;
|
||||||
|
+ }
|
||||||
|
+ rwlock_unlock (&svc_fd_lock);
|
||||||
|
+ return (nfds);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Add a service program to the callout list.
|
||||||
|
* The dispatch routine will be called when a rpc request for this
|
||||||
|
diff --git a/src/svc_vc.c b/src/svc_vc.c
|
||||||
|
index f1d9f00..3dc8a75 100644
|
||||||
|
--- a/src/svc_vc.c
|
||||||
|
+++ b/src/svc_vc.c
|
||||||
|
@@ -64,6 +64,8 @@
|
||||||
|
|
||||||
|
|
||||||
|
extern rwlock_t svc_fd_lock;
|
||||||
|
+extern SVCXPRT **__svc_xports;
|
||||||
|
+extern int svc_open_fds();
|
||||||
|
|
||||||
|
static SVCXPRT *makefd_xprt(int, u_int, u_int);
|
||||||
|
static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
|
||||||
|
@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
|
||||||
|
static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
|
||||||
|
static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
|
||||||
|
void *in);
|
||||||
|
+static int __svc_destroy_idle(int timeout);
|
||||||
|
|
||||||
|
struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
|
||||||
|
u_int sendsize;
|
||||||
|
@@ -313,13 +316,14 @@ done:
|
||||||
|
return (xprt);
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
/*ARGSUSED*/
|
||||||
|
static bool_t
|
||||||
|
rendezvous_request(xprt, msg)
|
||||||
|
SVCXPRT *xprt;
|
||||||
|
struct rpc_msg *msg;
|
||||||
|
{
|
||||||
|
- int sock, flags;
|
||||||
|
+ int sock, flags, nfds, cnt;
|
||||||
|
struct cf_rendezvous *r;
|
||||||
|
struct cf_conn *cd;
|
||||||
|
struct sockaddr_storage addr;
|
||||||
|
@@ -379,6 +383,16 @@ again:
|
||||||
|
|
||||||
|
gettimeofday(&cd->last_recv_time, NULL);
|
||||||
|
|
||||||
|
+ nfds = svc_open_fds();
|
||||||
|
+ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
|
||||||
|
+ /* destroy idle connections */
|
||||||
|
+ cnt = __svc_destroy_idle(15);
|
||||||
|
+ if (cnt == 0) {
|
||||||
|
+ /* destroy least active */
|
||||||
|
+ __svc_destroy_idle(0);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (FALSE); /* there is never an rpc msg to be processed */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
|
||||||
|
{
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+__svc_destroy_idle(int timeout)
|
||||||
|
+{
|
||||||
|
+ int i, ncleaned = 0;
|
||||||
|
+ SVCXPRT *xprt, *least_active;
|
||||||
|
+ struct timeval tv, tdiff, tmax;
|
||||||
|
+ struct cf_conn *cd;
|
||||||
|
+
|
||||||
|
+ gettimeofday(&tv, NULL);
|
||||||
|
+ tmax.tv_sec = tmax.tv_usec = 0;
|
||||||
|
+ least_active = NULL;
|
||||||
|
+ rwlock_wrlock(&svc_fd_lock);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i <= svc_max_pollfd; i++) {
|
||||||
|
+ if (svc_pollfd[i].fd == -1)
|
||||||
|
+ continue;
|
||||||
|
+ xprt = __svc_xports[i];
|
||||||
|
+ if (xprt == NULL || xprt->xp_ops == NULL ||
|
||||||
|
+ xprt->xp_ops->xp_recv != svc_vc_recv)
|
||||||
|
+ continue;
|
||||||
|
+ cd = (struct cf_conn *)xprt->xp_p1;
|
||||||
|
+ if (!cd->nonblock)
|
||||||
|
+ continue;
|
||||||
|
+ if (timeout == 0) {
|
||||||
|
+ timersub(&tv, &cd->last_recv_time, &tdiff);
|
||||||
|
+ if (timercmp(&tdiff, &tmax, >)) {
|
||||||
|
+ tmax = tdiff;
|
||||||
|
+ least_active = xprt;
|
||||||
|
+ }
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
|
||||||
|
+ __xprt_unregister_unlocked(xprt);
|
||||||
|
+ __svc_vc_dodestroy(xprt);
|
||||||
|
+ ncleaned++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (timeout == 0 && least_active != NULL) {
|
||||||
|
+ __xprt_unregister_unlocked(least_active);
|
||||||
|
+ __svc_vc_dodestroy(least_active);
|
||||||
|
+ ncleaned++;
|
||||||
|
+ }
|
||||||
|
+ rwlock_unlock(&svc_fd_lock);
|
||||||
|
+ return (ncleaned);
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.33.0
|
||||||
|
|
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 15 05:35:58 UTC 2021 - Petr Vorel <pvorel@suse.cz>
|
||||||
|
|
||||||
|
- Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch
|
||||||
|
- Replace %setup with %autosetup
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun May 16 09:17:01 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
Sun May 16 09:17:01 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
@ -26,6 +26,7 @@ Group: Development/Libraries/C and C++
|
|||||||
URL: https://sourceforge.net/projects/libtirpc/
|
URL: https://sourceforge.net/projects/libtirpc/
|
||||||
Source: https://download.sourceforge.net/libtirpc/%{name}-%{version}.tar.bz2
|
Source: https://download.sourceforge.net/libtirpc/%{name}-%{version}.tar.bz2
|
||||||
Source1: baselibs.conf
|
Source1: baselibs.conf
|
||||||
|
Patch1: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: pkgconfig(krb5)
|
BuildRequires: pkgconfig(krb5)
|
||||||
|
|
||||||
@ -67,7 +68,7 @@ This implementation allows the support of other transports than UDP and
|
|||||||
TCP over IPv4.
|
TCP over IPv4.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%autosetup -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
sed -i -e 's|${includedir}/tirpc|${includedir}|g' libtirpc.pc.in
|
sed -i -e 's|${includedir}/tirpc|${includedir}|g' libtirpc.pc.in
|
||||||
|
Loading…
Reference in New Issue
Block a user