Bug#799307: rpcbind: CVE-2015-7236: remote triggerable use-after-free in rpcbind

[Salvatore Bonaccorso]

Hi Anibal,

On Thu, Sep 17, 2015 at 08:14:59PM +0200, Salvatore Bonaccorso wrote:
> Source: rpcbind
> Version: 0.2.0-4.1
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for rpcbind.
> 
> CVE-2015-7236[0]:
> remote triggerable use-after-free in rpcbind
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-7236
> [1] http://www.spinics.net/lists/linux-nfs/msg53045.html
> [2] https://bugzilla.suse.com/show_bug.cgi?id=946204

Attached is proposed debdiff (which matches what I uploaded to
security-master, but not yet released). Do you handle the upload to
unstable yourself? I can otherwise do a NMU with attached debdiff.

Regards,
Salvatore

diff -Nru rpcbind-0.2.1/debian/changelog rpcbind-0.2.1/debian/changelog
--- rpcbind-0.2.1/debian/changelog      2014-08-18 11:46:29.000000000 +0200
+++ rpcbind-0.2.1/debian/changelog      2015-09-23 16:33:51.000000000 +0200
@@ -1,3 +1,12 @@
+rpcbind (0.2.1-6.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2015-7236.patch patch.
+    CVE-2015-7236: Memory corruption in PMAP_CALLIT code leading to denial
+    of service. (Closes: #799307)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 23 Sep 2015 16:33:12 +0200
+
 rpcbind (0.2.1-6) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru rpcbind-0.2.1/debian/patches/CVE-2015-7236.patch 
rpcbind-0.2.1/debian/patches/CVE-2015-7236.patch
--- rpcbind-0.2.1/debian/patches/CVE-2015-7236.patch    1970-01-01 
01:00:00.000000000 +0100
+++ rpcbind-0.2.1/debian/patches/CVE-2015-7236.patch    2015-09-23 
16:33:51.000000000 +0200
@@ -0,0 +1,78 @@
+commit 06f7ebb1dade2f0dbf872ea2bedf17cff4734bdd
+Author: Olaf Kirch <okir () suse de>
+Date:   Thu Aug 6 16:27:20 2015 +0200
+
+    Fix memory corruption in PMAP_CALLIT code
+    
+     - A PMAP_CALLIT call comes in on IPv4 UDP
+     - rpcbind duplicates the caller's address to a netbuf and stores it in
+       FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+       with a size of 16 bytes
+     - rpcbind forwards the call to the local service, receives a reply
+     - when processing the reply, it does this in xprt_set_caller:
+         xprt->xp_rtaddr = *FINFO[0].caller_addr
+       It sends out the reply, and then frees the netbuf caller_addr and
+       caller_addr.buf.
+       However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+       to memory region A, which is free.
+     - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+       be called, which will set xp_rtaddr to the client's address.
+       It will reuse the buffer inside xp_rtaddr, ie it will write a
+       sockaddr_in to region A
+    
+    Some time down the road, an incoming TCP connection is accepted,
+    allocating a fresh SVCXPRT. The memory region A is inside the
+    new SVCXPRT
+    
+     - While processing the TCP call, another UDP call comes in, again
+       overwriting region A with the client's address
+     - TCP client closes connection. In svc_destroy, we now trip over
+       the garbage left in region A
+    
+    We ran into the case where a commercial scanner was triggering
+    occasional rpcbind segfaults. The core file that was captured showed
+    a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+    
+    Signed-off-by: Olaf Kirch <okir () suse de>
+
+---
+ src/rpcb_svc_com.c |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1204,12 +1204,33 @@ check_rmtcalls(struct pollfd *pfds, int
+       return (ncallbacks_found);
+ }
+ 
++/*
++ * This is really a helper function defined in libtirpc, but unfortunately, 
it hasn't
++ * been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++      if (nb->len != len) {
++              if (nb->len)
++                      mem_free(nb->buf, nb->len);
++              nb->buf = mem_alloc(len);
++              if (nb->buf == NULL)
++                      return NULL;
++
++              nb->maxlen = nb->len = len;
++      }
++      memcpy(nb->buf, ptr, len);
++      return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++      const struct netbuf *caller = fi->caller_addr;
+       u_int32_t *xidp;
+ 
+-      *(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++      __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+       xidp = __rpcb_get_dg_xidp(xprt);
+       *xidp = fi->caller_xid;
+ }
diff -Nru rpcbind-0.2.1/debian/patches/series 
rpcbind-0.2.1/debian/patches/series
--- rpcbind-0.2.1/debian/patches/series 2013-12-31 00:32:11.000000000 +0100
+++ rpcbind-0.2.1/debian/patches/series 2015-09-23 16:33:51.000000000 +0200
@@ -2,3 +2,4 @@
 03-563971-warmstart-error-msg.patch
 04-610718-non-linux.patch
 run-migration
+CVE-2015-7236.patch