Overview

File clnt-create-unix-overflow.patch of Package glibc.22972

From 226b46770c82899b555986583294b049c6ec9b40 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 17 Jan 2022 10:21:34 +0100
Subject: [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for
 "unix" (bug 22542)

Processing an overlong pathname in the sunrpc clnt_create function
results in a stack-based buffer overflow.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
 include/sys/un.h             | 12 +++++++
 socket/Makefile              |  6 +++-
 socket/sockaddr_un_set.c     | 41 ++++++++++++++++++++++++
 socket/tst-sockaddr_un_set.c | 62 ++++++++++++++++++++++++++++++++++++
 4 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 socket/sockaddr_un_set.c
 create mode 100644 socket/tst-sockaddr_un_set.c

Index: glibc-2.26/include/sys/un.h
===================================================================
--- glibc-2.26.orig/include/sys/un.h
+++ glibc-2.26/include/sys/un.h
@@ -1 +1,13 @@
 #include <socket/sys/un.h>
+
+#ifndef _ISOMAC
+
+/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
+   Return 0 on success or -1 on failure (due to overlong PATHNAME).
+   The caller should always use sizeof (struct sockaddr_un) as the
+   socket address length, disregaring the length of PATHNAME.
+   Only concrete (non-abstract) pathnames are supported.  */
+int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
+  attribute_hidden;
+
+#endif /* _ISOMAC */
Index: glibc-2.26/socket/Makefile
===================================================================
--- glibc-2.26.orig/socket/Makefile
+++ glibc-2.26/socket/Makefile
@@ -29,10 +29,14 @@ headers	:= sys/socket.h sys/un.h bits/so
 routines := accept bind connect getpeername getsockname getsockopt	\
 	    listen recv recvfrom recvmsg send sendmsg sendto		\
 	    setsockopt shutdown socket socketpair isfdtype opensock	\
-	    sockatmark accept4 recvmmsg sendmmsg
+	    sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
 
 tests := tst-accept4
 
+tests-internal := \
+  tst-sockaddr_un_set \
+  # tests-internal
+
 aux	 := sa_len
 
 include ../Rules
Index: glibc-2.26/socket/sockaddr_un_set.c
===================================================================
--- /dev/null
+++ glibc-2.26/socket/sockaddr_un_set.c
@@ -0,0 +1,41 @@
+/* Set the sun_path member of struct sockaddr_un.
+   Copyright (C) 2022 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+int
+__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
+{
+  size_t name_length = strlen (pathname);
+
+  /* The kernel supports names of exactly sizeof (addr->sun_path)
+     bytes, without a null terminator, but userspace does not; see the
+     SUN_LEN macro.  */
+  if (name_length >= sizeof (addr->sun_path))
+    {
+      __set_errno (EINVAL);     /* Error code used by the kernel.  */
+      return -1;
+    }
+
+  addr->sun_family = AF_UNIX;
+  memcpy (addr->sun_path, pathname, name_length + 1);
+  return 0;
+}
Index: glibc-2.26/socket/tst-sockaddr_un_set.c
===================================================================
--- /dev/null
+++ glibc-2.26/socket/tst-sockaddr_un_set.c
@@ -0,0 +1,62 @@
+/* Test the __sockaddr_un_set function.
+   Copyright (C) 2022 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Re-compile the function because the version in libc is not
+   exported.  */
+#include "sockaddr_un_set.c"
+
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  struct sockaddr_un sun;
+
+  memset (&sun, 0xcc, sizeof (sun));
+  __sockaddr_un_set (&sun, "");
+  TEST_VERIFY (sun.sun_family == AF_UNIX);
+  TEST_VERIFY (__sockaddr_un_set (&sun, "") == 0);
+
+  memset (&sun, 0xcc, sizeof (sun));
+  TEST_VERIFY (__sockaddr_un_set (&sun, "/example") == 0);
+  TEST_VERIFY (strcmp (sun.sun_path, "/example") == 0);
+
+  {
+    char pathname[108];         /* Length of sun_path (ABI constant).  */
+    memset (pathname, 'x', sizeof (pathname));
+    pathname[sizeof (pathname) - 1] = '\0';
+    memset (&sun, 0xcc, sizeof (sun));
+    TEST_VERIFY (__sockaddr_un_set (&sun, pathname) == 0);
+    TEST_VERIFY (sun.sun_family == AF_UNIX);
+    TEST_VERIFY (strcmp (sun.sun_path, pathname) == 0);
+  }
+
+  {
+    char pathname[109];
+    memset (pathname, 'x', sizeof (pathname));
+    pathname[sizeof (pathname) - 1] = '\0';
+    memset (&sun, 0xcc, sizeof (sun));
+    errno = 0;
+    TEST_VERIFY (__sockaddr_un_set (&sun, pathname) == -1);
+    TEST_VERIFY (errno == EINVAL);
+  }
+
+  return 0;
+}
+
+#include <support/test-driver.c>
Index: glibc-2.26/sunrpc/clnt_gen.c
===================================================================
--- glibc-2.26.orig/sunrpc/clnt_gen.c
+++ glibc-2.26/sunrpc/clnt_gen.c
@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_lon
 
   if (strcmp (proto, "unix") == 0)
     {
-      memset ((char *)&sun, 0, sizeof (sun));
-      sun.sun_family = AF_UNIX;
-      strcpy (sun.sun_path, hostname);
+      if (__sockaddr_un_set (&sun, hostname) < 0)
+	{
+	  struct rpc_createerr *ce = &get_rpc_createerr ();
+	  ce->cf_stat = RPC_SYSTEMERROR;
+	  ce->cf_error.re_errno = errno;
+	  return NULL;
+	}
       sock = RPC_ANYSOCK;
       client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
       if (client == NULL)
openSUSE Build Service is sponsored by
Places