gentoo auto-resync : 24:07:2022 - 08:52:43

author: V3n3RiX <venerix@koprulu.sector> 2022-07-24 08:52:43 +0100
committer: V3n3RiX <venerix@koprulu.sector> 2022-07-24 08:52:43 +0100
commit: 28267a5e528b273fbd1b0f5f52ecaab4b03016ab (patch)
tree: f2c2ddc5cf19fcbc848cc9fe427df5abd8ac0339 /net-libs/libtirpc/files
parent: e19b21c73e5feac42ade97baf3eeb45c58a2f234 (diff)
3 files changed, 261 insertions, 0 deletions
diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch
new file mode 100644
index 000000000000..88b6f5719f41
--- /dev/null
+++ b/net-libs/libtirpc/files/libtirpc-1.3.2-dos.patch
@@ -0,0 +1,178 @@
+From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Sat, 21 Aug 2021 13:16:23 -0400
+Subject: [PATCH] Fix DoS vulnerability in libtirpc
+
+Currently svc_run does not handle poll timeout and rendezvous_request
+does not handle EMFILE error returned from accept(2 as it used to.
+These two missing functionality were removed by commit b2c9430f46c4.
+
+The effect of not handling poll timeout allows idle TCP conections
+to remain ESTABLISHED indefinitely. When the number of connections
+reaches the limit of the open file descriptors (ulimit -n) then
+accept(2) fails with EMFILE. Since there is no handling of EMFILE
+error this causes svc_run() to get in a tight loop calling accept(2).
+This resulting in the RPC service of svc_run is being down, it's
+no longer able to service any requests.
+
+RPC service rpcbind, statd and mountd are effected by this
+problem.
+
+Fix by enhancing rendezvous_request to keep the number of
+SVCXPRT conections to 4/5 of the size of the file descriptor
+table. When this thresold is reached, it destroys the idle
+TCP connections or destroys the least active connection if
+no idle connnction was found.
+
+Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
+Signed-off-by: dai.ngo@oracle.com
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ INSTALL      | 371 +----------------------------------------------------------
+ src/svc.c    |  17 ++-
+ src/svc_vc.c |  62 +++++++++-
+ 3 files changed, 78 insertions(+), 372 deletions(-)
+ mode change 100644 => 120000 INSTALL
+
+diff --git a/src/svc.c b/src/svc.c
+index 6db164b..3a8709f 100644
+--- a/src/svc.c
++++ b/src/svc.c
+@@ -57,7 +57,7 @@
+ 
+ #define max(a, b) (a > b ? a : b)
+ 
+-static SVCXPRT **__svc_xports;
++SVCXPRT **__svc_xports;
+ int __svc_maxrec;
+ 
+ /*
+@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
+     rwlock_unlock (&svc_fd_lock);
+ }
+ 
++int
++svc_open_fds()
++{
++	int ix;
++	int nfds = 0;
++
++	rwlock_rdlock (&svc_fd_lock);
++	for (ix = 0; ix < svc_max_pollfd; ++ix) {
++		if (svc_pollfd[ix].fd != -1)
++			nfds++;
++	}
++	rwlock_unlock (&svc_fd_lock);
++	return (nfds);
++}
++
+ /*
+  * Add a service program to the callout list.
+  * The dispatch routine will be called when a rpc request for this
+diff --git a/src/svc_vc.c b/src/svc_vc.c
+index f1d9f00..3dc8a75 100644
+--- a/src/svc_vc.c
++++ b/src/svc_vc.c
+@@ -64,6 +64,8 @@
+ 
+ 
+ extern rwlock_t svc_fd_lock;
++extern SVCXPRT **__svc_xports;
++extern int svc_open_fds();
+ 
+ static SVCXPRT *makefd_xprt(int, u_int, u_int);
+ static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
+@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
+ static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
+ static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
+ 				   	     void *in);
++static int __svc_destroy_idle(int timeout);
+ 
+ struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
+ 	u_int sendsize;
+@@ -313,13 +316,14 @@ done:
+ 	return (xprt);
+ }
+ 
++
+ /*ARGSUSED*/
+ static bool_t
+ rendezvous_request(xprt, msg)
+ 	SVCXPRT *xprt;
+ 	struct rpc_msg *msg;
+ {
+-	int sock, flags;
++	int sock, flags, nfds, cnt;
+ 	struct cf_rendezvous *r;
+ 	struct cf_conn *cd;
+ 	struct sockaddr_storage addr;
+@@ -379,6 +383,16 @@ again:
+ 
+ 	gettimeofday(&cd->last_recv_time, NULL);
+ 
++	nfds = svc_open_fds();
++	if (nfds >= (_rpc_dtablesize() / 5) * 4) {
++		/* destroy idle connections */
++		cnt = __svc_destroy_idle(15);
++		if (cnt == 0) {
++			/* destroy least active */
++			__svc_destroy_idle(0);
++		}
++	}
++
+ 	return (FALSE); /* there is never an rpc msg to be processed */
+ }
+ 
+@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
+ {
+ 	return FALSE;
+ }
++
++static int
++__svc_destroy_idle(int timeout)
++{
++	int i, ncleaned = 0;
++	SVCXPRT *xprt, *least_active;
++	struct timeval tv, tdiff, tmax;
++	struct cf_conn *cd;
++
++	gettimeofday(&tv, NULL);
++	tmax.tv_sec = tmax.tv_usec = 0;
++	least_active = NULL;
++	rwlock_wrlock(&svc_fd_lock);
++
++	for (i = 0; i <= svc_max_pollfd; i++) {
++		if (svc_pollfd[i].fd == -1)
++			continue;
++		xprt = __svc_xports[i];
++		if (xprt == NULL || xprt->xp_ops == NULL ||
++			xprt->xp_ops->xp_recv != svc_vc_recv)
++			continue;
++		cd = (struct cf_conn *)xprt->xp_p1;
++		if (!cd->nonblock)
++			continue;
++		if (timeout == 0) {
++			timersub(&tv, &cd->last_recv_time, &tdiff);
++			if (timercmp(&tdiff, &tmax, >)) {
++				tmax = tdiff;
++				least_active = xprt;
++			}
++			continue;
++		}
++		if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
++			__xprt_unregister_unlocked(xprt);
++			__svc_vc_dodestroy(xprt);
++			ncleaned++;
++		}
++	}
++	if (timeout == 0 && least_active != NULL) {
++		__xprt_unregister_unlocked(least_active);
++		__svc_vc_dodestroy(least_active);
++		ncleaned++;
++	}
++	rwlock_unlock(&svc_fd_lock);
++	return (ncleaned);
++}
+-- 
+1.8.3.1
+
diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch
new file mode 100644
index 000000000000..8ce864a2950c
--- /dev/null
+++ b/net-libs/libtirpc/files/libtirpc-1.3.2-memory-leak.patch
@@ -0,0 +1,52 @@
+From 63f3b9e883231ca08cf9c3cd8f5d582584412d94 Mon Sep 17 00:00:00 2001
+From: Ali Abdallah <ali.abdallah@suse.com>
+Date: Thu, 14 Jul 2022 13:47:32 -0400
+Subject: [PATCH] Fix potential memory leak of parms.r_addr
+
+During some valgrind test, the following is observed
+
+==11391== 64 bytes in 4 blocks are definitely lost in loss record 11 of 16
+==11391==    at 0x4C2A2AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==11391==    by 0x50ECED9: strdup (in /lib64/libc-2.22.so)
+==11391==    by 0x4E4AFBF: getclnthandle (in /lib64/libtirpc.so.3.0.0)
+==11391==    by 0x4E4BD8A: __rpcb_findaddr_timed (in /lib64/libtirpc.so.3.0.0)
+==11391==    by 0x4E443AF: clnt_tp_create_timed (in /lib64/libtirpc.so.3.0.0)
+==11391==    by 0x4E44580: clnt_create_timed (in /lib64/libtirpc.so.3.0.0)
+==11391==    by 0x400755: main (in /local/02/xdtadti/tirpc-test/client)
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ INSTALL         | 369 +-------------------------------------------------------
+ src/rpcb_clnt.c |   8 ++
+ 2 files changed, 9 insertions(+), 368 deletions(-)
+ mode change 100644 => 120000 INSTALL
+
+diff --git a/src/rpcb_clnt.c b/src/rpcb_clnt.c
+index 0c34cb7..1a23cb1 100644
+--- a/src/rpcb_clnt.c
++++ b/src/rpcb_clnt.c
+@@ -798,6 +798,10 @@ __try_protocol_version_2(program, version, nconf, host, tp)
+ 	pmapaddress->len = pmapaddress->maxlen = remote.len;
+ 
+ 	CLNT_DESTROY(client);
++
++	if (parms.r_addr != NULL && parms.r_addr != nullstring)
++		free(parms.r_addr);
++
+ 	return pmapaddress;
+ 
+ error:
+@@ -806,6 +810,10 @@ error:
+ 		client = NULL;
+ 
+ 	}
++
++	if (parms.r_addr != NULL && parms.r_addr != nullstring)
++		free(parms.r_addr);
++
+ 	return (NULL);
+ 
+ }
+-- 
+1.8.3.1
+
diff --git a/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch b/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch
new file mode 100644
index 000000000000..8e85a564f29a
--- /dev/null
+++ b/net-libs/libtirpc/files/libtirpc-1.3.2-use-after-free.patch
@@ -0,0 +1,31 @@
+From d0dc59e27263c6b53435d770010dcc6f397d58ee Mon Sep 17 00:00:00 2001
+From: Frank Sorenson <sorenson@redhat.com>
+Date: Mon, 17 Jan 2022 13:33:13 -0500
+Subject: [PATCH] libtirpc: Fix use-after-free accessing the error number
+
+Free the cbuf after obtaining the error number.
+
+Signed-off-by: Frank Sorenson <sorenson@redhat.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/clnt_dg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/clnt_dg.c b/src/clnt_dg.c
+index e1255de..b3d82e7 100644
+--- a/src/clnt_dg.c
++++ b/src/clnt_dg.c
+@@ -456,9 +456,9 @@ get_reply:
+ 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
+ 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ 		{
+-		  mem_free(cbuf, (outlen + 256));
+ 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ 		  cu->cu_error.re_errno = e->ee_errno;
++		  mem_free(cbuf, (outlen + 256));
+ 		  release_fd_lock(cu->cu_fd_lock, mask);
+ 		  return (cu->cu_error.re_status = RPC_CANTRECV);
+ 		}
+-- 
+1.8.3.1
+
author	V3n3RiX <venerix@koprulu.sector>	2022-07-24 08:52:43 +0100
committer	V3n3RiX <venerix@koprulu.sector>	2022-07-24 08:52:43 +0100
commit	28267a5e528b273fbd1b0f5f52ecaab4b03016ab (patch)
tree	f2c2ddc5cf19fcbc848cc9fe427df5abd8ac0339 /net-libs/libtirpc/files
parent	e19b21c73e5feac42ade97baf3eeb45c58a2f234 (diff)