Diffstat (limited to 'source/n/rpcbind')
16 files changed, 643 insertions, 253 deletions
diff --git a/source/n/rpcbind/0001-man-rpcibind.8-Clarify-state-file-usage-and-history.patch b/source/n/rpcbind/0001-man-rpcibind.8-Clarify-state-file-usage-and-history.patch
new file mode 100644
index 00000000..9ea5870d
--- /dev/null
+++ b/source/n/rpcbind/0001-man-rpcibind.8-Clarify-state-file-usage-and-history.patch
@@ -0,0 +1,39 @@
+From a89ba6d07832cb62a86601971380fda7130c6826 Mon Sep 17 00:00:00 2001
+From: "Patrick J. Volkerding" <volkerdi@slackware.com>
+Date: Mon, 17 Jul 2017 23:09:36 -0500
+Subject: [PATCH 1/2] man/rpcibind.8: Clarify state file usage and history
+
+---
+ man/rpcbind.8 | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/man/rpcbind.8 b/man/rpcbind.8
+index af6200f..bdfb1c8 100644
+--- a/man/rpcbind.8
++++ b/man/rpcbind.8
+@@ -132,11 +132,20 @@ to connect to services from a privileged port.
+ .It Fl w
+ Cause
+ .Nm
+-to do a "warm start" by read a state file when
++to do a "warm start" by attempting to read *.xdr state files from the
++state directory
++.%T /var/run/rpcbind
++when
+ .Nm
+-starts up. The state file is created when
++starts up. The state files are created when
+ .Nm
+ terminates.
++.Pp
++This allows for restarting
++.Nm
++without the need to restart all RPC services that have previously registered.
++The state files serve a similar purpose to the files created/restored by the
++pmap_dump and pmap_set utilities distributed with the old portmap server package.
+ .El
+ .Sh NOTES
+ All RPC servers must be restarted if
+--
+2.13.2
+
diff --git a/source/n/rpcbind/0001-security.c-removed-warning.patch b/source/n/rpcbind/0001-security.c-removed-warning.patch
deleted file mode 100644
index 6ca5b6d0..00000000
--- a/source/n/rpcbind/0001-security.c-removed-warning.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From de47f6323d8fb20feefee21d0195cf0529151e04 Mon Sep 17 00:00:00 2001
-From: Steve Dickson <steved@redhat.com>
-Date: Thu, 17 Sep 2015 15:57:35 -0400
-Subject: [PATCH 1/4] security.c: removed warning
-
-src/security.c:100:8: warning: implicit declaration of function 'xlog'
-[-Wimplicit-function-declaration]
-
-Signed-off-by: Steve Dickson <steved@redhat.com>
----
- src/security.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/security.c b/src/security.c
-index 0c9453f..c54ce26 100644
---- a/src/security.c
-+++ b/src/security.c
-@@ -17,6 +17,8 @@
- #include <syslog.h>
- #include <netdb.h>
-
-+#include "xlog.h"
-+
- /*
- * XXX for special case checks in check_callit.
- */
---
-2.6.4
-
diff --git a/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch b/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
deleted file mode 100644
index 6a80742f..00000000
--- a/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001 -From: Olaf Kirch <okir@suse.de> -Date: Fri, 30 Oct 2015 10:18:20 -0400 -Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code - - - A PMAP_CALLIT call comes in on IPv4 UDP - - rpcbind duplicates the caller's address to a netbuf and stores it in - FINFO[0].caller_addr. caller_addr->buf now points to a memory region A - with a size of 16 bytes - - rpcbind forwards the call to the local service, receives a reply - - when processing the reply, it does this in xprt_set_caller: - xprt->xp_rtaddr = *FINFO[0].caller_addr - It sends out the reply, and then frees the netbuf caller_addr and - caller_addr.buf. - However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers - to memory region A, which is free. - - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will - be called, which will set xp_rtaddr to the client's address. - It will reuse the buffer inside xp_rtaddr, ie it will write a - sockaddr_in to region A - -Some time down the road, an incoming TCP connection is accepted, -allocating a fresh SVCXPRT. The memory region A is inside the -new SVCXPRT - - - While processing the TCP call, another UDP call comes in, again - overwriting region A with the client's address - - TCP client closes connection. In svc_destroy, we now trip over - the garbage left in region A - -We ran into the case where a commercial scanner was triggering -occasional rpcbind segfaults. The core file that was captured showed -a corrupted xprt->xp_netid pointer that was really a sockaddr_in. 
- -Signed-off-by: Olaf Kirch <okir@suse.de> -Signed-off-by: Steve Dickson <steved@redhat.com> ---- - src/rpcb_svc_com.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index ff9ce6b..4ae93f1 100644 ---- a/src/rpcb_svc_com.c -+++ b/src/rpcb_svc_com.c -@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds) - return (ncallbacks_found); - } - -+/* -+ * This is really a helper function defined in libtirpc, -+ * but unfortunately, it hasn't been exported yet. -+ */ -+static struct netbuf * -+__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len) -+{ -+ if (nb->len != len) { -+ if (nb->len) -+ mem_free(nb->buf, nb->len); -+ nb->buf = mem_alloc(len); -+ if (nb->buf == NULL) -+ return NULL; -+ -+ nb->maxlen = nb->len = len; -+ } -+ memcpy(nb->buf, ptr, len); -+ return nb; -+} -+ - static void - xprt_set_caller(SVCXPRT *xprt, struct finfo *fi) - { -+ const struct netbuf *caller = fi->caller_addr; - u_int32_t *xidp; - -- *(svc_getrpccaller(xprt)) = *(fi->caller_addr); -+ __rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len); - xidp = __rpcb_get_dg_xidp(xprt); - *xidp = fi->caller_xid; - } --- -2.6.4 - diff --git a/source/n/rpcbind/0002-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch b/source/n/rpcbind/0002-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch new file mode 100644 index 00000000..060614cc --- /dev/null +++ b/source/n/rpcbind/0002-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch 
@@ -0,0 +1,218 @@ +From 7ea36eeece56b59f98e469934e4c20b4da043346 Mon Sep 17 00:00:00 2001 +From: Doran Moppert <dmoppert@redhat.com> +Date: Thu, 11 May 2017 11:42:54 -0400 +Subject: [PATCH 2/6] rpcbind: pair all svc_getargs() calls with svc_freeargs() + to avoid memory leak + +This patch is to address CVE-2017-8779 "rpcbomb" in rpcbind, discussed +at [1], [2], [3]. The last link suggests this issue is actually a bug +in rpcbind, which led me here. + +The leak caused by the reproducer at [4] appears to come from +rpcb_service_4(), in the case where svc_getargs() returns false and the +function had an early return, rather than passing through the cleanup +path at done:, as would otherwise occur. + +It also addresses a couple of other locations where the same fault seems +to exist, though I haven't been able to exercise those. I hope someone +more intimate with rpc(3) can confirm my understanding is correct, and +that I haven't introduced any new bugs. + +Without this patch, using the reproducer (and variants) repeatedly +against rpcbind with a numBytes argument of 1_000_000_000, /proc/$(pidof +rpcbind)/status reports VmSize increase of 976564 kB each call, and +VmRSS increase of around 260 kB every 33 calls - the specific numbers +are probably an artifact of my rhel/glibc version. With the patch, +there is a small (~50 kB) VmSize increase with the first message, but +thereafter both VmSize and VmRSS remain steady. 
+ +[1]: http://seclists.org/oss-sec/2017/q2/209 +[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1448124 +[3]: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html +[4]: https://github.com/guidovranken/rpcbomb/ + +Signed-off-by: Doran Moppert <dmoppert@redhat.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + src/pmap_svc.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--------- + src/rpcb_svc.c | 2 +- + src/rpcb_svc_4.c | 2 +- + src/rpcb_svc_com.c | 8 ++++++++ + 4 files changed, 57 insertions(+), 11 deletions(-) + +diff --git a/src/pmap_svc.c b/src/pmap_svc.c +index 4c744fe..e926cdc 100644 +--- a/src/pmap_svc.c ++++ b/src/pmap_svc.c +@@ -175,6 +175,7 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + long ans; + uid_t uid; + char uidbuf[32]; ++ int rc = TRUE; + + /* + * Can't use getpwnam here. We might end up calling ourselves +@@ -194,7 +195,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + + if (!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + #ifdef RPCBIND_DEBUG + if (debugging) +@@ -205,7 +207,8 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + + if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); +- return (FALSE); ++ rc = (FALSE); ++ goto done; + } + + rpcbreg.r_prog = reg.pm_prog; +@@ -258,7 +261,16 @@ done_change: + rpcbs_set(RPCBVERS_2_STAT, ans); + else + rpcbs_unset(RPCBVERS_2_STAT, ans); +- return (TRUE); ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++ if (debugging) { ++ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + /* ARGSUSED */ +@@ -272,15 +284,18 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + #ifdef RPCBIND_DEBUG + char *uaddr; + #endif ++ int rc = TRUE; + + if 
(!svc_getargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + + if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); +- return FALSE; ++ rc = FALSE; ++ goto done; + } + + #ifdef RPCBIND_DEBUG +@@ -330,21 +345,34 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + pmap_ipprot2netid(reg.pm_prot) ?: "<unknown>", + port ? udptrans : ""); + +- return (TRUE); ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++ if (debugging) { ++ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + /* ARGSUSED */ + static bool_t + pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + { ++ int rc = TRUE; ++ + if (!svc_getargs(xprt, (xdrproc_t)xdr_void, NULL)) { + svcerr_decode(xprt); +- return (FALSE); ++ rc = FALSE; ++ goto done; + } + + if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) { + svcerr_weakauth(xprt); +- return FALSE; ++ rc = FALSE; ++ goto done; + } + + if ((!svc_sendreply(xprt, (xdrproc_t) xdr_pmaplist_ptr, +@@ -354,7 +382,17 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + rpcbind_abort(); + } + } +- return (TRUE); ++ ++done: ++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) { ++ if (debugging) { ++ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } ++ return (rc); + } + + int pmap_netid2ipprot(const char *netid) +diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c +index 709e3fb..091f530 100644 +--- a/src/rpcb_svc.c ++++ b/src/rpcb_svc.c +@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) + svcerr_decode(transp); + if (debugging) + (void) xlog(LOG_DEBUG, "rpcbind: could not decode"); +- return; ++ goto done; + } + + if (rqstp->rq_proc == RPCBPROC_SET +diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c +index 5094879..eebbbbe 
100644 +--- a/src/rpcb_svc_4.c ++++ b/src/rpcb_svc_4.c +@@ -218,7 +218,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) + svcerr_decode(transp); + if (debugging) + (void) xlog(LOG_DEBUG, "rpcbind: could not decode\n"); +- return; ++ goto done; + } + + if (rqstp->rq_proc == RPCBPROC_SET +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 5862c26..cb63afd 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -927,6 +927,14 @@ error: + if (call_msg.rm_xid != 0) + (void) free_slot_by_xid(call_msg.rm_xid); + out: ++ if (!svc_freeargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { ++ if (debugging) { ++ (void) xlog(LOG_DEBUG, "unable to free arguments\n"); ++ if (doabort) { ++ rpcbind_abort(); ++ } ++ } ++ } + if (local_uaddr) + free(local_uaddr); + if (buf_alloc) +-- +2.13.0 + diff --git a/source/n/rpcbind/0003-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch b/source/n/rpcbind/0003-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch deleted file mode 100644 index 9aa64791..00000000 --- a/source/n/rpcbind/0003-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch +++ /dev/null 
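Review bot: In pmap_svc.c the new `done:` labels call `svc_freeargs(xprt, (xdrproc_t) xdr_pmap, ...)` on `reg` even when `svc_getargs()` has just failed, so the cleanup runs on a structure that may be only partly decoded. The declaration of `reg` is outside these hunks, so its initialisation cannot be seen here; presumably this is harmless because the pmap arguments hold only integers, but that assumption is not written down. A comment above each `done:` such as `/* also reached after a failed decode; safe only while xdr_pmap has no pointer fields */`, or zeroing `reg` before decoding as patch 0005 in this commit does for `a` in rpcb_svc_com.c, would stop a later change of argument type from becoming a free of uninitialised pointers. The debug/abort block under `svc_freeargs` is repeated verbatim at four sites and would read better as one static helper.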
@@ -1,40 +0,0 @@ -From 9194122389f2a56b1cd1f935e64307e2e963c2da Mon Sep 17 00:00:00 2001 -From: Steve Dickson <steved@redhat.com> -Date: Mon, 2 Nov 2015 17:05:18 -0500 -Subject: [PATCH 3/4] handle_reply: Don't use the xp_auth pointer directly - -In the latest libtirpc version to access the xp_auth -one must use the SVC_XP_AUTH macro. To be backwards -compatible a couple ifdefs were added to use the -macro when it exists. - -Signed-off-by: Steve Dickson <steved@redhat.com> ---- - src/rpcb_svc_com.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index 4ae93f1..22d6c84 100644 ---- a/src/rpcb_svc_com.c -+++ b/src/rpcb_svc_com.c -@@ -1295,10 +1295,17 @@ handle_reply(int fd, SVCXPRT *xprt) - a.rmt_localvers = fi->versnum; - - xprt_set_caller(xprt, fi); -+#if defined(SVC_XP_AUTH) -+ SVC_XP_AUTH(xprt) = svc_auth_none; -+#else - xprt->xp_auth = &svc_auth_none; -+#endif - svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a); -+#if !defined(SVC_XP_AUTH) - SVCAUTH_DESTROY(xprt->xp_auth); - xprt->xp_auth = NULL; -+#endif -+ - done: - if (buffer) - free(buffer); --- -2.6.4 - diff --git a/source/n/rpcbind/0003-pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch b/source/n/rpcbind/0003-pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch new file mode 100644 index 00000000..6cf885ac --- /dev/null +++ b/source/n/rpcbind/0003-pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch 
@@ -0,0 +1,29 @@
+From c49a7ea639eb700823e174fd605bbbe183e229aa Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Wed, 17 May 2017 10:52:25 -0400
+Subject: [PATCH 3/6] pmapproc_dump: Fixed typo in memory leak patch
+
+commit 7ea36eee introduce a typo that caused
+NIS (aka ypbind) to fail.
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/pmap_svc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pmap_svc.c b/src/pmap_svc.c
+index e926cdc..26c31d0 100644
+--- a/src/pmap_svc.c
++++ b/src/pmap_svc.c
+@@ -384,7 +384,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt)
+ }
+
+ done:
+- if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)NULL)) {
++ if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) {
+ if (debugging) {
+ (void) xlog(LOG_DEBUG, "unable to free arguments\n");
+ if (doabort) {
+--
+2.13.0
+
diff --git a/source/n/rpcbind/0004-Delete-the-unix-socket-only-if-we-have-created-it.patch b/source/n/rpcbind/0004-Delete-the-unix-socket-only-if-we-have-created-it.patch
deleted file mode 100644
index c54d542e..00000000
--- a/source/n/rpcbind/0004-Delete-the-unix-socket-only-if-we-have-created-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 3a664b1b5a310df39bd0f325b0edb1deb31c2249 Mon Sep 17 00:00:00 2001 -From: Laurent Bigonville <bigon@bigon.be> -Date: Wed, 18 Nov 2015 14:34:26 -0500 -Subject: [PATCH 4/4] Delete the unix socket only if we have created it - -From: Laurent Bigonville <bigon@bigon.be> - -If systemd has created the unix socket on our behalf, we shouldn't try -to delete it. - -https://bugzilla.redhat.com/show_bug.cgi?id=1279076 - -Signed-off-by: Laurent Bigonville <bigon@bigon.be -Signed-off-by: Steve Dickson <steved@redhat.com> ---- - src/rpcbind.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/rpcbind.c b/src/rpcbind.c -index 045daa1..c4265cd 100644 ---- a/src/rpcbind.c -+++ b/src/rpcbind.c -@@ -87,6 +87,7 @@ static inline void __nss_configure_lookup(const char *db, const char *s) {} - int debugging = 0; /* Tell me what's going on */ - int doabort = 0; /* When debugging, do an abort on errors */ - int dofork = 1; /* fork? */ -+int createdsocket = 0; /* Did I create the socket or systemd did it for me? */ - - rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */ - -@@ -445,6 +446,7 @@ init_transport(struct netconfig *nconf) - memset(&sun, 0, sizeof sun); - sun.sun_family = AF_LOCAL; - unlink(_PATH_RPCBINDSOCK); -+ createdsocket = 1; /* We are now in the process of creating the unix socket */ - strcpy(sun.sun_path, _PATH_RPCBINDSOCK); - addrlen = SUN_LEN(&sun); - sa = (struct sockaddr *)&sun; -@@ -846,7 +848,8 @@ static void - terminate(int dummy /*__unused*/) - { - close(rpcbindlockfd); -- unlink(_PATH_RPCBINDSOCK); -+ if(createdsocket) -+ unlink(_PATH_RPCBINDSOCK); - unlink(RPCBINDDLOCK); - #ifdef WARMSTART - write_warmstart(); /* Dump yourself */ --- -2.6.4 - diff --git a/source/n/rpcbind/0004-rpcbind-fix-building-without-enable-debug.patch b/source/n/rpcbind/0004-rpcbind-fix-building-without-enable-debug.patch new file mode 100644 index 00000000..f7c30794 --- /dev/null 
+++ b/source/n/rpcbind/0004-rpcbind-fix-building-without-enable-debug.patch @@ -0,0 +1,69 @@ +From c0e38c9fd1b2c6785af90c86b26a07724c2488e8 Mon Sep 17 00:00:00 2001 +From: Nick Alcock <nick.alcock@oracle.com> +Date: Thu, 25 May 2017 12:45:35 -0400 +Subject: [PATCH 4/6] rpcbind: fix building without --enable-debug + +All if (debugging) stanzas and their accompanying xlog()s and aborts +should be within #ifdef RPCBIND_DEBUG. + +Fixes a compilation failure due to non-inclusion of <syslog.h> in the +non-debugging case. + +Signed-off-by: Nick Alcock <nick.alcock@oracle.com> +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + src/pmap_svc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/pmap_svc.c b/src/pmap_svc.c +index 26c31d0..a53dd5f 100644 +--- a/src/pmap_svc.c ++++ b/src/pmap_svc.c +@@ -263,12 +263,14 @@ done_change: + rpcbs_unset(RPCBVERS_2_STAT, ans); + done: + if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++#ifdef RPCBIND_DEBUG + if (debugging) { + (void) xlog(LOG_DEBUG, "unable to free arguments\n"); + if (doabort) { + rpcbind_abort(); + } + } ++#endif + } + return (rc); + } +@@ -347,12 +349,14 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + + done: + if (!svc_freeargs(xprt, (xdrproc_t) xdr_pmap, (char *)®)) { ++#ifdef RPCBIND_DEBUG + if (debugging) { + (void) xlog(LOG_DEBUG, "unable to free arguments\n"); + if (doabort) { + rpcbind_abort(); + } + } ++#endif + } + return (rc); + } +@@ -385,12 +389,14 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + + done: + if (!svc_freeargs(xprt, (xdrproc_t) xdr_void, (char *)NULL)) { ++#ifdef RPCBIND_DEBUG + if (debugging) { + (void) xlog(LOG_DEBUG, "unable to free arguments\n"); + if (doabort) { + rpcbind_abort(); + } + } ++#endif + } + return (rc); + } +-- +2.13.0 + 
diff --git a/source/n/rpcbind/0005-rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch b/source/n/rpcbind/0005-rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch new file mode 100644 index 00000000..ff42c9e4 --- /dev/null +++ b/source/n/rpcbind/0005-rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch 
@@ -0,0 +1,96 @@ +From 7c7590ad536c0e24bef790cb1e65702fc54db566 Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Tue, 30 May 2017 11:27:22 -0400 +Subject: [PATCH 5/6] rpcbproc_callit_com: Stop freeing a static pointer + +commit 7ea36ee introduced a svc_freeargs() call +that ended up freeing static pointer. + +It turns out the allocations for the rmt_args +is not necessary . The xdr routines (xdr_bytes) will +handle the memory management and the largest +possible message size is UDPMSGSIZE (due to UDP only) +which is smaller than RPC_BUF_MAX + +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + src/rpcb_svc_com.c | 39 ++++++--------------------------------- + 1 file changed, 6 insertions(+), 33 deletions(-) + +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index cb63afd..1fc2229 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -612,9 +612,9 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + struct netconfig *nconf; + struct netbuf *caller; + struct r_rmtcall_args a; +- char *buf_alloc = NULL, *outbufp; ++ char *outbufp; + char *outbuf_alloc = NULL; +- char buf[RPC_BUF_MAX], outbuf[RPC_BUF_MAX]; ++ char outbuf[RPC_BUF_MAX]; + struct netbuf *na = (struct netbuf *) NULL; + struct rpc_msg call_msg; + int outlen; +@@ -635,36 +635,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + } + if (si.si_socktype != SOCK_DGRAM) + return; /* Only datagram type accepted */ +- sendsz = __rpc_get_t_size(si.si_af, si.si_proto, UDPMSGSIZE); +- if (sendsz == 0) { /* data transfer not supported */ +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- /* +- * Should be multiple of 4 for XDR. +- */ +- sendsz = ((sendsz + 3) / 4) * 4; +- if (sendsz > RPC_BUF_MAX) { +-#ifdef notyet +- buf_alloc = alloca(sendsz); /* not in IDR2? 
*/ +-#else +- buf_alloc = malloc(sendsz); +-#endif /* notyet */ +- if (buf_alloc == NULL) { +- if (debugging) +- xlog(LOG_DEBUG, +- "rpcbproc_callit_com: No Memory!\n"); +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- return; +- } +- a.rmt_args.args = buf_alloc; +- } else { +- a.rmt_args.args = buf; +- } ++ sendsz = UDPMSGSIZE; + + call_msg.rm_xid = 0; /* For error checking purposes */ ++ memset(&a, 0, sizeof(a)); /* Zero out the input buffer */ + if (!svc_getargs(transp, (xdrproc_t) xdr_rmtcall_args, (char *) &a)) { + if (reply_type == RPCBPROC_INDIRECT) + svcerr_decode(transp); +@@ -704,7 +678,8 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + if (rbl == (rpcblist_ptr)NULL) { + #ifdef RPCBIND_DEBUG + if (debugging) +- xlog(LOG_DEBUG, "not found\n"); ++ xlog(LOG_DEBUG, "prog %lu vers %lu: not found\n", ++ a.rmt_prog, a.rmt_vers); + #endif + if (reply_type == RPCBPROC_INDIRECT) + svcerr_noprog(transp); +@@ -937,8 +912,6 @@ out: + } + if (local_uaddr) + free(local_uaddr); +- if (buf_alloc) +- free(buf_alloc); + if (outbuf_alloc) + free(outbuf_alloc); + if (na) { +-- +2.13.2 + diff --git a/source/n/rpcbind/0006-rpcbproc_callit_com-No-need-to-allocate-output-buffe.patch b/source/n/rpcbind/0006-rpcbproc_callit_com-No-need-to-allocate-output-buffe.patch new file mode 100644 index 00000000..1a0aa6cf --- /dev/null +++ b/source/n/rpcbind/0006-rpcbproc_callit_com-No-need-to-allocate-output-buffe.patch 
@@ -0,0 +1,96 @@ +From 1e2ddd4ebd7a9266e6070f275fa35752752fdfd6 Mon Sep 17 00:00:00 2001 +From: Steve Dickson <steved@redhat.com> +Date: Tue, 30 May 2017 11:29:58 -0400 +Subject: [PATCH 6/6] rpcbproc_callit_com: No need to allocate output buffer + +Now that sendz is a fixed size (UDPMSGSIZE) which +is small then RPC_BUF_MAX, no need to check the +sendz size. + +Signed-off-by: Steve Dickson <steved@redhat.com> +--- + src/rpcb_svc_com.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 1fc2229..d36b090 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -612,8 +612,6 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + struct netconfig *nconf; + struct netbuf *caller; + struct r_rmtcall_args a; +- char *outbufp; +- char *outbuf_alloc = NULL; + char outbuf[RPC_BUF_MAX]; + struct netbuf *na = (struct netbuf *) NULL; + struct rpc_msg call_msg; +@@ -674,7 +672,6 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + + rpcbs_rmtcall(versnum - 2, reply_type, a.rmt_prog, a.rmt_vers, + a.rmt_proc, transp->xp_netid, rbl); +- + if (rbl == (rpcblist_ptr)NULL) { + #ifdef RPCBIND_DEBUG + if (debugging) +@@ -793,24 +790,10 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + call_msg.rm_call.cb_rpcvers = RPC_MSG_VERSION; + call_msg.rm_call.cb_prog = a.rmt_prog; + call_msg.rm_call.cb_vers = a.rmt_vers; +- if (sendsz > RPC_BUF_MAX) { +-#ifdef notyet +- outbuf_alloc = alloca(sendsz); /* not in IDR2? 
*/ +-#else +- outbuf_alloc = malloc(sendsz); +-#endif /* notyet */ +- if (outbuf_alloc == NULL) { +- if (reply_type == RPCBPROC_INDIRECT) +- svcerr_systemerr(transp); +- if (debugging) +- xlog(LOG_DEBUG, +- "rpcbproc_callit_com: No memory!\n"); +- goto error; +- } +- xdrmem_create(&outxdr, outbuf_alloc, sendsz, XDR_ENCODE); +- } else { +- xdrmem_create(&outxdr, outbuf, sendsz, XDR_ENCODE); +- } ++ ++ memset(outbuf, '\0', sendsz); /* Zero out the output buffer */ ++ xdrmem_create(&outxdr, outbuf, sendsz, XDR_ENCODE); ++ + if (!xdr_callhdr(&outxdr, &call_msg)) { + if (reply_type == RPCBPROC_INDIRECT) + svcerr_systemerr(transp); +@@ -875,10 +858,6 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + goto error; + } + outlen = (int) XDR_GETPOS(&outxdr); +- if (outbuf_alloc) +- outbufp = outbuf_alloc; +- else +- outbufp = outbuf; + + na = uaddr2taddr(nconf, local_uaddr); + if (!na) { +@@ -887,7 +866,7 @@ rpcbproc_callit_com(struct svc_req *rqstp, SVCXPRT *transp, + goto error; + } + +- if (sendto(fd, outbufp, outlen, 0, (struct sockaddr *)na->buf, na->len) ++ if (sendto(fd, outbuf, outlen, 0, (struct sockaddr *)na->buf, na->len) + != outlen) { + if (debugging) + xlog(LOG_DEBUG, +@@ -912,8 +891,6 @@ out: + } + if (local_uaddr) + free(local_uaddr); +- if (outbuf_alloc) +- free(outbuf_alloc); + if (na) { + free(na->buf); + free(na); +-- +2.13.2 + diff --git a/source/n/rpcbind/01.rpcbind-manpage-statefile-explanation.patch b/source/n/rpcbind/01.rpcbind-manpage-statefile-explanation.patch deleted file mode 100644 index 946dd1bd..00000000 --- a/source/n/rpcbind/01.rpcbind-manpage-statefile-explanation.patch +++ /dev/null 
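Review bot: `memset(outbuf, '\0', sendsz)` and `xdrmem_create(&outxdr, outbuf, sendsz, XDR_ENCODE)` now write into the fixed `char outbuf[RPC_BUF_MAX]` with a length taken from `UDPMSGSIZE`, and nothing in the code enforces that the second constant fits in the first. The commit message states the relation, but with the `sendsz > RPC_BUF_MAX` fallback removed, a later change to either constant would overrun a stack buffer instead of taking the heap path. If both names are plain macros, a compile-time guard next to the declaration, `#if UDPMSGSIZE > RPC_BUF_MAX` / `#error "outbuf too small for UDPMSGSIZE"` / `#endif`, would pin the assumption at no runtime cost. rpcbproc_callit_com starts and ends outside these hunks.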
@@ -1,25 +0,0 @@ ---- rpcbind-0.2.3/man/rpcbind.8 2015-04-27 16:07:43.000000000 +0200 -+++ rpcbind-0.2.3/man/rpcbind.8 2015-09-22 16:25:40.000000000 +0200 -@@ -132,11 +132,20 @@ - .It Fl w - Cause - .Nm --to do a "warm start" by read a state file when -+to do a "warm start" by attempting to read *.xdr state files from the -+state directory -+.%T /var/state/rpcbind -+when - .Nm --starts up. The state file is created when -+starts up. The state files are created when - .Nm - terminates. -+.Pp -+This allows for restarting -+.Nm -+without the need to restart all RPC services that have previously registered. -+The state file serves similar purpose like the file created/restored by -+pmap_dump and pmap_set utilities, distributed with old portmap server package. - .El - .Sh NOTES - All RPC servers must be restarted if diff --git a/source/n/rpcbind/doinst.sh b/source/n/rpcbind/doinst.sh index 5f7dfaf5..67027941 100644 --- a/source/n/rpcbind/doinst.sh +++ b/source/n/rpcbind/doinst.sh @@ -21,4 +21,5 @@ preserve_perms() { config $NEW } +config etc/default/rpc.new preserve_perms etc/rc.d/rc.rpc.new diff --git a/source/n/rpcbind/rc.rpc b/source/n/rpcbind/rc.rpc index c850c556..a140d569 100644 --- a/source/n/rpcbind/rc.rpc +++ b/source/n/rpcbind/rc.rpc 
@@ -9,15 +9,36 @@ # To run an NFS server, starting these is mandatory. # +# Source default settings: +if [ -r /etc/default/rpc ]; then + . /etc/default/rpc +fi + rpc_start() { if [ -x /sbin/rpcbind -a -x /sbin/rpc.statd ]; then + # Set up port for lockd: + if [ -n "$LOCKD_TCP_PORT" ]; then + /sbin/sysctl -w "fs.nfs.nlm_tcpport=$LOCKD_TCP_PORT" >/dev/null 2>&1 + fi + if [ -n "$LOCKD_UDP_PORT" ]; then + /sbin/sysctl -w "fs.nfs.nlm_udpport=$LOCKD_UDP_PORT" >/dev/null 2>&1 + fi if ! ps axc | grep -q rpcbind ; then - echo "Starting RPC portmapper: /sbin/rpcbind -l $1" - /sbin/rpcbind -l $1 + echo "Starting RPC portmapper: /sbin/rpcbind -l $* $RPCBIND_OPTS" + /sbin/rpcbind -l "$@" $RPCBIND_OPTS fi if ! ps axc | grep -q rpc.statd ; then - echo "Starting RPC NSM (Network Status Monitor): /sbin/rpc.statd" - /sbin/rpc.statd + if [ -n "$RPC_STATD_HOSTNAME" ]; then + RPC_STATD_OPTS="$RPC_STATD_OPTS -n $RPC_STATD_HOSTNAME" + fi + if [ -n "$RPC_STATD_PORT" ]; then + RPC_STATD_OPTS="$RPC_STATD_OPTS -p $RPC_STATD_PORT" + fi + if [ -n "$RPC_STATD_OUTGOING_PORT" ]; then + RPC_STATD_OPTS="$RPC_STATD_OPTS -o $RPC_STATD_OUTGOING_PORT" + fi + echo "Starting RPC NSM (Network Status Monitor): /sbin/rpc.statd $RPC_STATD_OPTS" + /sbin/rpc.statd $RPC_STATD_OPTS fi else echo "WARNING: Cannot start RPC daemons needed for NFS. One or more of" diff --git a/source/n/rpcbind/rpc.default b/source/n/rpcbind/rpc.default new file mode 100644 index 00000000..e820fae8 --- /dev/null +++ b/source/n/rpcbind/rpc.default 
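Review bot: Both `/sbin/sysctl -w "fs.nfs.nlm_tcpport=$LOCKD_TCP_PORT" >/dev/null 2>&1` calls in rpc_start discard the exit status and all output, so a port that could not be set (for example because the sysctl key does not exist yet) leaves lockd on a dynamic port without any message. Fixed lockd ports are usually configured so that packet filters can match them, which makes a silent fallback the case an administrator most needs to hear about. Reporting the failure, e.g. `/sbin/sysctl -w "fs.nfs.nlm_tcpport=$LOCKD_TCP_PORT" >/dev/null 2>&1 || echo "WARNING: could not set lockd TCP port"`, would cover it, and likewise for the UDP line. Separately, the script now sources /etc/default/rpc as root, so a comment beside `. /etc/default/rpc` such as `# must be root-owned and not group/world-writable: it is executed as root` would be worth adding. rpc_start continues past the end of the hunk.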
@@ -0,0 +1,29 @@ +# See also /etc/default/nfs + +# Optional arguments passed to rpcbind. See rpcbind(8) +#RPCBIND_OPTS="" +# +# Optional arguments passed to rpc.statd. See rpc.statd(8) +#RPC_STATD_OPTS="" +# Optional hostname to start rpc.statd with. +#RPC_STATD_HOSTNAME="darkstar" +# Port rpc.statd should listen on. +#RPC_STATD_PORT=32766 +# Outgoing port rpc.statd should use. +#RPC_STATD_OUTGOING_PORT=32765 +# +# Optional options passed to rquotad. See rquotad(8) +#RPC_RQUOTAD_OPTS="" +# Optional port rquotad should listen on: +#RPC_RQUOTAD_PORT=32769 +# +# TCP port rpc.lockd should listen on: +#LOCKD_TCP_PORT=32768 +# UDP port rpc.lockd should listen on: +#LOCKD_UDP_PORT=32768 +# +# Optional arguments passed to rpc.mountd. See rpc.mountd(8) +#RPC_MOUNTD_OPTS="" +# Port rpc.mountd should listen on: +#RPC_MOUNTD_PORT=32767 +# diff --git a/source/n/rpcbind/rpcbind.SlackBuild b/source/n/rpcbind/rpcbind.SlackBuild index d10f5852..4006dfd7 100755 --- a/source/n/rpcbind/rpcbind.SlackBuild +++ b/source/n/rpcbind/rpcbind.SlackBuild @@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash -# Copyright 2015 Patrick J. Volkerding, Sebeka, Minnesota, USA +# Copyright 2015, 2018 Patrick J. Volkerding, Sebeka, Minnesota, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -20,10 +20,11 @@ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +cd $(dirname $0) ; CWD=$(pwd) PKGNAM=rpcbind -VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} +BUILD=${BUILD:-4} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then 
@@ -36,6 +37,14 @@ if [ -z "$ARCH" ]; then export ARCH fi +# If the variable PRINT_PACKAGE_NAME is set, then this script will report what +# the name of the created package would be, and then exit. This information +# could be useful to other scripts. +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz" + exit 0 +fi + NUMJOBS=${NUMJOBS:-" -j7 "} if [ "$ARCH" = "i386" ]; then @@ -64,7 +73,6 @@ else LIBDIRSUFFIX="" fi -CWD=$(pwd) TMP=${TMP:-/tmp} PKG=$TMP/package-$PKGNAM 
@@ -73,18 +81,25 @@ mkdir -p $TMP $PKG cd $TMP rm -rf $PKGNAM-$VERSION -tar xvf $CWD/$PKGNAM-$VERSION.tar.?z* || exit 1 +tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1 cd $PKGNAM-$VERSION || exit 1 -zcat $CWD/0001-security.c-removed-warning.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/0003-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/0004-Delete-the-unix-socket-only-if-we-have-created-it.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/01.rpcbind-manpage-statefile-explanation.patch.gz | patch -p1 --verbose || exit 1 +# CVE-2017-8779 +zcat $CWD/0002-rpcbind-pair-all-svc_getargs-calls-with-svc_freeargs.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/0003-pmapproc_dump-Fixed-typo-in-memory-leak-patch.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/0004-rpcbind-fix-building-without-enable-debug.patch.gz | patch -p1 --verbose || exit 1 + +# Fixes from git master +zcat $CWD/0005-rpcbproc_callit_com-Stop-freeing-a-static-pointer.patch.gz | patch -p1 --verbose || exit 1 +zcat $CWD/0006-rpcbproc_callit_com-No-need-to-allocate-output-buffe.patch.gz | patch -p1 --verbose || exit 1 + +zcat $CWD/0001-man-rpcibind.8-Clarify-state-file-usage-and-history.patch | patch -p1 --verbose || exit 1 zcat $CWD/rpcbind.lwrap.needs.lnsl.diff.gz | patch -p1 --verbose || exit 1 -# This is needed after the patch above: + +# This is needed after the libwrap patch above: autoreconf -vif || exit 1 +./autogen.sh chown -R root:root . find . \ @@ -103,8 +118,8 @@ CFLAGS="$SLKCFLAGS" \ --mandir=/usr/man \ --enable-libwrap \ --enable-warmstarts \ - --with-statedir=/var/state/rpcbind \ - --with-rpcuser=bin \ + --with-statedir=/var/run/rpcbind \ + --with-rpcuser=rpc \ --with-nss-modules="files" \ --without-systemdsystemunitdir \ --build=$ARCH-slackware-linux || exit 1 
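Review bot: The added `./autogen.sh` is the only build step in this hunk without `|| exit 1`, so a failure there is ignored and the build carries on to configure; `./autogen.sh || exit 1` would match the `autoreconf -vif || exit 1` line above it. The new `0001-man-rpcibind.8-Clarify-state-file-usage-and-history.patch` is read with `zcat` under a name without `.gz`, while the five other patches added here use `.patch.gz`; if the file is compressed like the others in the build directory, that name will not exist. In every `zcat ... | patch -p1 --verbose || exit 1` line only patch's status is tested, so whether a missing or unreadable CVE-2017-8779 patch stops the build depends on how patch treats empty input. Since this commit moves the script to `#!/bin/bash`, `set -o pipefail` near the top would make a zcat failure fatal by itself.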
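Review bot: `--with-rpcuser=rpc` in the configure hunk and `chown rpc:root $PKG/var/run/rpcbind` in the following hunk both assume an `rpc` account, and nothing visible in this commit creates or checks for it. The chown has no `|| exit 1`, so on a build host without that user the state directory would be packaged with whatever owner `mkdir -p` gave it, presumably root. A guard before configure such as `getent passwd rpc >/dev/null || exit 1`, or `|| exit 1` on the chown, would make the dependency explicit. The move from `bin` to a dedicated account only narrows privileges if that account really exists on the installed system, so failing early is preferable to a quiet mismatch.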
@@ -113,14 +128,18 @@ CFLAGS="$SLKCFLAGS" \ make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 -# Make state directory: -mkdir -p $PKG/var/state/rpcbind -chown bin:root $PKG/var/state/rpcbind +# Make state directory (not really needed as rpcbind does this on startup) +mkdir -p $PKG/var/run/rpcbind +chown rpc:root $PKG/var/run/rpcbind # Install init script: mkdir -p $PKG/etc/rc.d zcat $CWD/rc.rpc.gz > $PKG/etc/rc.d/rc.rpc.new +# Install defaults file: +mkdir -p $PKG/etc/default +cat $CWD/rpc.default > $PKG/etc/default/rpc.new + # Strip binaries: ( cd $PKG find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null diff --git a/source/n/rpcbind/slack-desc b/source/n/rpcbind/slack-desc index 70adeb78..48c27820 100644 --- a/source/n/rpcbind/slack-desc +++ b/source/n/rpcbind/slack-desc @@ -1,8 +1,8 @@ # HOW TO EDIT THIS FILE: -# The "handy ruler" below makes it easier to edit a package description. Line +# The "handy ruler" below makes it easier to edit a package description. Line # up the first '|' above the ':' following the base package name, and the '|' -# on the right side marks the last column you can put a character in. You must -# make exactly 11 lines for the formatting to be correct. It's also +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also # customary to leave one space after the ':'. |-----handy-ruler------------------------------------------------------| 
@@ -10,10 +10,10 @@ rpcbind: rpcbind (a daemon to manage RPC connections) rpcbind: rpcbind: This is a network daemon used to manage connections to RPC services. rpcbind: It is meant as a replacement for the 'rpc.portmap' server from the -rpcbind: 'portmap' package. Daemons that offer RPC services (such as the +rpcbind: 'portmap' package. Daemons that offer RPC services (such as the rpcbind: daemons for NFS) tell the rpcbind on what port they listen. rpcbind: RPC network port numbers may change each time the system is booted. rpcbind: rpcbind: This package is required to use NFS or other RPC services. rpcbind: -rpcbind: Homepage: http://sourceforge.net/projects/rpcbind/ +rpcbind: Homepage: http://sourceforge.net/projects/rpcbind/ |