DoS in RPC implementation (CVE-2011-4069)


DoS in RPC implementation (CVE-2011-4069)

Aurelien Jarno
I have been informed that Debian eglibc is vulnerable to CVE-2011-4069,
a DoS in RPC implementation. I have been provided the following patch,
originating from Red Hat [1] and Ubuntu [2].

Instead of having this patch in every distribution, it might be a good
idea to merge that directly upstream. Unfortunately I don't know who to
give the credit to, so I don't know how to write the changelog in that
case.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=767299
[2] https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716


Index: b/sunrpc/svc_tcp.c
===================================================================
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
 #include <sys/poll.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -243,6 +244,11 @@ again:
     {
       if (errno == EINTR)
  goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*
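Review bot: the new EMFILE branch in rendezvous_request covers only the per-process descriptor limit; accept () also fails with ENFILE when the system-wide file table is full, the listening socket stays readable in exactly the same way, and the svc_run poll loop spins on that error just as it does on EMFILE. Suggest `if (errno == EMFILE || errno == ENFILE)`. The branch also needs a comment saying why it sleeps: returning FALSE leaves the pending connection queued, poll () reports the socket readable again at once, and without the back-off the dispatcher burns CPU until a descriptor is freed. The 50 ms pause also stalls every other transport served by this single-threaded loop, which is the trade-off the comment should name.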
Index: b/sunrpc/svc_udp.c
===================================================================
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef IP_PKTINFO
 #include <sys/uio.h>
@@ -272,8 +273,16 @@ again:
        (int) su->su_iosz, 0,
        (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+        goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
+    }
   if (rlen < 16) /* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
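Review bot: in svcudp_recv the new EMFILE check guards a recvfrom () call, and recvfrom () on an AF_INET UDP socket never allocates a descriptor, so it does not fail with EMFILE; as written this branch is unreachable for the sockets svc_udp.c creates. Either drop the hunk or add a comment stating that it is deliberately defensive. The restructured `if (rlen == -1)` block is otherwise behaviour-preserving: an error other than EINTR still falls through to `if (rlen < 16) return FALSE;` as before.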
Index: b/sunrpc/svc_unix.c
===================================================================
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -46,6 +46,7 @@
 #include <errno.h>
 #include <stdlib.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef USE_IN_LIBIO
 # include <wchar.h>
@@ -245,6 +246,11 @@ again:
     {
       if (errno == EINTR)
  goto again;
+      if (errno == EMFILE)
+        {
+          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+          __nanosleep(&ts , NULL);
+        }
       return FALSE;
     }
   /*
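Review bot: this is the third verbatim copy of the sleep block (svc_tcp.c, svc_udp.c and here), each with its own unexplained `50000000` literal. Hoist it into one shared static helper, give the delay a named constant, and put the rationale comment there, so that a later change (a different delay, another errno such as ENFILE) is made once rather than three times.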

--
Aurelien Jarno                          GPG: 1024D/F1BCDB73
[hidden email]                 http://www.aurel32.net

Re: DoS in RPC implementation (CVE-2011-4069)

Carlos O'Donell
On 6/2/2012 4:19 PM, Aurelien Jarno wrote:
> I have been informed that Debian eglibc is vulnerable to CVE-2011-4069,
> a DoS in RPC implementation. I have been provided the following patch,
> originating from Red Hat [1] and Ubuntu [2].
>
> Instead of having this patch in every distribution, it might be a good
> idea to merge that directly upstream. Unfortunately I don't know who to
> give the credit to, so I don't know how to write the changelog in that
> case.

Aurelien,

You need copyright assignment.

The patch was uploaded by Vincent Danen on the RH bugzilla in [1].

I don't see Danen explicitly in the FSF's copyright.list, but he might be covered under his employer.

I believe that Vincent works for Red Hat, but I don't have an email for him.

Jeff,

Does Vincent work at Red Hat?

If he does can you find out if he is actually the author of the patch in [1] please?

I'd like to see this kind of CVE get fixed upstream quickly, but obviously without copyright it hampers review.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=767299
> [2] https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716

Cheers,
Carlos
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
[hidden email]
[hidden email]
+1 (613) 963 1026

Re: DoS in RPC implementation (CVE-2011-4069)

Siddhesh Poyarekar
On Sun, 3 Jun 2012 18:48:14 -0400, Carlos wrote:

> The patch was uploaded by Vincent Danen on the RH bugzilla in [1].
>
> I don't see Danen explicitly in the FSF's copyright.list, but he
> might be covered under his employer.
>
> I believe that Vincent works for Red Hat, but I don't have an email
> for him.
>
> Jeff,
>
> Does Vincent work at Red Hat?
>
> If he does can you find out if he is actually the author of the patch
> in [1] please?
>

Vincent Danen does work for Red Hat, but the original author of the
patch is Martin Osvald <[hidden email]>.

--
Siddhesh

Re: DoS in RPC implementation (CVE-2011-4069)

Carlos O'Donell
On 6/4/2012 2:44 AM, Siddhesh Poyarekar wrote:

> On Sun, 3 Jun 2012 18:48:14 -0400, Carlos wrote:
>> The patch was uploaded by Vincent Danen on the RH bugzilla in [1].
>>
>> I don't see Danen explicitly in the FSF's copyright.list, but he
>> might be covered under his employer.
>>
>> I believe that Vincent works for Red Hat, but I don't have an email
>> for him.
>>
>> Jeff,
>>
>> Does Vincent work at Red Hat?
>>
>> If he does can you find out if he is actually the author of the patch
>> in [1] please?
>>
>
> Vincent Danen does work for Red Hat, but the original author of the
> patch is Martin Osvald <[hidden email]>.

Siddhesh,

Thanks for digging this out. Given that Martin works for Red Hat
this is covered under the blanket Red Hat copyright.

Aurelien,

Could you please re-submit the patch with the proper copyright
assignment?

Then we can find someone to review the patch.

Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
[hidden email]
[hidden email]
+1 (613) 963 1026

Re: DoS in RPC implementation (CVE-2011-4069)

Jeff Law
In reply to this post by Carlos O'Donell
On 06/03/2012 04:48 PM, Carlos O'Donell wrote:
>>
> I don't see Danen explicitly in the FSF's copyright.list, but he might be covered under his employer.
>
> I believe that Vincent works for Red Hat, but I don't have an email for him.
>
> Jeff,
>
> Does Vincent work at Red Hat?
He does, which I believe Siddhesh has already confirmed as well as the
patch's original author.  FWIW, if you hover over someone's name in the
RH bugzilla database, it'll show their email.

I'm not sure why this issue was never addressed in the master glibc
sources; it may have simply slipped through the cracks as I was coming
up to speed on the state of RH's glibc tree.

We've got two Red Hat Enterprise Linux updates in the pipeline right
now; I'm planning to have Patsy review all the bugs in each release and
flag those which might have fallen through the cracks in terms of
getting the fixes pushed upstream.


jeff

Re: DoS in RPC implementation (CVE-2011-4069)

Carlos O'Donell
On 6/5/2012 1:23 PM, Jeff Law wrote:

> On 06/03/2012 04:48 PM, Carlos O'Donell wrote:
>>>
>> I don't see Danen explicitly in the FSF's copyright.list, but he
>> might be covered under his employer.
>>
>> I believe that Vincent works for Red Hat, but I don't have an email
>> for him.
>>
>> Jeff,
>>
>> Does Vincent work at Red Hat?
> He does, which I believe Siddhesh has already confirmed as well as
> the patch's original author.  FWIW, if you hover over someone's name
> in the RH bugzilla database, it'll show their email.
>
> I'm not sure why this issue was never addressed in the master glibc
> sources; it may have simply slipped through the cracks as I was
> coming up to speed on the state of RH's glibc tree.
>
> We've got two Red Hat Enterprise Linux updates in the pipeline right
> now; I'm planning to have Patsy review all the bugs in each release
> and flag those which might have fallen through the cracks in terms of
> getting the fixes pushed upstream.

Thanks Jeff!

Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
[hidden email]
[hidden email]
+1 (613) 963 1026

Re: DoS in RPC implementation (CVE-2011-4069)

Aurelien Jarno
In reply to this post by Carlos O'Donell
On Mon, Jun 04, 2012 at 11:28:15AM -0400, Carlos O'Donell wrote:

> On 6/4/2012 2:44 AM, Siddhesh Poyarekar wrote:
> > On Sun, 3 Jun 2012 18:48:14 -0400, Carlos wrote:
> >> The patch was uploaded by Vincent Danen on the RH bugzilla in [1].
> >>
> >> I don't see Danen explicitly in the FSF's copyright.list, but he
> >> might be covered under his employer.
> >>
> >> I believe that Vincent works for Red Hat, but I don't have an email
> >> for him.
> >>
> >> Jeff,
> >>
> >> Does Vincent work at Red Hat?
> >>
> >> If he does can you find out if he is actually the author of the patch
> >> in [1] please?
> >>
> >
> > Vincent Danen does work for Red Hat, but the original author of the
> > patch is Martin Osvald <[hidden email]>.
>
> Siddhesh,
>
> Thanks for digging this out. Given that Martin works for Red Hat
> this is covered under the blanket Red Hat copyright.
>
> Aurelien,
>
> Could you please re-submit the patch with the proper copyright
> assignment?
>

Here it is. It's basically the same patch as included in the Red Hat
package, rebased on the current git, and with the indentation fixed.

The goal of this patch is to fix a denial of service flaw found in the
remote procedure call (RPC) implementation in glibc. A remote attacker
able to open a large number of connections to an RPC service that is
using the RPC implementation from glibc could use this flaw to make
that service use an excessive amount of CPU time.

2012-06-06  Martin Osvald  <[hidden email]>

        * sunrpc/svc_tcp.c: Include <time.h>.
        (rendezvous_request): Sleep 50ms when no file descriptors are
        available.
        * sunrpc/svc_unix.c: Ditto.
        * sunrpc/svc_udp.c: Include <time.h>.
        (svcudp_recv): Sleep 50ms when no file descriptors are available.

diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c
index eb61549..cc39090 100644
--- a/sunrpc/svc_tcp.c
+++ b/sunrpc/svc_tcp.c
@@ -44,6 +44,7 @@
 #include <sys/poll.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <time.h>
 
 #include <wchar.h>
 #include <libio/iolibio.h>
@@ -247,6 +248,11 @@ again:
     {
       if (errno == EINTR)
  goto again;
+      if (errno == EMFILE)
+ {
+  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+  __nanosleep(&ts , NULL);
+ }
       return FALSE;
     }
   /*
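Review bot: `__nanosleep(&ts , NULL);` does not follow GNU style; it should read `__nanosleep (&ts, NULL);` with a space before the opening parenthesis and none before the comma. Separately, the return value of __nanosleep is ignored, so a signal arriving during the pause cuts the back-off short and rendezvous_request is retried early; that is acceptable for a throttle, but say so in a comment rather than leaving the reader to work out that the shortened sleep is intended.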
diff --git a/sunrpc/svc_udp.c b/sunrpc/svc_udp.c
index 6c4d75a..0da120b 100644
--- a/sunrpc/svc_udp.c
+++ b/sunrpc/svc_udp.c
@@ -40,6 +40,7 @@
 #include <sys/socket.h>
 #include <errno.h>
 #include <libintl.h>
+#include <time.h>
 
 #ifdef IP_PKTINFO
 #include <sys/uio.h>
@@ -277,8 +278,16 @@ again:
        (int) su->su_iosz, 0,
        (struct sockaddr *) &(xprt->xp_raddr), &len);
   xprt->xp_addrlen = len;
-  if (rlen == -1 && errno == EINTR)
-    goto again;
+  if (rlen == -1)
+    {
+      if (errno == EINTR)
+ goto again;
+      if (errno == EMFILE)
+ {
+  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+  __nanosleep(&ts , NULL);
+ }
+    }
   if (rlen < 16) /* < 4 32-bit ints? */
     return FALSE;
   xdrs->x_op = XDR_DECODE;
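Review bot: after the EMFILE sleep, control leaves the `if (rlen == -1)` block and relies on the following `if (rlen < 16) return FALSE;` to reject the failed read, because -1 is less than 16. That works, and matches what the old `rlen == -1 && errno == EINTR` form did for other errors, but the error path now depends on a length check that exists for a different reason (short datagrams); an explicit `return FALSE;` at the end of the `rlen == -1` block keeps the two concerns apart and survives any later change to the minimum-length test.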
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
index 94507b2..a8929cc 100644
--- a/sunrpc/svc_unix.c
+++ b/sunrpc/svc_unix.c
@@ -47,6 +47,7 @@
 #include <stdlib.h>
 #include <libintl.h>
 #include <wchar.h>
+#include <time.h>
 
 /*
  * Ops vector for AF_UNIX based rpc service handle
@@ -244,6 +245,11 @@ again:
     {
       if (errno == EINTR)
  goto again;
+      if (errno == EMFILE)
+ {
+  struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
+  __nanosleep(&ts , NULL);
+ }
       return FALSE;
     }
   /*
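Review bot: nothing in the hunk says where 50 ms comes from. Because rendezvous_request returns FALSE and the still-pending connection keeps the listening socket readable, the sleep is the only thing bounding the retry rate, at roughly twenty accept () attempts per second per listener, and for that duration the whole svc_run loop, including any svc_tcp.c and svc_udp.c transports in the same process, makes no progress. A one-line comment giving that reasoning would let a future reader judge whether the constant is still right and why a busy-wait was not acceptable.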

--
Aurelien Jarno                          GPG: 1024D/F1BCDB73
[hidden email]                 http://www.aurel32.net
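The spin Aurelien describes above, as an added and constructed example that is not code from glibc or from anyone in this thread: a dispatcher shaped like svc_run polls a listening AF_UNIX socket and accepts, once without and once with the patch's 50 ms back-off, while RLIMIT_NOFILE is lowered so that every accept () fails with EMFILE. The socket path under /tmp, the RLIMIT_NOFILE trick, all function names and the extra ENFILE check are this example's assumptions; the posted patch checks EMFILE only.

```c
/* Constructed demonstration of the CVE-2011-4069 spin and of the patch's
   50 ms back-off.  Not glibc code: the AF_UNIX listener, the RLIMIT_NOFILE
   trick and the function names are assumptions made for this example.
   Linux/POSIX only.  */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

struct demo_result
{
  int saw_emfile;            /* accept () failed with EMFILE at least once */
  long attempts_unthrottled; /* accept () calls within the budget, no back-off */
  long attempts_throttled;   /* accept () calls within the budget, 50 ms sleep */
};

static long
elapsed_ms (const struct timespec *start)
{
  struct timespec now;
  clock_gettime (CLOCK_MONOTONIC, &now);
  return (now.tv_sec - start->tv_sec) * 1000L
         + (now.tv_nsec - start->tv_nsec) / 1000000L;
}

/* One turn of a dispatcher shaped like svc_run (): wait until the listening
   socket is readable, then accept.  Mirrors rendezvous_request () in the
   patch: on EMFILE the unpatched code returns at once, poll () reports the
   still-pending connection again immediately, and the caller spins.  The
   patched code sleeps 50 ms first.  ENFILE is treated the same way here;
   that is this example's addition, the posted patch checks EMFILE only.
   Returns 1 if accept () failed for lack of descriptors.  */
static int
dispatch_once (int listen_fd, int throttle)
{
  struct pollfd pfd = { .fd = listen_fd, .events = POLLIN };
  if (poll (&pfd, 1, 1000) <= 0)
    return 0;
  int s = accept (listen_fd, NULL, NULL);
  if (s >= 0)
    {
      close (s);
      return 0;
    }
  if (errno == EMFILE || errno == ENFILE)
    {
      if (throttle)
        {
          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
          nanosleep (&ts, NULL);
        }
      return 1;
    }
  return 0;
}

/* Run the dispatcher for budget_ms and count accept () attempts.  */
static long
count_attempts (int listen_fd, int throttle, long budget_ms, int *saw_emfile)
{
  struct timespec start;
  long attempts = 0;
  clock_gettime (CLOCK_MONOTONIC, &start);
  while (elapsed_ms (&start) < budget_ms)
    {
      attempts++;
      if (dispatch_once (listen_fd, throttle))
        *saw_emfile = 1;
    }
  return attempts;
}

/* Listening AF_UNIX socket with one connection left pending in its accept
   queue; RLIMIT_NOFILE is then lowered to the lowest free descriptor number
   so that every further accept () fails with EMFILE.  Returns 0 on success
   and -1 if the environment did not allow the setup.  */
int
run_emfile_demo (struct demo_result *r, long budget_ms)
{
  struct sockaddr_un sa = { .sun_family = AF_UNIX };
  char path[sizeof sa.sun_path];
  struct rlimit saved, lowered;
  int listen_fd, client_fd, probe, rc = -1;

  memset (r, 0, sizeof *r);
  snprintf (path, sizeof path, "/tmp/rpc-emfile-demo.%ld", (long) getpid ());
  strncpy (sa.sun_path, path, sizeof sa.sun_path - 1);
  unlink (path);

  listen_fd = socket (AF_UNIX, SOCK_STREAM, 0);
  client_fd = socket (AF_UNIX, SOCK_STREAM, 0);
  if (listen_fd < 0 || client_fd < 0
      || bind (listen_fd, (struct sockaddr *) &sa, sizeof sa) < 0
      || listen (listen_fd, 8) < 0
      || connect (client_fd, (struct sockaddr *) &sa, sizeof sa) < 0
      || getrlimit (RLIMIT_NOFILE, &saved) < 0)
    goto out;

  /* dup () hands out the lowest free descriptor; close it again and make the
     soft limit equal to that number.  The kernel refuses any descriptor
     >= the soft limit, so the next accept () gets EMFILE while the queued
     connection stays pending and keeps the listener readable.  */
  probe = dup (listen_fd);
  if (probe < 0)
    goto out;
  close (probe);
  lowered = saved;
  lowered.rlim_cur = probe;
  if (setrlimit (RLIMIT_NOFILE, &lowered) < 0)
    goto out;

  r->attempts_unthrottled = count_attempts (listen_fd, 0, budget_ms, &r->saw_emfile);
  r->attempts_throttled = count_attempts (listen_fd, 1, budget_ms, &r->saw_emfile);
  setrlimit (RLIMIT_NOFILE, &saved);
  rc = 0;

out:
  if (client_fd >= 0)
    close (client_fd);
  if (listen_fd >= 0)
    close (listen_fd);
  unlink (path);
  return rc;
}

int
main (void)
{
  struct demo_result r;
  if (run_emfile_demo (&r, 200) != 0)
    {
      perror ("setup");
      return 1;
    }
  printf ("saw EMFILE: %d\naccept attempts in 200 ms: %ld unthrottled, %ld throttled\n",
          r.saw_emfile, r.attempts_unthrottled, r.attempts_throttled);
  return 0;
}
```

Without the back-off the loop performs tens of thousands of poll ()/accept () pairs per 200 ms on one core, which is the CPU exhaustion the CVE describes; with it the count drops to about four, and the connection still waits in the queue to be served once a descriptor is freed.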

Re: DoS in RPC implementation (CVE-2011-4069)

Roland McGrath
You're missing a space before paren in each __nanosleep call.

I think it would be better to have all those tail-call a common function
for "accept failed".  Then that one function can contain the common code,
and a verbose comment explaining its rationale.


Thanks,
Roland

Re: DoS in RPC implementation (CVE-2011-4069)

Siddhesh Poyarekar
In reply to this post by Aurelien Jarno
On Wed, 6 Jun 2012 18:25:21 +0200, Aurelien wrote:
> Here it is. It's basically the same patch as included in the RedHat
> package, rebased on the current git, and with the indentation fixed.
>
> The goal of this patch is to fix a denial of service flaw found in the
> remote procedure call (RPC) implementation in glibc. A remote attacker
> able to open a large number of connections to an RPC service that is
> using the RPC implementation from glibc, could use this flaw to make
> that service use an excessive amount of CPU time.

Aurelien, can you please follow up on Roland's comments on this:

http://sourceware.org/ml/libc-alpha/2012-06/msg00207.html


Thanks,
Siddhesh