Bug 22542 (CVE-2022-23219)

Summary: buffer overflow in sunrpc clnt_create (CVE-2022-23219)
Product: glibc
Reporter: Martin Sebor <msebor>
Component: network
Assignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED
Severity: normal
CC: aurelien, carnil, drepper.fsp, fweimer, pgowda.cve, sam, siddhesh
Priority: P2
Flags: fweimer: security+
Version: 2.24
Target Milestone: 2.35
See Also: https://sourceware.org/bugzilla/show_bug.cgi?id=28768
Host:
Target:
Build:
Last reconfirmed: 2018-02-06 00:00:00

Description Martin Sebor 2017-12-03 22:27:53 UTC
The clnt_create() function calls strcpy() to copy the string pointed to by the hostname argument to the sun_addr member array of a struct sockaddr_un object allocated on the stack.  When the string is longer than fits in the array the function corrupts the calling process' stack due to the buffer overflow.

I noticed this while developing the patch suggested here: https://sourceware.org/ml/libc-alpha/2017-11/msg00932.html.

$ cat d.c && gcc -Wall d.c && valgrind ./a.out

#include <errno.h>
#include <rpc/clnt.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <string.h>

int main ()
{
  /* Build a name twice as long as sockaddr_un::sun_path, filled with 'x'
     (byte 0x78), so the overflow is easy to spot in the valgrind trace.  */
  char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
  memset (name, 'x', sizeof name - 1);
  name [sizeof name - 1] = '\0';

  /* The "unix" transport copies the hostname into sun_path with strcpy
     and no length check, overrunning the stack object.  */
  CLIENT *clnt = clnt_create (name, 0, 0, "unix");

  if (clnt)
    clnt_destroy (clnt);
}

==18499== Memcheck, a memory error detector
==18499== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==18499== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==18499== Command: ./a.out
==18499== 
==18499== Source and destination overlap in strcpy(0xffefffcc2, 0xffefffd70)
==18499==    at 0x4C30E06: __GI_strcpy (vg_replace_strmem.c:507)
==18499==    by 0x4F6FE30: clnt_create (in /usr/lib64/libc-2.24.so)
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878780077: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499== 
==18499== Jump to the invalid address stated on the next line
==18499==    at 0x7878787878787878: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878780077: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==  Address 0x7878787878787878 is not stack'd, malloc'd or (recently) free'd
==18499== 
==18499== 
==18499== Process terminating with default action of signal 11 (SIGSEGV)
==18499==  Bad permissions for mapped region at address 0x7878787878787878
==18499==    at 0x7878787878787878: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878780077: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499==    by 0x7878787878787877: ???
==18499== 
==18499== HEAP SUMMARY:
==18499==     in use at exit: 0 bytes in 0 blocks
==18499==   total heap usage: 2 allocs, 2 frees, 272 bytes allocated
==18499== 
==18499== All heap blocks were freed -- no leaks are possible
==18499== 
==18499== For counts of detected and suppressed errors, rerun with: -v
==18499== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
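The bogus frames at 0x7878787878787878 in the valgrind trace are the reproducer's own input: 0x78 is the byte value of 'x', so the overlong name has overwritten saved return addresses on the stack. The following is an added example, not code from the bug report or from glibc, showing the length check a caller (or the library) needs before copying a path into sockaddr_un::sun_path. The helper names safe_fill_sockaddr_un, path_fits_sun_path, demo_overlong_name and demo_short_name are hypothetical, and the use of ENAMETOOLONG as the rejection errno is an assumption, not necessarily what the glibc fix returns.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper (not glibc's code): fill a sockaddr_un from a
   filesystem path, refusing anything that does not fit in sun_path
   together with its terminating NUL.  Returns 0 on success, or -1 with
   errno set to ENAMETOOLONG (assumed error code) on an overlong path. */
int safe_fill_sockaddr_un(struct sockaddr_un *sun, const char *path)
{
    size_t len = strlen(path);

    /* The vulnerable pattern was strcpy(sun->sun_path, path) with no
       check; here the copy is refused unless len + 1 bytes fit. */
    if (len >= sizeof sun->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sun, 0, sizeof *sun);
    sun->sun_family = AF_UNIX;
    memcpy(sun->sun_path, path, len + 1);   /* includes the NUL */
    return 0;
}

/* Returns 1 if a path of the given length (excluding NUL) would be
   accepted by safe_fill_sockaddr_un, 0 otherwise. */
int path_fits_sun_path(size_t len)
{
    return len < sizeof ((struct sockaddr_un *)0)->sun_path;
}

/* Constructed input matching the bug report: a name twice the size of
   sun_path, all 'x'.  Returns the errno from the rejected copy
   (ENAMETOOLONG), or 0 if the path was wrongly accepted. */
int demo_overlong_name(void)
{
    struct sockaddr_un sun;
    char name[sizeof sun.sun_path * 2];

    memset(name, 'x', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    errno = 0;
    if (safe_fill_sockaddr_un(&sun, name) == 0)
        return 0;
    return errno;
}

/* A constructed short path must be copied intact.  Returns 0 when the
   copy succeeded and sun_path compares equal to the input, non-zero
   otherwise. */
int demo_short_name(void)
{
    struct sockaddr_un sun;
    const char *path = "/tmp/example.sock";   /* constructed sample */

    if (safe_fill_sockaddr_un(&sun, path) != 0)
        return -1;
    return strcmp(sun.sun_path, path);
}

int main(void)
{
    printf("sun_path capacity: %zu bytes\n",
           sizeof ((struct sockaddr_un *)0)->sun_path);
    printf("overlong name rejected with errno %d (ENAMETOOLONG=%d)\n",
           demo_overlong_name(), ENAMETOOLONG);
    printf("short name copied intact: %s\n",
           demo_short_name() == 0 ? "yes" : "no");
    return 0;
}
```

The check must be `>=`, not `>`: sun_path has to hold the path plus its NUL terminator, and a path of exactly sizeof sun_path bytes would leave none of the fixed-size array for it.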
Comment 1 Martin Sebor 2017-12-03 23:10:24 UTC
Patch posted for review:
https://sourceware.org/ml/libc-alpha/2017-12/msg00058.html
Comment 2 Florian Weimer 2022-01-17 13:06:49 UTC
Fixed for glibc 2.35 via:

commit 226b46770c82899b555986583294b049c6ec9b40
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Jan 17 10:21:34 2022 +0100

    CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
    
    Processing an overlong pathname in the sunrpc clnt_create function
    results in a stack-based buffer overflow.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Comment 3 Florian Weimer 2022-01-17 13:07:03 UTC
.