Bug 21461 (CVE-2017-8804) - DISPUTED: sunrpc: Memory leak after deserialization failure in xdr_bytes, xdr_string (CVE-2017-8804)
Summary: DISPUTED: sunrpc: Memory leak after deserialization failure in xdr_bytes, xdr...
Status: RESOLVED INVALID
Alias: CVE-2017-8804
Product: glibc
Classification: Unclassified
Component: network (show other bugs)
Version: 2.25
: P2 normal
Target Milestone: ---
Assignee: Florian Weimer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-05 09:51 UTC by Florian Weimer
Modified: 2018-06-06 06:55 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Weimer 2017-05-05 09:51:09 UTC 
Reported by Marcus Meissner here:

http://openwall.com/lists/oss-security/2017/05/05/1

“
We also saw glibc affected.

https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7

That said, your reproducer allocates virtual memory, and on systems with overcommit
there is only neglible impact on overall memory pressure.

The rpc service will however likely crash at some point though when there is no virtual
address space left for it.
”
Comment 1 Florian Weimer 2017-05-05 10:53:31 UTC 
CVE-2017-8779 is related, but may not have been assigned to this flaw specifically.
Comment 2 Florian Weimer 2017-05-06 15:52:47 UTC 
Patch posted: https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html
Comment 3 Andreas Schwab 2017-05-16 08:52:07 UTC 
I think the caller is supposed to always call xdr_string with XDR_FREE, even if XDR_DECODE failed.  That needs a test case to demonstrate that this isn't the case here.
Comment 4 Florian Weimer 2017-05-16 08:58:46 UTC 
(In reply to Andreas Schwab from comment #3)
> I think the caller is supposed to always call xdr_string with XDR_FREE, even
> if XDR_DECODE failed.  That needs a test case to demonstrate that this isn't
> the case here.

Except when the caller supplied the buffer, I assume.

Should we fix this as a non-security QoI issue?
Comment 5 Andreas Schwab 2017-05-16 09:28:06 UTC 
Note that other XDR functions like xdr_array and xdr_reference have the same issue.
Comment 6 Andreas Schwab 2017-05-17 09:13:03 UTC 
I have verified that this patch for rpcbind fixes the issue:

Index: rpcbind-0.2.3/src/rpcb_svc.c
===================================================================
--- rpcbind-0.2.3.orig/src/rpcb_svc.c
+++ rpcbind-0.2.3/src/rpcb_svc.c
@@ -166,7 +166,7 @@ rpcb_service_3(struct svc_req *rqstp, SV
 		svcerr_decode(transp);
 		if (debugging)
 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode");
-		return;
+		goto done;
 	}
 
 	if (rqstp->rq_proc == RPCBPROC_SET
Index: rpcbind-0.2.3/src/rpcb_svc_4.c
===================================================================
--- rpcbind-0.2.3.orig/src/rpcb_svc_4.c
+++ rpcbind-0.2.3/src/rpcb_svc_4.c
@@ -220,7 +220,7 @@ rpcb_service_4(struct svc_req *rqstp, SV
 		svcerr_decode(transp);
 		if (debugging)
 			(void) xlog(LOG_DEBUG, "rpcbind: could not decode\n");
-		return;
+		goto done;
 	}
 
 	if (rqstp->rq_proc == RPCBPROC_SET

A similar patch is needed for svc_simple.c.
Comment 7 Florian Weimer 2018-06-06 06:55:31 UTC 
Based on the libc-alpha discussion here:

https://sourceware.org/ml/libc-alpha/2017-05/msg00128.html
https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html

this an application bug and not a glibc vulnerability.