This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH] [BZ 17542] sunrpc: conditional jump depends on uninitialised value in svc_getreq_common
- From: Brad Hubbard <bhubbard at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Wed, 05 Nov 2014 11:07:52 +1000
- Subject: [PATCH] [BZ 17542] sunrpc: conditional jump depends on uninitialised value in svc_getreq_common
- Authentication-results: sourceware.org; auth=none
- Reply-to: bhubbard at redhat dot com
If xports is NULL in xprt_register we malloc it, but if sock >
_rpc_dtablesize() that memory does not get initialised and may in theory
contain any value. Later we make a conditional jump in svc_getreq_common
based on the uninitialised memory, and this caused a general protection
fault in rpc.statd on an older version of glibc, but this code has not
changed since that version.
Following is the valgrind warning.
==26802== Conditional jump or move depends on uninitialised value(s)
==26802== at 0x5343A25: svc_getreq_common (in /lib64/libc-2.5.so)
==26802== by 0x534357B: svc_getreqset (in /lib64/libc-2.5.so)
==26802== by 0x10DE1F: ??? (in /sbin/rpc.statd)
==26802== by 0x10D0EF: main (in /sbin/rpc.statd)
==26802== Uninitialised value was created by a heap allocation
==26802== at 0x4C2210C: malloc (vg_replace_malloc.c:195)
==26802== by 0x53438BE: xprt_register (in /lib64/libc-2.5.so)
==26802== by 0x53450DF: svcudp_bufcreate (in /lib64/libc-2.5.so)
==26802== by 0x10FE32: ??? (in /sbin/rpc.statd)
==26802== by 0x10D13E: main (in /sbin/rpc.statd)
I believe the solution here is to change the malloc call to a calloc
call and the attached patch does that. The GPF could not be reproduced
with the patched glibc.
2014-11-05 Brad Hubbard <bhubbard@redhat.com>
* sunrpc/svc.c: Resolve uninitialised xports in xprt_register
---
sunrpc/svc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sunrpc/svc.c b/sunrpc/svc.c
index ccf0902..30c3a93 100644
--- a/sunrpc/svc.c
+++ b/sunrpc/svc.c
@@ -97,8 +97,8 @@ xprt_register (SVCXPRT *xprt)
if (xports == NULL)
{
- xports = (SVCXPRT **) malloc (_rpc_dtablesize () * sizeof (SVCXPRT *));
- if (xports == NULL) /* DonÂt add handle */
+ xports = (SVCXPRT **) calloc (_rpc_dtablesize (), sizeof (SVCXPRT *));
+ if (xports == NULL) /* Don't add handle */
return;
}
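Review bot: the ChangeLog line above this hunk does not follow glibc form: it should carry a `[BZ #17542]` line and name the function changed, e.g. `* sunrpc/svc.c (xprt_register): Use calloc instead of malloc.` The `+` comment line also quietly replaces the mis-encoded `DonÂt` with an ASCII `Don't`; that incidental cleanup is fine but deserves a mention in the ChangeLog so the two-line diff is not read as a behavioural change in the comment. On the substance, `calloc (_rpc_dtablesize (), sizeof (SVCXPRT *))` is the right fix: the table is later indexed by descriptor in svc_getreq_common, and zero-filling guarantees that a slot never written by xprt_register reads as NULL instead of the stale heap contents the valgrind trace shows; as a side benefit calloc checks the count times size product for overflow, which the old `malloc (n * sizeof ...)` did not.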
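To make the bug class concrete, here is an added example (my own model, not glibc code, and not part of the original mail) of the pattern the report describes: a table sized by the descriptor limit, filled sparsely by descriptor number in a register function, and later walked by descriptor number on the receive path. All names (`Xprt`, `Table`, `table_create`, `table_register`, `table_getreq`, `run_scenario`, `DTABLESIZE`) are hypothetical stand-ins for the sunrpc ones; the readiness mask is a constructed substitute for the fd_set.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not glibc code.  DTABLESIZE stands in for
   _rpc_dtablesize(); Xprt stands in for SVCXPRT. */
#define DTABLESIZE 16

typedef struct {
  int xp_sock;     /* descriptor this transport is bound to */
  int requests;    /* how many times the handler ran */
} Xprt;

typedef struct {
  Xprt **slots;    /* indexed by descriptor, NULL when unset */
  size_t n;
} Table;

/* calloc hands back an all-NULL table.  With malloc, every slot that
   is never registered would hold stale heap contents, which is what
   valgrind flagged in svc_getreq_common. */
Table *table_create(void)
{
  Table *t = malloc(sizeof *t);
  if (t == NULL)
    return NULL;
  t->n = DTABLESIZE;
  t->slots = calloc(t->n, sizeof *t->slots);  /* zeroed, overflow-checked product */
  if (t->slots == NULL)
    {
      free(t);
      return NULL;
    }
  return t;
}

/* Like xprt_register: only the transport's own slot is written, and a
   descriptor beyond the table is refused (returns 0). */
int table_register(Table *t, Xprt *x)
{
  if (x->xp_sock < 0 || (size_t) x->xp_sock >= t->n)
    return 0;
  t->slots[x->xp_sock] = x;
  return 1;
}

/* Like svc_getreq_common: for each readable descriptor (bit set in
   `ready`) dispatch to the registered transport.  Returns the number of
   requests dispatched.  Because unset slots are NULL, a readable
   descriptor that was never registered is skipped, not dereferenced. */
int table_getreq(Table *t, unsigned ready)
{
  int dispatched = 0;
  for (size_t fd = 0; fd < t->n && fd < 8 * sizeof ready; fd++)
    {
      if (!(ready & (1u << fd)))
        continue;
      Xprt *x = t->slots[fd];
      if (x == NULL)   /* this test is only meaningful on a zeroed table */
        continue;
      x->requests++;
      dispatched++;
    }
  return dispatched;
}

void table_destroy(Table *t)
{
  if (t)
    {
      free(t->slots);
      free(t);
    }
}

/* Constructed scenario: transports on descriptors 3 and 7, then a poll
   reports 3, 5 and 7 readable.  5 was never registered and must be
   skipped, so exactly two requests are dispatched. */
int run_scenario(void)
{
  Table *t = table_create();
  if (t == NULL)
    return -1;
  Xprt a = { 3, 0 }, b = { 7, 0 };
  table_register(t, &a);
  table_register(t, &b);
  unsigned ready = (1u << 3) | (1u << 5) | (1u << 7);
  int dispatched = table_getreq(t, ready);
  table_destroy(t);
  return dispatched;
}

int main(void)
{
  printf("dispatched %d request(s)\n", run_scenario());
  return 0;
}
```

The only line that differs between the buggy and fixed shapes is the allocation in `table_create`; everything downstream relies on the NULL check in `table_getreq`, which is exactly the conditional jump valgrind reported as depending on uninitialised memory when the table came from malloc.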