Bug 1264345 (CVE-2015-7236)

Summary: CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, knweiss, scorneli, slong, steved, tbowling, vanhoof
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-12 13:04:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1186933, 1264351, 1283638, 1283639, 1283640, 1283641    
Bug Blocks: 1172231, 1203710, 1255551, 1264350    
Attachments:
Description Flags
Proposed patch
none
Proposed patch none

Description Adam Mariš 2015-09-18 09:11:24 UTC 
A use-after-free vulnerability in rpcbind causing remotely triggerable crash was found. Rpcbind crashes in svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer, which contains a sockaddr_in. Here's how it happens (as explained in http://www.spinics.net/lists/linux-nfs/msg53045.html ) :

 - A PMAP_CALLIT call comes in on IPv4 UDP

 - rpcbind duplicates the caller's address to a netbuf and stores
	it in FINFO[0].caller_addr. caller_addr->buf now points to a
    memory region A with a size of 16 bytes

 - rpcbind forwards the call to the local service, receives a reply

 - when processing the reply, it does this in xprt_set_caller:
     xprt->xp_rtaddr = *FINFO[0].caller_addr
   where xprt is the UDP transport on which it received the
   PMAP_CALLIT request.

   It sends out the reply, and then frees the netbuf caller_addr and
   caller_addr.buf.
   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
   to memory region A, which is free.

 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv
   will be called, which will set xp_rtaddr to the client's address.
   It will reuse the buffer inside xp_rtaddr, ie it will write a
   sockaddr_in to region A.

So, this explains how memory gets corrupted. Here's why that 
eventually lead to a crash in svc_dodestroy.

Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT

 - While processing the TCP call, another UDP call comes in, again
   overwriting region A with the client's address

 - TCP client closes connection. In svc_destroy, we now trip over
   the garbage left in region A

CVE assignment:

http://seclists.org/oss-sec/2015/q3/566
Comment 1 Adam Mariš 2015-09-18 09:19:07 UTC 
Created attachment 1074748 [details]
Proposed patch

Source: http://www.spinics.net/lists/linux-nfs/msg53045.html
Comment 2 Adam Mariš 2015-09-18 09:22:00 UTC 
Created rpcbind tracking bugs for this issue:

Affects: fedora-all [bug 1264351]
Comment 3 Adam Mariš 2015-09-18 14:57:24 UTC 
Created attachment 1074949 [details]
Proposed patch
Comment 13 errata-xmlrpc 2016-01-07 15:58:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:0005 https://rhn.redhat.com/errata/RHSA-2016-0005.html
Comment 14 Product Security DevOps Team 2019-07-12 13:04:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-7236