Bug 840822
| Summary: | Crash in __pmDecodeCreds decoding crafted PDUs | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> | ||||||
| Component: | pcp | Assignee: | Nathan Scott <nathans> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 16 | CC: | fche, kenj, mgoodwin, nathans, security-response-team, vdanen | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | pcp-3.6.5 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-08-20 03:52:18 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 840765, 841698 | ||||||||
| Attachments: |
|
||||||||
|
Description
Florian Weimer
2012-07-17 09:59:48 UTC
Created attachment 598767 [details]
preliminary patch to __pmDecodeCreds to fix this
Attached preliminary patch from Nathan Scott (upstream). Has been tested
against the reproducer script.
(In reply to comment #8) > Created attachment 598767 [details] > preliminary patch to __pmDecodeCreds to fix this > > > Attached preliminary patch from Nathan Scott (upstream). Has been tested > against the reproducer script. This calculation can overflow: need = sizeof(creds_t) + ((numcred-1) * sizeof(__pmCred)); There should be a check *before* the calculation that this cannot happen, something like numcred < (INT_MAX - sizeof(creds_t))/sizeof(__pmCred). Created attachment 599108 [details]
Updated patch to address pcp credentials pdu buffer overflow exploit
Incorporates an additional check to guard against malloc size overflow. Uses a tighter restriction than the MAXINT-based suggestion, based on current uses and likely future uses of this PDU.
Ressign to Nathan since he is following thru and this seems to be the way to go for these bugs. I have a pcpqa test (513) which uses Florian's initial test case to exercise this change. I'll hang onto it privately until we get a/ confirmation on permission to make use of this, and b/ public knowledge of the issue. thanks! (In reply to comment #10) > Created attachment 599108 [details] > Updated patch to address pcp credentials pdu buffer overflow exploit > > Incorporates an additional check to guard against malloc size overflow. > Uses a tighter restriction than the MAXINT-based suggestion, based on > current uses and likely future uses of this PDU. This looks good, thanks. Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=cced6012b4b93bfb640a9678589ced5416743910 This issue has been addressed in pcp-3.6.5 This issue was addressed in Fedora and EPEL via the following security updates: Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16 Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17 Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18 EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5 EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6 |