Bug 841298
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | pmcd leaks memory in DoFetch error path | | |
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | pcp | Assignee: | Ken McDonell <kenj> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 16 | CC: | kenj, mgoodwin, nathans, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pcp-3.6.5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-20 04:03:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 840765, 841704 | | |
| Attachments: | | | |
Ken requested assignment, thanks Ken!

Created attachment 599366 [details]
proposed patch for dofetch.c

This one is done I believe.

Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=a7dc844d3586ea79887655a97c4252a79751fdae

This issue has been addressed in pcp-3.6.5

This issue was addressed in Fedora and EPEL via the following security updates:

- Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
- Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
- Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
- EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
- EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

```c
sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
...
/* Check that a profile has been received from the specified context */
if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL) {
    __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);
    return PM_ERR_NOPROFILE;
}
```

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned. This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
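The following C model is an added illustration of the error path described above; it is not pcp's code and not the upstream patch linked in the comments. `pdu_buf`, `decode_fetch` and `unpin_pdu` are constructed stand-ins for libpcp's pinned PDU buffer, `__pmDecodeFetch` and its unpin routine (assumed to be `__pmUnpinPDUBuf`), and the hardened variant only differs by releasing the pin before returning `PM_ERR_NOPROFILE`.

```c
#include <stddef.h>
#define SZ_PROFILE 4             /* stand-in for cip->szProfile */
#define PM_ERR_NOPROFILE (-1)
/* Constructed stand-in for a PDU buffer: just a pin (reference) count. */
typedef struct { int pinned; } pdu_buf;
static pdu_buf the_buf;
typedef int (*fetch_fn)(pdu_buf *, const int *, const void **);

/* Stand-ins for __pmDecodeFetch / __pmUnpinPDUBuf: decoding pins the buffer
 * because the decoded pmid list still points into it; unpin releases it. */
static void decode_fetch(pdu_buf *pb, const int *pdu, int *c) { *c = pdu[0]; pb->pinned++; }
static void unpin_pdu(pdu_buf *pb) { pb->pinned--; }

/* Shape of the reported bug: the range check is right, but the pin taken by
 * decode_fetch is never released on the error return. */
static int do_fetch_leaky(pdu_buf *pb, const int *pdu, const void **profile)
{
    int ctxnum;
    decode_fetch(pb, pdu, &ctxnum);
    if (ctxnum < 0 || ctxnum >= SZ_PROFILE || profile[ctxnum] == NULL)
        return PM_ERR_NOPROFILE;          /* leak: pb is still pinned */
    unpin_pdu(pb);
    return 0;
}

/* Hardened shape: every exit path releases the pin before returning. */
static int do_fetch_fixed(pdu_buf *pb, const int *pdu, const void **profile)
{
    int ctxnum;
    decode_fetch(pb, pdu, &ctxnum);
    if (ctxnum < 0 || ctxnum >= SZ_PROFILE || profile[ctxnum] == NULL) {
        unpin_pdu(pb);                    /* release, then report the error */
        return PM_ERR_NOPROFILE;
    }
    unpin_pdu(pb);
    return 0;
}

/* Feed n requests carrying an out-of-range ctxnum; return pins left behind. */
static int pins_after_bad_requests(fetch_fn fn, int n)
{
    const void *profile[SZ_PROFILE] = { 0 };   /* no profile for any context */
    int bad_pdu[1] = { SZ_PROFILE + 7 };       /* constructed invalid ctxnum */
    the_buf.pinned = 0;
    for (int i = 0; i < n; i++)
        fn(&the_buf, bad_pdu, profile);
    return the_buf.pinned;
}
```

With the leaky variant the outstanding pin count grows by one per rejected request, which is the unbounded growth the report describes; with the fixed variant it stays at zero.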