
Bug 841298

Summary: pmcd leaks memory in DoFetch error path
Product: [Fedora] Fedora
Component: pcp
Version: 16
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Florian Weimer <fweimer>
Assignee: Ken McDonell <kenj>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: kenj, mgoodwin, nathans, security-response-team
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-08-20 00:03:43 EDT
Bug Blocks: 840765, 841704

Attachments:
proposed patch for dofetch.c (attachment 599366; flags: none)

Description Florian Weimer 2012-07-18 11:21:46 EDT
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    ...
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile ||
        cip->profile[ctxnum] == NULL) {
        __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);
        return PM_ERR_NOPROFILE;    /* returns with pb still pinned by __pmDecodeFetch */
    }

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned.  This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
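The leak described above, modelled as an added example (this is not PCP's code and not the patch attached to this bug): a reference-counted PDU buffer, a decoder that pins it the way __pmDecodeFetch does, a handler with the leaky early-return shape and one with a single release point, and a driver that feeds each handler a stream of FETCH requests carrying an out-of-range ctxnum. The model_* names, MODEL_ERR_NOPROFILE and the constructed request are stand-ins for this example only; the pin counts and buffer accounting are what the example is about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PCP's PM_ERR_NOPROFILE; the value is an assumption. */
#define MODEL_ERR_NOPROFILE (-100)

/* A pinned PDU buffer: freed only when its pin count drops to zero. */
typedef struct {
    int    pins;
    size_t len;
    char  *data;
} model_pdu_t;

/* Decoded FETCH request (real pmcd also hands back a pmID list that aliases
 * the buffer, which is why the decoder pins it; modelled by the pin alone). */
typedef struct { int ctxnum; int npmids; } model_fetch_t;

typedef struct { int szProfile; void **profile; } model_client_t;

static int model_live_bufs = 0;   /* buffers currently allocated */

/* Receive path: the buffer arrives holding one pin owned by the receive loop. */
static model_pdu_t *model_get_pdu(const void *wire, size_t len)
{
    model_pdu_t *pb = malloc(sizeof *pb);
    pb->data = malloc(len);
    memcpy(pb->data, wire, len);
    pb->len = len;
    pb->pins = 1;
    model_live_bufs++;
    return pb;
}

static void model_pin(model_pdu_t *pb) { pb->pins++; }

static void model_unpin(model_pdu_t *pb)
{
    if (--pb->pins == 0) {
        free(pb->data);
        free(pb);
        model_live_bufs--;
    }
}

/* Decoder: pins pb because the decoded fields alias it; every caller must
 * balance that pin on every exit path after a successful decode. */
static int model_decode_fetch(model_pdu_t *pb, model_fetch_t *out)
{
    if (pb->len < sizeof *out)
        return -1;                    /* short PDU: nothing pinned, nothing to release */
    model_pin(pb);
    memcpy(out, pb->data, sizeof *out);
    return 0;
}

static int no_profile(const model_client_t *cip, int ctxnum)
{
    return ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL;
}

/* Leaky shape of DoFetch: the NOPROFILE return skips the unpin. */
static int dofetch_leaky(model_client_t *cip, model_pdu_t *pb)
{
    model_fetch_t req;
    if (model_decode_fetch(pb, &req) < 0)
        return -1;
    if (no_profile(cip, req.ctxnum))
        return MODEL_ERR_NOPROFILE;   /* BUG: pb still carries the decoder's pin */
    model_unpin(pb);
    return 0;
}

/* Fixed shape: one release point reached from every path after the decode. */
static int dofetch_fixed(model_client_t *cip, model_pdu_t *pb)
{
    model_fetch_t req;
    int sts = 0;
    if (model_decode_fetch(pb, &req) < 0)
        return -1;
    if (no_profile(cip, req.ctxnum))
        sts = MODEL_ERR_NOPROFILE;
    model_unpin(pb);                  /* balances the decoder's pin */
    return sts;
}

/* Send nreq FETCH PDUs with an out-of-range ctxnum (constructed input) to a
 * client that has registered no profile; return how many buffers remain
 * allocated afterwards, i.e. the leak attributable to the handler. */
static int leaked_after(int (*handler)(model_client_t *, model_pdu_t *), int nreq)
{
    model_client_t cip = { 0, NULL };
    model_fetch_t bad = { 7, 1 };
    int before = model_live_bufs;
    for (int i = 0; i < nreq; i++) {
        model_pdu_t *pb = model_get_pdu(&bad, sizeof bad);
        handler(&cip, pb);
        model_unpin(pb);              /* receive loop drops its own pin */
    }
    return model_live_bufs - before;
}

int main(void)
{
    printf("leaky handler, 1000 bad fetches: %d buffers leaked\n", leaked_after(dofetch_leaky, 1000));
    printf("fixed handler, 1000 bad fetches: %d buffers leaked\n", leaked_after(dofetch_fixed, 1000));
    return 0;
}
```

The receive loop's own pin is released in both runs; only the decoder's pin differs, so the leaked count is exactly the number of rejected requests for the leaky shape and zero for the fixed one. An unauthenticated client that can reach the port can drive the leaky count as high as it likes, which is the denial of service the report describes.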
Comment 2 Mark Goodwin 2012-07-19 20:07:40 EDT
Ken requested assignment, thanks Ken!
Comment 3 Ken McDonell 2012-07-20 07:32:57 EDT
Created attachment 599366: proposed patch for dofetch.c

This one is done I believe.
Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 00:09:31 EDT
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=a7dc844d3586ea79887655a97c4252a79751fdae

This issue has been addressed in pcp-3.6.5