Bug 841306

Summary: libpcp additional decoder hardening
Product: Fedora
Component: pcp
Version: 16
Reporter: Florian Weimer <fweimer>
Assignee: Nathan Scott <nathans>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: kenj, mgoodwin, nathans, security-response-team
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Security
Type: Bug
Doc Type: Bug Fix
Hardware: Unspecified
OS: Unspecified
Bug Blocks: 840765
Last Closed: 2012-09-16 20:36:24 EDT

Attachments:
Ensure ident is always initialized in text PDU decoder

Description Florian Weimer 2012-07-18 12:05:01 EDT
The following appear to be minor issues, not leading to crashes or worse (at most information disclosure due to limited buffer over-reading).

__pmGetPDU should enforce minimum PDU lengths, based on a table of per-type minimum values.  This way, individual length checks won't have to be added to decoding functions for constant-size PDUs (such as __pmDecodeLogStatus, __pmDecodeTextReq, __pmDecodeError).

__pmDecodeTextReq should initialize *ident in all cases.

__pmEncodeResult seems to produce vlen fields for non-PM_VAL_INSITU values which are too large in some cases.  Truncating strings at the first NUL byte during decoding appears to hide this.  This is visible with proc.psinfo.cmd, for instance.
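As an added illustration of the first two hardening points above (not code from this bug report or from libpcp), the following shows a per-type minimum-length table checked once before any decoder runs, and a text-request decoder that defines its out-parameters on every return path, so a short PDU can never hand back an uninitialised ident together with a success code. The header layout, PDU type numbers and all function names are hypothetical; host byte order is assumed for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire header (not libpcp's real layout); len covers the whole PDU. */
typedef struct { uint32_t len; uint32_t type; } pdu_hdr_t;
enum { PDU_ERROR = 1, PDU_LOG_STATUS = 2, PDU_TEXT_REQ = 3, PDU_NTYPES = 4 };
enum { PDU_ERR_TOO_SHORT = -1, PDU_ERR_BAD_TYPE = -2 };
/* Per-type minimum size: the header plus every fixed field that decoder reads. */
static const size_t pdu_min_len[PDU_NTYPES] = {
    [PDU_ERROR]      = sizeof(pdu_hdr_t) + 4,  /* int32 error code */
    [PDU_LOG_STATUS] = sizeof(pdu_hdr_t) + 8,  /* two int32 fields (hypothetical) */
    [PDU_TEXT_REQ]   = sizeof(pdu_hdr_t) + 8,  /* ident, then text type */
};
/* One central check run before any decoder; returns the type or a negative error. */
int pdu_check_min_len(const unsigned char *buf, size_t buflen)
{
    pdu_hdr_t hdr;
    if (buflen < sizeof(hdr)) return PDU_ERR_TOO_SHORT;
    memcpy(&hdr, buf, sizeof(hdr));               /* host byte order assumed here */
    if (hdr.type >= (uint32_t)PDU_NTYPES || pdu_min_len[hdr.type] == 0) return PDU_ERR_BAD_TYPE;
    if (hdr.len != buflen || buflen < pdu_min_len[hdr.type]) return PDU_ERR_TOO_SHORT;
    return (int)hdr.type;
}

/* Decoder whose out-parameters are defined on every path, success or failure. */
int decode_text_req(const unsigned char *buf, size_t buflen, int32_t *ident, int32_t *type)
{
    *ident = *type = -1;                          /* set before any early return */
    int rc = pdu_check_min_len(buf, buflen);
    if (rc < 0) return rc;
    if (rc != PDU_TEXT_REQ) return PDU_ERR_BAD_TYPE;
    memcpy(ident, buf + sizeof(pdu_hdr_t), sizeof(*ident));
    memcpy(type, buf + sizeof(pdu_hdr_t) + sizeof(*ident), sizeof(*type));
    return 0;
}

/* Constructed sample: a text request for ident 42, delivered with wire_len (<= 16) bytes. */
int demo_text_req(size_t wire_len, int32_t *ident_out)
{
    unsigned char pdu[16];
    pdu_hdr_t hdr = { (uint32_t)wire_len, PDU_TEXT_REQ };
    int32_t ident = 42, type = 1, type_out;
    memcpy(pdu, &hdr, sizeof(hdr));
    memcpy(pdu + 8, &ident, 4);
    memcpy(pdu + 12, &type, 4);
    return decode_text_req(pdu, wire_len, ident_out, &type_out);
}
```

Because the length check is keyed on the type table, adding a new constant-size PDU type only needs a new table entry rather than another hand-written check in its decoder.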
Comment 1 Nathan Scott 2012-08-16 00:26:05 EDT
Somehow, I only just came across this bugzilla entry today.

There are three issues here: for the first, we went the other way to Florian's table-based suggestion (i.e. checking sizes in individual handlers).  So that went out with 3.6.5, but spread across the many individual patches for each PDU type.

For the second issue, related to *ident not being initialized, that is fixed by the patch coming shortly.  It's minor though, can't see anything exposed there, will go into pcp-3.6.6.

I'll have to look a bit deeper into the result encoding issue and report back later.
Comment 2 Mark Goodwin 2012-08-16 00:31:56 EDT
assigned to nathan (this one fell through the cracks), but all seem to agree the security implications are not severe.
Comment 3 Nathan Scott 2012-08-16 00:47:14 EDT
Created attachment 604783 [details]
Ensure ident is always initialized in text PDU decoder

Resolves the missing case where ident could be returned without initialisation, and with a return code indicating success in __pmDecodeText.
Comment 4 Nathan Scott 2012-08-16 01:49:14 EDT
OK, I understand the third case now.  The encode function is a bit misleading - it contains code that is marked #ifdef PCP_DEBUG, that initialises the parts of the buffer which I think Florian is calling out here.  It turns out that in all builds of PCP, this "debug" macro is always set.  So these parts of the passed out buffer are in fact initialised (with "~" character) after all, always.

I believe the patch I posted earlier is all we will need for this issue now, and I concur fully with Florian's assessment of these ones being minor issues that are not critical to push immediately.  The patch I posted earlier will go with the pcp-3.6.6 release, which will likely happen within the next two weeks.
Comment 5 Huzaifa S. Sidhpurwala 2012-08-16 02:08:49 EDT
Upstream commit (dev branch):


This patch will be a part of pcp-3.6.6
Comment 6 Fedora Update System 2012-08-28 19:47:19 EDT
pcp-3.6.6-1.fc16 has been submitted as an update for Fedora 16.
Comment 7 Fedora Update System 2012-08-28 19:47:32 EDT
pcp-3.6.6-1.fc17 has been submitted as an update for Fedora 17.
Comment 8 Fedora Update System 2012-08-28 19:47:43 EDT
pcp-3.6.6-1.el5 has been submitted as an update for Fedora EPEL 5.
Comment 9 Fedora Update System 2012-08-28 19:47:53 EDT
pcp-3.6.6-1.fc18 has been submitted as an update for Fedora 18.
Comment 10 Fedora Update System 2012-08-28 19:48:03 EDT
pcp-3.6.6-1.el6 has been submitted as an update for Fedora EPEL 6.
Comment 11 Fedora Update System 2012-08-29 14:45:00 EDT
Package pcp-3.6.6-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pcp-3.6.6-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 12 Nathan Scott 2012-09-16 20:36:24 EDT
Bugzilla maint - this issue has been resolved in Fedora for a while.
Comment 13 Fedora Update System 2012-09-17 19:04:51 EDT
pcp-3.6.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-09-18 15:59:35 EDT
pcp-3.6.8-1.fc16 has been submitted as an update for Fedora 16.
Comment 15 Fedora Update System 2012-09-18 16:00:58 EDT
pcp-3.6.8-1.fc17 has been submitted as an update for Fedora 17.
Comment 16 Fedora Update System 2012-10-25 18:18:16 EDT
pcp-3.6.9-1.el5 has been submitted as an update for Fedora EPEL 5.
Comment 17 Fedora Update System 2012-10-25 18:18:47 EDT
pcp-3.6.9-1.fc18 has been submitted as an update for Fedora 18.
Comment 18 Fedora Update System 2012-10-25 18:19:14 EDT
pcp-3.6.9-1.fc16 has been submitted as an update for Fedora 16.
Comment 19 Fedora Update System 2012-10-25 18:19:42 EDT
pcp-3.6.9-1.el6 has been submitted as an update for Fedora EPEL 6.
Comment 20 Fedora Update System 2012-10-25 18:20:16 EDT
pcp-3.6.9-1.fc17 has been submitted as an update for Fedora 17.