Bug 841319

Summary: In-band signalling in __pmGetPDU leads to pmcd memory leak
Product: Fedora
Reporter: Florian Weimer <fweimer>
Component: pcp
Assignee: Ken McDonell <kenj>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: kenj, mgoodwin, nathans, security-response-team
Keywords: Security
Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Last Closed: 2012-08-20 04:03:38 UTC
Type: Bug
Bug Blocks: 840765, 841704    
Attachments: proposed patch for pdu.c

Description Florian Weimer 2012-07-18 16:41:03 UTC
The return value of __pmGetPDU is both an error code and the value of the type field of the PDU.  A negative type value is treated as an error by HandleClientInput, and the PDU is never unpinned, even though it was pinned by __pmGetPDU because there was no error.  This leads to a memory leak and eventual pmcd crash.

I think one possible fix would be to reject negative type values in __pmGetPDU.
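A constructed C model of the in-band signalling hazard described above, added here as an illustration and not PCP's own pdu.c or pmcd code: the names `model_get_pdu`, `handle_client_input`, `PM_ERR_IPC`'s value and the pin counter are hypothetical, and the `reject_negative_type` flag selects the suggested fix of refusing negative type values before the PDU is pinned.

```c
#include <stdlib.h>

/* Hypothetical error code; in the model any negative return means "error". */
#define PM_ERR_IPC (-1000)

typedef struct { int type; } pdu_t;

/* Count of PDUs pinned but not yet unpinned (the leak we want to observe). */
static int live_pins = 0;

/* Model of __pmGetPDU: the return value is BOTH the status and the PDU's type
 * field, which comes straight off the wire (in-band signalling). */
static int model_get_pdu(int wire_type, int reject_negative_type, pdu_t **out)
{
    pdu_t *p = malloc(sizeof *p);
    if (p == NULL)
        return PM_ERR_IPC;
    p->type = wire_type;
    /* Suggested fix: a negative type can never be told apart from an error
     * by the caller, so reject it here, before anything is pinned. */
    if (reject_negative_type && wire_type < 0) {
        free(p);
        return PM_ERR_IPC;
    }
    live_pins++;            /* no error occurred, so the PDU is pinned */
    *out = p;
    return p->type;         /* caller must unpin; but a negative type looks like an error */
}

static void model_unpin(pdu_t *p) { live_pins--; free(p); }

/* Model of HandleClientInput: a negative return is treated as an error and the
 * PDU is never unpinned, which is the path that leaks when type < 0. */
static int handle_client_input(int wire_type, int fixed)
{
    pdu_t *pdu = NULL;
    int sts = model_get_pdu(wire_type, fixed, &pdu);
    if (sts < 0)
        return sts;         /* "error": pdu, if it was pinned, is leaked */
    /* ... dispatch on sts, the PDU type ... */
    model_unpin(pdu);
    return 0;
}

/* Handle one PDU with the given wire type and report how many pins leaked. */
int leaked_pins_after(int wire_type, int fixed)
{
    live_pins = 0;
    handle_client_input(wire_type, fixed);
    return live_pins;
}
```

Each negative-typed PDU leaks one pin in the unfixed model, which is how repeated malformed input exhausts pmcd's memory; with the fix the pin count stays at zero.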

Comment 2 Mark Goodwin 2012-07-19 02:25:02 UTC
[this is a test] Ken tried to comment on this BZ but got an error

Comment 3 Ken McDonell 2012-07-19 04:35:43 UTC
I'll work on this one.  Florian's suggested fix seems correct and robust.

Comment 4 Ken McDonell 2012-07-19 08:58:00 UTC
Fix is in commit 49b9bd1e5d1df6f7115fec79bd09e2dc99df7fd9.
QA 511 added to verify bug and fix.

Comment 5 Ken McDonell 2012-07-20 06:36:40 UTC
Created attachment 599314 [details]
proposed patch for pdu.c

This is Florian's fix.  I've backed out the commit in my git tree as per the agreed process for handling these issues.

Comment 6 Huzaifa S. Sidhpurwala 2012-08-16 04:10:18 UTC
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=68fb968b4ee635bb301dc9ab64e633b0d66d27b4

This issue has been addressed in pcp-3.6.5