Bug 948378 (CVE-2013-1950)

Summary: CVE-2013-1950 libtirpc: invalid pointer free leads to rpcbind daemon crash
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlayton, jlieskov, jrusnack, myllynen, pmatouse, rhack, security-response-team, steved
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-30 20:23:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 953735, 953736, 955211    
Bug Blocks: 948388    

Description Vincent Danen 2013-04-04 17:07:40 UTC 
The Nessus plugin for Sun RPC XDR xdrmem_getbytes Function Remote Overflow [1] causes rpcbind to crash due to freeing an invalid pointer.

*** glibc detected *** /sbin/rpcbind: free(): invalid pointer: 0xbf7f494c ***
poll returned read fds < 6 >
======= Backtrace: =========
/lib/libc.so.6(-0xff84c1cf)[0x240e31]
/lib/libtirpc.so.1(xdr_bytes+0x9f)[0xb3ca9f]
/sbin/rpcbind(+0x5714)[0x631714]
/lib/libtirpc.so.1(+0x14ea4)[0xb36ea4]
/lib/libtirpc.so.1(+0x14e6e)[0xb36e6e]
/sbin/rpcbind(+0x591e)[0x63191e]
/sbin/rpcbind(pmap_service+0x174)[0x6344e4]
/lib/libtirpc.so.1(svc_getreq_common+0x2ae)[0xb3600e]
/lib/libtirpc.so.1(svc_getreq_poll+0x8f)[0xb360bf]
/sbin/rpcbind(+0x509b)[0x63109b]
/sbin/rpcbind(main+0x4dc)[0x62fd3c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1e6ce6]
/sbin/rpcbind(+0x21c1)[0x62e1c1]
======= Memory map: ========
001d0000-00360000 r-xp 00000000 08:03 131950     /lib/libc-2.12.so
00360000-00361000 ---p 00190000 08:03 131950     /lib/libc-2.12.so
00361000-00363000 r--p 00190000 08:03 131950     /lib/libc-2.12.so
00363000-00364000 rw-p 00192000 08:03 131950     /lib/libc-2.12.so
00364000-00367000 rw-p 00000000 00:00 0 
0056e000-00585000 r-xp 00000000 08:03 137050     /lib/libnsl-2.12.so
00585000-00586000 r--p 00016000 08:03 137050     /lib/libnsl-2.12.so
00586000-00587000 rw-p 00017000 08:03 137050     /lib/libnsl-2.12.so
00587000-00589000 rw-p 00000000 00:00 0 
0062c000-00639000 r-xp 00000000 08:03 394181     /sbin/rpcbind
00639000-0063a000 rw-p 0000d000 08:03 394181     /sbin/rpcbind
00688000-00690000 r-xp 00000000 08:03 137055     /lib/libwrap.so.0.7.6
00690000-00691000 r--p 00007000 08:03 137055     /lib/libwrap.so.0.7.6
00691000-00692000 rw-p 00008000 08:03 137055     /lib/libwrap.so.0.7.6
0076f000-00786000 r-xp 00000000 08:03 131977     /lib/libpthread-2.12.so
00786000-00787000 r--p 00016000 08:03 131977     /lib/libpthread-2.12.so
00787000-00788000 rw-p 00017000 08:03 131977     /lib/libpthread-2.12.so
00788000-0078a000 rw-p 00000000 00:00 0 
008bb000-008bc000 r-xp 00000000 00:00 0          [vdso]
008ef000-008fb000 r-xp 00000000 08:03 137169     /lib/libnss_files-2.12.so
008fb000-008fc000 r--p 0000b000 08:03 137169     /lib/libnss_files-2.12.so
008fc000-008fd000 rw-p 0000c000 08:03 137169     /lib/libnss_files-2.12.so
0099f000-009bd000 r-xp 00000000 08:03 131584     /lib/ld-2.12.so
009bd000-009be000 r--p 0001d000 08:03 131584     /lib/ld-2.12.so
009be000-009bf000 rw-p 0001e000 08:03 131584     /lib/ld-2.12.so
009d6000-009de000 r-xp 00000000 08:03 136753     /lib/libgssglue.so.1.0.0
009de000-009df000 rw-p 00007000 08:03 136753     /lib/libgssglue.so.1.0.0
00ad9000-00af6000 r-xp 00000000 08:03 136736     /lib/libgcc_s-4.4.7-20120601.so.1
00af6000-00af7000 rw-p 0001d000 08:03 136736     /lib/libgcc_s-4.4.7-20120601.so.1
00b22000-00b48000 r-xp 00000000 08:03 131852     /lib/libtirpc.so.1.0.10
00b48000-00b49000 rw-p 00026000 08:03 131852     /lib/libtirpc.so.1.0.10
00e35000-00e38000 r-xp 00000000 08:03 132420     /lib/libdl-2.12.so
00e38000-00e39000 r--p 00002000 08:03 132420     /lib/libdl-2.12.so
00e39000-00e3a000 rw-p 00003000 08:03 132420     /lib/libdl-2.12.so
014aa000-014cb000 rw-p 00000000 00:00 0          [heap]
b770f000-b7712000 rw-p 00000000 00:00 0 
b772d000-b7730000 rw-p 00000000 00:00 0 
bf7e3000-bf808000 rw-p 00000000 00:00 0          [stack]
rpcbind debugging enabled.

This is not the same flaw as CVE-2003-0028 (what the plugin was written for).

The above observed on a Red Hat Enterprise Linux 6 host.

[1] http://www.tenable.com/plugins/index.php?view=single&id=11420
Comment 10 Steve Dickson 2013-04-18 17:39:17 UTC 
It looks like the problem is libtirpc. Its a regression from:
    commit 82cc2e6129c872c8be09381055f2fb5641c5e6fe
    Author: Matthew N. Dodd <matthew.nygard.dodd>
    Date:   Mon Jun 20 13:34:56 2011 -0400

           SVCAUTH_WRAP/SVCAUTH_UNWRAP

The following code as added to svc_dg_getargs()
@@ -264,7 +282,12 @@ svc_dg_getargs(xprt, xdr_args, args_ptr)
 	xdrproc_t xdr_args;
 	void *args_ptr;
 {
-	return (*xdr_args)(&(su_data(xprt)->su_xdrs), args_ptr);
+	if (! SVCAUTH_UNWRAP(xprt->xp_auth, &(su_data(xprt)->su_xdrs),
+			     xdr_args, args_ptr)) {
+		(void)svc_freeargs(xprt, xdr_args, args_ptr);
+		return FALSE;
+	}
+	return TRUE;
 }
That svc_freeargs() should not exist.
Comment 13 Jan Lieskovsky 2013-04-22 14:22:46 UTC 
An invalid pointer free flaw was found in the way server side code implementation for connectionless RPC requests of libtirpc, a library implementing Transport-Independent RPC (TI-RPC), (previously) performed arguments retrieval (due to a regression in commit 82cc2e61 svc_dg_getargs() routine callers would crash with invalid pointer free). A remote attacker could issue a specially-crafted Sun RPC request that, when processed would lead to rpcbind daemon crash.

A different vulnerability than CVE-2003-0028.

Relevant upstream patch:
[1] http://git.infradead.org/users/steved/libtirpc.git/commitdiff/a9f437119d79a438cb12e510f3cadd4060102c9f
Comment 14 Jan Lieskovsky 2013-04-22 14:42:21 UTC 
Created libtirpc tracking bugs for this issue

Affects: fedora-all [bug 955211]
Comment 15 Jan Lieskovsky 2013-04-22 14:44:59 UTC 
This issue affects the version of the libtirpc package, as shipped with Red Hat Enterprise Linux 6.
Comment 17 Vincent Danen 2013-04-25 16:28:03 UTC 
Acknowledgements:

Red Hat would like to thank Michael Armstrong for reporting this issue.
Comment 22 errata-xmlrpc 2013-05-30 18:30:46 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0884 https://rhn.redhat.com/errata/RHSA-2013-0884.html