Bug 1264345 (CVE-2015-7236) - CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
Summary: CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1186933 1264351 1283638 1283639 1283640 1283641
Blocks: 1172231 1203710 1255551 1264350
Reported: 2015-09-18 09:11 UTC by Adam Mariš
Modified: 2019-09-29 13:36 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:01 UTC


Attachments
Proposed patch (658 bytes, patch) - 2015-09-18 09:19 UTC, Adam Mariš
Proposed patch (2.83 KB, patch) - 2015-09-18 14:57 UTC, Adam Mariš


Links
Red Hat Product Errata RHSA-2016:0005 (priority: normal, status: SHIPPED_LIVE): Moderate: rpcbind security update - last updated 2016-01-07 20:58:35 UTC

Description Adam Mariš 2015-09-18 09:11:24 UTC
A use-after-free vulnerability in rpcbind causing a remotely triggerable crash was found. Rpcbind crashes in svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer, which contains a sockaddr_in. Here's how it happens (as explained in http://www.spinics.net/lists/linux-nfs/msg53045.html ):

 - A PMAP_CALLIT call comes in on IPv4 UDP

 - rpcbind duplicates the caller's address to a netbuf and stores
   it in FINFO[0].caller_addr. caller_addr->buf now points to a
   memory region A with a size of 16 bytes

 - rpcbind forwards the call to the local service, receives a reply

 - when processing the reply, it does this in xprt_set_caller:
     xprt->xp_rtaddr = *FINFO[0].caller_addr
   where xprt is the UDP transport on which it received the
   PMAP_CALLIT request.

   It sends out the reply, and then frees the netbuf caller_addr and
   caller_addr.buf.
   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
   to memory region A, which is free.

 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv
   will be called, which will set xp_rtaddr to the client's address.
   It will reuse the buffer inside xp_rtaddr, ie it will write a
   sockaddr_in to region A.

So, this explains how memory gets corrupted. Here's why that
eventually leads to a crash in svc_dodestroy.

Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT.

 - While processing the TCP call, another UDP call comes in, again
   overwriting region A with the client's address

 - TCP client closes connection. In svc_destroy, we now trip over
   the garbage left in region A

CVE assignment:

http://seclists.org/oss-sec/2015/q3/566
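The root cause described above is the shallow struct assignment `xprt->xp_rtaddr = *FINFO[0].caller_addr`: it copies the `buf` pointer rather than the address bytes, so the UDP transport keeps referencing region A after the forwarding record is freed. The following C program is an added illustration, not rpcbind's code and not the attached patch; the `struct netbuf` layout matches TI-RPC, but `struct svcxprt`, `struct finfo`, `dup_caller_addr`, `xprt_set_caller_aliasing`, `xprt_set_caller_copying` and the sample caller address are constructed stand-ins. It contrasts the aliasing assignment with a variant that copies the bytes into storage the transport owns, and reports whether the transport is left holding a dangling pointer at the moment the forwarding record is released (the check is made before the free, so nothing touches freed memory).

```c
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* TI-RPC's netbuf layout (maxlen, len, buf). */
struct netbuf {
    unsigned int maxlen;
    unsigned int len;
    void *buf;
};

/* Illustrative transport: xp_rtaddr plus the backing store a svc_dg
 * transport owns for it (assumption: modelled, not rpcbind's SVCXPRT). */
struct svcxprt {
    struct netbuf xp_rtaddr;
    char rt_storage[sizeof(struct sockaddr_storage)];
};

/* Illustrative forwarding record, standing in for rpcbind's FINFO[] entry. */
struct finfo {
    struct netbuf *caller_addr;
};

static void xprt_init(struct svcxprt *x)
{
    memset(x, 0, sizeof *x);
    x->xp_rtaddr.buf = x->rt_storage;
    x->xp_rtaddr.maxlen = sizeof x->rt_storage;
}

/* Duplicate the caller's address into a fresh netbuf: nb->buf is "region A". */
static struct netbuf *dup_caller_addr(const struct sockaddr_in *sin)
{
    struct netbuf *nb = malloc(sizeof *nb);
    if (!nb)
        return NULL;
    nb->len = nb->maxlen = sizeof *sin;
    nb->buf = malloc(nb->len);
    if (!nb->buf) {
        free(nb);
        return NULL;
    }
    memcpy(nb->buf, sin, nb->len);
    return nb;
}

/* Vulnerable pattern: struct assignment copies the pointer, so
 * xp_rtaddr.buf aliases region A and dangles once caller_addr is freed. */
static void xprt_set_caller_aliasing(struct svcxprt *x, const struct netbuf *caller)
{
    x->xp_rtaddr = *caller;
}

/* Hardened pattern: copy the address bytes into the transport-owned buffer,
 * bounded by maxlen, so freeing caller_addr leaves nothing dangling. */
static int xprt_set_caller_copying(struct svcxprt *x, const struct netbuf *caller)
{
    if (caller->len > x->xp_rtaddr.maxlen)
        return -1;
    memcpy(x->xp_rtaddr.buf, caller->buf, caller->len);
    x->xp_rtaddr.len = caller->len;
    return 0;
}

static void free_caller_addr(struct netbuf *nb)
{
    free(nb->buf);
    free(nb);
}

/* Run one PMAP_CALLIT reply path. Returns 1 if xp_rtaddr.buf still points
 * into caller_addr->buf when that record is released (dangling state),
 * 0 if the transport's copy lives in its own storage, -1 on allocation failure. */
int callit_reply_leaves_dangling(int use_copying_fix)
{
    struct svcxprt udp_xprt;
    struct sockaddr_in sin;
    struct finfo fi;
    int dangling;

    xprt_init(&udp_xprt);
    memset(&sin, 0, sizeof sin);          /* constructed sample caller */
    sin.sin_family = AF_INET;
    sin.sin_port = htons(40000);
    sin.sin_addr.s_addr = htonl(0x0a000001);

    fi.caller_addr = dup_caller_addr(&sin);
    if (!fi.caller_addr)
        return -1;

    if (use_copying_fix)
        xprt_set_caller_copying(&udp_xprt, fi.caller_addr);
    else
        xprt_set_caller_aliasing(&udp_xprt, fi.caller_addr);

    /* Reply is sent here; then the forwarding record is torn down. */
    dangling = (udp_xprt.xp_rtaddr.buf == fi.caller_addr->buf);
    free_caller_addr(fi.caller_addr);
    fi.caller_addr = NULL;
    /* In the aliasing variant the next svc_dg_recv would now write a
     * sockaddr_in into freed region A; in the copying variant it writes
     * into rt_storage, which the transport owns. */
    return dangling;
}

int main(void)
{
    printf("aliasing assignment leaves dangling pointer: %d\n", callit_reply_leaves_dangling(0));
    printf("byte copy leaves dangling pointer:           %d\n", callit_reply_leaves_dangling(1));
    return 0;
}
```

Either copying the bytes (as here) or clearing `xp_rtaddr` when the forwarding record is freed breaks the chain before the stale write into a reused heap chunk can occur; the copying form is preferable because the transport never depends on the lifetime of another object's buffer.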

Comment 1 Adam Mariš 2015-09-18 09:19:07 UTC
Created attachment 1074748
Proposed patch

Source: http://www.spinics.net/lists/linux-nfs/msg53045.html

Comment 2 Adam Mariš 2015-09-18 09:22:00 UTC
Created rpcbind tracking bugs for this issue:

Affects: fedora-all [bug 1264351]

Comment 3 Adam Mariš 2015-09-18 14:57:24 UTC
Created attachment 1074949
Proposed patch

Comment 13 errata-xmlrpc 2016-01-07 15:58:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:0005 https://rhn.redhat.com/errata/RHSA-2016-0005.html

Comment 14 Product Security DevOps Team 2019-07-12 13:04:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-7236
