Bug 1264345 - (CVE-2015-7236) CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
Status: RELEASE_PENDING
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150806,repor...
Keywords: Security
Depends On: 1186933 1264351 1283638 1283639 1283640 1283641
Blocks: 1172231 1203710 1255551 1264350
Reported: 2015-09-18 05:11 EDT by Adam Mariš
Modified: 2016-11-08 11:13 EST
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.

Attachments
Proposed patch (658 bytes, patch), 2015-09-18 05:19 EDT, Adam Mariš
Proposed patch (2.83 KB, patch), 2015-09-18 10:57 EDT, Adam Mariš

Description Adam Mariš 2015-09-18 05:11:24 EDT
A use-after-free vulnerability in rpcbind causing a remotely triggerable crash was found. Rpcbind crashes in svc_dodestroy when trying to free a corrupted xprt->xp_netid pointer, which contains a sockaddr_in. Here's how it happens (as explained in http://www.spinics.net/lists/linux-nfs/msg53045.html):

 - A PMAP_CALLIT call comes in on IPv4 UDP

 - rpcbind duplicates the caller's address to a netbuf and stores
   it in FINFO[0].caller_addr. caller_addr->buf now points to a
   memory region A with a size of 16 bytes

 - rpcbind forwards the call to the local service, receives a reply

 - when processing the reply, it does this in xprt_set_caller:
     xprt->xp_rtaddr = *FINFO[0].caller_addr
   where xprt is the UDP transport on which it received the
   PMAP_CALLIT request.

   It sends out the reply, and then frees the netbuf caller_addr and
   caller_addr.buf.
   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
   to memory region A, which is free.

 - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv
   will be called, which will set xp_rtaddr to the client's address.
   It will reuse the buffer inside xp_rtaddr, i.e. it will write a
   sockaddr_in to region A.

So, this explains how memory gets corrupted. Here's why that
eventually leads to a crash in svc_dodestroy.

Some time down the road, an incoming TCP connection is accepted,
allocating a fresh SVCXPRT. The memory region A is inside the
new SVCXPRT.

 - While processing the TCP call, another UDP call comes in, again
   overwriting region A with the client's address

 - TCP client closes connection. In svc_destroy, we now trip over
   the garbage left in region A

CVE assignment:

http://seclists.org/oss-sec/2015/q3/566
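
The aliasing step described in the report, modelled as an added example (not code from rpcbind or from the attached patches). A toy slot allocator stands in for malloc so the dangling state can be checked safely; `toy_xprt`, `set_caller_shallow`, `set_caller_deep` and `rtaddr_live_after_reply` are hypothetical names, and the deep copy is one way to avoid the aliasing, assuming the transport owns a buffer large enough for the address.

```c
#include <stdio.h>
#include <string.h>
/* Toy fixed-slot allocator: "freed" memory stays valid storage, so it can be inspected. */
#define SLOTS 4
#define SLOT_SZ 16                      /* region A in the report is 16 bytes */
static unsigned char pool[SLOTS][SLOT_SZ];
static int live[SLOTS];
static int slot_of(const void *p) {
    for (int i = 0; i < SLOTS; i++) if (p == (const void *)pool[i]) return i;
    return -1;
}
static void *slot_alloc(void) {
    for (int i = 0; i < SLOTS; i++) if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}
static void slot_free(void *p) { int i = slot_of(p); if (i >= 0) live[i] = 0; }
static int slot_is_live(const void *p) { int i = slot_of(p); return i >= 0 && live[i]; }

struct netbuf { unsigned int maxlen, len; void *buf; };  /* same shape as the TI-RPC netbuf */
struct toy_xprt { struct netbuf xp_rtaddr; };            /* hypothetical stand-in for SVCXPRT */

/* Pattern from the report: struct assignment makes xp_rtaddr.buf alias caller_addr->buf. */
static void set_caller_shallow(struct toy_xprt *x, const struct netbuf *caller) {
    x->xp_rtaddr = *caller;
}
/* Mitigation sketch: copy the address bytes into the buffer the transport already owns. */
static int set_caller_deep(struct toy_xprt *x, const struct netbuf *caller) {
    if (caller->len > x->xp_rtaddr.maxlen) return -1;
    memcpy(x->xp_rtaddr.buf, caller->buf, caller->len);
    x->xp_rtaddr.len = caller->len;
    return 0;
}

/* One forwarded-reply cycle; returns 1 if xp_rtaddr.buf still points at live memory. */
int rtaddr_live_after_reply(int use_deep_copy) {
    memset(live, 0, sizeof live);
    struct toy_xprt x = { { SLOT_SZ, 0, slot_alloc() } };       /* transport's own buffer */
    struct netbuf caller = { SLOT_SZ, SLOT_SZ, slot_alloc() };  /* FINFO[0].caller_addr */
    memset(caller.buf, 0xAA, SLOT_SZ);                          /* constructed address bytes */
    if (use_deep_copy) set_caller_deep(&x, &caller);
    else set_caller_shallow(&x, &caller);
    slot_free(caller.buf);              /* reply sent, caller_addr released */
    return slot_is_live(x.xp_rtaddr.buf);
}

int main(void) {
    printf("shallow copy: xp_rtaddr live = %d\n", rtaddr_live_after_reply(0));
    printf("deep copy:    xp_rtaddr live = %d\n", rtaddr_live_after_reply(1));
    return 0;
}
```

With the shallow copy the transport is left holding a pointer into a released slot, which is the state the next svc_dg_recv write lands in; with the deep copy it still points at its own buffer.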
Comment 1 Adam Mariš 2015-09-18 05:19:07 EDT
Created attachment 1074748
Proposed patch

Source: http://www.spinics.net/lists/linux-nfs/msg53045.html
Comment 2 Adam Mariš 2015-09-18 05:22:00 EDT
Created rpcbind tracking bugs for this issue:

Affects: fedora-all [bug 1264351]
Comment 3 Adam Mariš 2015-09-18 10:57:24 EDT
Created attachment 1074949
Proposed patch
Comment 13 errata-xmlrpc 2016-01-07 10:58:50 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:0005 https://rhn.redhat.com/errata/RHSA-2016-0005.html
