Bug 840822 - Crash in __pmDecodeCreds decoding crafted PDUs
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pcp
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Nathan Scott
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On:
Blocks: 840765 CVE-2012-3418
Reported: 2012-07-17 05:59 EDT by Florian Weimer
Modified: 2012-08-19 23:52 EDT (History)

Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Last Closed: 2012-08-19 23:52:18 EDT
Type: Bug

Attachments
preliminary patch to __pmDecodeCreds to fix this (854 bytes, patch)
2012-07-17 20:30 EDT, Mark Goodwin
Updated patch to address pcp credentials pdu buffer overflow exploit (1.45 KB, patch)
2012-07-19 06:18 EDT, Nathan Scott

Description Florian Weimer 2012-07-17 05:59:48 EDT
pmcd (and probably others) in pcp-3.6.3 crash when decoding crafted PDUs where the numcreds field exceeds the number of elements actually contained in the PDU.

On 32-bit architectures, the size passed to malloc can be too small, leading to a heap-based buffer overflow.  On 64-bit architectures, the multiplication is performed with 64 bits, so no overflow occurs, and the crash happens because __pmDecodeCreds reads beyond the end of an allocated buffer.

pmcd runs with root privileges and starts automatically when the pcp package is installed.  It listens on 0.0.0.0 and does not require authentication.
Comment 8 Mark Goodwin 2012-07-17 20:30:25 EDT
Created attachment 598767 [details]
preliminary patch to __pmDecodeCreds to fix this


Attached preliminary patch from Nathan Scott (upstream). Has been tested
against the reproducer script.
Comment 9 Florian Weimer 2012-07-18 02:54:43 EDT
(In reply to comment #8)
> Created attachment 598767 [details]
> preliminary patch to __pmDecodeCreds to fix this
> 
> 
> Attached preliminary patch from Nathan Scott (upstream). Has been tested
> against the reproducer script.

This calculation can overflow:

  need = sizeof(creds_t) + ((numcred-1) * sizeof(__pmCred));

There should be a check *before* the calculation that this cannot happen, something like numcred < (INT_MAX - sizeof(creds_t))/sizeof(__pmCred).
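The failure mode in the description and the overflow note in comment 9, worked through as an added example. This is not pcp's code: the struct layouts (cred_t, creds_pdu_t), the field names, and the helper functions are assumptions for illustration, and wire integers are read in host byte order. The decoder performs the two checks a reviewer would want, the count ceiling before the size arithmetic and the derived size against the bytes actually received, and the 32-bit helper shows why the ceiling matters.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for pcp's __pmCred / creds_t. The real layouts are
 * not reproduced; this shape is assumed for illustration, with wire integers
 * taken in host byte order to keep the example short. */
typedef struct {
    uint32_t c_type;         /* credential type */
    uint32_t c_value;        /* credential payload */
} cred_t;

typedef struct {
    uint32_t len;            /* PDU length in bytes, as claimed by the sender */
    uint32_t type;           /* PDU type tag */
    int32_t  numcred;        /* number of cred_t entries the sender claims */
    cred_t   credlist[1];    /* first entry; numcred-1 more follow in memory */
} creds_pdu_t;

/* The pre-fix size calculation, evaluated in 32-bit arithmetic the way a
 * 32-bit build would: a large numcred wraps it to a tiny malloc size. */
uint32_t need_bytes_32bit(int32_t numcred)
{
    return (uint32_t)sizeof(creds_pdu_t)
         + (uint32_t)(numcred - 1) * (uint32_t)sizeof(cred_t);  /* may wrap */
}

/* Largest numcred for which sizeof(creds_pdu_t) + (numcred-1)*sizeof(cred_t)
 * cannot exceed INT_MAX: the bound suggested in comment 9. */
int32_t max_safe_numcred(void)
{
    return (int32_t)((INT_MAX - sizeof(creds_pdu_t)) / sizeof(cred_t));
}

/* Hardened decoder: 0 on success with *out/*count set, -1 on a bad PDU.
 * Every check runs before the arithmetic or copy that depends on it. */
int decode_creds(const unsigned char *buf, size_t buflen, cred_t **out, int *count)
{
    creds_pdu_t hdr;
    size_t need, copylen;
    cred_t *creds;

    *out = NULL;
    *count = 0;
    if (buf == NULL || buflen < sizeof(creds_pdu_t))
        return -1;                               /* header itself is short */
    memcpy(&hdr, buf, sizeof(hdr));              /* no unaligned access */
    if (hdr.len != buflen)
        return -1;                               /* claimed length != received */
    /* numcred < 1 makes (numcred-1) negative; above the ceiling the size
     * computation would overflow. Both are rejected before it is evaluated. */
    if (hdr.numcred < 1 || hdr.numcred > max_safe_numcred())
        return -1;
    need = sizeof(creds_pdu_t) + (size_t)(hdr.numcred - 1) * sizeof(cred_t);
    if (need > buflen)
        return -1;   /* count exceeds what was received: the 64-bit over-read case */

    copylen = (size_t)hdr.numcred * sizeof(cred_t);
    creds = malloc(copylen);
    if (creds == NULL)
        return -1;
    memcpy(creds, buf + offsetof(creds_pdu_t, credlist), copylen);
    *out = creds;
    *count = hdr.numcred;
    return 0;
}

/* Constructed sample input: a PDU whose header claims `claimed` credentials
 * while the buffer actually carries `actual`. Returns bytes written, 0 on error. */
size_t build_creds_pdu(unsigned char *buf, size_t cap, int32_t claimed, int32_t actual)
{
    creds_pdu_t hdr;
    size_t i, total;

    if (actual < 1)
        return 0;
    total = sizeof(creds_pdu_t) + (size_t)(actual - 1) * sizeof(cred_t);
    if (total > cap)
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.len = (uint32_t)total;
    hdr.type = 0x7003;                           /* arbitrary tag for the example */
    hdr.numcred = claimed;
    memcpy(buf, &hdr, sizeof(hdr));
    for (i = 0; i < (size_t)actual; i++) {
        cred_t c = { (uint32_t)(i + 1), (uint32_t)(0x100 * (i + 1)) };
        memcpy(buf + offsetof(creds_pdu_t, credlist) + i * sizeof(cred_t), &c, sizeof(c));
    }
    return total;
}
```

To exercise it, build a PDU with build_creds_pdu(buf, sizeof buf, 1000, 3): the header claims 1000 credentials but the buffer carries three, and decode_creds rejects it at the need > buflen check rather than reading past the buffer. need_bytes_32bit(0x20000001) returns 20, the size of the bare header, which is the wrap that turned a crafted count into an undersized heap allocation on 32-bit builds; the same count is refused by the max_safe_numcred ceiling before any arithmetic happens.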
Comment 10 Nathan Scott 2012-07-19 06:18:37 EDT
Created attachment 599108 [details]
Updated patch to address pcp credentials pdu buffer overflow exploit

Incorporates an additional check to guard against malloc size overflow.  Uses a tighter restriction than the MAXINT-based suggestion, based on current uses and likely future uses of this PDU.
Comment 11 Mark Goodwin 2012-07-19 06:23:23 EDT
Reassign to Nathan since he is following through and this seems to be the way
to go for these bugs.
Comment 12 Nathan Scott 2012-07-19 06:25:03 EDT
I have a pcpqa test (513) which uses Florian's initial test case to exercise this change.  I'll hang onto it privately until we get a/ confirmation on permission to make use of this, and b/ public knowledge of the issue.

thanks!
Comment 13 Florian Weimer 2012-07-19 07:33:00 EDT
(In reply to comment #10)
> Created attachment 599108 [details]
> Updated patch to address pcp credentials pdu buffer overflow exploit
> 
> Incorporates an additional check to guard against malloc size overflow. 
> Uses a tighter restriction than the MAXINT-based suggestion, based on
> current uses and likely future uses of this PDU.

This looks good, thanks.
Comment 14 Huzaifa S. Sidhpurwala 2012-08-15 23:41:32 EDT
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=cced6012b4b93bfb640a9678589ced5416743910

This issue has been addressed in pcp-3.6.5
