__pmDecodeInstanceReq does not check the namelen field against the PDU length, leading to a read overflow. Furthermore, if namelen is 0xFFFFFFFF, malloc(0) is called, followed by a strncpy() call to that pointer. The copied string is controlled by the attacker. This is exposed through pmcd without authentication.
Ken requested assignment, thanks.
Created attachment 600703: Resolve issues in decoding PCP instreq PDUs
(In reply to comment #3)
> Created attachment 600703
> Resolve issues in decoding PCP instreq PDUs

I think this is okay. The expression sizeof(instance_req_t) - sizeof(pp->name) + namelen looks a bit suspicious with regards to wraparound, but the namelen > pp->hdr.len check before it should cover that.
Integration testing revealed that src/pmcd/src/dopdus.c:DoInstance() does not check for the error return from __pmDecodeInstanceReq:

    int
    DoInstance(ClientInfo *cp, __pmPDU* pb)
    {
        int             sts = 0, s;
        __pmTimeval     when;
        pmInDom         indom;
        int             inst;
        char            *name;
        __pmInResult    *inresult = NULL;
        AgentInfo       *ap;
        int             fdfail = -1;

        /* return status of the decoder is discarded; on failure the
         * output arguments below are not valid */
        __pmDecodeInstanceReq(pb, &when, &indom, &inst, &name);
        if (when.tv_sec != 0 || when.tv_usec != 0) {

This can lead to crashes further down.
Created attachment 603365: Revised PCP instance request PDU decoding patch

Excellent catch, thanks! I've also audited all of the other __pmDecode* call sites, to ensure they check their return codes. There are a few __pmDecodeError calls which are currently safe, and the remainder do check. cheers.
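A hardened decoder illustrating the two points raised in this thread, the namelen-versus-PDU-length bound (checked before any arithmetic that could wrap) and the call-site discipline of testing the decoder's status before using its outputs. This is an added example, not PCP's code: the PDU layout, IR_FIXED_LEN, and the function names are assumptions chosen only to exercise those checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed, simplified instance-request PDU layout (assumption: not PCP's real
 * instance_req_t): [uint32 hdr.len][uint32 hdr.type][uint32 namelen][name bytes]. */
#define IR_FIXED_LEN 12u   /* bytes before the variable-length name */

static uint32_t get_u32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Decode the instance name from an untrusted PDU of buflen bytes. Returns 0 with a
 * NUL-terminated malloc'd copy in *name, or a negative status (*name == NULL). */
int decode_instance_req(const unsigned char *buf, size_t buflen, char **name)
{
    uint32_t pdulen, namelen;
    *name = NULL;
    if (buflen < IR_FIXED_LEN) return -1;       /* fixed part not all present */
    pdulen = get_u32(buf);
    if (pdulen != buflen) return -1;            /* declared length must match what arrived */
    namelen = get_u32(buf + 8);
    /* Bound namelen by the PDU length before any arithmetic on it: unchecked, a value
     * of 0xFFFFFFFF makes namelen + 1 wrap to 0, hence malloc(0) followed by a copy. */
    if (namelen > pdulen || namelen > pdulen - IR_FIXED_LEN) return -1;
    *name = malloc((size_t)namelen + 1);        /* cannot wrap: namelen <= pdulen */
    if (*name == NULL) return -2;
    memcpy(*name, buf + IR_FIXED_LEN, namelen);
    (*name)[namelen] = '\0';
    return 0;
}

/* Build a constructed PDU into out (capacity cap) and return its length; the
 * declared namelen is a parameter so a test can make it disagree with the payload. */
size_t build_instance_req(unsigned char *out, size_t cap, const char *name, uint32_t declared_namelen)
{
    size_t n = strlen(name), total = IR_FIXED_LEN + n;
    uint32_t len = (uint32_t)total, type = 0;
    if (total > cap) return 0;
    memcpy(out, &len, 4); memcpy(out + 4, &type, 4); memcpy(out + 8, &declared_namelen, 4);
    memcpy(out + IR_FIXED_LEN, name, n);
    return total;
}

/* Call-site discipline: check the decode status before touching any output.
 * Returns 1 if a valid name was decoded (and freed), 0 if the request is rejected. */
int do_instance(const unsigned char *pdu, size_t pdulen)
{
    char *name;
    if (decode_instance_req(pdu, pdulen, &name) < 0) return 0;   /* name is not valid here */
    free(name);
    return 1;
}
```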
Upstream patch: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=f190942b552aa80d59bbe718866aa00b8e3fd5cc

This issue has been addressed in pcp-3.6.5.
This issue was addressed in Fedora and EPEL via the following security updates:

Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6