Bug 841298 - pmcd leaks memory in DoFetch error path
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pcp
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Ken McDonell
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Blocks: 840765 CVE-2012-3420
Reported: 2012-07-18 11:21 EDT by Florian Weimer
Modified: 2012-08-20 00:03 EDT (History)
Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Last Closed: 2012-08-20 00:03:43 EDT
Type: Bug

Attachments
proposed patch for dofetch.c (700 bytes, patch) - 2012-07-20 07:32 EDT, Ken McDonell

Description Florian Weimer 2012-07-18 11:21:46 EDT
This code path in DoFetch in src/pmcd/src/dofetch.c is problematic:

    sts = __pmDecodeFetch(pb, &ctxnum, &when, &nPmids, &pmidList);
    ...
    /* Check that a profile has been received from the specified context */
    if (ctxnum < 0 || ctxnum >= cip->szProfile ||
        cip->profile[ctxnum] == NULL) {
        __pmNotifyErr(LOG_ERR, "DoFetch: no profile for ctxnum = %d\n", ctxnum);
        /* pb was pinned by __pmDecodeFetch above and is not unpinned on this path */
        return PM_ERR_NOPROFILE;
    }

__pmDecodeFetch pins the PDU buffer, but if the ctxnum is not valid, it is never unpinned.  This can be abused by unauthenticated pmcd clients to consume increasing amounts of memory, eventually crashing pmcd.
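The leak pattern reduced to a self-contained model (added here for illustration; this is not pmcd or libpcp code): the pin count that __pmPinPDUBuf/__pmUnpinPDUBuf maintain in libpcp is modelled as a plain counter, __pmDecodeFetch is replaced by a stub that pins and extracts ctxnum, and the PM_ERR_NOPROFILE value is a placeholder. dofetch_leaky mirrors the error path quoted above; dofetch_fixed releases the pin on every exit, which is the property a fix must restore.

```c
#include <stddef.h>
/* Constructed model of a libpcp PDU buffer: `pins` stands in for the pin count
 * that the real __pmPinPDUBuf/__pmUnpinPDUBuf maintain (not libpcp code). */
typedef struct { int pins; } pdu_buf_t;
typedef struct { int szProfile; void **profile; } client_t;
#define PM_ERR_NOPROFILE (-1)   /* placeholder value, not PCP's real error code */
static void model_unpin(pdu_buf_t *pb) { pb->pins--; }

/* Model of __pmDecodeFetch: pins the buffer, then reads ctxnum out of it. */
static int model_decode_fetch(pdu_buf_t *pb, int wire_ctxnum, int *ctxnum)
{
    pb->pins++;
    *ctxnum = wire_ctxnum;
    return 0;
}

/* Leaky shape of DoFetch: the profile check returns while pb is still pinned. */
int dofetch_leaky(client_t *cip, pdu_buf_t *pb, int wire_ctxnum)
{
    int ctxnum;
    model_decode_fetch(pb, wire_ctxnum, &ctxnum);
    if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL)
        return PM_ERR_NOPROFILE;          /* pin never released: one leak per bad fetch */
    model_unpin(pb);
    return 0;
}

/* Fixed shape: every exit path releases the pin the decoder took. */
int dofetch_fixed(client_t *cip, pdu_buf_t *pb, int wire_ctxnum)
{
    int ctxnum;
    model_decode_fetch(pb, wire_ctxnum, &ctxnum);
    if (ctxnum < 0 || ctxnum >= cip->szProfile || cip->profile[ctxnum] == NULL) {
        model_unpin(pb);                  /* release before the early return */
        return PM_ERR_NOPROFILE;
    }
    model_unpin(pb);
    return 0;
}

/* One fetch against a client whose only received profile is in slot 0; returns pins left. */
int pins_left_after_fetch(int (*dofetch)(client_t *, pdu_buf_t *, int), int wire_ctxnum)
{
    void *slots[2] = { &slots, NULL };    /* slot 0: any non-NULL marker; slot 1: no profile */
    client_t cip = { 2, slots };
    pdu_buf_t pb = { 0 };
    dofetch(&cip, &pb, wire_ctxnum);
    return pb.pins;                       /* 0 when balanced, >0 when leaked */
}
```

With the leaky variant every out-of-range or profile-less ctxnum leaves one pin behind, which is the unbounded growth the report describes; the fixed variant returns the buffer to zero pins on all paths.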
Comment 2 Mark Goodwin 2012-07-19 20:07:40 EDT
Ken requested assignment, thanks Ken!
Comment 3 Ken McDonell 2012-07-20 07:32:57 EDT
Created attachment 599366 [details]
proposed patch for dofetch.c

This one is done I believe.
Comment 4 Huzaifa S. Sidhpurwala 2012-08-16 00:09:31 EDT
Upstream patch:

http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=a7dc844d3586ea79887655a97c4252a79751fdae

This issue has been addressed in pcp-3.6.5.
