A crafted XDR message containing a string or bytes entity with a particularly large size but no content could cause xdr_opaque to leak virtual memory. Since the memory is never accessed, physical pages are not mapped (unless sysctl vm.overcommit_memory=2 is in effect).

This was discovered in the wake of CVE-2017-8779.

Upstream issue:
https://sourceware.org/bugzilla/show_bug.cgi?id=21461

Upstream patch:
https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html

CVE assignment:
https://seclists.org/oss-sec/2017/q2/218
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1448796]
Per discussion on the libc-alpha mailing list (linked https://sourceware.org/bugzilla/show_bug.cgi?id=21461#c7), this is an application vulnerability rather than a flaw in glibc. Users of the sunrpc library routines must be careful to use XDR_FREE, even when deserialisation failure occurs.
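To make the caller-side cleanup concrete, here is an added example that is not code from glibc, from the upstream patch or from this bug. It models, in a small self-contained decoder, the property that matters here: xdr_string/xdr_bytes allocate the destination buffer and store it in the caller's pointer before the payload is read, so a message that declares a length but carries no content leaves that allocation in the caller's hands when decoding fails. The stream struct, the sample messages and the helper names decode_string, decode_leaky, decode_safe and free_string are all assumptions of this example, XDR's 4-byte payload padding is omitted, and the crafted message uses a modest declared length (64 KiB) so that the demonstration allocation stays small.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for an XDR memory stream: a byte buffer plus a read cursor.
   (Assumed structure for this example, not glibc's XDR object.) */
struct xdr_mem {
    const uint8_t *buf;
    size_t len;
    size_t pos;
};

/* Read a 4-byte big-endian unsigned int, XDR's wire form of u_int. */
static int get_u32(struct xdr_mem *x, uint32_t *v)
{
    if (x->len - x->pos < 4) return 0;
    const uint8_t *p = x->buf + x->pos;
    *v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    x->pos += 4;
    return 1;
}

/* Read n raw payload bytes (the job xdr_opaque does); fails on short input. */
static int get_opaque(struct xdr_mem *x, char *dst, uint32_t n)
{
    if (x->len - x->pos < n) return 0;
    memcpy(dst, x->buf + x->pos, n);
    x->pos += n;
    return 1;
}

/* Model of xdr_string in decode mode: length prefix, then payload.
   As in the real routine, the buffer is allocated BEFORE the payload is read
   and stays in *cpp even when the payload read fails. Returns 1 on success. */
static int decode_string(struct xdr_mem *x, char **cpp, uint32_t maxsize)
{
    uint32_t size;
    if (!get_u32(x, &size)) return 0;
    if (size > maxsize) return 0;         /* rejected before any allocation */
    char *sp = *cpp;
    if (sp == NULL) {
        sp = malloc((size_t)size + 1);
        if (sp == NULL) return 0;
        *cpp = sp;                        /* ownership now rests with the caller */
    }
    sp[size] = '\0';
    return get_opaque(x, sp, size);       /* crafted input: declared size, no content */
}

/* The caller-side equivalent of running the string through XDR_FREE. */
static void free_string(char **cpp)
{
    free(*cpp);
    *cpp = NULL;
}

/* Leaky caller: treats a failed decode as having nothing to release. */
static int decode_leaky(const uint8_t *msg, size_t len, char **out)
{
    struct xdr_mem x = { msg, len, 0 };
    *out = NULL;
    return decode_string(&x, out, 1u << 20);   /* on failure *out may still own memory */
}

/* Correct caller: releases whatever the decoder allocated whenever it fails. */
static int decode_safe(const uint8_t *msg, size_t len, char **out)
{
    struct xdr_mem x = { msg, len, 0 };
    *out = NULL;
    if (!decode_string(&x, out, 1u << 20)) {
        free_string(out);
        return 0;
    }
    return 1;
}

/* Constructed sample input: declared length 0x00010000 followed by no payload. */
static const uint8_t CRAFTED[] = { 0x00, 0x01, 0x00, 0x00 };
/* Constructed well-formed input: length 2, payload "hi" (padding omitted here). */
static const uint8_t GOOD[] = { 0x00, 0x00, 0x00, 0x02, 'h', 'i' };

int main(void)
{
    char *s = NULL;
    int ok = decode_leaky(CRAFTED, sizeof CRAFTED, &s);
    printf("leaky caller: ok=%d, allocation left behind: %s\n", ok, s ? "yes" : "no");
    free(s);                               /* clean up what the leaky caller dropped */
    ok = decode_safe(CRAFTED, sizeof CRAFTED, &s);
    printf("safe caller:  ok=%d, allocation left behind: %s\n", ok, s ? "yes" : "no");
    ok = decode_safe(GOOD, sizeof GOOD, &s);
    printf("good message: ok=%d, value=\"%s\"\n", ok, s);
    free_string(&s);
    return 0;
}
```

With the real library the counterpart of free_string is xdr_free((xdrproc_t) xdr_string, (char *) &s), or running the same xdr_string call again on an XDR stream whose x_op is XDR_FREE; either must happen on the failure path as well as after successful use, and the pointer must start out NULL so the decoder allocates rather than writing into stale memory.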