| From 226b46770c82899b555986583294b049c6ec9b40 Mon Sep 17 00:00:00 2001 |
| From: Florian Weimer <fweimer@redhat.com> |
| Date: Mon, 17 Jan 2022 10:21:34 +0100 |
| Subject: [PATCH] CVE-2022-23219: Buffer overflow in sunrpc clnt_create for |
| "unix" (bug 22542) |
| |
| Processing an overlong pathname in the sunrpc clnt_create function |
| results in a stack-based buffer overflow. |
| |
| Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=226b46770c82899b555986583294b049c6ec9b40] |
| CVE: CVE-2022-23219 |
| |
| Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> |
| Signed-off-by: Pgowda <pgowda.cve@gmail.com> |
| --- |
| NEWS | 4 +++- |
| sunrpc/clnt_gen.c | 10 +++++++--- |
| 2 files changed, 10 insertions(+), 4 deletions(-) |
| |
| diff --git a/NEWS b/NEWS |
| index ddd95a8329..38a9ddb2cf 100644 |
| --- a/NEWS |
| +++ b/NEWS |
| @@ -206,6 +206,10 @@ Security related changes: |
| CVE-2022-23218: Passing an overlong file name to the svcunix_create |
| legacy function could result in a stack-based buffer overflow. |
| |
| + CVE-2022-23219: Passing an overlong file name to the clnt_create |
| + legacy function could result in a stack-based buffer overflow when |
| + using the "unix" protocol. Reported by Martin Sebor. |
| + |
| The following bugs are resolved with this release: |
| |
| [4737] libc: fork is not async-signal-safe |
| diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c |
| index 13ced8994e..b44357cd88 100644 |
| --- a/sunrpc/clnt_gen.c |
| +++ b/sunrpc/clnt_gen.c |
| @@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_lon |
| |
| if (strcmp (proto, "unix") == 0) |
| { |
| - memset ((char *)&sun, 0, sizeof (sun)); |
| - sun.sun_family = AF_UNIX; |
| - strcpy (sun.sun_path, hostname); |
| + if (__sockaddr_un_set (&sun, hostname) < 0) |
| + { |
| + struct rpc_createerr *ce = &get_rpc_createerr (); |
| + ce->cf_stat = RPC_SYSTEMERROR; |
| + ce->cf_error.re_errno = errno; |
| + return NULL; |
| + } |
| sock = RPC_ANYSOCK; |
| client = clntunix_create (&sun, prog, vers, &sock, 0, 0); |
| if (client == NULL) |
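Review bot: The new branch calls `__sockaddr_un_set` and reads `errno`, but the hunk adds no `#include` or declaration for either, so it depends on the rest of clnt_gen.c already providing them and on the helper already existing in the tree; as a backport this only builds if the change that introduced `__sockaddr_un_set` (which appears to have landed with the CVE-2022-23218 fix mentioned in NEWS) is applied first, and the patch description does not state that prerequisite. Consider recording it in the description, or adding a comment above the call such as `/* Rejects pathnames that do not fit in sun_path (CVE-2022-23219); errno is expected to be set by the helper on failure.  */` — the errno behaviour is inferred, since the helper's body is not in this hunk. The enclosing clnt_create function starts before and continues after this hunk.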