commit libtirpc for openSUSE:Factory

Tue, 21 Sep 2021 12:12:27 -0700 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libtirpc for openSUSE:Factory 
checked in at 2021-09-21 21:12:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libtirpc (Old)
 and      /work/SRC/openSUSE:Factory/.libtirpc.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libtirpc"

Tue Sep 21 21:12:12 2021 rev:58 rq:919033 version:1.3.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/libtirpc/libtirpc.changes        2021-05-20 
19:23:30.694330060 +0200
+++ /work/SRC/openSUSE:Factory/.libtirpc.new.1899/libtirpc.changes      
2021-09-21 21:12:16.202579425 +0200
@@ -1,0 +2,6 @@
+Wed Sep 15 05:35:58 UTC 2021 - Petr Vorel <[email protected]>
+
+- Backport DoS vulnerability fix 0001-Fix-DoS-vulnerability-in-libtirpc.patch
+- Replace %setup with %autosetup
+
+-------------------------------------------------------------------

New:
----
  0001-Fix-DoS-vulnerability-in-libtirpc.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libtirpc.spec ++++++
--- /var/tmp/diff_new_pack.jiwZKn/_old  2021-09-21 21:12:16.778580076 +0200
+++ /var/tmp/diff_new_pack.jiwZKn/_new  2021-09-21 21:12:16.782580081 +0200
@@ -26,6 +26,7 @@
 URL:            https://sourceforge.net/projects/libtirpc/
 Source:         
https://download.sourceforge.net/libtirpc/%{name}-%{version}.tar.bz2
 Source1:        baselibs.conf
+Patch1:         0001-Fix-DoS-vulnerability-in-libtirpc.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(krb5)
 
@@ -67,7 +68,7 @@
 TCP over IPv4.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 sed -i -e 's|${includedir}/tirpc|${includedir}|g' libtirpc.pc.in

++++++ 0001-Fix-DoS-vulnerability-in-libtirpc.patch ++++++
>From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
From: Dai Ngo <[email protected]>
Date: Sat, 21 Aug 2021 13:16:23 -0400
Subject: [PATCH] Fix DoS vulnerability in libtirpc

Currently svc_run does not handle poll timeout and rendezvous_request
does not handle EMFILE error returned from accept(2 as it used to.
These two missing functionality were removed by commit b2c9430f46c4.

The effect of not handling poll timeout allows idle TCP conections
to remain ESTABLISHED indefinitely. When the number of connections
reaches the limit of the open file descriptors (ulimit -n) then
accept(2) fails with EMFILE. Since there is no handling of EMFILE
error this causes svc_run() to get in a tight loop calling accept(2).
This resulting in the RPC service of svc_run is being down, it's
no longer able to service any requests.

RPC service rpcbind, statd and mountd are effected by this
problem.

Fix by enhancing rendezvous_request to keep the number of
SVCXPRT conections to 4/5 of the size of the file descriptor
table. When this thresold is reached, it destroys the idle
TCP connections or destroys the least active connection if
no idle connnction was found.

Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
Signed-off-by: [email protected]
Signed-off-by: Steve Dickson <[email protected]>
[ pvorel: removed INSTALL file change as not related ]
Signed-off-by: Petr Vorel <[email protected]>
[ upstream status: 8652975 ("Fix DoS vulnerability in libtirpc") ]
---
 src/svc.c    |  17 ++-
 src/svc_vc.c |  62 ++++++++-
 3 files changed, 78 insertions(+), 372 deletions(-)
 mode change 100644 => 120000 INSTALL

diff --git a/src/svc.c b/src/svc.c
index 6db164b..3a8709f 100644
--- a/src/svc.c
+++ b/src/svc.c
@@ -57,7 +57,7 @@
 
 #define max(a, b) (a > b ? a : b)
 
-static SVCXPRT **__svc_xports;
+SVCXPRT **__svc_xports;
 int __svc_maxrec;
 
 /*
@@ -194,6 +194,21 @@ __xprt_do_unregister (xprt, dolock)
     rwlock_unlock (&svc_fd_lock);
 }
 
+int
+svc_open_fds()
+{
+       int ix;
+       int nfds = 0;
+
+       rwlock_rdlock (&svc_fd_lock);
+       for (ix = 0; ix < svc_max_pollfd; ++ix) {
+               if (svc_pollfd[ix].fd != -1)
+                       nfds++;
+       }
+       rwlock_unlock (&svc_fd_lock);
+       return (nfds);
+}
+
 /*
  * Add a service program to the callout list.
  * The dispatch routine will be called when a rpc request for this
diff --git a/src/svc_vc.c b/src/svc_vc.c
index f1d9f00..3dc8a75 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -64,6 +64,8 @@
 
 
 extern rwlock_t svc_fd_lock;
+extern SVCXPRT **__svc_xports;
+extern int svc_open_fds();
 
 static SVCXPRT *makefd_xprt(int, u_int, u_int);
 static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
@@ -82,6 +84,7 @@ static void svc_vc_ops(SVCXPRT *);
 static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
 static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
                                             void *in);
+static int __svc_destroy_idle(int timeout);
 
 struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
        u_int sendsize;
@@ -313,13 +316,14 @@ done:
        return (xprt);
 }
 
+
 /*ARGSUSED*/
 static bool_t
 rendezvous_request(xprt, msg)
        SVCXPRT *xprt;
        struct rpc_msg *msg;
 {
-       int sock, flags;
+       int sock, flags, nfds, cnt;
        struct cf_rendezvous *r;
        struct cf_conn *cd;
        struct sockaddr_storage addr;
@@ -379,6 +383,16 @@ again:
 
        gettimeofday(&cd->last_recv_time, NULL);
 
+       nfds = svc_open_fds();
+       if (nfds >= (_rpc_dtablesize() / 5) * 4) {
+               /* destroy idle connections */
+               cnt = __svc_destroy_idle(15);
+               if (cnt == 0) {
+                       /* destroy least active */
+                       __svc_destroy_idle(0);
+               }
+       }
+
        return (FALSE); /* there is never an rpc msg to be processed */
 }
 
@@ -820,3 +834,49 @@ __svc_clean_idle(fd_set *fds, int timeout, bool_t 
cleanblock)
 {
        return FALSE;
 }
+
+static int
+__svc_destroy_idle(int timeout)
+{
+       int i, ncleaned = 0;
+       SVCXPRT *xprt, *least_active;
+       struct timeval tv, tdiff, tmax;
+       struct cf_conn *cd;
+
+       gettimeofday(&tv, NULL);
+       tmax.tv_sec = tmax.tv_usec = 0;
+       least_active = NULL;
+       rwlock_wrlock(&svc_fd_lock);
+
+       for (i = 0; i <= svc_max_pollfd; i++) {
+               if (svc_pollfd[i].fd == -1)
+                       continue;
+               xprt = __svc_xports[i];
+               if (xprt == NULL || xprt->xp_ops == NULL ||
+                       xprt->xp_ops->xp_recv != svc_vc_recv)
+                       continue;
+               cd = (struct cf_conn *)xprt->xp_p1;
+               if (!cd->nonblock)
+                       continue;
+               if (timeout == 0) {
+                       timersub(&tv, &cd->last_recv_time, &tdiff);
+                       if (timercmp(&tdiff, &tmax, >)) {
+                               tmax = tdiff;
+                               least_active = xprt;
+                       }
+                       continue;
+               }
+               if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
+                       __xprt_unregister_unlocked(xprt);
+                       __svc_vc_dodestroy(xprt);
+                       ncleaned++;
+               }
+       }
+       if (timeout == 0 && least_active != NULL) {
+               __xprt_unregister_unlocked(least_active);
+               __svc_vc_dodestroy(least_active);
+               ncleaned++;
+       }
+       rwlock_unlock(&svc_fd_lock);
+       return (ncleaned);
+}
-- 
2.33.0

Reply via email to