Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
aports
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Monitor
Service Desk
Analyze
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
alpine
aports
Commits
22515e63
Verified
Commit
22515e63
authored
2 years ago
by
alice
Browse files
Options
Downloads
Patches
Plain Diff
main/libtirpc: fix CVE-2021-46828
parent
7bda4820
No related branches found
No related tags found
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
main/libtirpc/APKBUILD
+12
-4
12 additions, 4 deletions
main/libtirpc/APKBUILD
main/libtirpc/CVE-2021-46828.patch
+181
-0
181 additions, 0 deletions
main/libtirpc/CVE-2021-46828.patch
with
193 additions
and
4 deletions
main/libtirpc/APKBUILD
+
12
−
4
View file @
22515e63
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname
=
libtirpc
pkgver
=
1.3.1
pkgrel
=
0
pkgrel
=
1
pkgdesc
=
"Transport Independent RPC library (SunRPC replacement)"
url
=
"https://sourceforge.net/projects/libtirpc"
arch
=
"all"
...
...
@@ -11,17 +11,22 @@ depends="$pkgname-conf"
depends_dev
=
"krb5-dev bsd-compat-headers"
makedepends
=
"
$depends_dev
autoconf automake libtool linux-headers"
subpackages
=
"
$pkgname
-dbg
$pkgname
-static
$pkgname
-dev
$pkgname
-doc
$pkgname
-dbg
$pkgname
-conf::noarch
$pkgname
-nokrb
"
source
=
"https://sourceforge.net/projects/libtirpc/files/libtirpc/
$pkgver
/libtirpc-
$pkgver
.tar.bz2
soname-suffix.patch
CVE-2021-46828.patch
"
# secfixes:
# 1.3.1-r1:
# - CVE-2021-46828
prepare
()
{
default_prepare
autoreconf
-fi
...
...
@@ -63,5 +68,8 @@ nokrb() {
amove usr/lib/libtirpc-nokrb.
*
}
sha512sums
=
"131f746800ac7280cc3900597018fc8dbc8da50c14e29dbaccf36a6d110eded117351108c6b069eaac90d77cfec17014b08e9afddcf153fda2d780ba64260cbc libtirpc-1.3.1.tar.bz2
8bd50cab1e34a88f4f82ae722bdd60839212173a0ac6ceef21dee4dceea37a9fa2953b8a40068918b3c0d95b476111f0d7f19830efd3e4bff1ec5e72a5f9fade soname-suffix.patch"
sha512sums
=
"
131f746800ac7280cc3900597018fc8dbc8da50c14e29dbaccf36a6d110eded117351108c6b069eaac90d77cfec17014b08e9afddcf153fda2d780ba64260cbc libtirpc-1.3.1.tar.bz2
8bd50cab1e34a88f4f82ae722bdd60839212173a0ac6ceef21dee4dceea37a9fa2953b8a40068918b3c0d95b476111f0d7f19830efd3e4bff1ec5e72a5f9fade soname-suffix.patch
6dd683c5c83772de71918c3f5e61500e7455bb55d68e4ea55592fc64bb3f42bfc5275f56e835aa61cd21a1a3a8e76d5c2ec68809c404839e5d04f6f86263566d CVE-2021-46828.patch
"
This diff is collapsed.
Click to expand it.
main/libtirpc/CVE-2021-46828.patch
0 → 100644
+
181
−
0
View file @
22515e63
Patch-Source: https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
garbage trimmed
---
From 86529758570cef4c73fb9b9c4104fdc510f701ed Mon Sep 17 00:00:00 2001
From: Dai Ngo <dai.ngo@oracle.com>
Date: Sat, 21 Aug 2021 13:16:23 -0400
Subject: [PATCH 1/1] Fix DoS vulnerability in libtirpc
Currently svc_run does not handle poll timeout and rendezvous_request
does not handle EMFILE error returned from accept(2 as it used to.
These two missing functionality were removed by commit b2c9430f46c4.
The effect of not handling poll timeout allows idle TCP conections
to remain ESTABLISHED indefinitely. When the number of connections
reaches the limit of the open file descriptors (ulimit -n) then
accept(2) fails with EMFILE. Since there is no handling of EMFILE
error this causes svc_run() to get in a tight loop calling accept(2).
This resulting in the RPC service of svc_run is being down, it's
no longer able to service any requests.
RPC service rpcbind, statd and mountd are effected by this
problem.
Fix by enhancing rendezvous_request to keep the number of
SVCXPRT conections to 4/5 of the size of the file descriptor
table. When this thresold is reached, it destroys the idle
TCP connections or destroys the least active connection if
no idle connnction was found.
Fixes: 44bf15b8 rpcbind: don't use obsolete svc_fdset interface of libtirpc
Signed-off-by: dai.ngo@oracle.com
Signed-off-by: Steve Dickson <steved@redhat.com>
---
INSTALL | 371 +----------------------------------------------------------
src/svc.c | 17 ++-
src/svc_vc.c | 62 +++++++++-
3 files changed, 78 insertions(+), 372 deletions(-)
mode change 100644 => 120000 INSTALL
diff --git a/src/svc.c b/src/svc.c
index 6db164b..3a8709f 100644
--- a/src/svc.c
+++ b/src/svc.c
@@ -57,7 +57,7 @@
#define max(a, b) (a > b ? a : b)
-static SVCXPRT **__svc_xports;
+SVCXPRT **__svc_xports;
int __svc_maxrec;
/*
@@ -194,6 +194,21 @@
__xprt_do_unregister (xprt, dolock)
rwlock_unlock (&svc_fd_lock);
}
+int
+svc_open_fds()
+{
+ int ix;
+ int nfds = 0;
+
+ rwlock_rdlock (&svc_fd_lock);
+ for (ix = 0; ix < svc_max_pollfd; ++ix) {
+ if (svc_pollfd[ix].fd != -1)
+ nfds++;
+ }
+ rwlock_unlock (&svc_fd_lock);
+ return (nfds);
+}
+
/*
* Add a service program to the callout list.
* The dispatch routine will be called when a rpc request for this
diff --git a/src/svc_vc.c b/src/svc_vc.c
index f1d9f00..3dc8a75 100644
--- a/src/svc_vc.c
+++ b/src/svc_vc.c
@@ -64,6 +64,8 @@
extern rwlock_t svc_fd_lock;
+extern SVCXPRT **__svc_xports;
+extern int svc_open_fds();
static SVCXPRT *makefd_xprt(int, u_int, u_int);
static bool_t rendezvous_request(SVCXPRT *, struct rpc_msg *);
@@ -82,6 +84,7 @@
static void svc_vc_ops(SVCXPRT *);
static bool_t svc_vc_control(SVCXPRT *xprt, const u_int rq, void *in);
static bool_t svc_vc_rendezvous_control (SVCXPRT *xprt, const u_int rq,
void *in);
+static int __svc_destroy_idle(int timeout);
struct cf_rendezvous { /* kept in xprt->xp_p1 for rendezvouser */
u_int sendsize;
@@ -313,13 +316,14 @@
done:
return (xprt);
}
+
/*ARGSUSED*/
static bool_t
rendezvous_request(xprt, msg)
SVCXPRT *xprt;
struct rpc_msg *msg;
{
- int sock, flags;
+ int sock, flags, nfds, cnt;
struct cf_rendezvous *r;
struct cf_conn *cd;
struct sockaddr_storage addr;
@@ -379,6 +383,16 @@
again:
gettimeofday(&cd->last_recv_time, NULL);
+ nfds = svc_open_fds();
+ if (nfds >= (_rpc_dtablesize() / 5) * 4) {
+ /* destroy idle connections */
+ cnt = __svc_destroy_idle(15);
+ if (cnt == 0) {
+ /* destroy least active */
+ __svc_destroy_idle(0);
+ }
+ }
+
return (FALSE); /* there is never an rpc msg to be processed */
}
@@ -820,3 +834,49 @@
__svc_clean_idle(fd_set *fds, int timeout, bool_t cleanblock)
{
return FALSE;
}
+
+static int
+__svc_destroy_idle(int timeout)
+{
+ int i, ncleaned = 0;
+ SVCXPRT *xprt, *least_active;
+ struct timeval tv, tdiff, tmax;
+ struct cf_conn *cd;
+
+ gettimeofday(&tv, NULL);
+ tmax.tv_sec = tmax.tv_usec = 0;
+ least_active = NULL;
+ rwlock_wrlock(&svc_fd_lock);
+
+ for (i = 0; i <= svc_max_pollfd; i++) {
+ if (svc_pollfd[i].fd == -1)
+ continue;
+ xprt = __svc_xports[i];
+ if (xprt == NULL || xprt->xp_ops == NULL ||
+ xprt->xp_ops->xp_recv != svc_vc_recv)
+ continue;
+ cd = (struct cf_conn *)xprt->xp_p1;
+ if (!cd->nonblock)
+ continue;
+ if (timeout == 0) {
+ timersub(&tv, &cd->last_recv_time, &tdiff);
+ if (timercmp(&tdiff, &tmax, >)) {
+ tmax = tdiff;
+ least_active = xprt;
+ }
+ continue;
+ }
+ if (tv.tv_sec - cd->last_recv_time.tv_sec > timeout) {
+ __xprt_unregister_unlocked(xprt);
+ __svc_vc_dodestroy(xprt);
+ ncleaned++;
+ }
+ }
+ if (timeout == 0 && least_active != NULL) {
+ __xprt_unregister_unlocked(least_active);
+ __svc_vc_dodestroy(least_active);
+ ncleaned++;
+ }
+ rwlock_unlock(&svc_fd_lock);
+ return (ncleaned);
+}
--
1.8.3.1
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment