#! /bin/sh -e # DP: Fixes security vulnerability in xdr-array.c as reported by CERT if [ $# -ne 2 ]; then echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" exit 1 fi case "$1" in -patch) patch -d "$2" -f --no-backup-if-mismatch -p0 < $0;; -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p0 < $0;; *) echo >&2 "`basename $0`: script expects -patch|-unpatch as argument" exit 1 esac exit 0 Hello Folks, The CERT/CC has been made aware of a buffer overflow vulnerability in the Sun RPC implementation. The information we have is that this vulnerability will be discussed this Wednesday at Black Hat. We are tracking this report as VU#192995. Please include this reference number in the subject field of any email you send to us concerning this issue. Currently available information is included below. We will most likely release a Vulnerability Note at least, so please provide status/patch information when possible. Regards, - Art Art Manion +1 412-268-7090 CERT Coordination Center http://www.cert.org/ Software Engineering Institute Carnegie Mellon University 8FE3 1F95 94BE FDE7 9BEE 9206 D735 ACF5 ====================================================================== Sun RPC XDR buffer overflow information ====================================================================== The implementation of xdr_array can be tricked into writing beyond the buffers it allocated when deserializing the XDR stream. The number of array elements "c" is taken from the XDR stream and the required bufferspace is calculated as nodesize = c * elsize; ("elsize" is specified by the program). Since all variables are unsigned ints, c*elsize can overflow if elsize > 1. This results in *addrp = target = (caddr_t)mem_alloc(nodesize); allocating too little memory for the unpack loop for (i = 0; (i < c) && stat; i++) { stat = (*elproc)(xdrs, target); target += elsize; } And thus a possible heap-overflow. 
There are a number of RPC services using xdr_array() with elsize > 1 which are enabled by default and run as root, hence this is a *buf* security problem.
--- sunrpc/xdr_array.c~ Tue May 21 12:34:05 2002
+++ sunrpc/xdr_array.c Tue May 21 12:33:58 2002
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 #ifdef USE_IN_LIBIO
 # include
@@ -81,7 +82,9 @@
 return FALSE;
 }
 c = *sizep;
- if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+
+ /* Make sure that "c * elsize" doesn't overflow */
+ if ((c > maxsize || UINT_MAX/elsize < c) && (xdrs->x_op != XDR_FREE))
 {
 return FALSE;
 }
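Review bot: The new guard `UINT_MAX/elsize < c` in the second hunk divides by the caller-supplied `elsize`, so an `elsize` of 0 would trap on the division rather than be rejected; folding `elsize == 0 ||` in front of the condition (or an explicit `if (elsize == 0) return FALSE;` ahead of it) closes that corner at no cost. The added comment should also state the assumption the bound relies on — that `c`, `elsize` and the later `nodesize = c * elsize` are all `unsigned int`, which is why `UINT_MAX` is the right limit — and say why the `xdrs->x_op != XDR_FREE` path is exempt, presumably because freeing never allocates from `nodesize`, which is not visible in the hunk. The `+#include` line in the first hunk is rendered here without its header name (presumably `<limits.h>`, which supplies `UINT_MAX`), so it is worth confirming the committed file carries it. xdr_array's body starts and ends outside the hunk.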