Slackware 14.2slackware-14.2

Thu Jun 30 20:26:57 UTC 2016
Slackware 14.2 x86_64 stable is released!

The long development cycle (the Linux community has lately been living in
"interesting times", as they say) is finally behind us, and we're proud to
announce the release of Slackware 14.2.  The new release brings many updates
and modern tools, has switched from udev to eudev (no systemd), and adds
well over a hundred new packages to the system.  Thanks to the team, the
upstream developers, the dedicated Slackware community, and everyone else
who pitched in to help make this release a reality.

The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided
32-bit/64-bit x86/x86_64 DVD.  Please consider supporting the Slackware
project by picking up a copy from store.slackware.com.  We're taking
pre-orders now, and offer a discount if you sign up for a subscription.

Have fun!  :-)

1 files changed, 82 insertions, 0 deletions

diff --git a/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch b/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
new file mode 100644
index 000000000..6a80742f0
--- /dev/null
+++ b/source/n/rpcbind/0002-Fix-memory-corruption-in-PMAP_CALLIT-code.patch
@@ -0,0 +1,82 @@
+From d5dace219953c45d26ae42db238052b68540649a Mon Sep 17 00:00:00 2001
+From: Olaf Kirch <okir@suse.de>
+Date: Fri, 30 Oct 2015 10:18:20 -0400
+Subject: [PATCH 2/4] Fix memory corruption in PMAP_CALLIT code
+
+ - A PMAP_CALLIT call comes in on IPv4 UDP
+ - rpcbind duplicates the caller's address to a netbuf and stores it in
+   FINFO[0].caller_addr. caller_addr->buf now points to a memory region A
+   with a size of 16 bytes
+ - rpcbind forwards the call to the local service, receives a reply
+ - when processing the reply, it does this in xprt_set_caller:
+    xprt->xp_rtaddr = *FINFO[0].caller_addr
+   It sends out the reply, and then frees the netbuf caller_addr and
+   caller_addr.buf.
+   However, it does not clear xp_rtaddr, so xp_rtaddr.buf now refers
+   to memory region A, which is free.
+ - When the next call comes in on the UDP/IPv4 socket, svc_dg_recv will
+   be called, which will set xp_rtaddr to the client's address.
+   It will reuse the buffer inside xp_rtaddr, ie it will write a
+   sockaddr_in to region A
+
+Some time down the road, an incoming TCP connection is accepted,
+allocating a fresh SVCXPRT. The memory region A is inside the
+new SVCXPRT
+
+ - While processing the TCP call, another UDP call comes in, again
+   overwriting region A with the client's address
+ - TCP client closes connection. In svc_destroy, we now trip over
+   the garbage left in region A
+
+We ran into the case where a commercial scanner was triggering
+occasional rpcbind segfaults. The core file that was captured showed
+a corrupted xprt->xp_netid pointer that was really a sockaddr_in.
+
+Signed-off-by: Olaf Kirch <okir@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/rpcb_svc_com.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c
+index ff9ce6b..4ae93f1 100644
+--- a/src/rpcb_svc_com.c
++++ b/src/rpcb_svc_com.c
+@@ -1183,12 +1183,33 @@ check_rmtcalls(struct pollfd *pfds, int nfds)
+ 	return (ncallbacks_found);
+ }
+ 
++/*
++ * This is really a helper function defined in libtirpc, 
++ * but unfortunately, it hasn't been exported yet.
++ */
++static struct netbuf *
++__rpc_set_netbuf(struct netbuf *nb, const void *ptr, size_t len)
++{
++	if (nb->len != len) {
++		if (nb->len)
++			mem_free(nb->buf, nb->len);
++		nb->buf = mem_alloc(len);
++		if (nb->buf == NULL)
++			return NULL;
++
++		nb->maxlen = nb->len = len;
++	}
++	memcpy(nb->buf, ptr, len);
++	return nb;
++}
++
+ static void
+ xprt_set_caller(SVCXPRT *xprt, struct finfo *fi)
+ {
++	const struct netbuf *caller = fi->caller_addr;
+ 	u_int32_t *xidp;
+ 
+-	*(svc_getrpccaller(xprt)) = *(fi->caller_addr);
++	__rpc_set_netbuf(svc_getrpccaller(xprt), caller->buf, caller->len);
+ 	xidp = __rpcb_get_dg_xidp(xprt);
+ 	*xidp = fi->caller_xid;
+ }
+-- 
+2.6.4
+