Changes committed to git://oss.sgi.com/pcp/pcp.git master
CHANGELOG | 40 ++++++++--
build/rpm/pcp.spec.in | 4 -
debian/changelog | 6 +
man/man1/pmcd.1 | 4 -
src/libpcp/src/logutil.c | 10 +-
src/libpcp/src/p_creds.c | 18 +++-
src/libpcp/src/p_desc.c | 12 +++
src/libpcp/src/p_error.c | 25 ++++--
src/libpcp/src/p_fetch.c | 23 ++++-
src/libpcp/src/p_instance.c | 57 +++++++++++---
src/libpcp/src/p_lcontrol.c | 51 ++++++++++--
src/libpcp/src/p_lrequest.c | 6 +
src/libpcp/src/p_lstatus.c | 5 +
src/libpcp/src/p_pmns.c | 115 ++++++++++++++++++++++------
src/libpcp/src/p_profile.c | 65 ++++++++++++----
src/libpcp/src/p_result.c | 167 +++++++++++++++++++++++++++++++-----------
src/libpcp/src/p_text.c | 17 ++++
src/libpcp/src/pdu.c | 38 +++++++++
src/libpcp/src/pmns.c | 7 +
src/libpcp_trace/src/p_ack.c | 6 +
src/libpcp_trace/src/p_data.c | 23 ++++-
src/pmcd/src/dofetch.c | 6 +
src/pmcd/src/dopdus.c | 34 +++-----
src/pmdas/trace/src/trace.c | 6 -
24 files changed, 577 insertions(+), 168 deletions(-)
commit fe51067ae869a4d59f350ac319b09edcb77ac8e6
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Tue Aug 14 11:42:49 2012 +1000
Update changelogs for pcp 3.6.5 release.
commit 3d5e11bf6a3680c048be9d524a82f35370eb0ad4
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Correct buffer unpinning logic in a PMNS traversal error path
This triggers an assertion failure in pminfo. Red Hat bugzilla
bug #847314, reported by Florian Weimer of the Red Hat Security
team.
commit d08105f0f36c24e3f6d1e28e6d2289001e03f589
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Fix a recent regression in log record decoding
The routines for decoding log records stored in PCP archives
share some code with the live host PDU decoding logic. They
make use of __pmDecodeResult, in particular. So, before this
change (and with the result decoding fixes), they no longer
function because the buffer they pass in for decoding does
not have a proper PDU header.
Previously this was not a problem, but now the decode routine
looks at the PDU header to determine the size of the buffer
being decoded. The fix is straight-forward - simply ensure
those header fields are initialised appropriately.
commit 9ba85dca940de976176ce196fd5e3c4170936354
Author: Ken McDonell <kenj@xxxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Resolve event-driven programming flaw in pmcd
Fix an issue where a misbehaving client could prevent pmcd from
responding to other legitimate requests. Now uses a dead-hand
timer to ensure a client does not feed tiny pieces of PDUs into
pmcd, preventing service to genuine clients.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841706.
Security advisory CVE-2012-3421.
commit 68fb968b4ee635bb301dc9ab64e633b0d66d27b4
Author: Ken McDonell <kenj@xxxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Fix in-band signalling in __pmGetPDU resulting in memory leak
The return value of __pmGetPDU is both an error code and the value of
the type field of the PDU. A negative type value is treated as an error
by HandleClientInput, and the PDU is never unpinned, even though it was
pinned by __pmGetPDU because there was no error. This leads to a memory
leak and eventual pmcd crash.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841319.
Security advisory CVE-2012-3420.
commit eeb31d44e274ddab4409d7afb3d1da0153eb2fb1
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Minor cleanup in the result PDU decoding routine
Remove unused variables, needlessly initialised variables, and
a spurious long-forgotten call to __pmLastVersionIPC where the
result is never used.
commit 49c679c44425915a8d6aa4af5f90b35384843c12
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:46 2012 +1000
Resolve multiple issues in PCP result PDU decoding routine
The value of numpmid was not validated against the overall PDU size.
Processing a crafted PDU could read past the end of the PDU, crashing
the process or disclosing information.
The embedded numval counts are not checked, either, with similar results.
In the valfmt != PM_VAL_INSITU case, the extracted pointer may point
outside the area which holds such values. This can result in crashes
or information disclosure. The length field inside the value is not
validated against the PDU size. Values could be made to overlap with
each other or with other parts of the PDU, which is also a problem.
pmcd uses __pmDecodeResult, but only after store authorization, so the
function is only exposed to localhost in the default configuration.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841159.
Security advisory CVE-2012-3418.
commit a7dc844d3586ea79887655a97c4252a79751fdae
Author: Ken McDonell <kenj@xxxxxxxxxxx>
Date: Mon Aug 13 11:28:45 2012 +1000
Fix memory leak in pmcd DoFetch error path
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841298.
Security advisory CVE-2012-3420.
commit 9673dc36b2acf29cf2b99ad5bf9d814feb833c39
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:45 2012 +1000
Harden the error PDU decoding
Ensure the PDU length field matches size of the receiving struct.
commit b9f41448621b01988f72bd41d4764a5570e606ba
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:45 2012 +1000
Add missing PDU length checks in __pmDecodeLogControl routine
__pmDecodeLogControl did not check the c_numpmid and v_numval fields
against the size of the PDU. Due to the way the sizes passed to malloc
are calculated, heap objects could be allocated which are too small,
leading to a heap-based buffer overflow.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841290.
Security advisory CVE-2012-3418.
commit 5b97cdc78c83e308a88462ba77ca392258577efb
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:45 2012 +1000
Harden the trace data PDU decoding
Ensure the PDU length field matches size of the receiving struct.
Also validate tag length field, and rearrange the tag string mem
allocation to match intended use (correct buffer pinning model).
commit 44b80ccf43dbccd7db5cbea0011c98f9046ec1e9
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:45 2012 +1000
Harden the trace ack PDU decoding
Ensure the PDU length field matches size of the receiving struct.
commit 5b06d263c942f30a34da3f29679472f41593bf9e
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:44 2012 +1000
Harden the log status PDU decoding
Ensure the PDU length field matches size of the receiving struct.
commit b5e249172429e0305404b4bbd942a2efee2b95d4
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:44 2012 +1000
Harden the log request PDU decoding
Ensure the PDU length field matches size of the receiving struct.
commit 9f4e392c97ce42744ec73f82268ce6c815fdca0e
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:44 2012 +1000
Fix heap overflow in __pmDecodeText routine
__pmDecodeText does not check the buflen field against the PDU
length, leading to a read overflow. Furthermore, buflen is not
validated prior to a malloc call.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841249.
Security advisory CVE-2012-3418.
commit b33b3fe43b89ab2cdd488f6ecb0f876530fa953e
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:44 2012 +1000
Harden the text request PDU decoding
Ensure the PDU length field matches size of the receiving struct.
commit f190942b552aa80d59bbe718866aa00b8e3fd5cc
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:44 2012 +1000
Fix heap buffer overflow in __pmDecodeInstanceReq routine
__pmDecodeInstanceReq does not check the namelen field against the
PDU length, leading to a read overflow. Furthermore, namelen is not
validated prior to a malloc call.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security Team. Red Hat bugzilla bug #841240.
Security advisory CVE-2012-3418.
commit babd6c5c527f87ec838c13a1b4eba612af6ea27c
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Add field validation to PCP instance PDU decoding
__pmDecodeInstance does not check the numinst and namelen values against
the length of the PDU. As a result, an application which decodes crafted
PDU_INSTANCE packets can crash.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841284.
Security advisory CVE-2012-3418.
commit bfb3ab8c6b3d75b1a6580feee76a7d0925a3633c
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Fix buffer overflow in __pmDecodeNameReq routine
DecodeNameReq does not check the namelen field against the PDU size.
This can lead to a crash.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841180.
Security advisory CVE-2012-3418.
commit b441980d53be1835b25f0cd6bcc0062da82032dd
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Add missing check against PDU size in __pmDecodeIDList routine
__pmDecodeIDList did not check that the incoming PDU actually contains
room for numids elements. This could result in a client crash (read
buffer overflow, not exploitable for code execution) should a server
send too few IDs.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841112.
Security advisory CVE-2012-3418.
commit f0eaefe046b1061797f45b0c20bb2ac371b504a5
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Resolve buffer overflows in __pmDecodeNameList routine
__pmDecodeNameList fetches the number of bytes to allocate for storing
the incoming name strings from the PDU. The function does not check if
the strings provided later actually fit into the buffer, leading to a
heap-based buffer overflow.
In addition, __pmDecodeNameList does not properly check the length
of the status and names arrays against the PDU length, and does not
guard against integer overflow when calculating the malloc argument.
This leads to another heap-based buffer overflow.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #840920.
Security advisory CVE-2012-3418.
commit 7eb479b91ef12bf89a15b078af2107c8c4746a4a
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Add missing namelen checks in __pmDecodeFetch routine
pmcd crashes when processing a crafted PDU_FETCH request because of a
missing length check in __pmDecodeFetch. Code execution through this
bug appears unlikely because the loop which runs past the end of the
PDU only performs byte swapping (on little-endian architectures).
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841183.
Security advisory CVE-2012-3418.
commit e4faa1f0ba29151340920d975fc7639adf8371d5
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Add missing PDU length checks in __pmDecodeProfile routine
__pmDecodeProfile did not check whether the PDU actually contains room for
profile_len elements of type __pmInDomProfile, or instances_len elements
of type int. This leads to a read buffer overflow and crash in pmcd.
On 32-bit architectures, the malloc size calculations can overflow,
leading to a heap-based buffer overflow when the code writes past the
end of the allocated buffer.
Original report and fixes reviewed by Florian Weimer of the Red Hat
Security team. Red Hat bugzilla bug #841126.
Security advisory CVE-2012-3418.
commit 46961420c503e0d1218e0c8b465ca9d2d06cbd36
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:43 2012 +1000
Harden the descriptor PDU decoding
Ensure the PDU length field matches size of the receiving struct.
Covers both descriptor and descriptor request PDU decoding.
commit cced6012b4b93bfb640a9678589ced5416743910
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Mon Aug 13 11:28:42 2012 +1000
Fix crash in __pmDecodeCreds handling corrupt PDUs
Resolve problem decoding the credentials PDU where the numcreds field
exceeds the number of elements actually contained in the PDU.
On 32-bit architectures, the size passed to malloc can be too small,
leading to a heap-based buffer overflow. On 64-bit architectures,
the multiplication is performed with 64 bits, so no overflow occurs,
and the crash happens because __pmDecodeCreds reads beyond the end of
an allocated buffer.
Original report and patch review by Florian Weimer with the Red Hat
Security Team. Red Hat bugzilla bug #840822.
Security advisory CVE-2012-3418.
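The length-check pattern these decode fixes share (the __pmDecodeIDList, __pmDecodeProfile and __pmDecodeCreds messages above all describe it), shown as an added example that is not PCP's code: a hypothetical ID-list PDU layout (header fields len, type, numids followed by 32-bit ids; host byte order assumed) whose decoder checks the length field against the bytes received and validates the count against the remaining PDU size by division, so the malloc-size product can never wrap on a 32-bit host and a count larger than the data actually sent is rejected before any copy.

```c
/* Added illustrative decoder, not PCP code; host byte order assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct {            /* fixed part of a hypothetical ID-list PDU */
    uint32_t len;           /* total PDU length in bytes, header included */
    uint32_t type;
    uint32_t numids;        /* peer-controlled count of 32-bit ids that follow */
} idlist_hdr_t;
/* Decode the ids into a malloc'd array (caller frees *out). Returns the
 * count, or -1 for a malformed PDU; the checks run in the order shown. */
int decode_idlist(const unsigned char *buf, size_t buflen, uint32_t **out)
{
    idlist_hdr_t hdr;
    size_t need;
    *out = NULL;
    if (buflen < sizeof hdr)                /* fixed part must be present */
        return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.len != buflen)                  /* length field vs bytes received */
        return -1;
    /* Compare by division so numids * 4 is never formed from an unchecked
     * value: that product is what wraps the malloc size on 32-bit hosts. */
    if (hdr.numids > (buflen - sizeof hdr) / sizeof(uint32_t))
        return -1;                          /* PDU too short for numids ids */
    need = (size_t)hdr.numids * sizeof(uint32_t);   /* fits in buf, no wrap */
    if ((*out = malloc(need ? need : 1)) == NULL)
        return -1;
    memcpy(*out, buf + sizeof hdr, need);   /* bounded by the check above */
    return (int)hdr.numids;
}
/* Constructed sample: a PDU carrying ids 1..8, decoded as if actual_len bytes
 * arrived; returns the decoder's result, or -2 if the ids came back wrong. */
int decode_sample(uint32_t claimed_len, uint32_t numids, size_t actual_len)
{
    static const uint32_t ids_in[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    unsigned char buf[64] = {0};
    idlist_hdr_t hdr = { claimed_len, 1, numids };
    uint32_t *ids = NULL;
    int n, i;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, ids_in, sizeof ids_in);
    n = decode_idlist(buf, actual_len, &ids);
    for (i = 0; i < n; i++)
        if (ids[i] != ids_in[i])
            n = -2;                         /* copied data did not match */
    free(ids);
    return n;
}
```

The division form of the count check is the same defence regardless of pointer width; a multiply-then-compare check passes on 64-bit hosts and wraps on 32-bit ones, which is exactly the split the __pmDecodeCreds message describes.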