From patchwork Fri Dec 4 16:00:27 2020
X-Patchwork-Submitter: Stefan Liebler
X-Patchwork-Id: 1411156
To: libc-alpha@sourceware.org
Subject: [PATCH v2] Handle out-of-memory case in svc_tcp.c/svc_unix.c:rendezvous_request.
Date: Fri, 4 Dec 2020 17:00:27 +0100
Message-Id: <20201204160027.3844260-1-stli@linux.ibm.com>
List-Id: Libc-alpha mailing list
From: Stefan Liebler

If glibc is built with -O3 on at least 390 (-m31) or x86 (-m32),
gcc 11 dumps this warning:

svc_tcp.c: In function 'rendezvous_request':
svc_tcp.c:274:3: error: 'memcpy' offset [0, 15] is out of the bounds [0, 0] [-Werror=array-bounds]
  274 |   memcpy (&xprt->xp_raddr, &addr, sizeof (addr));
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

In out-of-memory case, if one of the mallocs in makefd_xprt function
returns NULL, a message is dumped, makefd_xprt returns NULL
and the subsequent memcpy would copy to NULL.

Instead of segfaulting, we delay a bit (see also __svc_accept_failed and
Bug 14889 (CVE-2011-4609) - svc_run() produces high cpu usage when accept() fails with EMFILE (CVE-2011-4609)).

The same applies to svc_unix.c.

Reviewed-by: Adhemerval Zanella
---
 include/rpc/svc.h | 1 +
 sunrpc/svc.c | 10 ++++++++--
 sunrpc/svc_tcp.c | 8 ++++++++
 sunrpc/svc_unix.c | 8 ++++++++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/rpc/svc.h b/include/rpc/svc.h index 465bf4427d..d9c0e8fbca 100644 --- a/include/rpc/svc.h +++ b/include/rpc/svc.h @@ -38,6 +38,7 @@ libc_hidden_proto (svc_getreq_common) libc_hidden_proto (svc_getreq_poll) extern void __svc_accept_failed (void) attribute_hidden; +extern void __svc_wait_on_error (void) attribute_hidden; # endif /* !_ISOMAC */ #endif diff --git a/sunrpc/svc.c b/sunrpc/svc.c index 917e9a311c..3ed6cee09e 100644 --- a/sunrpc/svc.c +++ b/sunrpc/svc.c 
@@ -545,6 +545,13 @@ svc_getreq_common (const int fd) } libc_hidden_nolink_sunrpc (svc_getreq_common, GLIBC_2_2) +void +__svc_wait_on_error (void) +{ + struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 }; + __nanosleep (&ts, NULL); +} + /* If there are no file descriptors available, then accept will fail. We want to delay here so the connection request can be dequeued; otherwise we can bounce between polling and accepting, never giving the @@ -555,8 +562,7 @@ __svc_accept_failed (void) { if (errno == EMFILE) { - struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 }; - __nanosleep (&ts, NULL); + __svc_wait_on_error (); } } diff --git a/sunrpc/svc_tcp.c b/sunrpc/svc_tcp.c index efbdd22548..12de60f605 100644 --- a/sunrpc/svc_tcp.c +++ b/sunrpc/svc_tcp.c @@ -271,6 +271,14 @@ again: * make a new transporter (re-uses xprt) */ xprt = makefd_xprt (sock, r->sendsize, r->recvsize); + + /* If we are out of memory, makefd_xprt has already dumped an error. */ + if (xprt == NULL) + { + __svc_wait_on_error (); + return FALSE; + } + memcpy (&xprt->xp_raddr, &addr, sizeof (addr)); xprt->xp_addrlen = len; return FALSE; /* there is never an rpc msg to be processed */ diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c index e01afeabe6..3decea427c 100644 --- a/sunrpc/svc_unix.c +++ b/sunrpc/svc_unix.c @@ -270,6 +270,14 @@ again: memset (&in_addr, '\0', sizeof (in_addr)); in_addr.sin_family = AF_UNIX; xprt = makefd_xprt (sock, r->sendsize, r->recvsize); + + /* If we are out of memory, makefd_xprt has already dumped an error. */ + if (xprt == NULL) + { + __svc_wait_on_error (); + return FALSE; + } + memcpy (&xprt->xp_raddr, &in_addr, sizeof (in_addr)); xprt->xp_addrlen = len; return FALSE; /* there is never an rpc msg to be processed */
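
Review bot: __svc_wait_on_error in sunrpc/svc.c is added with no comment, while the existing comment block below it ("If there are no file descriptors available, then accept will fail...") still describes only the EMFILE case in __svc_accept_failed. Please add a short comment above the new helper stating that it is a fixed 50 ms back-off for transient resource failures, now shared by the accept() failure path and the makefd_xprt allocation failure path, so that the poll loop does not spin. As a style point, the body of `if (errno == EMFILE)` is a single statement after this change, so the braces around `__svc_wait_on_error ();` can be dropped.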
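
Review bot: the new `if (xprt == NULL)` return in rendezvous_request (sunrpc/svc_tcp.c, and the identical block in sunrpc/svc_unix.c) leaves `sock` open. The accepted descriptor was handed to makefd_xprt and nothing in the visible lines closes it on the failure path, so unless makefd_xprt closes it itself, every failed allocation leaks one socket. Under sustained memory pressure that pushes the process toward the EMFILE condition that __svc_accept_failed exists to handle. Suggest closing sock before `__svc_wait_on_error ();`, or extending the comment to say that makefd_xprt already closes it on failure if that is the case.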