From: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Tue, 29 Sep 2015 18:39:42 +0000 (UTC)
Message-Id: <20150929183942.569F311FD@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-15:24.rpcbind                                    Security Advisory
                                                          The FreeBSD Project

Topic:          rpcbind(8) remote denial of service

Category:       core
Module:         rpcbind
Announced:      2015-09-29
Affects:        All supported versions of FreeBSD.
Corrected:      2015-09-29 18:06:27 UTC (stable/10, 10.2-STABLE)
                2015-09-29 18:07:18 UTC (releng/10.2, 10.2-RELEASE-p4)
                2015-09-29 18:07:18 UTC (releng/10.1, 10.1-RELEASE-p21)
                2015-09-29 18:06:27 UTC (stable/9, 9.3-STABLE)
                2015-09-29 18:07:18 UTC (releng/9.3, 9.3-RELEASE-p27)
CVE Name:       CVE-2015-7236

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Sun RPC is a remote procedure call framework which allows clients to
invoke procedures in a server process over a network transparently.
The rpcbind(8) utility is a server that converts RPC program numbers
into universal addresses.  It must be running on the host to be able to
make RPC calls on a server on that machine.

The Sun RPC framework uses a netbuf structure to represent the
transport specific form of a universal transport address.  The
structure is expected to be opaque to consumers.  In the current
implementation, the structure contains a pointer to a buffer that holds
the actual address.
II.  Problem Description

In rpcbind(8), netbuf structures are copied directly, which would result
in two netbuf structures that reference one shared address buffer.  When
one of the two netbuf structures is freed, access to the other netbuf
structure would result in an undefined result that may crash the
rpcbind(8) daemon.

III. Impact

A remote attacker who can send specifically crafted packets to the
rpcbind(8) daemon can cause it to crash, resulting in a denial of
service condition.

IV.  Workaround

No workaround is available, but systems that do not provide the
rpcbind(8) service to untrusted systems, or do not provide any RPC
services, are not vulnerable.  On FreeBSD, typical RPC-based services
include NIS and NFS.

Alternatively, rpcbind(8) can be configured to bind to specific IP
address(es) by using the '-h' option.  This may be used to reduce the
attack vector when the system has multiple network interfaces and some
of them face an untrusted network.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart the applicable daemons, or reboot the system.  Because
rpcbind(8) is an essential service to all RPC service daemons, these
daemons may also need to be restarted.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the applicable daemons, or reboot the system.  Because
rpcbind(8) is an essential service to all RPC service daemons, these
daemons may also need to be restarted.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc
# gpg --verify rpcbind.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r288384
releng/9.3/                                                       r288385
stable/10/                                                        r288384
releng/10.1/                                                      r288385
releng/10.2/                                                      r288385
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References
The latest revision of this advisory is available at
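The shared-buffer bug described in section II of the advisory, reduced to a stand-alone program. This is an added example, not FreeBSD's rpcbind code or the SA-15:24 patch: `struct netbuf` mirrors the TI-RPC layout from <rpc/types.h> (maxlen, len, buf), but the helper names, the 192.0.2.1:111 sample address and the two check functions are this example's own. It shows why a plain struct assignment of a netbuf leaves two owners of one heap buffer, and what the copy has to do instead.

```c
/*
 * Added example (not FreeBSD's rpcbind code): the netbuf aliasing bug
 * from FreeBSD-SA-15:24.  struct netbuf mirrors <rpc/types.h>; the
 * helpers, sample address and function names are this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct netbuf {
	unsigned int maxlen;	/* bytes allocated at buf */
	unsigned int len;	/* bytes of address in use */
	void *buf;		/* transport-specific address bytes */
};

/* Constructed sample: a BSD sockaddr_in for 192.0.2.1:111 (sin_len 16,
 * AF_INET 2, port 0x006f, address, zero padding).  Illustrative only. */
static const unsigned char sample_addr[16] = {
	16, 2, 0x00, 0x6f, 192, 0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Give nb its own heap copy of len bytes at src.  Returns 0 on success. */
static int
netbuf_init(struct netbuf *nb, const void *src, unsigned int len)
{
	nb->buf = malloc(len);
	if (nb->buf == NULL)
		return (-1);
	memcpy(nb->buf, src, len);
	nb->len = nb->maxlen = len;
	return (0);
}

/* Release the buffer nb owns and clear the pointer so that a later
 * misuse fails loudly instead of silently reusing freed memory. */
static void
netbuf_free(struct netbuf *nb)
{
	free(nb->buf);
	nb->buf = NULL;
	nb->len = nb->maxlen = 0;
}

/* The pattern the advisory describes: struct assignment copies the
 * pointer, so dst and src now refer to one heap buffer.  Whichever is
 * freed first leaves the other dangling; freeing both is a double free. */
static void
netbuf_copy_shallow(struct netbuf *dst, const struct netbuf *src)
{
	*dst = *src;
}

/* Hardened copy: dst gets a private buffer holding src's len bytes. */
static int
netbuf_copy_deep(struct netbuf *dst, const struct netbuf *src)
{
	return (netbuf_init(dst, src->buf, src->len));
}

/* 1 if a and b point at the same buffer. */
static int
netbuf_aliases(const struct netbuf *a, const struct netbuf *b)
{
	return (a->buf != NULL && a->buf == b->buf);
}

/* Returns 1 when a shallow copy shares the original's buffer (the root
 * cause).  The original is freed exactly once and the copy is never
 * touched afterwards: doing so is the undefined behaviour the advisory
 * describes, not something a demo should execute. */
int
shallow_copy_aliases(void)
{
	struct netbuf orig, copy;
	int aliased;

	if (netbuf_init(&orig, sample_addr, sizeof sample_addr) != 0)
		return (-1);
	netbuf_copy_shallow(&copy, &orig);
	aliased = netbuf_aliases(&copy, &orig);
	netbuf_free(&orig);	/* copy.buf now dangles: do not free or read it */
	return (aliased);
}

/* Returns 1 when a deep copy is a separate allocation that keeps its
 * contents after the original is freed and can itself be freed safely. */
int
deep_copy_is_independent(void)
{
	struct netbuf orig, copy;
	int ok;

	if (netbuf_init(&orig, sample_addr, sizeof sample_addr) != 0)
		return (-1);
	if (netbuf_copy_deep(&copy, &orig) != 0) {
		netbuf_free(&orig);
		return (-1);
	}
	ok = !netbuf_aliases(&copy, &orig);
	netbuf_free(&orig);
	ok = ok && copy.len == sizeof sample_addr &&
	    memcmp(copy.buf, sample_addr, sizeof sample_addr) == 0;
	netbuf_free(&copy);	/* a different buffer, so no double free */
	return (ok);
}

int
main(void)
{
	printf("shallow copy aliases the buffer: %d\n", shallow_copy_aliases());
	printf("deep copy is independent:        %d\n", deep_copy_is_independent());
	return (0);
}
```

The deep copy is what a consumer has to do whenever it keeps its own netbuf beyond the lifetime of the one it was handed; copying only `len` bytes (not `maxlen`) is deliberate, since `maxlen` describes the source allocation, not the address. Built with AddressSanitizer (`cc -fsanitize=address`), adding a second `netbuf_free(&copy)` to the shallow case reports the double free that the advisory's crash comes from.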
From: Robert Blayzor
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 14:47:30 -0400
To: freebsd-security@freebsd.org
In-Reply-To: <20150929183942.569F311FD@freefall.freebsd.org>

Was this regression tested or missing more info? After updating and
rebooting seeing a ton of problems with rpcbind core dumping at start..
lock manager fails to start, etc.

dmesg

da0: quirks=0x40
SMP: AP CPU #1 Launched!
Trying to mount root from ufs:/dev/da0p2 [rw]..
pid 367 (rpcbind), uid 0: exited on signal 6 (core dumped)
NLM: failed to contact remote rpcbind, stat = 5, port = 28416
NLM: failed to contact remote rpcbind, stat = 0, port = 0
Can't start NLM - unable to contact NSM
NLM: failed to contact remote rpcbind, stat = 0, port = 0
NLM: failed to contact remote rpcbind, stat = 0, port = 0
Can't start NLM - unable to contact NSM

[~] egrep rpc\|nis /etc/rc.conf
rpcbind_enable="YES"
rpc_lockd_enable="YES"
rpc_lockd_flags="-p 4045"
rpc_statd_enable="YES"
rpc_statd_flags="-p 4046"
nis_client_enable=“YES"
nis_server_enable=“YES"

[~] uname -a
FreeBSD 10.2-RELEASE-p4 FreeBSD 10.2-RELEASE-p4 #0 r288419: Wed Sep 30 18:33:40 UTC 2015  amd64

No problems prior to patching.
--
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

> On Sep 29, 2015, at 2:39 PM, FreeBSD Security Advisories wrote:
>
> FreeBSD-SA-15:24.rpcbind                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          rpcbind(8) remote denial of service
>
> Category:       core
> Module:         rpcbind
> Announced:      2015-09-29
> Affects:        All supported versions of FreeBSD.
> CVE Name:       CVE-2015-7236
From: Xin Li
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 12:10:47 -0700
To: Robert Blayzor, freebsd-security@freebsd.org
Message-ID: <560C33B7.70100@delphij.net>

Hi,

On 09/30/15 11:47, Robert Blayzor via freebsd-security wrote:
> Was this regression tested or missing more info? After updating and
> rebooting seeing a ton of problems with rpcbind core dumping at start..
> lock manager fails to start, etc.

Yes, this was tested specifically with NFS scenario for some time and
was reviewed by several developers.

> dmesg
> da0: quirks=0x40
> SMP: AP CPU #1 Launched!
> Trying to mount root from ufs:/dev/da0p2 [rw]..
> pid 367 (rpcbind), uid 0: exited on signal 6 (core dumped)

Will it be possible for you to get a backtrace from the coredump?

Cheers,
--
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
From: Robert Blayzor
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 15:12:44 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org
In-Reply-To: <560C33B7.70100@delphij.net>

On Sep 30, 2015, at 3:10 PM, Xin Li wrote:
>
> Will it be possible for you to get a backtrace from the coredump?
>
> Cheers,

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `rpcbind'.
Program terminated with signal 6, Aborted.
Reading symbols from /usr/lib/libwrap.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libwrap.so.6
Reading symbols from /lib/libutil.so.9...(no debugging symbols found)...done.
Loaded symbols for /lib/libutil.so.9
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x0000000800d0164a in thr_kill () from /lib/libc.so.7
(gdb) bt
#0  0x0000000800d0164a in thr_kill () from /lib/libc.so.7
#1  0x0000000800d01636 in raise () from /lib/libc.so.7
#2  0x0000000800d015b9 in abort () from /lib/libc.so.7
#3  0x0000000800d67f31 in __assert () from /lib/libc.so.7
#4  0x000000000040739a in ?? ()
#5  0x0000000000404075 in ?? ()
#6  0x000000000040303f in ?? ()
#7  0x000000080062a000 in ?? ()
#8  0x0000000000000000 in ?? ()

--
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
From: Robert Blayzor
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 15:22:08 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org
In-Reply-To: <560C33B7.70100@delphij.net>

On Sep 30, 2015, at 3:10 PM, Xin Li wrote:
>> Was this regression tested or missing more info? After updating and
>> rebooting seeing a ton of problems with rpcbind core dumping at start..
>> lock manager fails to start, etc.
>
> Yes, this was tested specifically with NFS scenario for some time and
> was reviewed by several developers.

I appear to have traced this back to when ypserv starts.

rpcbind starts first, when ypserv starts, rpcbind core dumps.
--
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
From: Xin Li
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 12:26:41 -0700
To: Robert Blayzor, d@delphij.net
Cc: freebsd-security@freebsd.org
Message-ID: <560C3771.1040105@delphij.net>

On 09/30/15 12:12, Robert Blayzor wrote:
> On Sep 30, 2015, at 3:10 PM, Xin Li wrote:
>>
>> Will it be possible for you to get a backtrace from the coredump?
>>
>> Cheers,
>
> Core was generated by `rpcbind'.
> Program terminated with signal 6, Aborted.
> (gdb) bt
> #0  0x0000000800d0164a in thr_kill () from /lib/libc.so.7
> #1  0x0000000800d01636 in raise () from /lib/libc.so.7
> #2  0x0000000800d015b9 in abort () from /lib/libc.so.7
> #3  0x0000000800d67f31 in __assert () from /lib/libc.so.7
> #4  0x000000000040739a in ?? ()
> #5  0x0000000000404075 in ?? ()
> #6  0x000000000040303f in ?? ()
> #7  0x000000080062a000 in ?? ()
> #8  0x0000000000000000 in ?? ()

Can you compile debugging symbols in?

Also can you try running rpcbind by hand with -d, which allows one to
see the messages?

Cheers,
--
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
From: David Wolfskill
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
Date: Wed, 30 Sep 2015 12:26:36 -0700
To: d@delphij.net
Cc: Robert Blayzor, freebsd-security@freebsd.org
Message-ID: <20150930192636.GX1125@albert.catwhisker.org>
In-Reply-To: <560C33B7.70100@delphij.net>

On Wed, Sep 30, 2015 at 12:10:47PM -0700, Xin Li wrote:
> Hi,
>
> On 09/30/15 11:47, Robert Blayzor via freebsd-security wrote:
> > Was this regression tested or missing more info? After updating and
> > rebooting seeing a ton of problems with rpcbind core dumping at
> > start.. lock manager fails to start, etc.
>
> Yes, this was tested specifically with NFS scenario for some time and
> was reviewed by several developers.
> ...

FWIW, after updating my build machine (which acts as both an NFS client,
obtaining access to certain file systems from a ReadyNAS, and as an NFS
server, providing access to its /usr/src and /usr/obj during updates of
"production" machines), I noted no problems -- and I have tested both
roles on the machine.
It was updated from:

FreeBSD freebeast.catwhisker.org 10.2-STABLE FreeBSD 10.2-STABLE #1813 r288356M/288358:1002500: Tue Sep 29 04:15:28 PDT 2015     root@freebeast.catwhisker.org:/common/S1/obj/usr/src/sys/GENERIC  amd64

to:

FreeBSD freebeast.catwhisker.org 10.2-STABLE FreeBSD 10.2-STABLE #1814 r288411M/288418:1002500: Wed Sep 30 04:15:42 PDT 2015     root@freebeast.catwhisker.org:/common/S1/obj/usr/src/sys/GENERIC  amd64

And:

freebeast(10.2-S)[13] service lockd status
lockd is running as pid 582.
freebeast(10.2-S)[14] ^lock^stat
service statd status
statd is running as pid 579.
freebeast(10.2-S)[15]

(Yes, I recognize that I'm running stable/10, while the OP is running
... releng/10, I think.)

Peace,
david
--
David H. Wolfskill                              david@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
From owner-freebsd-security@freebsd.org Wed Sep 30 19:36:20 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
To: Robert Blayzor, d@delphij.net
Cc: freebsd-security@freebsd.org
From: Xin Li
Organization: The FreeBSD Project
Message-ID: <560C39B3.1020806@delphij.net>
Date: Wed, 30 Sep 2015 12:36:19 -0700

On 09/30/15 12:22, Robert Blayzor wrote:
> On Sep 30, 2015, at 3:10 PM, Xin Li wrote:
>>> Was this regression tested or missing more info? After updating and rebooting seeing a ton of problems with rpcbind core dumping at start.. lock manager fails to start, etc.
>>
>> Yes, this was tested specifically with NFS scenario for some time and
>> was reviewed by several developers.
>
>
> I appear to have traced this back to when ypserv starts.
>
> rpcbind starts first, when ypserv starts, rpcbind core dumps.

I have created an empty testing domain but can't reproduce the problem
-- however, the backtrace does seem related to the change (which may
indicate a real problem with the old code, though). Please let me know
if you have additional information.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
From owner-freebsd-security@freebsd.org Wed Sep 30 19:41:42 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
From: Robert Blayzor
Date: Wed, 30 Sep 2015 15:41:40 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org
In-Reply-To: <560C39B3.1020806@delphij.net>

> I have created an empty testing domain but can't reproduce the problem
> -- however, the backtrace does seem related to the change (which may
> indicate a real problem with the old code, though). Please let me know
> if you have additional information.
>

Here is the crash with rpcbind in the foreground:

[~] sudo rpcbind -d
Password:
rpcbind debugging enabled.
Assertion failed: (dst->buf == NULL), function netbuf_copybuf, file /usr/10.2-RELEASE/usr.sbin/rpcbind/rpcb_svc_com.c, line 1056.

Not exactly sure which rpc is kicking it, but we have lockd, statd, ypserv … nfs client is enabled, but not currently used..

If you need more than this it will take some time for debugging symbols.
-- 
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

From owner-freebsd-security@freebsd.org Wed Sep 30 19:54:27 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
To: Robert Blayzor, d@delphij.net
Cc: freebsd-security@freebsd.org
From: Xin Li
Organization: The FreeBSD Project
Message-ID: <560C3DF2.5070608@delphij.net>
Date: Wed, 30 Sep 2015 12:54:26 -0700

Hi,

Can you make this change and see if it helps?

Index: rpcb_svc_com.c
===================================================================
--- rpcb_svc_com.c	(revision 288421)
+++ rpcb_svc_com.c	(working copy)
@@ -1052,7 +1052,7 @@ static bool_t
 netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
 {
 
-	assert(dst->buf == NULL);
+	assert(dst->len == 0 || dst->buf == NULL);
 
 	if ((dst->buf = malloc(src->len)) == NULL)
 		return (FALSE);

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
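Review bot: the widened assertion still aborts for the case in the report, a dst netbuf that already carries a buffer from an earlier registration, because `dst->len == 0 || dst->buf == NULL` only admits a stale netbuf whose length is zero; and the unchanged `if ((dst->buf = malloc(src->len)) == NULL)` line below it still overwrites `dst->buf` without freeing it, so with assertions compiled out the old block leaks. Rather than relaxing the check, free or reuse the existing buffer before allocating, e.g. `if (dst->buf != NULL) free(dst->buf);` ahead of the malloc, so the function is correct for a reused dst instead of merely tolerating one.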
From owner-freebsd-security@freebsd.org Wed Sep 30 20:03:33 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
From: Robert Blayzor
Date: Wed, 30 Sep 2015 16:03:28 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org
Message-Id: <20BCBD1F-D22E-4878-AB6C-CBE9F7FD4BF2@inoc.net>
In-Reply-To: <560C3DF2.5070608@delphij.net>

On Sep 30, 2015, at 3:54 PM, Xin Li wrote:
>
> Can you make this change and see if it helps?
>
> Index: rpcb_svc_com.c
> ===================================================================
> --- rpcb_svc_com.c	(revision 288421)
> +++ rpcb_svc_com.c	(working copy)
> @@ -1052,7 +1052,7 @@ static bool_t
> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
> {
>
> - assert(dst->buf == NULL);
> + assert(dst->len == 0 || dst->buf == NULL);
…

Same result:

Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.

#0  0x0000000800d0164a in thr_kill () from /lib/libc.so.7
(gdb) bt
#0  0x0000000800d0164a in thr_kill () from /lib/libc.so.7
#1  0x0000000800d01636 in raise () from /lib/libc.so.7
#2  0x0000000800d015b9 in abort () from /lib/libc.so.7
#3  0x0000000800d67f31 in __assert () from /lib/libc.so.7
#4  0x00000000004073aa in ?? ()
#5  0x0000000000404075 in ?? ()
#6  0x000000000040303f in ?? ()
#7  0x000000080062a000 in ?? ()
#8  0x0000000000000000 in ?? ()

-- 
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu
From owner-freebsd-security@freebsd.org Wed Sep 30 20:13:49 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
To: Robert Blayzor, d@delphij.net
Cc: freebsd-security@freebsd.org
From: Xin Li
Organization: The FreeBSD Project
Message-ID: <560C426B.1000608@delphij.net>
Date: Wed, 30 Sep 2015 13:13:31 -0700
In-Reply-To: <20BCBD1F-D22E-4878-AB6C-CBE9F7FD4BF2@inoc.net>

On 09/30/15 13:03, Robert Blayzor wrote:
> On Sep 30, 2015, at 3:54 PM, Xin Li wrote:
>>
>> Can you make this change and see if it helps?
>>
>> Index: rpcb_svc_com.c
>> ===================================================================
>> --- rpcb_svc_com.c	(revision 288421)
>> +++ rpcb_svc_com.c	(working copy)
>> @@ -1052,7 +1052,7 @@ static bool_t
>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>> {
>>
>> - assert(dst->buf == NULL);
>> + assert(dst->len == 0 || dst->buf == NULL);
> …
>
>
> Same result:
>
>
> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.

Hmm, this suggests there was either a use-after-free or a memory leak
in the existing code. I will need some time to further investigate this.

In the meantime, please comment out the assertion (which turns the crash
back into a memory leak in the worst case).

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
From owner-freebsd-security@freebsd.org Wed Sep 30 22:04:45 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
To: Robert Blayzor, d@delphij.net
Cc: freebsd-security@freebsd.org, Alfred Perlstein, Hiroki Sato, Rick Macklem, Doug Rabson
From: Xin Li
Organization: The FreeBSD Project
Message-ID: <560C5C79.3080308@delphij.net>
Date: Wed, 30 Sep 2015 15:04:41 -0700
In-Reply-To: <560C426B.1000608@delphij.net>

On 09/30/15 13:13, Xin Li wrote:
> On 09/30/15 13:03, Robert Blayzor wrote:
>> On Sep 30, 2015, at 3:54 PM, Xin Li wrote:
>>>
>>> Can you make this change and see if it helps?
>>>
>>> Index: rpcb_svc_com.c
>>> ===================================================================
>>> --- rpcb_svc_com.c	(revision 288421)
>>> +++ rpcb_svc_com.c	(working copy)
>>> @@ -1052,7 +1052,7 @@ static bool_t
>>> netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
>>> {
>>>
>>> - assert(dst->buf == NULL);
>>> + assert(dst->len == 0 || dst->buf == NULL);
>> …
>>
>>
>> Same result:
>>
>>
>> Assertion failed: (dst->len == 0 || dst->buf == NULL), function netbuf_copybuf, file rpcb_svc_com.c, line 1056.
>
> Hmm this suggests there were either a use-after-free or a memory leak
> with existing code. I will need some time to further investigate this.
>
> In the meantime, please comment out the assertion (which turns the crash
> back into memory leak in the worst case).

Please try the attached patch, which will reallocate the buffer only when
the passed-in netbuf is of a different size.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

Content-Disposition: attachment; filename="rpcbind.diff"

Index: usr.sbin/rpcbind/rpcb_svc_com.c
===================================================================
--- usr.sbin/rpcbind/rpcb_svc_com.c	(revision 288421)
+++ usr.sbin/rpcbind/rpcb_svc_com.c	(working copy)
@@ -1052,12 +1052,15 @@ static bool_t
 netbuf_copybuf(struct netbuf *dst, const struct netbuf *src)
 {
 
-	assert(dst->buf == NULL);
+	if (dst->len != src->len || dst->buf == NULL) {
+		if (dst->buf != NULL)
+			free(dst->buf);
+		if ((dst->buf = malloc(src->len)) == NULL)
+			return (FALSE);
 
-	if ((dst->buf = malloc(src->len)) == NULL)
-		return (FALSE);
+		dst->maxlen = dst->len = src->len;
+	}
 
-	dst->maxlen = dst->len = src->len;
 	memcpy(dst->buf, src->buf, src->len);
 	return (TRUE);
 }
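Review bot: the reuse decision keys on `dst->len != src->len`, but `dst->len` is the number of bytes in use while `dst->maxlen` is the size of the block behind `dst->buf`; a dst whose len happens to equal src->len but whose allocation is smaller is overrun by the unchanged `memcpy(dst->buf, src->buf, src->len)`. Comparing `dst->maxlen < src->len` (and reallocating only then) tests what the memcpy actually requires and also lets a larger existing block be reused. Separately, on the `malloc` failure path the old block has already been freed and `dst->buf` is NULL, yet `dst->len` and `dst->maxlen` keep their previous values; resetting both to 0 before `return (FALSE)` keeps the netbuf self-consistent for whoever inspects it next.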
From owner-freebsd-security@freebsd.org Thu Oct 1 00:43:02 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
From: Robert Blayzor
Date: Wed, 30 Sep 2015 20:42:54 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Alfred Perlstein, Doug Rabson, Rick Macklem
Message-Id: <739CE21F-0205-47C0-A7A9-E3FE39FD5CB8@inoc.net>
In-Reply-To: <560C5C79.3080308@delphij.net>

On Sep 30, 2015, at 6:04 PM, Xin Li wrote:
>
> Please try the attached patch, which will reallocate buffer only when
> the passed in netbuf is of a different size.

Patch installed and things appear to be running ok. Will monitor next 24hrs and report back if any problems.
-- 
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

From owner-freebsd-security@freebsd.org Thu Oct 1 14:02:58 2015
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
From: Robert Blayzor
Date: Thu, 1 Oct 2015 10:02:50 -0400
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Alfred Perlstein, Doug Rabson, Rick Macklem
Message-Id: <22AFE97A-FA21-4D4A-B4C7-01D14BFF0535@inoc.net>
In-Reply-To: <560C5C79.3080308@delphij.net>

On Sep 30, 2015, at 6:04 PM, Xin Li wrote:
>
> Please try the attached patch, which will reallocate buffer only when
> the passed in netbuf is of a different size.

Looks like this patch did the trick. It’s been several hours, rpcbind seems happy along with all other RPC services.
--
Robert
inoc.net!rblayzor
Jabber: rblayzor.AT.inoc.net
PGP Key: 78BEDCE1 @ pgp.mit.edu

From owner-freebsd-security@freebsd.org Fri Oct 2 15:29:17 2015
From: "Nicola Dell'Uomo"
Subject: VPN support broken after FreeBSD 10.2-RELEASE p4 update (FreeBSD-SA-15:24.rpcbind)
Message-Id: <7605D64C-3E2C-49F1-892A-CBABC3CAE1EF@infinito.it>
Date: Fri, 2 Oct 2015 17:20:44 +0200
To: freebsd-security@freebsd.org

Hi,

can anybody help me?

I have a Linux VPN host in my network and a FreeBSD host (FreeBSD
10.2-RELEASE): after the latest update (p4) I'm not able to access my BSD
system via VPN.

From inside my network (not using VPN) everything works fine; however the
FreeBSD host is unreachable via VPN.

I can reach via VPN every other host in the network.

Any idea?

Regards

From owner-freebsd-security@freebsd.org Fri Oct 2 17:06:01 2015
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind [REVISED]
Reply-To: freebsd-security@freebsd.org
Message-Id: <20151002170601.858021192@freefall.freebsd.org>
Date: Fri, 2 Oct 2015 17:06:01 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:24.rpcbind                                    Security Advisory
                                                          The FreeBSD Project

Topic:          rpcbind(8) remote denial of service [REVISED]

Category:       core
Module:         rpcbind
Announced:      2015-09-29, revised on 2015-10-02
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-02 16:36:16 UTC (stable/10, 10.2-STABLE)
                2015-10-02 16:37:06 UTC (releng/10.2, 10.2-RELEASE-p5)
                2015-10-02 16:37:06 UTC (releng/10.1, 10.1-RELEASE-p22)
                2015-10-02 16:36:16 UTC (stable/9, 9.3-STABLE)
                2015-10-02 16:37:06 UTC (releng/9.3, 9.3-RELEASE-p28)
CVE Name:       CVE-2015-7236

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision history

v1.0  2015-09-29  Initial release.
v1.1  2015-10-02  Revised patch to address a regression related to NIS usage.

I.   Background

Sun RPC is a remote procedure call framework which allows clients to invoke
procedures in a server process over a network transparently.  The rpcbind(8)
utility is a server that converts RPC program numbers into universal
addresses.  It must be running on the host to be able to make RPC calls on a
server on that machine.

The Sun RPC framework uses a netbuf structure to represent the transport
specific form of a universal transport address.
The structure is expected to be opaque to consumers.  In the current
implementation, the structure contains a pointer to a buffer that holds the
actual address.

II.  Problem Description

In rpcbind(8), netbuf structures are copied directly, which would result in
two netbuf structures that reference one shared address buffer.  When one of
the two netbuf structures is freed, access to the other netbuf structure
would result in an undefined result that may crash the rpcbind(8) daemon.

III. Impact

A remote attacker who can send specifically crafted packets to the rpcbind(8)
daemon can cause it to crash, resulting in a denial of service condition.

IV.  Workaround

No workaround is available, but systems that do not provide the rpcbind(8)
service to untrusted systems, or do not provide any RPC services, are not
vulnerable.  On FreeBSD, typical RPC based services include NIS and NFS.

Alternatively, rpcbind(8) can be configured to bind on specific IP
address(es) by using the '-h' option.  This may be used to reduce the attack
vector when the system has multiple network interfaces and when some of them
would face an untrusted network.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart the applicable daemons, or reboot the system.  Because rpcbind(8) is
an essential service to all RPC service daemons, these daemons may also need
to be restarted.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the applicable daemons, or reboot the system.  Because rpcbind(8) is
an essential service to all RPC service daemons, these daemons may also need
to be restarted.
3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc
# gpg --verify rpcbind.patch.asc

# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind-00.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind-00.patch.asc
# gpg --verify rpcbind-00.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r288511
releng/9.3/                                                       r288512
stable/10/                                                        r288511
releng/10.1/                                                      r288512
releng/10.2/                                                      r288512
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NNNNNN with the revision number, on a machine with
Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
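The shared-buffer defect described in the Problem Description above, and the copy discipline Xin Li's revised patch takes (reallocate only when the incoming netbuf's size differs), as an added C example. This is not FreeBSD's rpcbind code: the struct layout is the standard Sun RPC netbuf, the helpers netbuf_copy, netbuf_free and demo_copy_survives_free are hypothetical, and the address bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

struct netbuf {            /* standard Sun RPC netbuf layout */
    unsigned int maxlen;   /* capacity of buf in bytes */
    unsigned int len;      /* bytes of buf in use */
    void *buf;             /* transport-specific address bytes */
};

/* The bug pattern: `*dst = *src;` copies only the buf pointer, so both structs
 * own one heap buffer and freeing either leaves the other dangling. This
 * hypothetical helper gives dst its own buffer instead, reusing an existing
 * one of matching capacity and reallocating only when the size differs, as the
 * revised patch does. Returns 0, or -1 (dst untouched) on a malformed source
 * or allocation failure. */
int netbuf_copy(struct netbuf *dst, const struct netbuf *src)
{
    if (src->buf == NULL || src->len > src->maxlen)
        return -1;
    if (dst->buf == NULL || dst->maxlen != src->maxlen) {
        void *nb = malloc(src->maxlen ? src->maxlen : 1);
        if (nb == NULL)
            return -1;
        free(dst->buf);
        dst->buf = nb;
        dst->maxlen = src->maxlen;
    }
    memcpy(dst->buf, src->buf, src->len);
    dst->len = src->len;
    return 0;
}

void netbuf_free(struct netbuf *nb)
{
    free(nb->buf);
    nb->buf = NULL;
    nb->len = nb->maxlen = 0;
}

/* Constructed scenario: deep-copy a netbuf, free the original (as rpcbind
 * frees one of its two netbufs), and confirm the copy is still intact. */
int demo_copy_survives_free(void)
{
    static const unsigned char addr[] = { 127, 0, 0, 1, 0, 111 }; /* constructed */
    struct netbuf src = { sizeof addr, sizeof addr, malloc(sizeof addr) };
    struct netbuf dst = { 0, 0, NULL };
    if (src.buf == NULL)
        return 0;
    memcpy(src.buf, addr, sizeof addr);
    int ok = netbuf_copy(&dst, &src) == 0 && dst.buf != src.buf;
    netbuf_free(&src);                              /* original is gone */
    ok = ok && dst.len == sizeof addr && memcmp(dst.buf, addr, dst.len) == 0;
    netbuf_free(&dst);
    return ok;
}
```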