From bdce95930e1d9a7d013d1ba78740243491262879 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 23 May 2016 20:18:34 +0200
Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
 #20112]

The call is technically in a loop, and under certain circumstances
(which are quite difficult to reproduce in a test case), alloca
can be invoked repeatedly during a single call to clntudp_call.
As a result, the available stack space can be exhausted (even
though individual alloca sizes are bounded implicitly by what
can fit into a UDP packet, as a side effect of the earlier
successful send operation).

(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
---
 ChangeLog         |  7 +++++++
 NEWS              |  4 ++++
 sunrpc/clnt_udp.c | 10 +++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
index a6cf5f1..4d9acb1 100644
--- a/sunrpc/clnt_udp.c
+++ b/sunrpc/clnt_udp.c
@@ -388,9 +388,15 @@ send_again:
 	  struct sock_extended_err *e;
 	  struct sockaddr_in err_addr;
 	  struct iovec iov;
-	  char *cbuf = (char *) alloca (outlen + 256);
+	  char *cbuf = malloc (outlen + 256);
 	  int ret;
 
+	  if (cbuf == NULL)
+	    {
+	      cu->cu_error.re_errno = errno;
+	      return (cu->cu_error.re_status = RPC_CANTRECV);
+	    }
+
 	  iov.iov_base = cbuf + 256;
 	  iov.iov_len = outlen;
 	  msg.msg_name = (void *) &err_addr;
@@ -415,10 +421,12 @@ send_again:
 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
 		{
+		  free (cbuf);
 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
 		  cu->cu_error.re_errno = e->ee_errno;
 		  return (cu->cu_error.re_status = RPC_CANTRECV);
 		}
+	  free (cbuf);
 	}
 #endif
       do
-- 
2.9.3

ption value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=25ff62e2501badd10c55e81ef2e8655fb8f85177'>root</a>/<a href='/guix/log/nix?id=25ff62e2501badd10c55e81ef2e8655fb8f85177'>nix</a>/<a href='/guix/log/nix/libutil?id=25ff62e2501badd10c55e81ef2e8655fb8f85177'>libutil</a>/<a href='/guix/log/nix/libutil/util.hh?id=25ff62e2501badd10c55e81ef2e8655fb8f85177'>util.hh</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/nix/libutil/util.hh?id=25ff62e2501badd10c55e81ef2e8655fb8f851<tr><td><span title='2023-04-21 16:16:38 +0200'>2023-04-21</span></t<tr><td><span title='2024-03-12 14:07:28 +0100'>2024-03-12</span></td><td><a href='/guix/commit/nix/libutil/util.hh?id=ff1251de0bc327ec478fc66a562430fbf35aef42'>daemon: Address shortcoming in previous security fix for CVE-2024-27297.</a><span class='msg-avail'>...<span class='msg-tooltip'>This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Chan<tr><td><span title='2022-10-22 01:46:55 +0200'>2022-10-22</span></td><td><a href='/guix/commit/tests/guix-daemon.sh?id=a3619079f95213c4f983e69210ed12b38fd31022'>Remove now unnecessary uses of (guix grafts).</a><span class='msg-avail'>...<span class='msg-tooltip'>These modules would use (guix grafts) just to access '%graft?' and
related bindings, which are now in (guix store).

* gnu/ci.scm,
guix/gexp.scm,
guix/lint.scm,
guix/scripts.scm,
guix/scripts/archive.scm,
guix/scripts/build.scm,
guix/scripts/challenge.scm,
guix/scripts/deploy.scm,
guix/scripts/environment.scm,
guix/scripts/home.scm,
guix/scripts/pack.scm,
guix/scripts/package.scm,
guix/scripts/pull.scm,
guix/scripts/size.scm,
guix/scripts/system.scm,
guix/scripts/weather.scm,
tests/builders.scm,
tests/channels.scm,
tests/cpan.scm,
tests/derivations.scm,
tests/gexp.scm,
tests/graph.scm,
tests/guix-daemon.sh,
tests/monads.scm,
tests/pack.scm,
tests/packages.scm,
tests/profiles.scm,
tests/system.scm: Remove #:use-module (guix grafts).
</span></span></td><td>Ludovic Courtès</td></tr>

a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4

Reported-by: Picnoir &lt;picnoir@alternativebit.fr&gt;, Théophane Hufschmitt &lt;theophane.hufschmitt@tweag.io&gt;
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-12-08 22:30:07 +0100'>2020-12-08</span></td><td><a href='/guix/commit/nix/libutil/util.hh?id=2e308238ad09e9527f9b8c3ec4a90b6b05a93367'>daemon: 'Agent' constructor takes a list of environment variables.</a><span class='msg-avail'>...<span class='msg-tooltip'>* nix/libutil/util.hh (struct Agent)[Agent]: Add 'env' parameter.
* nix/libutil/util.cc (Agent::Agent): Honor it.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-09-14 15:42:55 +0200'>2020-09-14</span></td><td><a href='/guix/commit/nix/libutil/util.hh?id=ee9dff34f9317509cb2b833d07a0d5e01a36a4ae'>daemon: Move 'Agent' to libutil.</a><span class='msg-avail'>...<span class='msg-tooltip'>* nix/libstore/build.cc (DerivationGoal::tryBuildHook): Add "offload" to
'args' and pass settings.guixProgram as the first argument to
Agent::Agent.
(pathNullDevice, commonChildInit, Agent, Agent::Agent)
(Agent::~Agent): Move to...
* nix/libutil/util.cc: ... here.
* nix/libutil/util.hh (struct Agent, commonChildInit): New
declarations.
</span></span></td><td>Ludovic Courtès</td></tr>

Age	Commit message (2023-04-21	2024-03-12	daemon: Address shortcoming in previous security fix for CVE-2024-27297....This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Chan
2022-10-22	Remove now unnecessary uses of (guix grafts)....These modules would use (guix grafts) just to access '%graft?' and related bindings, which are now in (guix store). * gnu/ci.scm, guix/gexp.scm, guix/lint.scm, guix/scripts.scm, guix/scripts/archive.scm, guix/scripts/build.scm, guix/scripts/challenge.scm, guix/scripts/deploy.scm, guix/scripts/environment.scm, guix/scripts/home.scm, guix/scripts/pack.scm, guix/scripts/package.scm, guix/scripts/pull.scm, guix/scripts/size.scm, guix/scripts/system.scm, guix/scripts/weather.scm, tests/builders.scm, tests/channels.scm, tests/cpan.scm, tests/derivations.scm, tests/gexp.scm, tests/graph.scm, tests/guix-daemon.sh, tests/monads.scm, tests/pack.scm, tests/packages.scm, tests/profiles.scm, tests/system.scm: Remove #:use-module (guix grafts).	Ludovic Courtès
Ludovic Courtès
2020-12-08	daemon: 'Agent' constructor takes a list of environment variables....* nix/libutil/util.hh (struct Agent)[Agent]: Add 'env' parameter. * nix/libutil/util.cc (Agent::Agent): Honor it.	Ludovic Courtès
2020-09-14	daemon: Move 'Agent' to libutil....* nix/libstore/build.cc (DerivationGoal::tryBuildHook): Add "offload" to 'args' and pass settings.guixProgram as the first argument to Agent::Agent. (pathNullDevice, commonChildInit, Agent, Agent::Agent) (Agent::~Agent): Move to... * nix/libutil/util.cc: ... here. * nix/libutil/util.hh (struct Agent, commonChildInit): New declarations.	Ludovic Courtès