CVE-2022-28893 – Sun Microsystems is no longer around, but SunRPC is still in use on Linux (14th April 2022)

Preface: ONTAP (also known as Data ONTAP, Clustered Data ONTAP or Data ONTAP 7-Mode) is NetApp’s proprietary operating system used in storage disk arrays such as NetApp FAS and AFF, ONTAP Select and Cloud Volumes ONTAP. RHEL 6.3 and later can be used with NetApp Clustered Data ONTAP. This setup integrates with SunRPC UNIX network programming.
Remark: RHEL 6.3 reached end of life on November 30, 2020. Additionally, Extended Lifecycle Support will end on June 30, 2024.

Background: The Remote Procedure Call (SunRPC) protocol provides a way to run procedures on a remote machine. RPC is used heavily in UNIX to implement many protocols, for example NFS and NIS. The RPC protocol is designed to be independent of machine, operating system, network architecture, and transport protocol.
Sun RPC does not have a network-wide binding service. Instead it provides a local binding service called the port mapper which runs on every computer. Each instance of a port mapper records the port in use by each service running locally. The port mapper assigns a unique TCP/UDP protocol port number to an RPC program. Upon starting, the Network File System uses a port map to listen to and send data to specific ports.

Vulnerability details: The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets are in the intended state.

Highlight one of the technical issues – In the C programming language, the function malloc() is used to allocate a block of memory of the requested size for use by the program. When a program needs to read or write data in memory, it uses pointers. When the program is done using the data, it can call the function free() to release the memory.
It’s important to note that free() just marks the block of memory as free and available for use. It does not clear any data stored in the memory block, nor does it free or clear the pointers that the program uses to refer to the memory block.

Remedy: Ensure we flush any closed sockets before xs_xprt_free().

For solution details, please refer to the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1a3b1bba7c7a5eb8a11513cf88427cb9d77bc60a
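
The ordering described under Remedy, together with the point that free() leaves pointers untouched, shown as a simplified userspace model. This is an added example, not the kernel patch or any code from the SUNRPC subsystem; struct transport, struct work, queue_close, flush_pending and transport_destroy are hypothetical names chosen for the illustration.

```c
/* Added example: userspace model only, not kernel code. Names are hypothetical. */
#include <stdlib.h>

struct work {                 /* deferred job holding a pointer to its owner */
    struct transport *owner;
    struct work *next;
};

struct transport {
    int sock_open;            /* 1 while the socket is usable */
    struct work *pending;     /* deferred jobs not yet run */
};

/* Queue a deferred close; the job keeps a pointer to t until it runs. */
int queue_close(struct transport *t)
{
    struct work *w = malloc(sizeof(*w));
    if (!w)
        return -1;
    w->owner = t;
    w->next = t->pending;
    t->pending = w;
    return 0;
}

/* Run every pending job while the owner is still valid memory. */
int flush_pending(struct transport *t)
{
    int n = 0;
    while (t->pending) {
        struct work *w = t->pending;
        t->pending = w->next;
        w->owner->sock_open = 0;  /* safe: owner has not been freed yet */
        free(w);
        n++;
    }
    return n;
}

/* Teardown order: flush, free, then clear the caller's pointer. */
int transport_destroy(struct transport **tp)
{
    if (!tp || !*tp)
        return -1;                /* already destroyed: no double free */
    int flushed = flush_pending(*tp);
    free(*tp);
    *tp = NULL;                   /* free() does not clear this for us */
    return flushed;
}
```

If transport_destroy() skipped flush_pending(), each queued job would still hold an owner pointer into memory that free() has already handed back to the allocator.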
