diff --git a/NEWS b/NEWS
index c66475c914706d7ed6303881ac1c24a7075e7b6d..35bba67d36b820bd6fda55e70a453cb772365f15 100644
--- a/NEWS
+++ b/NEWS
@@ -36,6 +36,10 @@ documents those changes that are of interest to users and administrators.
  -- scrontab - add cli_filter hooks.
  -- job_submit/lua - expose a "cron_job" flag to identify jobs submitted
     through scrontab.
+ -- PMIx - fix potential buffer overflows from use of unpackmem().
+    CVE-2020-27745.
+ -- X11 forwarding - fix potential leak of the magic cookie when sent as an
+    argument to the xauth command. CVE-2020-27746.
 
 * Changes in Slurm 20.11.0rc1
 ==============================
@@ -162,6 +166,9 @@ documents those changes that are of interest to users and administrators.
  -- Add --ntasks-per-gpu option.
  -- Add --gpu-bind=single option.
 
+* Changes in Slurm 20.02.7
+==========================
+
 * Changes in Slurm 20.02.6
 ==========================
  -- Fix sbcast --fanout option.
@@ -243,6 +250,10 @@ documents those changes that are of interest to users and administrators.
     from config.
  -- cons_tres - fix regression regarding gpus with --cpus-per-task.
  -- Don't send job completion email for revoked federation jobs.
+ -- PMIx - fix potential buffer overflows from use of unpackmem().
+    CVE-2020-27745.
+ -- X11 forwarding - fix potential leak of the magic cookie when sent as an
+    argument to the xauth command. CVE-2020-27746.
 
 * Changes in Slurm 20.02.5
 ==========================
@@ -634,10 +645,17 @@ documents those changes that are of interest to users and administrators.
  -- Make it so you can "stack" the energy plugins
  -- Add energy accounting plugin for AMD GPU
 
+* Changes in Slurm 19.05.9
+==========================
+
 * Changes in Slurm 19.05.8
 ==========================
  -- sbatch - handle --uid/--gid in #SBATCH directives properly.
  -- Fix HDF5 type version build error.
+ -- PMIx - fix potential buffer overflows from use of unpackmem().
+    CVE-2020-27745.
+ -- X11 forwarding - fix potential leak of the magic cookie when sent as an
+    argument to the xauth command. CVE-2020-27746.
 
 * Changes in Slurm 19.05.7
 ==========================
diff --git a/src/common/x11_util.c b/src/common/x11_util.c
index ebf531644e147e583f7caaab500c49edba69e4d9..c95df75769f4a7294b67dc49e841fa808c29c60f 100644
--- a/src/common/x11_util.c
+++ b/src/common/x11_util.c
@@ -214,28 +214,45 @@ extern int x11_set_xauth(char *xauthority, char *cookie,
 	int i=0, status;
 	char *result;
 	char **xauth_argv;
+	char template[] = "/tmp/xauth-source-XXXXXX";
+	char *contents = NULL;
+	int fd;
+
+	/* protect against weak file permissions in old glibc */
+	umask(0077);
+	if ((fd = mkstemp(template)) < 0)
+		fatal("%s: could not create temp file", __func__);
+
+	xstrfmtcat(contents, "add %s/unix:%u MIT-MAGIC-COOKIE-1 %s\n",
+		   host, display, cookie);
+	safe_write(fd, contents, strlen(contents));
+	xfree(contents);
+	close(fd);
 
 	xauth_argv = xmalloc(sizeof(char *) * 10);
-	xauth_argv[i++] = xstrdup("xauth");
-	xauth_argv[i++] = xstrdup("-v");
-	xauth_argv[i++] = xstrdup("-f");
-	xauth_argv[i++] = xstrdup(xauthority);
-	xauth_argv[i++] = xstrdup("add");
-	xauth_argv[i++] = xstrdup_printf("%s/unix:%u", host, display);
-	xauth_argv[i++] = xstrdup("MIT-MAGIC-COOKIE-1");
-	xauth_argv[i++] = xstrdup(cookie);
+	xauth_argv[i++] = "xauth";
+	xauth_argv[i++] = "-v";
+	xauth_argv[i++] = "-f";
+	xauth_argv[i++] = xauthority;
+	xauth_argv[i++] = "source";
+	xauth_argv[i++] = template;
 	xauth_argv[i++] = NULL;
 	xassert(i < 10);
 
 	result = run_command("xauth", XAUTH_PATH, xauth_argv, 10000, 0,
 			     &status);
 
-	free_command_argv(xauth_argv);
+	(void) unlink(template);
+	xfree(xauth_argv);
 
 	debug2("%s: result from xauth: %s", __func__, result);
 	xfree(result);
 
 	return status;
+
+rwfail:
+	fatal("%s: could not write temporary xauth file", __func__);
+	return SLURM_ERROR;
 }
 
 extern int x11_delete_xauth(char *xauthority, char *host, uint16_t display)
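Review bot: The `rwfail:` path calls fatal() without removing the temp file, so if the write fails (safe_write() presumably jumps to that label) a file holding a partial or complete cookie line stays behind in /tmp and `fd` is never closed. Add `(void) close(fd); (void) unlink(template);` ahead of the fatal() call. Separately, `umask(0077)` changes the mask for the whole process and is never restored, so every file this process creates afterwards inherits it; keep the previous value with `mode_t old_mask = umask(0077);` and call `umask(old_mask);` right after mkstemp(). x11_set_xauth() begins above this hunk, so which process runs it and what it creates later are not visible here.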
diff --git a/src/plugins/mpi/pmix/pmixp_coll_ring.c b/src/plugins/mpi/pmix/pmixp_coll_ring.c
index 20c54edfe691221624039729ddb24cc310d18536..64da0c9a6a729cf5b03e4b50a901fee596333dbf 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_ring.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_ring.c
@@ -148,6 +148,7 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 	uint32_t nprocs = 0;
 	uint32_t tmp;
 	int rc, i;
+	char *temp_ptr;
 
 	/* 1. extract the type of collective */
 	if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -168,13 +169,13 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 
 	/* 3. get namespace/rank of particular process */
 	for (i = 0; i < (int)nprocs; i++) {
-		rc = unpackmem(procs[i].nspace, &tmp, buf);
-		if (SLURM_SUCCESS != rc) {
+		if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+		    (strlcpy(procs[i].nspace, temp_ptr,
+			     PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
 			PMIXP_ERROR("Cannot unpack namespace for process #%d",
 				    i);
 			return rc;
 		}
-		procs[i].nspace[tmp] = '\0';
 
 		rc = unpack32(&tmp, buf);
 		procs[i].rank = tmp;
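Review bot: When unpackmem_ptr() succeeds but strlcpy() reports truncation, `rc` still holds the success value, so `return rc;` hands the caller a success code for a namespace that was just rejected and logged as an error. Return an explicit failure in that case, e.g. `return rc ? rc : SLURM_ERROR;`. The same pattern appears in the ring-header check in the next hunk (`tmp != sizeof(pmixp_coll_ring_msg_hdr_t)`) and in the namespace loop of pmixp_coll_tree_unpack(). The loop body continues past the end of this hunk.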
@@ -186,11 +187,14 @@ int pmixp_coll_ring_unpack(Buf buf, pmixp_coll_type_t *type,
 	}
 
 	/* 4. extract the ring info */
-	if (SLURM_SUCCESS != (rc = unpackmem((char *)ring_hdr, &tmp, buf))) {
+	if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+	    (tmp != sizeof(pmixp_coll_ring_msg_hdr_t))) {
 		PMIXP_ERROR("Cannot unpack ring info");
 		return rc;
 	}
 
+	memcpy(ring_hdr, temp_ptr, sizeof(pmixp_coll_ring_msg_hdr_t));
+
 	return SLURM_SUCCESS;
 }
 
diff --git a/src/plugins/mpi/pmix/pmixp_coll_tree.c b/src/plugins/mpi/pmix/pmixp_coll_tree.c
index e4b13145929aa7a24316ce0b9996e7d4e8273ba5..f9588266541038abb262086bd6c468717049f72a 100644
--- a/src/plugins/mpi/pmix/pmixp_coll_tree.c
+++ b/src/plugins/mpi/pmix/pmixp_coll_tree.c
@@ -76,6 +76,7 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
 	uint32_t nprocs = 0;
 	uint32_t tmp;
 	int i, rc;
+	char *temp_ptr;
 
 	/* 1. extract the type of collective */
 	if (SLURM_SUCCESS != (rc = unpack32(&tmp, buf))) {
@@ -96,13 +97,13 @@ int pmixp_coll_tree_unpack(Buf buf, pmixp_coll_type_t *type,
 
 	for (i = 0; i < (int)nprocs; i++) {
 		/* 3. get namespace/rank of particular process */
-		rc = unpackmem(procs[i].nspace, &tmp, buf);
-		if (SLURM_SUCCESS != rc) {
+		if ((rc = unpackmem_ptr(&temp_ptr, &tmp, buf)) ||
+		    (strlcpy(procs[i].nspace, temp_ptr,
+			     PMIXP_MAX_NSLEN + 1) > PMIXP_MAX_NSLEN)) {
 			PMIXP_ERROR("Cannot unpack namespace for process #%d",
 				    i);
 			return rc;
 		}
-		procs[i].nspace[tmp] = '\0';
 
 		unsigned int tmp;
 		rc = unpack32(&tmp, buf);
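Review bot: strlcpy() ignores the unpacked length `tmp` and measures `temp_ptr` up to the first NUL, so a field with no terminator inside its `tmp` bytes is read past its end. A NULL `temp_ptr` would also be dereferenced, if unpackmem_ptr() returns one for an empty field (not visible here). Check the field before copying, for example by adding `!temp_ptr || !tmp || temp_ptr[tmp - 1] != '\0' ||` in front of the strlcpy() test; this assumes the sender packs the terminator, which should be confirmed against the pack side. The identical loop in pmixp_coll_ring_unpack() needs the same check. The loop body continues past the end of this hunk.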