Report vulnerability


u...@curv.co

Aug 21, 2019, 6:18:58 AM
to grpc.io
Hi,

Our team has recently discovered a Null Pointer Dereference security vulnerability in gRPC.

How do we disclose it and open a CVE?

Thanks!

Srini Polavarapu

Aug 21, 2019, 12:42:25 PM
to u...@curv.co, grpc.io
Hi,

Thanks for reaching out. Please follow the CVE process here: https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md

Thanks.

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/850291a3-0eef-4455-8748-1cacb3a2ceda%40googlegroups.com.

jian...@google.com

Aug 21, 2019, 12:50:18 PM
to grpc.io
Thank you very much for keeping us in the loop.

Could you please email detailed vulnerabilities to the private grpc-s...@googlegroups.com list? Production security engineers will evaluate the vulnerability within 3 workdays.


Thanks,
Jiangtao

Uri Eden

Aug 25, 2019, 9:18:57 AM
to jian...@google.com, grpc.io, grpc-s...@googlegroups.com, Lev Pachmanov

Hi,

Below please find the details of the vulnerability with an open PR - https://github.com/grpc/grpc/pull/19766 found by our system architect – Lev Pachmanov (CC’d).

The problem is in the src/core/lib/iomgr/tcp_server_custom.cc: tcp_server_add_port

When the initializing of the socket object fails:

  grpc_custom_socket_vtable->init(socket, family);

The error value is not checked, causing a reference to an invalid pointer later in add_socket_to_server.

We encountered this scenario running on a platform where getaddrinfo returns an IPv6 address while socket(AF_INET6, …) returns EAFNOSUPPORT.

This vulnerability might be exploited using common null pointer dereferences.

Hope this helps.

Uri + Lev

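The pattern described in the report above, as an added example that is not part of the thread and is not gRPC source: a simplified C model of an init call whose error is dropped, next to the form that checks it before the socket is used. All type and function names here are hypothetical, and the "platform" is a constructed stand-in that fails IPv6 init with EAFNOSUPPORT.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified model, not gRPC source. All names are hypothetical. */
typedef struct { int fd; } impl_t;
typedef struct { impl_t *impl; } sock_t;   /* impl stays NULL if init fails */
enum { FAM_V4 = 4, FAM_V6 = 6 };

/* Constructed stand-in for a platform where the resolver returns an IPv6
 * address but creating an IPv6 socket fails with EAFNOSUPPORT. */
static int model_init(sock_t *s, int family) {
    if (family == FAM_V6) return EAFNOSUPPORT;
    s->impl = malloc(sizeof *s->impl);
    if (s->impl == NULL) return ENOMEM;
    s->impl->fd = 3;                       /* constructed descriptor value */
    return 0;
}

/* Later step that assumes init succeeded and dereferences impl. */
static int model_attach(sock_t *s) { return s->impl->fd; }

/* Unchecked form: the init result is dropped, so a failed init reaches
 * model_attach with impl == NULL. Shown for contrast; never called here. */
int add_port_unchecked(int family) {
    sock_t *s = calloc(1, sizeof *s);
    if (s == NULL) return -ENOMEM;
    model_init(s, family);
    int fd = model_attach(s);
    free(s->impl);
    free(s);
    return fd;
}

/* Checked form: stop at the failing init, release the socket object and
 * report the error to the caller as a negative errno value. */
int add_port_checked(int family) {
    sock_t *s = calloc(1, sizeof *s);
    if (s == NULL) return -ENOMEM;
    int err = model_init(s, family);
    if (err != 0) { free(s); return -err; }
    int fd = model_attach(s);
    free(s->impl);
    free(s);
    return fd;
}

int main(void) {
    return (add_port_checked(FAM_V4) == 3 &&
            add_port_checked(FAM_V6) == -EAFNOSUPPORT) ? 0 : 1;
}
```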

Jiangtao Li

Aug 26, 2019, 11:55:44 AM
to Uri Eden, grpc.io, grpc-s...@googlegroups.com, Lev Pachmanov
Uri and Lev,

Thank you very much for reporting and pull requests! I have approved the PR. We will evaluate the impact of this vulnerability. 

Thanks,
Jiangtao

Uri Eden

Sep 4, 2019, 7:46:26 AM
to Jiangtao Li, grpc.io, grpc-s...@googlegroups.com, Lev Pachmanov

Hi Jiangtao,

Wanted to follow up and see if you had a chance to evaluate the impact and if a CVE will be opened.

Thanks,

Uri
