From patchwork Fri Sep 22 17:11:58 2023
X-Patchwork-Submitter: Romain Geissler
X-Patchwork-Id: 1838390
From: Romain Geissler
Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806.
Date: Fri, 22 Sep 2023 17:11:58 +0000
Message-ID: <20230922171157.65-1-romain.geissler@amadeus.com>

This patch fixes a very recently added leak in getaddrinfo (which was backported on release branches too). I didn't spend much more than 5 minutes on investigating the code to end up with this patch, so it may be wrong.
Quickly testing it on my side, it seems to work for me, but it definitely needs review from people who actually know this part of the code ;)

Running a stripped down version of the newly added test
nss/nss_test_gai_hv2_canonname.c with valgrind results in exposure of the leak:

> cat test.c
#include <netdb.h>       /* getaddrinfo, freeaddrinfo, struct addrinfo, AI_* */
#include <stddef.h>      /* NULL */
#include <sys/socket.h>  /* AF_INET6 */
#include <unistd.h>      /* gethostname */

int main()
{
    char aHostName[256];
    gethostname(aHostName,255);

    struct addrinfo hints = {};
    struct addrinfo *result = NULL;

    hints.ai_family = AF_INET6;
    hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;

    int ret = getaddrinfo(aHostName, NULL, &hints, &result);
    if (ret != 0)
        return 1;

    freeaddrinfo(result);
    return 0;
}

> /opt/1A/toolchain/x86_64-v19/bin/gcc -g -o test test.c
> /opt/1A/toolchain/x86_64-v19/build-pack/default/bin/valgrind --leak-check=full ./test
... (snapped)
==68017== 37 bytes in 1 blocks are definitely lost in loss record 1 of 1
==68017==    at 0x4840745: malloc (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/build-pack/19.0.81.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==68017==    by 0x48E7CDA: strdup (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6)
==68017==    by 0x4936582: convert_hostent_to_gaih_addrtuple.isra.0 (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6)
==68017==    by 0x4936787: gethosts (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6)
==68017==    by 0x4938F37: getaddrinfo (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6)
==68017==    by 0x4011A5: main (test.c:17)
... (snapped)

Reviewed-by: DJ Delorie
--- sysdeps/posix/getaddrinfo.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index b4e8ea3880a..5f5bc3fd51f 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -1199,6 +1199,7 @@ free_and_return: if (res.free_at) free (res.at); free (res.canon); + free (res.h_name); return result; }
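
Review bot: the added `free (res.h_name);` in `free_and_return` comes directly after `free (res.canon);`, so it is only safe if no exit path leaves both fields pointing at the same allocation. The valgrind trace in the commit message shows the leaked block coming from `strdup` under `convert_hostent_to_gaih_addrtuple`; please confirm that wherever ownership of that string is handed over to another field, `res.h_name` is reset to NULL, because otherwise this change would replace the leak with a double free on that path. The commit message should state which field owns the string on each exit path rather than "it may be wrong", and since the reproducer is a stripped-down copy of the new nss test, running that test under a leak checker as part of the test suite would catch a regression here.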