From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun.is@lostca.se>
Date: Tue, 21 Apr 2015 14:06:31 +0200
Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
[BZ#18287]
---
ChangeLog | 6 ++++++
NEWS | 9 ++++++++-
resolv/nss_dns/dns-host.c | 3 ++-
3 files changed, 16 insertions(+), 2 deletions(-)
@@ -1,3 +1,9 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
2015-04-20 Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nptl/pthread_cond_timedwait.c: Change include bits/libc-vdso.h to just
@@ -16,7 +16,14 @@ Version 2.22
17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029,
18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068,
18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197,
- 18206, 18210, 18211, 18247.
+ 18206, 18210, 18211, 18247, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
* A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
for LD and GD on x86 and x86-64, has been implemented. You will need
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
{
/* The buffer is too small. */
too_small:
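Review bot: The pointer adjustment `buffer += pad;` on the line before the new clamp still runs unconditionally, so when `buflen < pad` the function briefly holds a pointer past the end of the caller's buffer before the `too_small` path rejects it; nothing in the hunk dereferences it on that path, but checking `buflen < pad` before adjusting (or computing the clamped length first and only then advancing `buffer`) would keep the pointer arithmetic inside the object. The clamp also deserves a comment, since the later code that relies on `buflen` describing the space at the aligned pointer lies outside this hunk: `/* BUFFER was advanced by PAD bytes to align it; shrink BUFLEN by the same amount so it still describes the space available at BUFFER.  */`. The diffstat lists only ChangeLog, NEWS and dns-host.c, so no regression test exercising a misaligned buffer accompanies the fix. getanswer_r's body starts and ends outside the hunk.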
--
2.1.0