From patchwork Thu Sep 14 10:13:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 1834141 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.a=rsa-sha256 header.s=default header.b=J8pMHiKL; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=2620:52:3:1:0:246e:9693:128c; helo=server2.sourceware.org; envelope-from=libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org; receiver=patchwork.ozlabs.org) Received: from server2.sourceware.org (server2.sourceware.org [IPv6:2620:52:3:1:0:246e:9693:128c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RmY7K6nG3z1yh0 for ; Thu, 14 Sep 2023 20:13:33 +1000 (AEST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id DD56C3857704 for ; Thu, 14 Sep 2023 10:13:31 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DD56C3857704 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1694686411; bh=kSJkkT2pxKwDkIM9WqY0OIU1mUqDydCiq8saBaS9+EA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=J8pMHiKL/B2OmQJpICgF7EQn2MQcNUfl5kWACLZO6CDAHlLgF7ESq4VweFHdGF/6c BHOKnFFiJTBvG9DldgZj+sT8VHF2ft6pCureG0XttjGWg0V3Z8Gi+Iy2EMVOjAMVu3 h6CVxXVzIRVPDC4D4BouPAbAYZRH+21tiK6ZZtKQ= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from bird.elm.relay.mailchannels.net (bird.elm.relay.mailchannels.net [23.83.212.17]) by sourceware.org (Postfix) with ESMTPS id 474B4385841A for ; Thu, 14 Sep 2023 10:13:14 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 474B4385841A Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=sourceware.org Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 3D3DF813BE; Thu, 14 Sep 2023 10:13:13 +0000 (UTC) Received: from pdx1-sub0-mail-a209.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D52A78153D; Thu, 14 Sep 2023 10:13:12 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1694686392; a=rsa-sha256; cv=none; b=7f0FtL1Mnyin1c3uUpQy4u350LiCoTJdjyhIFgmlVLzXY2OsF13yAFHKUqug/pbdil6ue0 e0hc/K8ySXcA3cC28GM9POHGiZrPW5vNH8oQ1VSGOyqvnzrcEfKNdbDH+Z73wybdy0cITc RxUFyxTYgyCXfF3BuiNRo6xL12hUs6ERL6jFlVBfbFi/dtc7kcraRE96zpM5Vi28GU8yjm Gnd3uztaVe+80xXX/haizcjkGPA2oIVBnKrvzam8WE8NGTWjTRBNi4aioY8R1UBN0WPzFY 5L7FAQbgTUm0sH7Q2PY+HD/mgWWZHxT82ShWvSDAra8JJ734pYLInj/l43IrRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1694686392; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kSJkkT2pxKwDkIM9WqY0OIU1mUqDydCiq8saBaS9+EA=; b=vPAykWOwmrUtYsr8XOdczHijT//m56AF0mOfjlDG9/M+QmcbrquX6gh2+nGmmVZCS0XhKW sojSwZA3Bmd+aMJHfKMeM2WXXBLOrH9u4h94AEcfv/VPh8uqoN9L7hcrD8UgC0EHjnfFcm YKxTQcBXaa9mkaoLp1ExYR/1YKnx/RApJ0jfoSCJGVhxn9p7QX2hLa8bl7XSgbM30wimKN H1m+2S3kPXY5V5HqcAro8VafDsBaYgUdacWVhczxPypfrCj1QN2pzEfHmg/r8smKNDUoUP KsG+ufyokeem5xJ4XcKjKVPxCSSvTG+Nair63hYt3Yna+0OOa9ugITwKfciNIw== ARC-Authentication-Results: i=1; rspamd-7d5dc8fd68-t6t44; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MC-Copy: stored-urls X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Whimsical-Soft: 3497bbd9708f9d30_1694686393130_3797991151 X-MC-Loop-Signature: 1694686393130:374536395 X-MC-Ingress-Time: 1694686393130 Received: from pdx1-sub0-mail-a209.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.119.184.206 (trex/6.9.1); Thu, 14 Sep 2023 10:13:13 +0000 Received: from fedora.. (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a209.dreamhost.com (Postfix) with ESMTPSA id 4RmY6w2YmPzB0; Thu, 14 Sep 2023 03:13:12 -0700 (PDT) From: Siddhesh Poyarekar To: libc-alpha@sourceware.org Cc: schwab@suse.de, fweimer@redhat.com, carlos@redhat.com Subject: [PATCH v3] getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) Date: Thu, 14 Sep 2023 06:13:02 -0400 Message-ID: <20230914101302.3128752-1-siddhesh@sourceware.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230913173638.3067388-1-siddhesh@sourceware.org> References: <20230913173638.3067388-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-1171.9 required=5.0 tests=BAYES_00, GIT_PATCH_0, KAM_DMARC_NONE, KAM_DMARC_STATUS, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_SOFTFAIL, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+incoming=patchwork.ozlabs.org@sourceware.org When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar Tested-by: Carlos O'Donell Reviewed-by: Carlos O'Donell --- Changes from v2: - Added su to container script to make it explicit that the test runs as root. Changes from v1: - Auto-generated hosts in PREPARE of the test. - Added postclean.req nss/Makefile | 15 ++++- nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ nss/tst-nss-gai-hv2-canonname.h | 1 + .../postclean.req | 0 .../tst-nss-gai-hv2-canonname.script | 2 + sysdeps/posix/getaddrinfo.c | 26 +++++--- 7 files changed, 153 insertions(+), 10 deletions(-) create mode 100644 nss/nss_test_gai_hv2_canonname.c create mode 100644 nss/tst-nss-gai-hv2-canonname.c create mode 100644 nss/tst-nss-gai-hv2-canonname.h create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script diff --git a/nss/Makefile b/nss/Makefile index 06fcdc450f..8a5126ecf3 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -82,6 +82,7 @@ tests-container := \ tst-nss-test3 \ tst-reload1 \ tst-reload2 \ + tst-nss-gai-hv2-canonname \ # tests-container # Tests which need libdl @@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) ifeq ($(build-static-nss),yes) tests-static += tst-nss-static endif -extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os +extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os include ../Rules @@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver libof-nss_test1 = extramodules libof-nss_test2 = extramodules libof-nss_test_errno = extramodules +libof-nss_test_gai_hv2_canonname = extramodules $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) $(build-module) +$(objpfx)/libnss_test_gai_hv2_canonname.so: \ + $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) + $(build-module) $(objpfx)nss_test2.os : nss_test1.c # Use the nss_files suffix for these objects as well. $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so @@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ $(objpfx)/libnss_test_errno.so $(make-link) +$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_gai_hv2_canonname.so + $(make-link) $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ - $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) ifeq (yes,$(have-thread-library)) $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) @@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags +LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c new file mode 100644 index 0000000000..4439c83c9f --- /dev/null +++ b/nss/nss_test_gai_hv2_canonname.c @@ -0,0 +1,56 @@ +/* NSS service provider that only provides gethostbyname2_r. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include "nss/tst-nss-gai-hv2-canonname.h" + +/* Catch misnamed and functions. */ +#pragma GCC diagnostic error "-Wmissing-prototypes" +NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) + +extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, + struct hostent *, char *, + size_t, int *, int *); + +enum nss_status +_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, + struct hostent *result, + char *buffer, size_t buflen, + int *errnop, int *herrnop) +{ + return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, + herrnop); +} + +enum nss_status +_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, + size_t buflen, char **result, + int *errnop, int *h_errnop) +{ + /* We expect QUERYNAME, which is a small enough string that it shouldn't fail + the test. */ + if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) + || buflen < sizeof (QUERYNAME)) + abort (); + + strncpy (buffer, name, buflen); + *result = buffer; + return NSS_STATUS_SUCCESS; +} diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c new file mode 100644 index 0000000000..d5f10c07d6 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.c @@ -0,0 +1,63 @@ +/* Test NSS query path for plugins that only implement gethostbyname2 + (#30843). + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include "nss/tst-nss-gai-hv2-canonname.h" + +#define PREPARE do_prepare + +static void do_prepare (int a, char **av) +{ + FILE *hosts = xfopen ("/etc/hosts", "w"); + for (unsigned i = 2; i < 255; i++) + { + fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); + fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); + } + xfclose (hosts); +} + +static int +do_test (void) +{ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; + struct addrinfo *result = NULL; + + hints.ai_family = AF_INET6; + hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; + + int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); + + if (ret != 0) + FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); + + TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); + + freeaddrinfo(result); + return 0; +} + +#include diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h new file mode 100644 index 0000000000..14f2a9cb08 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.h @@ -0,0 +1 @@ +#define QUERYNAME "test.example.com" diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req new file mode 100644 index 0000000000..e69de29bb2 diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script new file mode 100644 index 0000000000..31848b4a28 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script @@ -0,0 +1,2 @@ +cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 +su diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 6ae6744fe4..eb5ba59dac 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -120,6 +120,7 @@ struct gaih_result { struct gaih_addrtuple *at; char *canon; + char *hname; bool free_at; bool got_ipv6; }; @@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) if (res->free_at) free (res->at); free (res->canon); + free (res->hname); memset (res, 0, sizeof (*res)); } @@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, return 0; } -/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name - is not copied, and the struct hostent object must not be deallocated - prematurely. The new addresses are appended to the tuple array in RES. */ +/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new + addresses are appended to the tuple array in RES. */ static bool convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, struct hostent *h, struct gaih_result *res) @@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, res->at = array; res->free_at = true; + /* Duplicate h_name because it may get reclaimed when the underlying storage + is freed. */ + if (res->hname == NULL) + { + res->hname = __strdup (h->h_name); + if (res->hname == NULL) + return false; + } + /* Update the next pointers on reallocation. */ for (size_t i = 0; i < old; i++) array[i].next = array + i + 1; @@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, } array[i].next = array + i + 1; } - array[0].name = h->h_name; array[count - 1].next = NULL; return true; @@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, memory allocation failure. The returned string is allocated on the heap; the caller has to free it. */ static char * -getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) +getcanonname (nss_action_list nip, const char *hname, const char *name) { nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); char *s = (char *) name; if (cfct != NULL) { char buf[256]; - if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), - &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) + if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, + &h_errno)) != NSS_STATUS_SUCCESS) /* If the canonical name cannot be determined, use the passed string. */ s = (char *) name; @@ -740,6 +749,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, } no_inet6_data = no_data; inet6_status = status; + } if (req->ai_family == AF_INET || req->ai_family == AF_UNSPEC @@ -771,7 +781,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, if ((req->ai_flags & AI_CANONNAME) != 0 && res->canon == NULL) { - char *canonbuf = getcanonname (nip, res->at, name); + char *canonbuf = getcanonname (nip, res->hname, name); if (canonbuf == NULL) { __resolv_context_put (res_ctx);