From patchwork Tue Apr 21 12:51:39 2015
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 463111
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 71727 invoked by uid 89); 21 Apr 2015
12:51:43 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.8 required=5.0 tests=AWL, BAYES_00, SPF_HELO_PASS, SPF_PASS, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com Message-ID: <553647DB.9050107@redhat.com> Date: Tue, 21 Apr 2015 14:51:39 +0200 From: Florian Weimer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: GNU C Library Subject: [PATCH COMMITTED] Fix CVE-2015-1781: buffer overflow in nss_dns [BZ#18287] This was reviewed off-list. From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001 From: Arjun Shankar Date: Tue, 21 Apr 2015 14:06:31 +0200 Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287] --- ChangeLog | 6 ++++++ NEWS | 9 ++++++++- resolv/nss_dns/dns-host.c | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7c3e625..26dcfc7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2015-04-20 Adhemerval Zanella * nptl/pthread_cond_timedwait.c: Change include bits/libc-vdso.h to just diff --git a/NEWS b/NEWS index 2bbd6a3..ccc4d13 100644 --- a/NEWS +++ b/NEWS 
@@ -16,7 +16,14 @@ Version 2.22 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197, - 18206, 18210, 18211, 18247. + 18206, 18210, 18211, 18247, 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) * A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors for LD and GD on x86 and x86-64, has been implemented. You will need diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index b16b0dd..d8c5579 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) + buflen = buflen > pad ? buflen - pad : 0; + if (__glibc_unlikely (buflen < sizeof (struct host_data))) { /* The buffer is too small. */ too_small: -- 2.1.0
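Review bot: in the NEWS hunk, the commas in "This could result in application crashes or, potentially arbitrary code execution, using crafted, but syntactically valid DNS responses" are misplaced and make the sentence hard to parse; suggest "This could result in application crashes or potentially arbitrary code execution using crafted but syntactically valid DNS responses."

Review bot: in the resolv/nss_dns/dns-host.c hunk, the new line `buflen = buflen > pad ? buflen - pad : 0;` would benefit from a short comment stating that buflen must shrink by the same `pad` that `buffer += pad;` consumed: the removed check `buflen < sizeof (struct host_data) + pad` only folded the padding into this one comparison and left buflen itself unadjusted, which is the mismatch the NEWS entry describes. The clamp to 0 rather than a bare `buflen - pad` is what keeps a buffer shorter than the padding from wrapping around and slipping past the `buflen < sizeof (struct host_data)` test into the normal path instead of `too_small`; that is worth saying in the comment so the ternary is not later "simplified" away.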