From patchwork Fri Aug 28 20:59:01 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aurelien Jarno X-Patchwork-Id: 512035 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4825C140319 for ; Sat, 29 Aug 2015 06:59:16 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b=kQkxJct+; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; q=dns; s= default; b=DnetQJf2nxh4loRM1UBJ5AWX3g1OEAp5XD5J6+VyvsGCFgUVQjL6e mGeBB9JL16rsVyF2ckwtuZnn5I5YW4kvI0GBIyKdLB4j07p3jrl5aI6v4hZRn5KM 48bDl0NH/VPTNHmZoQthvsRXOD2BsV7RCT8aUlPGUZ5+bThVF9wMdU= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; s=default; bh=p30cBCQpRzNab92Vg4YzZWY3WYk=; b=kQkxJct+GXot0CGKnEjwHsdQGVEW kHryCePukQ39QvpT0zpuvwSoi//XG+EpflVAopemeg78Llr33FMyjzBXIvLPMtDn BzIiROFGvW3nBo9mjGcTw0P1Z/g04QSQLR6RN3TSwf717kh+xuOWI2qw3MkMqkzR mW5rcpZ7dMNO22o= Received: (qmail 89173 invoked by alias); 28 Aug 2015 20:59:09 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 89160 invoked by uid 89); 28 Aug 2015 20:59:09 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.3 required=5.0 tests=BAYES_00, KAM_LAZY_DOMAIN_SECURITY, RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: hall.aurel32.net From: Aurelien Jarno To: libc-alpha@sourceware.org Cc: Arjun Shankar Subject: [COMMITTED 2.19] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287] Date: Fri, 28 Aug 2015 22:59:01 +0200 Message-Id: <1440795541-14843-1-git-send-email-aurelien@aurel32.net> From: Arjun Shankar (cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3) --- ChangeLog | 6 ++++++ NEWS | 10 +++++++++- resolv/nss_dns/dns-host.c | 3 ++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b88cd04..0eb6c3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2014-12-11 Andreas Schwab [BZ #16657] diff --git a/NEWS b/NEWS index 6f240cd..7f9388f 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,15 @@ Version 2.19.1 * The following bugs are resolved with this release: 15946, 16545, 16574, 16623, 16657, 16695, 16878, 16882, 16885, 16916, - 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555. + 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555, + 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) * Reverted change of ABI data structures for s390 and s390x: On s390 and s390x the size of struct ucontext and jmp_buf was increased in diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f0b4b17..f36d28b 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0)) + buflen = buflen > pad ? buflen - pad : 0; + if (__builtin_expect (buflen < sizeof (struct host_data), 0)) { /* The buffer is too small. */ too_small: