From patchwork Mon Oct 19 11:12:55 2015
X-Patchwork-Submitter: Aurelien Jarno
X-Patchwork-Id: 532228
From: Aurelien Jarno
To: libc-alpha@sourceware.org
Cc: Florian Weimer
Subject: [COMMITTED 2.21] CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
Date: Mon, 19 Oct 2015 13:12:55 +0200
Message-Id: <1445253175-14646-1-git-send-email-aurelien@aurel32.net>

From: Florian Weimer

Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests.  We eventually tracked this down to a
glibc issue.

Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:

…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
…

The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
supposed to skip closing the input file if it was already open.

  /* Reset file pointer to beginning or open file. */ \
  status = internal_setent (keep_stream); \
  \
  if (status == NSS_STATUS_SUCCESS) \
    { \
      /* Tell getent function that we have repositioned the file pointer. */ \
      last_use = getby; \
  \
      while ((status = internal_getent (result, buffer, buflen, errnop \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE)) \
             == NSS_STATUS_SUCCESS) \
        { break_if_match } \
  \
      if (! keep_stream) \
        internal_endent (); \
    } \

keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:

  status = internal_setent (stayopen);

However, for non-host databases, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.

Thus, the fix is this:

-  status = internal_setent (stayopen);
+  status = internal_setent (1);

This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.

(cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55) Conflicts: ChangeLog NEWS --- ChangeLog | 8 ++++ NEWS | 7 ++- nss/Makefile | 2 +- nss/nss_files/files-XXX.c | 2 +- nss/tst-nss-getpwent.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 134 insertions(+), 3 deletions(-) create mode 100644 nss/tst-nss-getpwent.c diff --git a/ChangeLog b/ChangeLog index 9aa8f51..debdd21 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2015-04-29 Florian Weimer + + [BZ #18007] + * nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen. + (CVE-2014-8121) + * nss/tst-nss-getpwent.c: New file. + * nss/Makefile (tests): Add new test. + 2015-08-28 Mike Frysinger [BZ #18887] diff --git a/NEWS b/NEWS index 52116d5..3014c08 100644 --- a/NEWS +++ b/NEWS @@ -9,7 +9,7 @@ Version 2.21.1 * The following bugs are resolved with this release: - 17269, 17949, 18032, 18287, 18694, 18887. + 17269, 17949, 18007, 18032, 18287, 18694, 18887. * A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a @@ -21,6 +21,11 @@ Version 2.21.1 * The 32-bit sparc sigaction ABI was inadvertently broken in the 2.20 and 2.21 releases. It has been fixed to match 2.19 and older, but binaries built against 2.20 and 2.21 might need to be recompiled. See BZ#18694. + +* CVE-2014-8121 The NSS files backend would reset the file pointer used by + the get*ent functions if any of the query functions for the same database + are used during the iteration, causing a denial-of-service condition in + some applications. Version 2.21 diff --git a/nss/Makefile b/nss/Makefile index d419baf..dc351dd 100644 --- a/nss/Makefile +++ b/nss/Makefile 
@@ -39,7 +39,7 @@ install-bin := getent makedb makedb-modules = xmalloc hash-string extra-objs += $(makedb-modules:=.o) -tests = test-netdb tst-nss-test1 test-digits-dots +tests = test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent xtests = bug-erange # Specify rules for the nss_* modules. We have some services. diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c index a7a45e5..a7ce5ea 100644 --- a/nss/nss_files/files-XXX.c +++ b/nss/nss_files/files-XXX.c @@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen) __libc_lock_lock (lock); - status = internal_setent (stayopen); + status = internal_setent (1); if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0) { diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c new file mode 100644 index 0000000..f2e8abc --- /dev/null +++ b/nss/tst-nss-getpwent.c 
@@ -0,0 +1,118 @@ +/* Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include + +int +do_test (void) +{ + /* Count the number of entries in the password database, and fetch + data from the first and last entries. */ + size_t count = 0; + struct passwd * pw; + char *first_name = NULL; + uid_t first_uid = 0; + char *last_name = NULL; + uid_t last_uid = 0; + setpwent (); + while ((pw = getpwent ()) != NULL) + { + if (first_name == NULL) + { + first_name = strdup (pw->pw_name); + if (first_name == NULL) + { + printf ("strdup: %m\n"); + return 1; + } + first_uid = pw->pw_uid; + } + + free (last_name); + last_name = strdup (pw->pw_name); + if (last_name == NULL) + { + printf ("strdup: %m\n"); + return 1; + } + last_uid = pw->pw_uid; + ++count; + } + endpwent (); + + if (count == 0) + { + printf ("No entries in the password database.\n"); + return 0; + } + + /* Try again, this time interleaving with name-based and UID-based + lookup operations. The counts do not match if the interleaved + lookups affected the enumeration. 
*/ + size_t new_count = 0; + setpwent (); + while ((pw = getpwent ()) != NULL) + { + if (new_count == count) + { + printf ("Additional entry in the password database.\n"); + return 1; + } + ++new_count; + struct passwd *pw2 = getpwnam (first_name); + if (pw2 == NULL) + { + printf ("getpwnam (%s) failed: %m\n", first_name); + return 1; + } + pw2 = getpwnam (last_name); + if (pw2 == NULL) + { + printf ("getpwnam (%s) failed: %m\n", last_name); + return 1; + } + pw2 = getpwuid (first_uid); + if (pw2 == NULL) + { + printf ("getpwuid (%llu) failed: %m\n", + (unsigned long long) first_uid); + return 1; + } + pw2 = getpwuid (last_uid); + if (pw2 == NULL) + { + printf ("getpwuid (%llu) failed: %m\n", + (unsigned long long) last_uid); + return 1; + } + } + endpwent (); + if (new_count < count) + { + printf ("Missing entry in the password database.\n"); + return 1; + } + + return 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c"
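
Review bot: In nss/nss_files/files-XXX.c, the new call in CONCAT(_nss_files_set,ENTNAME) passes a bare literal, `internal_setent (1)`, while the function still takes `int stayopen`, which the visible lines no longer use. A one-line comment at the call would help: state that the stream is kept open on purpose so the by-key lookup functions do not close and reopen the file in the middle of a get*ent iteration (CVE-2014-8121, BZ #18007), and that the caller's stayopen value is deliberately ignored. Without that, a later cleanup could easily pass the parameter through again and bring the loop back.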
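
Review bot: In nss/tst-nss-getpwent.c, do_test returns 0 when `count == 0`, so an empty password database is reported as a pass even though the interleaved-lookup loop never ran. Nothing in the visible lines selects the files service either, so on a host where passwd lookups are served by another NSS backend the test does not exercise the code changed in files-XXX.c. Consider pinning the service (other glibc NSS tests call __nss_configure_lookup for this) and reporting the empty case distinctly from success. Smaller points: the error returns inside the second loop skip `endpwent ()`, and first_name and last_name are never freed before do_test returns.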