public inbox for glibc-bugs@sourceware.org
* [Bug nscd/16474] New: nscd accesses freed memory on netgroup query
@ 2014-01-21 17:21 siddhesh at redhat dot com
  2014-01-24  8:58 ` [Bug nscd/16474] " cvs-commit at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: siddhesh at redhat dot com @ 2014-01-21 17:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=16474

            Bug ID: 16474
           Summary: nscd accesses freed memory on netgroup query
           Product: glibc
           Version: 2.18
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: siddhesh at redhat dot com
          Reporter: siddhesh at redhat dot com
                CC: drepper.fsp at gmail dot com

nscd accesses freed memory on netgroup query when there are a large number of
entries in a netgroup.  This is easily seen by running nscd under valgrind.

How Reproducible:

Always

Steps to Reproduce:

1. Add a group (foo_long) with a large number of members (>1000)
2. valgrind nscd -d
3. getent netgroup foo_long

Actual Results:

==1802== Invalid read of size 1
==1802==    at 0x4C2E640: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1802==    by 0x1250CF: addgetnetgrentX (string3.h:51)
==1802==    by 0x126D2D: addgetnetgrent (netgroupcache.c:646)
==1802==    by 0x110C8C: nscd_run_worker (connections.c:1339)
==1802==    by 0x4E3C172: start_thread (pthread_create.c:309)
==1802==    by 0x59B737C: clone (clone.S:111)
==1802==  Address 0x655b8e8 is 968 bytes inside a block of size 1,024 free'd
==1802==    at 0x4C2C3AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1802==    by 0x11C29D: xrealloc (xmalloc.c:107)
==1802==    by 0x125532: addgetnetgrentX (netgroupcache.c:245)
==1802==    by 0x126D2D: addgetnetgrent (netgroupcache.c:646)
==1802==    by 0x110C8C: nscd_run_worker (connections.c:1339)
==1802==    by 0x4E3C172: start_thread (pthread_create.c:309)
==1802==    by 0x59B737C: clone (clone.S:111)
==1802==
==1802== Invalid read of size 1
==1802==    at 0x4C2E64E: memcpy@@GLIBC_2.14 (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1802==    by 0x1250CF: addgetnetgrentX (string3.h:51)
==1802==    by 0x126D2D: addgetnetgrent (netgroupcache.c:646)
==1802==    by 0x110C8C: nscd_run_worker (connections.c:1339)
==1802==    by 0x4E3C172: start_thread (pthread_create.c:309)
==1802==    by 0x59B737C: clone (clone.S:111)
==1802==  Address 0x655b8ea is 970 bytes inside a block of size 1,024 free'd
==1802==    at 0x4C2C3AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1802==    by 0x11C29D: xrealloc (xmalloc.c:107)
==1802==    by 0x125532: addgetnetgrentX (netgroupcache.c:245)
==1802==    by 0x126D2D: addgetnetgrent (netgroupcache.c:646)
==1802==    by 0x110C8C: nscd_run_worker (connections.c:1339)
==1802==    by 0x4E3C172: start_thread (pthread_create.c:309)
==1802==    by 0x59B737C: clone (clone.S:111)

Expected Results:

No warnings.

Fix coming up.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug nscd/16474] nscd accesses freed memory on netgroup query
From: cvs-commit at gcc dot gnu.org @ 2014-01-24  8:58 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=16474

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  5d41dadf31bc8a2f9c34c40d52a442d3794e405c (commit)
      from  0bad441c77fa4ff382dd3990542dcf52052b2121 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5d41dadf31bc8a2f9c34c40d52a442d3794e405c

commit 5d41dadf31bc8a2f9c34c40d52a442d3794e405c
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Fri Jan 24 13:51:15 2014 +0530

    Adjust pointers to triplets in netgroup query data (BZ #16474)

    The _nss_*_getnetgrent_r query populates the netgroup results in the
    allocated buffer and then sets the result triplet to point to strings
    in the buffer.  This is a problem when the buffer is reallocated since
    the pointers to the triplet strings are no longer valid.  The pointers
    need to be adjusted so that they now point to strings in the
    reallocated buffer.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog            |    6 ++++++
 NEWS                 |    2 +-
 nscd/netgroupcache.c |   12 +++++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)

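The pointer adjustment that the commit message above describes, as an added example that is not part of the original thread and is not the glibc patch. The `triplet` struct, `grow_and_rebase` and `rebase_demo` are hypothetical names, and the sample strings are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a netgroup (host,user,domain) result whose
   members point into a caller-owned buffer; not the glibc structure. */
struct triplet { const char *host, *user, *domain; };

#define NO_OFF ((size_t) -1)   /* offset recorded for a NULL member */

static size_t to_off(const char *p, const char *base)
{ return p ? (size_t) (p - base) : NO_OFF; }

static const char *from_off(size_t off, const char *base)
{ return off == NO_OFF ? NULL : base + off; }

/* Grow *bufp to newlen and rebase the triplet into the new block.
   Offsets are taken before realloc; afterwards the old pointers are
   dangling.  Returns 0, or -1 on failure (nothing is changed). */
int grow_and_rebase(char **bufp, size_t newlen, struct triplet *t)
{
    size_t h = to_off(t->host, *bufp);
    size_t u = to_off(t->user, *bufp);
    size_t d = to_off(t->domain, *bufp);
    char *nb = realloc(*bufp, newlen);
    if (nb == NULL) return -1;
    *bufp = nb;
    t->host = from_off(h, nb);
    t->user = from_off(u, nb);
    t->domain = from_off(d, nb);
    return 0;
}

/* Constructed sample: one triplet with a NULL user, buffer grown from
   32 bytes to 1 MiB.  Returns 1 if the members still resolve correctly. */
int rebase_demo(void)
{
    char *buf = malloc(32);
    if (buf == NULL) return 0;
    memcpy(buf, "host1\0example.org", 18);   /* two strings, back to back */
    struct triplet t = { buf, NULL, buf + 6 };
    if (grow_and_rebase(&buf, 1 << 20, &t) != 0) { free(buf); return 0; }
    int ok = t.host == buf && t.user == NULL && t.domain == buf + 6
             && strcmp(t.host, "host1") == 0
             && strcmp(t.domain, "example.org") == 0;
    free(buf);
    return ok;
}

int main(void) { return rebase_demo() ? 0 : 1; }
```

Running the same program under valgrind with the rebase step removed reproduces the class of "Invalid read ... inside a block ... free'd" report shown in the original bug description.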

* [Bug nscd/16474] nscd accesses freed memory on netgroup query
From: siddhesh at redhat dot com @ 2014-01-24  8:59 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=16474

Siddhesh Poyarekar <siddhesh at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Siddhesh Poyarekar <siddhesh at redhat dot com> ---
Fixed in master.


* [Bug nscd/16474] nscd accesses freed memory on netgroup query
From: fweimer at redhat dot com @ 2014-06-13  8:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=16474

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+

