[Bug nscd/27462] New: double-free in nscd

[Bug nscd/27462] New: double-free in nscd

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

            Bug ID: 27462
           Summary: double-free in nscd
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: siddhesh at sourceware dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The following upstream patch:

commit 745664bd798ec8fd50438605948eea594179fba1
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 28 13:19:27 2018 +0200

    nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]

    addinnetgrX may use the heap-allocated buffer, so free the buffer
    in this function.

introduced a double free bug because reference to an already freed object may
escape into tofree.  The worst case impact is an nscd crash (and hence DoS) due
to the double free.  The freed object does not get used anywhere, so there's no
use-after-free.

Here's a potential (untested) fix proposed by Carlos O'Donell.


diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index dba6ceec1b..ad2daddafd 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
request_header *req,
                                             : NULL);
                                    ndomain = (ndomain ? newbuf + ndomaindiff
                                               : NULL);
-                                   buffer = newbuf;
+                                   *tofreep = buffer = newbuf;
                                  }

                                nhost = memcpy (buffer + bufused,
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
request_header *req,
                    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
                      {
                        buflen *= 2;
-                       buffer = xrealloc (buffer, buflen);
+                       *tofreep = buffer = xrealloc (buffer, buflen);
                      }
                    else if (status == NSS_STATUS_RETURN
                             || status == NSS_STATUS_NOTFOUND
---

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2021-27645
            Summary|double-free in nscd         |double-free in nscd
                   |                            |(CVE-2021-27645)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[carnil at debian dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carnil at debian dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |dj at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[crushor at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

crushor at hotmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |crushor at hotmail dot com

--- Comment #1 from crushor at hotmail dot com ---
accoring to xrealloc manual
   If there is not enough memory in the memory pool to satisfy the memory
request, a null pointer is returned and the original memory block is not
affected.

so , is it safety which using return value of xrealloc without checking?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[dj at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

--- Comment #2 from dj at redhat dot com <dj at redhat dot com> ---
You're reading the documentation for realloc, not xrealloc.  xrealloc cannot
return NULL.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[crushor at hotmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

--- Comment #3 from crushor at hotmail dot com ---
(In reply to dj@redhat.com from comment #2)
> You're reading the documentation for realloc, not xrealloc.  xrealloc cannot
> return NULL.

sure, you are right.

by the way , another question is: why redhat assigns a 7.5 score for it ?
AC is network, and AI is high. 

nscd provides caching for accesses of the passwd(5), group(5),
       hosts(5) services(5) and netgroup databases through standard libc
       interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3),
       getgrgid(3), gethostbyname(3), and others.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

--- Comment #4 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to crushor from comment #3)
> (In reply to dj@redhat.com from comment #2)
> > You're reading the documentation for realloc, not xrealloc.  xrealloc cannot
> > return NULL.
> 
> sure, you are right.
> 
> by the way , another question is: why redhat assigns a 7.5 score for it ?
> AC is network, and AI is high. 

IMO the score is incorrect because at least:

- AV should be local because nscd doesn't listen on remote requests.

- AC should be high since it is constrained by needing a netgroup request to
have a response larger than 1K to cause the double-free crash

- A (availability impact) is low since nscd crashing (the freed pointer is not
used anywhere in the code path, so there's no UAF) will merely cause a direct
request to authentication servers and incur a performance penalty, it won't be
a full on denial of service.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nscd/27462] double-free in nscd (CVE-2021-27645)

[siddhesh at sourceware dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.34

--- Comment #5 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673

commit dca565886b5e8bd7966e15f0ca42ee5cff686673
Author: DJ Delorie <dj@redhat.com>
Date:   Thu Feb 25 16:08:21 2021 -0500

    nscd: Fix double free in netgroupcache [BZ #27462]

    In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
    was fixed, but this led to an occasional double-free.  This patch
    tracks the "live" allocation better.

    Tested manually by a third party.

    Related: RHBZ 1927877

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

-- 
You are receiving this mail because:
You are on the CC list for the bug.