public inbox for glibc-bugs@sourceware.org
* [Bug nscd/27462] New: double-free in nscd
From: siddhesh at sourceware dot org @ 2021-02-24 7:46 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Bug ID: 27462
Summary: double-free in nscd
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: nscd
Assignee: unassigned at sourceware dot org
Reporter: siddhesh at sourceware dot org
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security+
The following upstream patch:
commit 745664bd798ec8fd50438605948eea594179fba1
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 28 13:19:27 2018 +0200
nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]
addinnetgrX may use the heap-allocated buffer, so free the buffer
in this function.
introduced a double free bug because a reference to an already freed object may
escape into tofree. The worst case impact is an nscd crash (and hence DoS) due
to the double free. The freed object does not get used anywhere, so there's no
use-after-free.
Here's a potential (untested) fix proposed by Carlos O'Donell.
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index dba6ceec1b..ad2daddafd 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
request_header *req,
: NULL);
ndomain = (ndomain ? newbuf + ndomaindiff
: NULL);
- buffer = newbuf;
+ *tofreep = buffer = newbuf;
}
nhost = memcpy (buffer + bufused,
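Review bot: the `@@` header shows only the first line of addgetnetgrentX's signature, so the hunk does not establish that `tofreep` is a parameter in scope at `*tofreep = buffer = newbuf;`; confirm it is, and say so in the commit message, since the whole fix rests on the caller freeing exactly what `*tofreep` names. The report also marks the patch as untested: a netgroup request whose response exceeds the initial buffer (the "larger than 1K" condition named later in this thread) exercises this path and should be run under a malloc debugger before the change lands.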
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd,
request_header *req,
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
{
buflen *= 2;
- buffer = xrealloc (buffer, buflen);
+ *tofreep = buffer = xrealloc (buffer, buflen);
}
else if (status == NSS_STATUS_RETURN
|| status == NSS_STATUS_NOTFOUND
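Review bot: the combined assignment `*tofreep = buffer = xrealloc (buffer, buflen);` is only correct because xrealloc aborts rather than returning NULL (as comment #2 in this thread states); with plain realloc a NULL return would set both `buffer` and `*tofreep` to NULL and leak the old block, so a one-line comment at this site stating the xrealloc contract would stop a later reader from "fixing" it into the leaking form. Both hunks now refresh `*tofreep` on the newbuf path and the xrealloc path; any other reassignment of `buffer` in this function needs the same treatment, which the diff context cannot show.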
---
--
You are receiving this mail because:
You are on the CC list for the bug.
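The stale-pointer pattern the report describes, as an added C model that is not glibc's code: a worker grows its buffer while reporting the live allocation through `tofreep`, the way the hunks above do, and a caller-side check tells whether the pointer the caller would free is still the live block. `fill`, `grow`, `xmalloc`, `INITIAL_LEN` and `caller_pointer_is_live` are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define INITIAL_LEN 1024   /* hypothetical starting size, not glibc's value */

static void *xmalloc(size_t n)          /* like glibc's: never returns NULL */
{
  void *p = malloc(n);
  if (p == NULL)
    abort();
  return p;
}

/* Double the buffer the way the first hunk does: new block, copy, free old. */
static char *grow(char *buffer, size_t oldlen)
{
  char *newbuf = memcpy(xmalloc(oldlen * 2), buffer, oldlen);
  free(buffer);                         /* the old block is dead from here on */
  return newbuf;
}

/* Model of the worker; 'tofreep' is the caller's record of what to free.
   apply_fix false: buffer is replaced but *tofreep still names the freed
   block (the report's defect).  apply_fix true: the thread's patch. */
static char *fill(size_t need, bool apply_fix, void **tofreep)
{
  size_t buflen = INITIAL_LEN;
  char *buffer = xmalloc(buflen);
  *tofreep = buffer;
  while (buflen < need) {
    if (apply_fix)
      *tofreep = buffer = grow(buffer, buflen);   /* track the live block */
    else
      buffer = grow(buffer, buflen);              /* *tofreep goes stale */
    buflen *= 2;
  }
  return buffer;
}

/* Caller-side check: true when the pointer the caller would free is the live
   buffer; false means free(*tofreep) would release a block grow() already
   freed, which is the double free from the report. */
static bool caller_pointer_is_live(size_t need, bool apply_fix)
{
  void *tofree = NULL;
  char *live = fill(need, apply_fix, &tofree);
  bool ok = (uintptr_t) tofree == (uintptr_t) live;
  free(live);                           /* release the live block exactly once */
  return ok;
}
```

Because the new block is allocated while the old one is still live, the two addresses always differ, so the check is deterministic without ever performing the double free itself.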
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: siddhesh at sourceware dot org @ 2021-02-24 15:52 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2021-27645
Summary|double-free in nscd |double-free in nscd (CVE-2021-27645)
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: sam at gentoo dot org @ 2021-02-24 19:16 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Sam James <sam at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at gentoo dot org
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: carnil at debian dot org @ 2021-02-24 20:22 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Salvatore Bonaccorso <carnil at debian dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carnil at debian dot org
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: siddhesh at sourceware dot org @ 2021-02-25 4:28 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carlos at redhat dot com
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: siddhesh at sourceware dot org @ 2021-02-25 4:30 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |dj at redhat dot com
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: crushor at hotmail dot com @ 2021-02-27 5:08 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
crushor at hotmail dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |crushor at hotmail dot com
--- Comment #1 from crushor at hotmail dot com ---
According to the xrealloc manual:
If there is not enough memory in the memory pool to satisfy the memory
request, a null pointer is returned and the original memory block is not
affected.
So, is it safe to use the return value of xrealloc without checking?
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: dj at redhat dot com @ 2021-02-27 5:43 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
--- Comment #2 from dj at redhat dot com <dj at redhat dot com> ---
You're reading the documentation for realloc, not xrealloc. xrealloc cannot
return NULL.
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: crushor at hotmail dot com @ 2021-02-27 6:02 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
--- Comment #3 from crushor at hotmail dot com ---
(In reply to dj@redhat.com from comment #2)
> You're reading the documentation for realloc, not xrealloc. xrealloc cannot
> return NULL.
Sure, you are right.
By the way, another question is: why does Red Hat assign a 7.5 score for it?
AC is network, and AI is high.
nscd provides caching for accesses of the passwd(5), group(5),
hosts(5) services(5) and netgroup databases through standard libc
interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3),
getgrgid(3), gethostbyname(3), and others.
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: siddhesh at sourceware dot org @ 2021-03-01 2:22 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
--- Comment #4 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
(In reply to crushor from comment #3)
> (In reply to dj@redhat.com from comment #2)
> > You're reading the documentation for realloc, not xrealloc. xrealloc cannot
> > return NULL.
>
> sure, you are right.
>
> by the way , another question is: why redhat assigns a 7.5 score for it ?
> AC is network, and AI is high.
IMO the score is incorrect because at least:
- AV should be local because nscd doesn't listen on remote requests.
- AC should be high since it is constrained by needing a netgroup request to
have a response larger than 1K to cause the double-free crash.
- A (availability impact) is low since nscd crashing (the freed pointer is not
used anywhere in the code path, so there's no UAF) will merely cause a direct
request to authentication servers and incur a performance penalty; it won't be
a full-on denial of service.
* [Bug nscd/27462] double-free in nscd (CVE-2021-27645)
From: siddhesh at sourceware dot org @ 2021-03-03 5:02 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
Target Milestone|--- |2.34
--- Comment #5 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
commit dca565886b5e8bd7966e15f0ca42ee5cff686673
Author: DJ Delorie <dj@redhat.com>
Date: Thu Feb 25 16:08:21 2021 -0500
nscd: Fix double free in netgroupcache [BZ #27462]
In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
was fixed, but this led to an occasional double-free. This patch
tracks the "live" allocation better.
Tested manually by a third party.
Related: RHBZ 1927877
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>