From: "siddhesh at sourceware dot org"
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/27462] New: double-free in nscd
Date: Wed, 24 Feb 2021 07:46:09 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27462

            Bug ID: 27462
           Summary: double-free in nscd
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: siddhesh at sourceware dot org
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The following upstream patch:

commit 745664bd798ec8fd50438605948eea594179fba1
Author: Florian Weimer
Date:   Tue Aug 28 13:19:27 2018 +0200

    nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]

    addinnetgrX may use the heap-allocated buffer, so free the buffer
    in this function.

introduced a double free bug because a reference to an already freed object may
escape into tofree.  The worst case impact is an nscd crash (and hence DoS) due
to the double free.
The freed object does not get used anywhere, so there's no use-after-free.

Here's a potential (untested) fix proposed by Carlos O'Donell.

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index dba6ceec1b..ad2daddafd 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
                                    : NULL);
                          ndomain = (ndomain ? newbuf + ndomaindiff
                                     : NULL);
-                         buffer = newbuf;
+                         *tofreep = buffer = newbuf;
                        }
 
                      nhost = memcpy (buffer + bufused,
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
              else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
                {
                  buflen *= 2;
-                 buffer = xrealloc (buffer, buflen);
+                 *tofreep = buffer = xrealloc (buffer, buflen);
                }
              else if (status == NSS_STATUS_RETURN
                       || status == NSS_STATUS_NOTFOUND
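Review bot: in the first hunk (@@ -248), `*tofreep = buffer = newbuf;` restores the invariant that *tofreep names the heap block that is actually live, but that invariant is now maintained by hand at every reassignment of `buffer`, and nothing in the function says so. By the time this line runs the block *tofreep used to point at has already been released by the reallocation that produced newbuf (the pointer fix-ups for nhost, nuser and ndomain just above only make sense after a move), so a stale *tofreep is exactly what the caller's free() then hits. Please add a comment at the point where *tofreep is first assigned (outside this hunk) stating that any later reassignment of buffer must update *tofreep as well, so the next growth path added to this function does not reintroduce the stale alias.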
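Review bot: the second hunk (@@ -319) applies the same `*tofreep = buffer = xrealloc (buffer, buflen);` pattern on the ERANGE retry path, which is only reached when the NSS backend reports NSS_STATUS_TRYAGAIN with errno ERANGE, so this line is not covered by an ordinary lookup. Since the report calls the patch untested, it should come with a test that drives addgetnetgrentX through at least one ERANGE retry (a netgroup whose triples exceed the initial buffer) so that xrealloc actually moves the block; that is the only case in which the old and new code differ, and it is the double-free case. It would also be worth confirming in the commit message that these two sites are the only places in the function where buffer is reassigned.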
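To make the failure mode in the report concrete, the following is an added C model of the out-parameter contract addgetnetgrentX has with its caller. It is illustration only, not glibc or nscd code: the names realloc_moving, grow_buggy, grow_fixed and the two checker functions are hypothetical, and the netgroup triple used as input is constructed. The callee grows a heap buffer and reports the block to release through *tofreep; the buggy variant records *tofreep once, so after the buffer moves it refers to memory the reallocation already freed (what the report calls a freed reference escaping into tofree), while the fixed variant keeps *tofreep and buffer in step, which is what the `*tofreep = buffer = ...` lines in the proposed patch do. The stand-in reallocator always moves the block so that the outcome does not depend on the system allocator's choice.

```c
/* Added model of BZ #27462 (not glibc code): a heap buffer reported to
   the caller via *tofreep goes stale when the buffer is reallocated.
   realloc_moving, grow_buggy, grow_fixed and the checkers are
   hypothetical names chosen for this illustration.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deterministic stand-in for xrealloc that always moves the block:
   allocate the new block first, copy, then free the old one.  Real
   realloc may or may not move; the double free only happens when it
   does, so we force that case.  */
static char *realloc_moving (char *old, size_t oldlen, size_t newlen)
{
  char *nb = malloc (newlen);
  if (nb == NULL)
    abort ();
  if (old != NULL)
    {
      memcpy (nb, old, oldlen < newlen ? oldlen : newlen);
      free (old);               /* the old block is now dead */
    }
  return nb;
}

/* Buggy variant: *tofreep is set at the first allocation and never
   updated when the buffer grows, so after a move it names a block
   realloc_moving already freed.  Returns the live buffer.  */
static char *grow_buggy (char **tofreep, const char *payload)
{
  size_t len = 16;
  char *buffer = realloc_moving (NULL, 0, len);
  *tofreep = buffer;                          /* recorded once only */
  size_t need = strlen (payload) + 1;
  while (len < need)
    {
      size_t newlen = len * 2;
      buffer = realloc_moving (buffer, len, newlen);  /* *tofreep now stale */
      len = newlen;
    }
  memcpy (buffer, payload, need);
  return buffer;
}

/* Fixed variant: every reassignment of buffer also updates *tofreep,
   the invariant the proposed patch restores in addgetnetgrentX.  */
static char *grow_fixed (char **tofreep, const char *payload)
{
  size_t len = 16;
  char *buffer = realloc_moving (NULL, 0, len);
  *tofreep = buffer;
  size_t need = strlen (payload) + 1;
  while (len < need)
    {
      size_t newlen = len * 2;
      *tofreep = buffer = realloc_moving (buffer, len, newlen);
      len = newlen;
    }
  memcpy (buffer, payload, need);
  return buffer;
}

/* Returns 1 if, for PAYLOAD, the buggy variant hands the caller a
   *tofreep that differs from the live buffer, i.e. free (*tofreep)
   would be a double free.  The stale pointer is only compared, never
   dereferenced or freed; the live block is released exactly once.  */
int buggy_variant_leaves_stale_alias (const char *payload)
{
  char *tofree = NULL;
  char *buffer = grow_buggy (&tofree, payload);
  int stale = (tofree != buffer);
  free (buffer);
  return stale;
}

/* Returns 1 if the fixed variant keeps *tofreep equal to the live
   buffer and the payload survived the moves; frees via tofree, as
   the nscd caller does.  */
int fixed_variant_keeps_alias (const char *payload)
{
  char *tofree = NULL;
  char *buffer = grow_fixed (&tofree, payload);
  int ok = (tofree == buffer) && strcmp (buffer, payload) == 0;
  free (tofree);
  return ok;
}

int main (void)
{
  /* Constructed triple: 27 bytes with NUL, so one growth step (16 -> 32).  */
  const char *triple = "(host.example.invalid,u,d)";
  printf ("buggy variant leaves a stale alias: %d\n",
          buggy_variant_leaves_stale_alias (triple));
  printf ("fixed variant keeps alias in sync:  %d\n",
          fixed_variant_keeps_alias (triple));
  return 0;
}
```

A payload that fits the initial 16 bytes never triggers a move, so even the buggy variant returns 0 for it; that is why the bug only shows up for netgroups large enough to force the growth path, which is the case a regression test for the patch has to exercise.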