public inbox for glibc-bugs@sourceware.org
* [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix
From: npv1310 at gmail dot com @ 2021-08-09 12:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Bug ID: 28213
Summary: NULL pointer dereference due to CVE-2021-33574 fix
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: librt
Assignee: unassigned at sourceware dot org
Reporter: npv1310 at gmail dot com
Target Milestone: ---
Hello.
While investigating the upstream fix of the recent CVE-2021-33574, I've found
the following problem:
The helper thread frees the copied attribute on a NOTIFY_REMOVED message received
from the OS kernel. Unfortunately, it fails to check whether the copied attribute
actually exists (data.attr != NULL). This worked earlier because free() checks
the passed pointer before actually attempting to release the corresponding memory.
But __pthread_attr_destroy assumes the pointer is not NULL. So passing a NULL
pointer to __pthread_attr_destroy will result in a segmentation fault. This
scenario is possible if notification->sigev_notify_attributes == NULL (which
means default thread attributes should be used).
Affected file: sysdeps/unix/sysv/linux/mq_notify.c
Affected function: helper_thread
Affected lineno: 137
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: npv1310 at gmail dot com @ 2021-08-09 12:29 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
--- Comment #1 from Nikita Popov <npv1310 at gmail dot com> ---
Created attachment 13606
--> https://sourceware.org/bugzilla/attachment.cgi?id=13606&action=edit
Proposed patch
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: siddhesh at sourceware dot org @ 2021-08-09 14:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What             |Removed      |Added
-----------------+-------------+------------------------------
CC               |             |siddhesh at sourceware dot org
Resolution       |---          |FIXED
Target Milestone |---          |2.35
Status           |UNCONFIRMED  |RESOLVED
--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Pushed to master and 2.34.
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: siddhesh at sourceware dot org @ 2021-08-12 12:10 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Test case for the fix.
commit 4cc79c217744743077bf7a0ec5e0a4318f1e6641 (HEAD -> master, origin/master, origin/HEAD)
Author: Nikita Popov <npv1310@gmail.com>
Date:   Thu Aug 12 16:09:50 2021 +0530

    librt: add test (bug 28213)

    This test implements the following logic:

    1) Create a POSIX message queue.
       Register a notification with mq_notify (using NULL attributes).
       Then immediately unregister the notification with mq_notify.
       The helper thread in a vulnerable version of glibc
       should cause a NULL pointer dereference after these steps.

    2) Once again, register the same notification.
       Try to send a dummy message.
       The test is considered successful if the dummy message
       is successfully received by the callback function.

    Signed-off-by: Nikita Popov <npv1310@gmail.com>
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
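A stand-alone reproducer that follows the two-step logic of the commit message above and exercises the code path described in the original report (SIGEV_THREAD with sigev_notify_attributes == NULL, so the helper thread's data.attr is never allocated). It is an added example written for this page, not glibc's own test file: the queue name, the "ping" payload, the 5-second deadline and the result codes are this example's choices. On a glibc that carries the CVE-2021-33574 fix but not this one, the helper thread dereferences NULL while handling NOTIFY_REMOVED in step 1 and the whole process dies with SIGSEGV; on a fixed glibc the callback receives the message and the check reports ok.

```c
/* Reproducer for glibc bug 28213 (CVE-2021-38604), written as an added
 * example for this page; not glibc's tst-* code.
 *
 * Build: cc -o mqcheck mqcheck.c        (add -lrt -pthread on glibc < 2.34)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <mqueue.h>
#include <semaphore.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

enum mq_check_result {
  MQ_CHECK_OK = 0,       /* callback ran and received the dummy message */
  MQ_CHECK_SKIPPED = 1,  /* POSIX message queues not usable in this environment */
  MQ_CHECK_FAILED = 2    /* a call failed or the callback never arrived */
};

static mqd_t queue;          /* static: the callback may outlive the stack frame on timeout */
static sem_t callback_seen;
static char received[64];    /* larger than mq_msgsize below, so mq_receive accepts it */

/* Runs on the thread glibc creates for a SIGEV_THREAD notification. */
static void on_message(union sigval sv)
{
  (void) sv;
  ssize_t n = mq_receive(queue, received, sizeof received - 1, NULL);
  received[n < 0 ? 0 : n] = '\0';
  sem_post(&callback_seen);
}

/* Payload seen by the callback, empty if it never ran. */
const char *last_message(void)
{
  return received;
}

int run_mq_notify_check(void)
{
  char name[64];
  struct mq_attr attr = { .mq_maxmsg = 4, .mq_msgsize = 32 };
  struct sigevent sev;
  struct timespec deadline;
  int rc = MQ_CHECK_FAILED;

  received[0] = '\0';
  snprintf(name, sizeof name, "/mq-notify-check-%ld", (long) getpid());
  queue = mq_open(name, O_RDWR | O_CREAT | O_EXCL, 0600, &attr);
  if (queue == (mqd_t) -1)
    return (errno == ENOSYS || errno == EACCES || errno == EPERM)
           ? MQ_CHECK_SKIPPED : MQ_CHECK_FAILED;
  mq_unlink(name);           /* the open descriptor keeps the queue alive */
  sem_init(&callback_seen, 0, 0);

  memset(&sev, 0, sizeof sev);
  sev.sigev_notify = SIGEV_THREAD;
  sev.sigev_notify_function = on_message;
  sev.sigev_notify_attributes = NULL;   /* default attributes: the crashing path */

  /* Step 1: register, then immediately unregister.  The kernel answers the
     removal with NOTIFY_REMOVED; an unfixed helper thread crashes here. */
  if (mq_notify(queue, &sev) != 0 || mq_notify(queue, NULL) != 0)
    goto out;

  /* Step 2: register again and deliver a dummy message. */
  if (mq_notify(queue, &sev) != 0 || mq_send(queue, "ping", 4, 0) != 0)
    goto out;

  /* Bounded wait, so a lost notification reports failure instead of hanging. */
  clock_gettime(CLOCK_REALTIME, &deadline);
  deadline.tv_sec += 5;
  while (sem_timedwait(&callback_seen, &deadline) != 0)
    if (errno != EINTR)
      goto out;              /* ETIMEDOUT: callback never ran */
  rc = strcmp(received, "ping") == 0 ? MQ_CHECK_OK : MQ_CHECK_FAILED;

out:
  mq_close(queue);
  sem_destroy(&callback_seen);
  return rc;
}

int main(void)
{
  static const char *const label[] = { "ok", "skipped", "failed" };
  int rc = run_mq_notify_check();
  printf("mq_notify check: %s\n", label[rc]);
  return rc == MQ_CHECK_FAILED;
}
```

The crash, when it happens, is in glibc's internal helper thread rather than in this program's code, so a debugger or core dump shows a fault under __pthread_attr_destroy with a NULL first argument; on glibc 2.34 and later the mq_* and sem_* symbols live in libc, older releases need -lrt -pthread at link time.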
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: sam at gentoo dot org @ 2021-08-18 3:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Sam James <sam at gentoo dot org> changed:
What             |Removed      |Added
-----------------+-------------+------------------------------
CC               |             |sam at gentoo dot org
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: sam at gentoo dot org @ 2021-08-18 3:50 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Sam James <sam at gentoo dot org> changed:
What             |Removed      |Added
-----------------+-------------+------------------------------
CC               |             |toolchain at gentoo dot org
* [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604)
From: siddhesh at sourceware dot org @ 2021-08-23 2:47 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:
What             |Removed                       |Added
-----------------+------------------------------+------------------------------
Summary          |NULL pointer dereference      |NULL pointer dereference in
                 |due to CVE-2021-33574 fix     |mq_notify (CVE-2021-38604)
Flags            |                              |security+
Alias            |                              |CVE-2021-38604