public inbox for glibc-bugs@sourceware.org
* [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix
From: npv1310 at gmail dot com @ 2021-08-09 12:14 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

            Bug ID: 28213
           Summary: NULL pointer dereference due to CVE-2021-33574 fix
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: librt
          Assignee: unassigned at sourceware dot org
          Reporter: npv1310 at gmail dot com
  Target Milestone: ---

Hello.

While investigating the upstream fix of the recent CVE-2021-33574, I've found the following problem:

The helper thread frees the copied attribute on a NOTIFY_REMOVED message received from the OS kernel. Unfortunately, it fails to check whether the copied attribute actually exists (data.attr != NULL).

This worked earlier because free() checks the passed pointer before actually attempting to release the corresponding memory. But __pthread_attr_destroy assumes the pointer is not NULL. So passing a NULL pointer to __pthread_attr_destroy will result in a segmentation fault.

This scenario is possible if notification->sigev_notify_attributes == NULL (which means default thread attributes should be used).

Affected file: sysdeps/unix/sysv/linux/mq_notify.c
Affected function: helper_thread
Affected lineno: 137

-- 
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: npv1310 at gmail dot com @ 2021-08-09 12:29 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

--- Comment #1 from Nikita Popov <npv1310 at gmail dot com> ---
Created attachment 13606
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13606&action=edit
Proposed patch
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: siddhesh at sourceware dot org @ 2021-08-09 14:53 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |siddhesh at sourceware dot org
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.35
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Pushed to master and 2.34.
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: siddhesh at sourceware dot org @ 2021-08-12 12:10 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

--- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> ---
Test case for the fix.

commit 4cc79c217744743077bf7a0ec5e0a4318f1e6641 (HEAD -> master, origin/master, origin/HEAD)
Author: Nikita Popov <npv1310@gmail.com>
Date:   Thu Aug 12 16:09:50 2021 +0530

    librt: add test (bug 28213)

    This test implements the following logic:

    1) Create a POSIX message queue.
       Register a notification with mq_notify (using NULL attributes).
       Then immediately unregister the notification with mq_notify.
       The helper thread in a vulnerable version of glibc should cause a
       NULL pointer dereference after these steps.

    2) Once again, register the same notification.
       Try to send a dummy message.
       The test is considered successful if the dummy message is
       successfully received by the callback function.

    Signed-off-by: Nikita Popov <npv1310@gmail.com>
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: sam at gentoo dot org @ 2021-08-18 3:50 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix
From: sam at gentoo dot org @ 2021-08-18 3:50 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toolchain at gentoo dot org
* [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604)
From: siddhesh at sourceware dot org @ 2021-08-23 2:47 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28213

Siddhesh Poyarekar <siddhesh at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|NULL pointer dereference    |NULL pointer dereference in
                   |due to CVE-2021-33574 fix   |mq_notify (CVE-2021-38604)
              Flags|                            |security+
              Alias|                            |CVE-2021-38604