public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix
@ 2021-08-09 12:14 npv1310 at gmail dot com
2021-08-09 12:29 ` [Bug librt/28213] " npv1310 at gmail dot com
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: npv1310 at gmail dot com @ 2021-08-09 12:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28213
Bug ID: 28213
Summary: NULL pointer dereference due to CVE-2021-33574 fix
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: librt
Assignee: unassigned at sourceware dot org
Reporter: npv1310 at gmail dot com
Target Milestone: ---
Hello.
While investigating the upstream fix of the recent CVE-2021-33574, i've found
following problem:
Helper thread frees copied attribute on NOTIFY_REMOVED message received from
the OS kernel. Unfortunately, it fails to check whether copied attribute
actually exists (data.attr != NULL). This worked earlier because free() checks
passed pointer before actually attempting to release corresponding memory. But
__pthread_attr_destroy assumes pointer is not NULL. So passing NULL pointer to
__pthread_attr_destroy will result in segmentation fault. This scenario is
possible if notification->sigev_notify_attributes == NULL (which means default
thread attributes should be used).
Affected file: sysdeps/unix/sysv/linux/mq_notify.c
Affected function: helper_thread
Affected lineno: 137
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com @ 2021-08-09 12:29 ` npv1310 at gmail dot com 2021-08-09 14:53 ` siddhesh at sourceware dot org ` (4 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: npv1310 at gmail dot com @ 2021-08-09 12:29 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 --- Comment #1 from Nikita Popov <npv1310 at gmail dot com> --- Created attachment 13606 --> https://sourceware.org/bugzilla/attachment.cgi?id=13606&action=edit Proposed patch -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com 2021-08-09 12:29 ` [Bug librt/28213] " npv1310 at gmail dot com @ 2021-08-09 14:53 ` siddhesh at sourceware dot org 2021-08-12 12:10 ` siddhesh at sourceware dot org ` (3 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: siddhesh at sourceware dot org @ 2021-08-09 14:53 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Siddhesh Poyarekar <siddhesh at sourceware dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |siddhesh at sourceware dot org Resolution|--- |FIXED Target Milestone|--- |2.35 Status|UNCONFIRMED |RESOLVED --- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> --- Pushed to master and 2.34. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com 2021-08-09 12:29 ` [Bug librt/28213] " npv1310 at gmail dot com 2021-08-09 14:53 ` siddhesh at sourceware dot org @ 2021-08-12 12:10 ` siddhesh at sourceware dot org 2021-08-18 3:50 ` sam at gentoo dot org ` (2 subsequent siblings) 5 siblings, 0 replies; 7+ messages in thread From: siddhesh at sourceware dot org @ 2021-08-12 12:10 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 --- Comment #3 from Siddhesh Poyarekar <siddhesh at sourceware dot org> --- Test case for the fix. commit 4cc79c217744743077bf7a0ec5e0a4318f1e6641 (HEAD -> master, origin/master, origin/HEAD) Author: Nikita Popov <npv1310@gmail.com> Date: Thu Aug 12 16:09:50 2021 +0530 librt: add test (bug 28213) This test implements following logic: 1) Create POSIX message queue. Register a notification with mq_notify (using NULL attributes). Then immediately unregister the notification with mq_notify. Helper thread in a vulnerable version of glibc should cause NULL pointer dereference after these steps. 2) Once again, register the same notification. Try to send a dummy message. Test is considered successfulif the dummy message is successfully received by the callback function. Signed-off-by: Nikita Popov <npv1310@gmail.com> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com ` (2 preceding siblings ...) 2021-08-12 12:10 ` siddhesh at sourceware dot org @ 2021-08-18 3:50 ` sam at gentoo dot org 2021-08-18 3:50 ` sam at gentoo dot org 2021-08-23 2:47 ` [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604) siddhesh at sourceware dot org 5 siblings, 0 replies; 7+ messages in thread From: sam at gentoo dot org @ 2021-08-18 3:50 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Sam James <sam at gentoo dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sam at gentoo dot org -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug librt/28213] NULL pointer dereference due to CVE-2021-33574 fix 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com ` (3 preceding siblings ...) 2021-08-18 3:50 ` sam at gentoo dot org @ 2021-08-18 3:50 ` sam at gentoo dot org 2021-08-23 2:47 ` [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604) siddhesh at sourceware dot org 5 siblings, 0 replies; 7+ messages in thread From: sam at gentoo dot org @ 2021-08-18 3:50 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Sam James <sam at gentoo dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |toolchain at gentoo dot org -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
* [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604) 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com ` (4 preceding siblings ...) 2021-08-18 3:50 ` sam at gentoo dot org @ 2021-08-23 2:47 ` siddhesh at sourceware dot org 5 siblings, 0 replies; 7+ messages in thread From: siddhesh at sourceware dot org @ 2021-08-23 2:47 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Siddhesh Poyarekar <siddhesh at sourceware dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|NULL pointer dereference |NULL pointer dereference in |due to CVE-2021-33574 fix |mq_notify (CVE-2021-38604) Flags| |security+ Alias| |CVE-2021-38604 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-08-23 2:47 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-08-09 12:14 [Bug librt/28213] New: NULL pointer dereference due to CVE-2021-33574 fix npv1310 at gmail dot com 2021-08-09 12:29 ` [Bug librt/28213] " npv1310 at gmail dot com 2021-08-09 14:53 ` siddhesh at sourceware dot org 2021-08-12 12:10 ` siddhesh at sourceware dot org 2021-08-18 3:50 ` sam at gentoo dot org 2021-08-18 3:50 ` sam at gentoo dot org 2021-08-23 2:47 ` [Bug librt/28213] NULL pointer dereference in mq_notify (CVE-2021-38604) siddhesh at sourceware dot org
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).