public inbox for glibc-bugs@sourceware.org
* [Bug nss/28752] New: Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-01-06 18:30 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

            Bug ID: 28752
           Summary: Segfault in getpwuid when stat fails
           Product: glibc
           Version: 2.34
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nss
          Assignee: unassigned at sourceware dot org
          Reporter: sam at gentoo dot org
  Target Milestone: ---

Created attachment 13894
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13894&action=edit
reproducer-seccomp.c

Originally reported in Gentoo: https://bugs.gentoo.org/828070
Discussed on libc-help here:
https://sourceware.org/pipermail/libc-help/2021-December/006061.html

glib compiled with FAM support ends up crashing Firefox. Andreas Fink did some
substantial debugging and ended up finding that the issue is that stat (in
nss_database_check_reload_and_get) may fail when e.g. newfstatat is forbidden
by a seccomp filter.

I've attached Andreas' reproducer here. Needs to be linked against libseccomp.

azanella had a simple patch which works for me:
```
diff --git a/nss/nss_database.c b/nss/nss_database.c
index d56c5b798d..24e34213cd 100644
--- a/nss/nss_database.c
+++ b/nss/nss_database.c
@@ -424,10 +424,11 @@ nss_database_check_reload_and_get (struct
nss_database_state *local,
      errors here are very unlikely, but the chance that we're entering
      a container is also very unlikely, so we err on the side of both
      very unlikely things not happening at the same time.  */
-  if (__stat64_time64 ("/", &str) != 0
-      || (local->root_ino != 0
-         && (str.st_ino != local->root_ino
-             ||  str.st_dev != local->root_dev)))
+  if (__stat64_time64 ("/", &str) != 0)
+    return false;
+
+  if (local->root_ino != 0 && (str.st_ino != local->root_ino
+                              || str.st_dev != local->root_dev))
     {
       /* Change detected; disable reloading and return current state.  */
       atomic_store_release (&local->data.reload_disabled, 1);
```
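Review bot: the comment block left just above the new early return (the "errors here are very unlikely ... both very unlikely things not happening at the same time" lines) still explains the old policy of folding a stat failure into the root-change branch; now that a failed `__stat64_time64 ("/", &str)` does `return false;` instead, that rationale no longer matches the code, so the comment should be rewritten to say that a failed stat aborts the lookup. Also confirm that every caller of nss_database_check_reload_and_get treats a false return as a failed lookup rather than as a loaded state, including on the first call when `local->root_ino` is still 0, since that is now the path taken when stat is blocked.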

-- 
You are receiving this mail because:
You are on the CC list for the bug.

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: fweimer at redhat dot com @ 2022-01-07  9:56 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Thanks. The comment needs updating as well.

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-03-14 17:04 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

--- Comment #2 from Sam James <sam at gentoo dot org> ---
Updated patch sent to libc-alpha:
https://patchwork.sourceware.org/project/glibc/patch/20220314165414.3110670-2-sam@gentoo.org/.

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: fweimer at redhat dot com @ 2022-05-19 12:34 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=2084588

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-06-09  5:34 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dj at redhat dot com
             Status|NEW                         |WAITING

--- Comment #3 from Sam James <sam at gentoo dot org> ---
Fixed in master with 3fdf0a205b622e40fa7e3c4ed1e4ed4d5c6c5380 and
ace9e3edbca62d978b1e8f392d8a5d78500272d9.

I'm not au fait with the workflow yet for glibc's Bugzilla, so I'll call this
WAITING based on the fact we haven't backported it yet, and it's a good
candidate for doing so after some time to soak.

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-06-09  5:35 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

--- Comment #4 from Sam James <sam at gentoo dot org> ---
(In reply to Sam James from comment #3)
> Fixed in master with 3fdf0a205b622e40fa7e3c4ed1e4ed4d5c6c5380 and
> ace9e3edbca62d978b1e8f392d8a5d78500272d9.
>

Sorry, thought it'd linkify:

commit ace9e3edbca62d978b1e8f392d8a5d78500272d9 (origin/master, origin/HEAD, master)
Author: Sam James <sam@gentoo.org>
Date:   Sun Jun 5 04:57:10 2022 +0100

    nss: handle stat failure in check_reload_and_get (BZ #28752)

    Skip the chroot test if the database isn't loaded
    correctly (because the chroot test uses some
    existing DB state).

    The __stat64_time64 -> fstatat call can fail if
    running under an (aggressive) seccomp filter,
    like Firefox seems to use.

    This manifested in a crash when using glib built
    with FAM support with such a Firefox build.

    Suggested-by: DJ Delorie <dj@redhat.com>
    Signed-off-by: Sam James <sam@gentoo.org>
    Reviewed-by: DJ Delorie <dj@redhat.com>

commit 3fdf0a205b622e40fa7e3c4ed1e4ed4d5c6c5380
Author: Sam James <sam@gentoo.org>
Date:   Sun Jun 5 04:57:09 2022 +0100

    nss: add assert to DB_LOOKUP_FCT (BZ #28752)

    It's interesting if we have a null action list,
    so an assert is worthwhile.

    Suggested-by: DJ Delorie <dj@redhat.com>
    Signed-off-by: Sam James <sam@gentoo.org>
    Reviewed-by: DJ Delorie <dj@redhat.com>

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-06-19  2:18 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|WAITING                     |RESOLVED

--- Comment #5 from Sam James <sam at gentoo dot org> ---
Backports are done to 2.34 & 2.35. Earlier versions were unaffected.

Thanks all!

* [Bug nss/28752] Segfault in getpwuid when stat fails
From: sam at gentoo dot org @ 2022-06-19  2:19 UTC
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28752

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.36
