public inbox for glibc-bugs@sourceware.org
* [Bug nss/28953] New: NSS lookup result can be incorrect if function lookup clobbers errno
@ 2022-03-10 10:35 fweimer at redhat dot com
  2022-03-10 12:48 ` [Bug nss/28953] " fweimer at redhat dot com
  2022-03-11  9:17 ` fweimer at redhat dot com
  0 siblings, 2 replies; 3+ messages in thread
From: fweimer at redhat dot com @ 2022-03-10 10:35 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28953

            Bug ID: 28953
           Summary: NSS lookup result can be incorrect if function lookup
                    clobbers errno
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nss
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

This originated in a downstream bug report. The slightly incorrect reproducer
looks like this:

#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;
    errno = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        errno = 0;
        printf("%d: %s\n", pw->pw_uid, pw->pw_name);
    }
    printf("getpwent errno = %d (%m)\n", errno);
    endpwent();
    return 0;
}

And the last NSS module has an ELF constructor that clobbers errno, but its
lookup function does not return any data. The errno value from the ELF
constructor then leaks into the getpwent result.

We saw this with the 2.28 code, but I think the issue is present in the current
upstream version as well (although NSS function lookup has been rewritten).

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug nss/28953] NSS lookup result can be incorrect if function lookup clobbers errno
  2022-03-10 10:35 [Bug nss/28953] New: NSS lookup result can be incorrect if function lookup clobbers errno fweimer at redhat dot com
@ 2022-03-10 12:48 ` fweimer at redhat dot com
  2022-03-11  9:17 ` fweimer at redhat dot com
  1 sibling, 0 replies; 3+ messages in thread
From: fweimer at redhat dot com @ 2022-03-10 12:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28953

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com
             Status|NEW                         |ASSIGNED
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted:

[PATCH 2/2] nss: Protect against errno changes in function lookup (bug 28953)
https://sourceware.org/pipermail/libc-alpha/2022-March/137009.html


* [Bug nss/28953] NSS lookup result can be incorrect if function lookup clobbers errno
  2022-03-10 10:35 [Bug nss/28953] New: NSS lookup result can be incorrect if function lookup clobbers errno fweimer at redhat dot com
  2022-03-10 12:48 ` [Bug nss/28953] " fweimer at redhat dot com
@ 2022-03-11  9:17 ` fweimer at redhat dot com
  1 sibling, 0 replies; 3+ messages in thread
From: fweimer at redhat dot com @ 2022-03-11  9:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=28953

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
   Target Milestone|---                         |2.36

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Fixed via:

commit 9bdf92c79d63b42f931101bb6df87129c408b0c4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 11 08:23:56 2022 +0100

    nss: Protect against errno changes in function lookup (bug 28953)

    dlopen may clobber errno.  The nss_test_errno module uses an ELF
    constructor to achieve that, but there could be internal errors
    during dlopen that cause this, too.  Therefore, the NSS framework
    has to guard against such errno clobbers.

    __nss_module_get_function is currently the only function that calls
    __nss_module_load, so it is sufficient to save and restore errno
    around this call.

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

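Added example, not part of the original thread and not glibc's code: the save-and-restore pattern the commit message describes, shown next to the unguarded form. module_load, module_lookup and the get_function_* helpers are hypothetical stand-ins for __nss_module_load and the last module's lookup function; the ENOENT clobber is constructed.

```c
#include <errno.h>
#include <stdio.h>

typedef void *(*lookup_fn)(void);

/* Hypothetical stand-in for __nss_module_load: the load succeeds, but
   something on the way (an ELF constructor, say) leaves errno set. */
static int module_load(void)
{
    errno = ENOENT;              /* constructed clobber */
    return 1;
}

/* Hypothetical lookup function of the last module: returns no data
   and does not touch errno. */
static void *module_lookup(void) { return NULL; }

/* Unguarded function lookup: the loader's errno reaches the caller. */
static lookup_fn get_function_unguarded(void)
{
    return module_load() ? module_lookup : NULL;
}

/* Guarded function lookup: errno is saved before the load and restored
   after it, whether or not the load succeeded. */
static lookup_fn get_function_guarded(void)
{
    int saved_errno = errno;
    int ok = module_load();
    errno = saved_errno;
    return ok ? module_lookup : NULL;
}

/* Caller shaped like the reproducer: clear errno, run the enumeration
   to its end, report the errno left behind (0 = clean end of data). */
static int errno_after_enumeration(lookup_fn (*get_function)(void))
{
    errno = 0;
    lookup_fn fn = get_function();
    while (fn != NULL && fn() != NULL)
        errno = 0;               /* not reached: the module is empty */
    return errno;
}

int main(void)
{
    printf("unguarded: errno = %d\n", errno_after_enumeration(get_function_unguarded));
    printf("guarded:   errno = %d\n", errno_after_enumeration(get_function_guarded));
    return 0;
}
```

A caller that treats a NULL result with nonzero errno as a lookup failure misreads the unguarded case as an error, although the enumeration simply reached its end.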
