public inbox for glibc-bugs@sourceware.org
[Bug nscd/31677] New: nscd: negroup cache: invalid memcpy under low memory/storage conditions
From: carlos at redhat dot com
Date: 2024-04-23 20:20 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

            Bug ID: 31677
           Summary: nscd: negroup cache: invalid memcpy under low
                    memory/storage conditions
           Product: glibc
           Version: 2.40
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: carlos at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

nscd/netgroupcache.c (addinnetgrX):

    struct indataset
    {
      struct datahead head;
      innetgroup_response_header resp;
    } *dataset
      = (struct indataset *) mempool_alloc (db,
                                            sizeof (*dataset) + req->key_len,
                                            1);

mempool_alloc fails and returns NULL. This is possible if posix_fallocate fails and the retry fails.

    struct indataset dataset_mem;
    bool cacheable = true;
    if (__glibc_unlikely (dataset == NULL))
      {
        cacheable = false;
        dataset = &dataset_mem;
      }

This structure has no room for req->key_len material.

    datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                       sizeof (innetgroup_response_header),
                       he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
    /* Set the notfound status and timeout based on the result from
       getnetgrent. */
    dataset->head.notfound = result->head.notfound;
    dataset->head.timeout = timeout;

    dataset->resp.version = NSCD_VERSION;
    dataset->resp.found = result->resp.found;
    /* Until we find a matching entry the result is 0. */
    dataset->resp.result = 0;

    char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);

This copies up to req->key_len material to a structure that has no storage space for it.

This was detected by static code analysis. It will only happen in the case the database runs out of memory/storage while expanding the netgroup cache. The group entries overwrite other data on the stack after dataset_mem. The workaround is not to cache the netgroup if this is impacting the use of the application.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
[Bug nscd/31677] nscd: negroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com
Date: 2024-04-24 7:25 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security+
[Bug nscd/31677] nscd: negroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com
Date: 2024-04-24 8:33 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org|fweimer at redhat dot com
             Status|NEW                         |ASSIGNED
[Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com
Date: 2024-04-24 9:29 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nscd: negroup cache:        |nscd: netgroup cache:
                   |invalid memcpy under low    |invalid memcpy under low
                   |memory/storage conditions   |memory/storage conditions
[Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: carlos at redhat dot com
Date: 2024-04-24 20:35 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2024-33599
[Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com
Date: 2024-04-25 13:36 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.40
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.40 via:

commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:00:45 2024 +0200

    CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)

    Using alloca matches what other caches do.  The request length is
    bounded by MAXKEYLEN.

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
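A constructed model of the fallback path described in the bug report and of the strategy named in the fix commit (a stack buffer sized for header plus key, valid because the request length is bounded by MAXKEYLEN), placed side by side so the difference in capacity is visible. This is added example code, not glibc's: the datahead/innetgroup_response_header layout, the MAXKEYLEN value and the NSCD_VERSION value are assumptions, and the pre-fix overflow is detected by a capacity check rather than performed.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of addinnetgrX's fallback path, not glibc's code: the
   datahead/innetgroup_response_header pair becomes one small header, and
   MAXKEYLEN (nscd's bound on request keys) is given an assumed value.  */
#define MAXKEYLEN 1024

struct header_model { unsigned version; int found; int result; };
enum outcome { CACHED, UNCACHED_ON_STACK, KEY_TOO_LONG, WOULD_OVERFLOW };
static char demo_pool[4096];   /* constructed stand-in for the cache database */

/* `pool' models mempool_alloc's result (NULL = the posix_fallocate failure in
   the report).  `fixed' selects the post-commit fallback (alloca sized for
   header + key, safe because key_len <= MAXKEYLEN) over the pre-fix one (a
   bare struct with no room for the key).  The pre-fix overflow is detected
   by the capacity check, not executed.  */
static enum outcome
add_netgroup_entry (void *pool, size_t pool_len, const char *group,
                    size_t key_len, bool fixed)
{
  if (key_len > MAXKEYLEN)          /* nscd rejects such requests earlier */
    return KEY_TOO_LONG;
  size_t need = sizeof (struct header_model) + key_len;
  struct header_model dataset_mem;  /* pre-fix fallback: header only */
  struct header_model *dataset; size_t capacity;
  if (pool != NULL && pool_len >= need)
    dataset = pool, capacity = pool_len;
  else if (fixed)
    dataset = alloca (need), capacity = need;
  else
    dataset = &dataset_mem, capacity = sizeof dataset_mem;
  if (capacity - sizeof *dataset < key_len)
    return WOULD_OVERFLOW;          /* memcpy would run past dataset_mem */
  dataset->version = 2;             /* NSCD_VERSION; value assumed here */
  dataset->found = dataset->result = 0;
  memcpy ((char *) (dataset + 1), group, key_len);
  return dataset == pool ? CACHED : UNCACHED_ON_STACK;
}

int main (void)
{
  static const char key[] = "hosts\0example.org\0";  /* constructed key */
  printf ("%d %d\n", add_netgroup_entry (NULL, 0, key, sizeof key, false),
          add_netgroup_entry (NULL, 0, key, sizeof key, true));
}
```

With no pool available, the pre-fix path reports WOULD_OVERFLOW for any non-empty key, while the fixed path stores the entry uncached on a correctly sized stack buffer.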
[Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: sam at gentoo dot org
Date: 2024-04-25 13:53 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org
[Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: carnil at debian dot org
Date: 2024-04-25 21:00 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31677

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carnil at debian dot org