public inbox for glibc-bugs@sourceware.org
* [Bug nscd/31677] New: nscd: negroup cache: invalid memcpy under low memory/storage conditions
@ 2024-04-23 20:20 carlos at redhat dot com
From: carlos at redhat dot com @ 2024-04-23 20:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Bug ID: 31677
Summary: nscd: negroup cache: invalid memcpy under low
memory/storage conditions
Product: glibc
Version: 2.40
Status: NEW
Severity: normal
Priority: P2
Component: nscd
Assignee: unassigned at sourceware dot org
Reporter: carlos at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
nscd/netgroupcache.c (addinnetgrX), lines 497-526:

    struct indataset
    {
      struct datahead head;
      innetgroup_response_header resp;
    } *dataset
      = (struct indataset *) mempool_alloc (db,
                                             sizeof (*dataset) + req->key_len,
                                             1);

mempool_alloc fails and returns NULL.
This is possible if posix_fallocate fails and the retry fails.

    struct indataset dataset_mem;
    bool cacheable = true;
    if (__glibc_unlikely (dataset == NULL))
      {
        cacheable = false;
        dataset = &dataset_mem;

This structure has no room for req->key_len material.

      }

    datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                       sizeof (innetgroup_response_header),
                       he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
    /* Set the notfound status and timeout based on the result from
       getnetgrent.  */
    dataset->head.notfound = result->head.notfound;
    dataset->head.timeout = timeout;

    dataset->resp.version = NSCD_VERSION;
    dataset->resp.found = result->resp.found;
    /* Until we find a matching entry the result is 0.  */
    dataset->resp.result = 0;

    char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);

This copies up to req->key_len material to a structure that has no storage
space for it.
This was detected by static code analysis.
It will only happen in the case the database runs out of memory/storage while
expanding the netgroup cache.
The group entries overwrite other data on the stack after dataset_mem.
The workaround is not to cache the netgroup if this is impacting the use of the
application.
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug nscd/31677] nscd: negroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com @ 2024-04-24 7:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security+
* [Bug nscd/31677] nscd: negroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com @ 2024-04-24 8:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at sourceware dot org |fweimer at redhat dot com
Status|NEW |ASSIGNED
* [Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com @ 2024-04-24 9:29 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|nscd: negroup cache: invalid memcpy under low memory/storage conditions |nscd: netgroup cache: invalid memcpy under low memory/storage conditions
* [Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: carlos at redhat dot com @ 2024-04-24 20:35 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2024-33599
* [Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: fweimer at redhat dot com @ 2024-04-25 13:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.40
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.40 via:
commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Apr 25 15:00:45 2024 +0200
CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)
Using alloca matches what other caches do. The request length is
bounded by MAXKEYLEN.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
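The following is an added illustration, not glibc code and not part of this bug thread. It models the storage-accounting mistake described in the original report (a fixed-size stack fallback used as if it had room for req->key_len bytes after it) and the shape of the fix noted in comment #1 (reserve header plus the MAXKEYLEN-bounded key before copying). All names here (demo_dataset, demo_frame, MAXKEYLEN_DEMO, vulnerable_spill, build_entry) are hypothetical stand-ins for nscd's indataset, dataset_mem and MAXKEYLEN; the "frame" in the vulnerable variant is an object the function owns, so the overrun is observed without writing outside memory the program controls, and the hardened variant uses a union-backed array where glibc's fix uses alloca.

```c
/* Added example, not glibc code: the storage-accounting mistake behind
   CVE-2024-33599 and the shape of the fix.  Every name here (demo_dataset,
   demo_frame, MAXKEYLEN_DEMO, vulnerable_spill, build_entry) is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for nscd's MAXKEYLEN, the bound on a request key's length. */
#define MAXKEYLEN_DEMO 1024

/* Stand-in for struct indataset: a fixed-size record after which the key
   is expected to follow immediately in memory (dataset + 1). */
struct demo_dataset {
  uint32_t version;
  int32_t found;
  int32_t result;
};

/* Simulated stack frame: the fixed-size fallback object followed by a
   neighbouring local.  Copying key_len bytes to (dataset + 1) while dataset
   points at dataset_mem lands in `neighbour`, which is what the report means
   by "overwrite other data on the stack after dataset_mem".  The frame is an
   object this function owns, so the copy stays inside program-controlled
   memory while still showing the corruption. */
struct demo_frame {
  struct demo_dataset dataset_mem;
  unsigned char neighbour[64];
};

/* Vulnerable pattern.  Returns how many bytes of `neighbour` the unchecked
   copy clobbers; key_len is clipped to the neighbour's size so the
   demonstration never leaves the frame. */
static size_t vulnerable_spill(const char *key, size_t key_len) {
  struct demo_frame frame;
  memset(&frame, 0, sizeof frame);
  if (key_len > sizeof frame.neighbour)
    key_len = sizeof frame.neighbour;
  /* Same address as (char *) (&frame.dataset_mem + 1): one past the struct. */
  unsigned char *after_struct =
      (unsigned char *)&frame + sizeof frame.dataset_mem;
  memcpy(after_struct, key, key_len);   /* no room was reserved here */
  size_t clobbered = 0;
  for (size_t i = 0; i < sizeof frame.neighbour; i++)
    if (frame.neighbour[i] != 0)
      clobbered++;
  return clobbered;
}

/* Hardened pattern.  Checks key_len against the bound first, then uses
   fallback storage sized for header + the largest permitted key.  glibc's
   fix reserves that space with alloca; a union-backed array is used here so
   the example has no platform-specific dependency.
   Returns -1 if the key exceeds the bound, 0 if the entry was built in pool
   memory, 1 if it was built in the (non-cacheable) fallback. */
static int build_entry(const char *key, size_t key_len, bool pool_exhausted,
                       bool *cacheable, int32_t *key_roundtrip) {
  if (key_len > MAXKEYLEN_DEMO)
    return -1;
  size_t total = sizeof (struct demo_dataset) + key_len;
  union {
    struct demo_dataset head;
    unsigned char bytes[sizeof (struct demo_dataset) + MAXKEYLEN_DEMO];
  } fallback;
  /* Stand-in for mempool_alloc: fails when the cache file cannot be grown. */
  struct demo_dataset *dataset = pool_exhausted ? NULL : malloc(total);
  int where = 0;
  *cacheable = true;
  if (dataset == NULL) {
    *cacheable = false;
    dataset = &fallback.head;   /* now large enough for header + key */
    where = 1;
  }
  dataset->version = 2;
  dataset->found = 1;
  dataset->result = 0;
  char *key_copy = memcpy((char *)(dataset + 1), key, key_len);
  *key_roundtrip = memcmp(key_copy, key, key_len) == 0;
  if (where == 0)
    free(dataset);
  return where;
}

int main(void) {
  const char *key = "host1,user1,example";   /* constructed netgroup triple */
  printf("vulnerable: %zu bytes clobbered past dataset_mem\n",
         vulnerable_spill(key, strlen(key)));
  bool cacheable;
  int32_t intact;
  int where = build_entry(key, strlen(key), true, &cacheable, &intact);
  printf("hardened: built in %s, cacheable=%d, key intact=%d\n",
         where == 1 ? "fallback" : "pool", cacheable, intact);
  return 0;
}
```

The point of the pairing is that the vulnerable fallback object has exactly sizeof(struct) bytes, so every byte of a non-empty key written at dataset + 1 lands on whatever the compiler placed next on the stack; the hardened version makes the bound check the first thing that happens and sizes the fallback to that bound, so the same memcpy idiom is safe on both the pool and the fallback path.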
* [Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: sam at gentoo dot org @ 2024-04-25 13:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Sam James <sam at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at gentoo dot org
* [Bug nscd/31677] nscd: netgroup cache: invalid memcpy under low memory/storage conditions
From: carnil at debian dot org @ 2024-04-25 21:00 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31677
Salvatore Bonaccorso <carnil at debian dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carnil at debian dot org