public inbox for glibc-bugs@sourceware.org
* [Bug nscd/31680] New: nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-24 11:53 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Bug ID: 31680
Summary: nscd: netgroup cache assumes NSS callback uses
in-buffer strings
Product: glibc
Version: 2.40
Status: NEW
Severity: normal
Priority: P2
Component: nscd
Assignee: unassigned at sourceware dot org
Reporter: fweimer at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Flags: security+
The buffer-resizing code in addgetnetgrentX assumes that all string pointers
point into the supplied buffer:
      const char *nhost = data.val.triple.host;
      const char *nuser = data.val.triple.user;
      const char *ndomain = data.val.triple.domain;

      size_t hostlen = strlen (nhost ?: "") + 1;
      size_t userlen = strlen (nuser ?: "") + 1;
      size_t domainlen = strlen (ndomain ?: "") + 1;

      if (nhost == NULL || nuser == NULL || ndomain == NULL
          || nhost > nuser || nuser > ndomain)
        {
          const char *last = nhost;
          if (last == NULL
              || (nuser != NULL && nuser > last))
            last = nuser;
          if (last == NULL
              || (ndomain != NULL && ndomain > last))
            last = ndomain;

          size_t bufused
            = (last == NULL
               ? buffilled
               : last + strlen (last) + 1 - buffer);

          /* We have to make temporary copies.  */
          size_t needed = hostlen + userlen + domainlen;

          if (buflen - req->key_len - bufused < needed)
            {
              buflen += MAX (buflen, 2 * needed);
              /* Save offset in the old buffer.  We don't
                 bother with the NULL check here since
                 we'll do that later anyway.  */
              size_t nhostdiff = nhost - buffer;
              size_t nuserdiff = nuser - buffer;
              size_t ndomaindiff = ndomain - buffer;

              char *newbuf = xrealloc (buffer, buflen);
              /* Fix up the triplet pointers into the new
                 buffer.  */
              nhost = (nhost ? newbuf + nhostdiff
                       : NULL);
              nuser = (nuser ? newbuf + nuserdiff
                       : NULL);
              ndomain = (ndomain ? newbuf + ndomaindiff
                         : NULL);
              *tofreep = buffer = newbuf;
            }
I do not think this is implied by the NSS API contract. We should simplify this
code to use two buffers that are resized separately.
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-24 11:53 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Florian Weimer <fweimer at redhat dot com> changed:
            What    |Removed                          |Added
----------------------------------------------------------------------------
        Assignee    |unassigned at sourceware dot org |fweimer at redhat dot com
              CC    |                                 |fweimer at redhat dot com
          Status    |NEW                              |ASSIGNED
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: carlos at redhat dot com @ 2024-04-24 20:36 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Carlos O'Donell <carlos at redhat dot com> changed:
            What    |Removed                          |Added
----------------------------------------------------------------------------
              CC    |                                 |carlos at redhat dot com
           Alias    |                                 |CVE-2024-33602
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-25 13:35 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Florian Weimer <fweimer at redhat dot com> changed:
            What    |Removed                          |Added
----------------------------------------------------------------------------
      Resolution    |---                              |FIXED
Target Milestone    |---                              |2.40
          Status    |ASSIGNED                         |RESOLVED
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.40 via:
commit c04a21e050d64a1193a6daab872bca2528bda44b
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Apr 25 15:01:07 2024 +0200
CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in
addgetnetgrentX (bug 31680)
This avoids potential memory corruption when the underlying NSS
callback function does not use the buffer space to store all strings
(e.g., for constant strings).
Instead of custom buffer management, two scratch buffers are used.
This increases stack usage somewhat.
Scratch buffer allocation failure is handled by return -1
(an invalid timeout value) instead of terminating the process.
This fixes bug 31679.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
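The report above shows the original code computing `nhost - buffer` and fixing the pointers up after `xrealloc`, which is only meaningful if every string really lives inside `buffer`; the fix commit replaces that with two separately managed buffers. The following is an added illustration written for this page, not glibc's code: the structs (`triple`, `outbuf`) and function names are hypothetical stand-ins for the NSS triple and the nscd result buffer. `triple_in_buffer` is the precondition the old offset arithmetic silently relied on, made explicit so a reader can see it fail for a constant string; `append_triple` shows the two-buffer approach, where the NSS callback's scratch buffer and the output buffer are never the same allocation, so growing the output with `realloc` cannot invalidate the source strings no matter where they point. Allocation failure is reported with -1 rather than by terminating, as the fix commit describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an NSS netgroup triple as returned by a
   getnetgrent-style callback (not glibc's struct).  Each member may be
   NULL, may point into the caller's scratch buffer, or may point at a
   constant string that lives somewhere else entirely.  */
struct triple {
    const char *host;
    const char *user;
    const char *domain;
};

/* Growable output buffer for the serialized triples.  It is resized
   independently of the scratch buffer the NSS callback writes into.  */
struct outbuf {
    char *data;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

/* True if p lies inside [base, base + cap).  Compared as integers so the
   result is well defined even when p is unrelated to base.  */
static bool points_into(const char *p, const char *base, size_t cap)
{
    uintptr_t ip = (uintptr_t) p, ib = (uintptr_t) base;
    return p != NULL && ip >= ib && ip - ib < cap;
}

/* The precondition the offset fix-up in the original code relied on without
   checking: every non-NULL string of the triple must live inside the buffer
   that is about to be reallocated.  When this is false, `ptr - buffer` is
   meaningless and the "fixed-up" pointer does not point at the string.  */
bool triple_in_buffer(const struct triple *t, const char *base, size_t cap)
{
    const char *s[3] = { t->host, t->user, t->domain };
    for (int i = 0; i < 3; i++)
        if (s[i] != NULL && !points_into(s[i], base, cap))
            return false;
    return true;
}

/* Two-buffer approach: copy the triple into `out`, growing `out` with
   realloc when needed.  The source strings are never inside `out`, so no
   pointer fix-up exists to get wrong, and it makes no difference whether a
   source lives in the NSS scratch buffer or in read-only constant data.
   NULL members are stored as empty strings.  Returns 0 on success and -1
   on allocation failure instead of aborting the process.  */
int append_triple(struct outbuf *out, const struct triple *t)
{
    const char *s[3] = { t->host ? t->host : "",
                         t->user ? t->user : "",
                         t->domain ? t->domain : "" };
    size_t need = 0;
    for (int i = 0; i < 3; i++)
        need += strlen(s[i]) + 1;

    if (out->cap - out->len < need) {
        size_t ncap = out->cap + (out->cap > 2 * need ? out->cap : 2 * need);
        char *nb = realloc(out->data, ncap);
        if (nb == NULL)
            return -1;            /* caller reports failure, no abort */
        out->data = nb;
        out->cap = ncap;
    }
    for (int i = 0; i < 3; i++) {
        size_t n = strlen(s[i]) + 1;
        memcpy(out->data + out->len, s[i], n);
        out->len += n;
    }
    return 0;
}

/* Demo of the situation in the report: the callback placed host and user in
   its scratch buffer but returned a constant for the domain, and a second
   callback returned only constants.  The old precondition fails for both,
   yet copying into a separate buffer serializes them correctly.  Returns the
   serialized length on success, -1 otherwise.  */
long demo_mixed_sources(void)
{
    char scratch[32];                          /* NSS scratch buffer */
    memcpy(scratch, "db\0alice\0", 10);        /* constructed callback output */
    struct triple mixed = { scratch, scratch + 3, "example.com" };
    struct triple consts = { "host2", NULL, NULL };
    struct outbuf out = { NULL, 0, 0 };

    int ok = !triple_in_buffer(&mixed, scratch, sizeof scratch)
          && !triple_in_buffer(&consts, scratch, sizeof scratch)
          && append_triple(&out, &mixed) == 0
          && append_triple(&out, &consts) == 0
          && out.len == 29
          && memcmp(out.data, "db\0alice\0example.com\0host2\0\0\0", 29) == 0;
    long result = ok ? (long) out.len : -1;
    free(out.data);
    return result;
}
```

The design point is that correctness no longer depends on a property of the NSS backend that the API does not promise: `append_triple` works for any readable source pointer, and the only failure mode left is out-of-memory, which is reported instead of turned into a crash.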
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: sam at gentoo dot org @ 2024-04-25 13:53 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Sam James <sam at gentoo dot org> changed:
            What    |Removed                          |Added
----------------------------------------------------------------------------
              CC    |                                 |sam at gentoo dot org
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: carnil at debian dot org @ 2024-04-25 21:00 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31680
Salvatore Bonaccorso <carnil at debian dot org> changed:
            What    |Removed                          |Added
----------------------------------------------------------------------------
              CC    |                                 |carnil at debian dot org