public inbox for glibc-bugs@sourceware.org
* [Bug nscd/31680] New: nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-24 11:53 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

            Bug ID: 31680
           Summary: nscd: netgroup cache assumes NSS callback uses in-buffer
                    strings
           Product: glibc
           Version: 2.40
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---
             Flags: security+

The buffer-resizing code in addgetnetgrentX assumes that all string pointers
point into the supplied buffer:

          const char *nhost = data.val.triple.host;
          const char *nuser = data.val.triple.user;
          const char *ndomain = data.val.triple.domain;

          size_t hostlen = strlen (nhost ?: "") + 1;
          size_t userlen = strlen (nuser ?: "") + 1;
          size_t domainlen = strlen (ndomain ?: "") + 1;

          if (nhost == NULL || nuser == NULL || ndomain == NULL
              || nhost > nuser || nuser > ndomain)
            {
              const char *last = nhost;
              if (last == NULL
                  || (nuser != NULL && nuser > last))
                last = nuser;
              if (last == NULL
                  || (ndomain != NULL && ndomain > last))
                last = ndomain;

              size_t bufused
                = (last == NULL
                   ? buffilled
                   : last + strlen (last) + 1 - buffer);

              /* We have to make temporary copies.  */
              size_t needed = hostlen + userlen + domainlen;

              if (buflen - req->key_len - bufused < needed)
                {
                  buflen += MAX (buflen, 2 * needed);
                  /* Save offset in the old buffer.  We don't
                     bother with the NULL check here since
                     we'll do that later anyway.  */
                  size_t nhostdiff = nhost - buffer;
                  size_t nuserdiff = nuser - buffer;
                  size_t ndomaindiff = ndomain - buffer;

                  char *newbuf = xrealloc (buffer, buflen);
                  /* Fix up the triplet pointers into the new
                     buffer.  */
                  nhost = (nhost ? newbuf + nhostdiff : NULL);
                  nuser = (nuser ? newbuf + nuserdiff : NULL);
                  ndomain = (ndomain ? newbuf + ndomaindiff : NULL);
                  *tofreep = buffer = newbuf;
                }

I do not think this is implied by the NSS API contract. We should simplify this
code to use two buffers that are resized separately.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
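An added example, not glibc code and not from the report, that models the two strategies in C: triple_offsets_valid checks the "every string lives in my buffer" assumption that the offset fix-up above silently relies on, and result_append_triple is the copy-into-a-separate-result-buffer approach that the fix in comment #1 adopts. The function names, the struct result type and the doubling growth policy are assumptions of this example, not nscd's.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Is p inside [buf, buf + len)?  Compared as integers: ordering unrelated
   pointers is undefined behaviour in C.  */
static int in_buffer(const char *p, const char *buf, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)buf;
    return p != NULL && a >= lo && a < lo + len;
}

/* Pre-fix strategy: save "pointer - buffer" offsets, realloc, rebuild.  Returns
   1 only if every non-NULL string really lives in buf; 0 means a rebuilt
   pointer would point at garbage, which is the bug reported above.  */
int triple_offsets_valid(const char *host, const char *user,
                         const char *domain, const char *buf, size_t len)
{
    const char *s[3] = { host, user, domain };
    for (int i = 0; i < 3; i++)
        if (s[i] != NULL && !in_buffer(s[i], buf, len))
            return 0;
    return 1;
}

/* Post-fix strategy: a separate result buffer that only grows by copying,
   so the NSS strings may live anywhere (constant, static, module-owned).  */
struct result { char *data; size_t used, cap; };   /* hypothetical type */
/* Append "host\0user\0domain\0" to r (NULL becomes "").  Returns 0 on
   success, -1 if allocation fails: reported to the caller, not fatal.  */
int result_append_triple(struct result *r, const char *host,
                         const char *user, const char *domain)
{
    const char *s[3] = { host ? host : "", user ? user : "",
                         domain ? domain : "" };
    size_t need = strlen(s[0]) + strlen(s[1]) + strlen(s[2]) + 3;
    if (r->cap - r->used < need) {
        size_t ncap = r->cap ? r->cap : 64;      /* assumed growth policy */
        while (ncap - r->used < need) ncap *= 2;
        char *nd = realloc(r->data, ncap);
        if (nd == NULL) return -1;
        r->data = nd, r->cap = ncap;
    }
    for (int i = 0; i < 3; i++) {   /* copy, never alias, the input strings */
        size_t n = strlen(s[i]) + 1;
        memcpy(r->data + r->used, s[i], n);
        r->used += n;
    }
    return 0;
}
```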
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-24 11:53 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org |fweimer at redhat dot com
                 CC|                                 |fweimer at redhat dot com
             Status|NEW                              |ASSIGNED
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: carlos at redhat dot com @ 2024-04-24 20:36 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |carlos at redhat dot com
              Alias|                                 |CVE-2024-33602
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: fweimer at redhat dot com @ 2024-04-25 13:35 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
         Resolution|---                              |FIXED
   Target Milestone|---                              |2.40
             Status|ASSIGNED                         |RESOLVED

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.40 via:

commit c04a21e050d64a1193a6daab872bca2528bda44b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in
    addgetnetgrentX (bug 31680)

    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).

    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.

    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: sam at gentoo dot org @ 2024-04-25 13:53 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

Sam James <sam at gentoo dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |sam at gentoo dot org
* [Bug nscd/31680] nscd: netgroup cache assumes NSS callback uses in-buffer strings
From: carnil at debian dot org @ 2024-04-25 21:00 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=31680

Salvatore Bonaccorso <carnil at debian dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |carnil at debian dot org