Message-ID: <77a393e5-34e1-09b3-1fa0-e52387664e0a@sourceware.org>
Date: Thu, 14 Sep 2023 07:27:12 -0400
Subject: Re: [PATCH v3] getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
To: Florian Weimer
Cc: libc-alpha@sourceware.org, schwab@suse.de, carlos@redhat.com
References: <20230913173638.3067388-1-siddhesh@sourceware.org> <20230914101302.3128752-1-siddhesh@sourceware.org> <87il8d2fhq.fsf@oldenburg3.str.redhat.com>
From: Siddhesh Poyarekar
In-Reply-To: <87il8d2fhq.fsf@oldenburg3.str.redhat.com>

On 2023-09-14 06:53, Florian Weimer wrote:
>> @@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
>> }
>> array[i].next = array + i + 1;
>> }
>> - array[0].name = h->h_name;
>> array[count - 1].next = NULL;
>
> I would expect
>
> array[0].name = res->h_name;
>
> here, but that's not needed because the assignment happens in
> generate_addrinfo, from res->canon, which may have been set with
> res->h_name as a fallback?

Right, we basically only use res->at->name in the gethostbyname4_r path
as a transitory value (it finally gets duplicated into res->canon)
because unfortunately we've encoded that into the NSS API :/

Thanks,
Sid
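
Review bot: with "array[0].name = h->h_name;" removed from convert_hostent_to_gaih_addrtuple, the visible lines of the hunk no longer assign array[0].name at all, and nothing at that spot says where the canonical name is now taken from. A short comment where the assignment used to be (the replies say the name is assigned in generate_addrinfo from res->canon) would record that the omission is deliberate, and it is worth confirming that the name field is initialized for every array element so that no later reader of the tuple sees an indeterminate pointer.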