* [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: DJ Delorie @ 2021-02-25 21:13 UTC (permalink / raw)
To: libc-alpha
In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
was fixed, but this led to an occasional double-free. This patch
tracks the "live" allocation better.
Tested manually by a third party.
Related: RHBZ 1927877
---
nscd/netgroupcache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index dba6ceec1b..ad2daddafd 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
: NULL);
ndomain = (ndomain ? newbuf + ndomaindiff
: NULL);
- buffer = newbuf;
+ *tofreep = buffer = newbuf;
}
nhost = memcpy (buffer + bufused,
@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
{
buflen *= 2;
- buffer = xrealloc (buffer, buflen);
+ *tofreep = buffer = xrealloc (buffer, buflen);
}
else if (status == NSS_STATUS_RETURN
|| status == NSS_STATUS_NOTFOUND
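Review bot: `*tofreep = buffer = xrealloc (buffer, buflen);` sits inside the TRYAGAIN/ERANGE retry path, so with `buflen *= 2` it can run several times per lookup, and it is the second place this patch has to keep the owner's record in step with the local pointer; folding "grow and retrack" into a small helper that both this path and the earlier newbuf path call would leave one place to get right. Separately, the commit message says "Tested manually by a third party" and the diffstat touches only nscd/netgroupcache.c: a regression test that drives a netgroup lookup large enough to force this realloc would pin the fix and answer the request for nscd tests raised in review.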
--
2.21.1
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: Siddhesh Poyarekar @ 2021-03-01 7:48 UTC (permalink / raw)
To: DJ Delorie, libc-alpha
On 2/26/21 2:43 AM, DJ Delorie via Libc-alpha wrote:
>
> In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
> was fixed, but this led to an occasional double-free. This patch
> tracks the "live" allocation better.
>
> Tested manually by a third party.
>
> Related: RHBZ 1927877
Looks fine to me. Now that we have container testing, we should add
tests for nscd, especially since nscd doesn't seem to be going anywhere.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Siddhesh
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: Carlos O'Donell @ 2021-03-02 17:03 UTC (permalink / raw)
To: DJ Delorie, libc-alpha
On 2/25/21 4:13 PM, DJ Delorie via Libc-alpha wrote:
>
> In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
> was fixed, but this led to an occasional double-free. This patch
> tracks the "live" allocation better.
>
> Tested manually by a third party.
This looks like it should be logically the correct fix. There are only
two xrealloc's that I see that could impact the buffer reuse here and
we need to track the update to the pointer.
LGTM.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
> Related: RHBZ 1927877
> ---
> nscd/netgroupcache.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
> index dba6ceec1b..ad2daddafd 100644
> --- a/nscd/netgroupcache.c
> +++ b/nscd/netgroupcache.c
> @@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> : NULL);
> ndomain = (ndomain ? newbuf + ndomaindiff
> : NULL);
> - buffer = newbuf;
> + *tofreep = buffer = newbuf;
> }
>
> nhost = memcpy (buffer + bufused,
> @@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
> else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
> {
> buflen *= 2;
> - buffer = xrealloc (buffer, buflen);
> + *tofreep = buffer = xrealloc (buffer, buflen);
> }
> else if (status == NSS_STATUS_RETURN
> || status == NSS_STATUS_NOTFOUND
>
--
Cheers,
Carlos.
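The ownership rule Carlos describes (the pointer the caller will free has to follow every reallocation the callee performs) is easier to see in a small model than in the two-line diff. The program below is an added example written for this thread, not nscd's or glibc's code; the names `append_netgroup_part`, `moving_realloc`, `record_is_dangling`, `run_scenario` and the quarantine list are invented, the (host, user, domain) strings are constructed input, and `xrealloc` is stood in for by a reallocation that always moves so the outcome does not depend on what the system allocator happens to do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the ownership rule behind BZ #27462 (example code, not nscd's).
   A worker grows a buffer it was handed; the caller later frees whatever
   pointer the worker last stored in *tofreep.  If a reallocation updates
   the worker's local `buffer` but not `*tofreep`, the caller ends up
   freeing a block the reallocation already released.  Superseded blocks
   are parked in a quarantine rather than freed at once, so every address
   in one run is distinct and the check below is deterministic. */

#define MAX_MOVES 16
static char *quarantine[MAX_MOVES];
static int quarantine_len;

/* Reallocation that always moves: copy `copylen` bytes into a fresh block
   and quarantine the old one (stands in for xrealloc in this example). */
static char *moving_realloc (char *old, size_t copylen, size_t newlen)
{
  char *fresh = malloc (newlen);
  if (fresh == NULL || quarantine_len == MAX_MOVES)
    abort ();
  memcpy (fresh, old, copylen);
  quarantine[quarantine_len++] = old;
  return fresh;
}

/* Append `s`, doubling the buffer as needed.  update_owner != 0 is the
   patched discipline (*tofreep follows every reassignment of buffer);
   0 reproduces the pre-patch shape, where only the local pointer moved.
   Returns the number of reallocations performed. */
static int append_netgroup_part (char **bufp, size_t *lenp, size_t *usedp,
                                 char **tofreep, const char *s,
                                 int update_owner)
{
  size_t add = strlen (s);
  char *buffer = *bufp;
  int moves = 0;
  while (*usedp + add + 1 > *lenp)
    {
      size_t newlen = *lenp * 2;                 /* buflen *= 2 */
      buffer = moving_realloc (buffer, *usedp + 1, newlen);
      if (update_owner)
        *tofreep = buffer;                       /* *tofreep = buffer = ... */
      *lenp = newlen;
      moves++;
    }
  memcpy (buffer + *usedp, s, add + 1);
  *usedp += add;
  *bufp = buffer;
  return moves;
}

/* Does the owner's record name a block that was already superseded?  That
   is the state from which the caller's free () becomes a double free.
   Returns 1 if the record dangles, 0 if it names the live block. */
static int record_is_dangling (const char *record)
{
  for (int i = 0; i < quarantine_len; i++)
    if (quarantine[i] == record)
      return 1;
  return 0;
}

/* Pack constructed (host, user, domain) strings the way a netgroup result
   grows, then report whether the owner's free record dangles.  moves_out
   receives the number of reallocations (3 for this input). */
static int run_scenario (int update_owner, int *moves_out)
{
  static const char *const parts[] = { "host1", "user1", "example.org",
                                       "host2", "user2", "example.org" };
  size_t len = 8, used = 0;
  char *buffer = malloc (len);
  if (buffer == NULL)
    abort ();
  buffer[0] = '\0';
  char *tofree = buffer;            /* the caller's record of what to free */
  int moves = 0;
  for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++)
    moves += append_netgroup_part (&buffer, &len, &used, &tofree, parts[i],
                                   update_owner);
  int dangling = record_is_dangling (tofree);
  free (buffer);                    /* the live block, freed exactly once */
  while (quarantine_len > 0)        /* now release the superseded blocks */
    free (quarantine[--quarantine_len]);
  if (moves_out != NULL)
    *moves_out = moves;
  return dangling;
}

int main (void)
{
  int moves;
  int stale = run_scenario (0, &moves);
  printf ("pre-patch shape: owner record dangling = %d after %d moves\n",
          stale, moves);
  int fixed = run_scenario (1, &moves);
  printf ("patched shape:   owner record dangling = %d after %d moves\n",
          fixed, moves);
  return 0;
}
```

With the pre-patch shape the caller's record still names the first block after three reallocations, which is exactly the stale pointer the thread is about; with the patched shape it names the live block. The quarantine is only there to make the demonstration reproducible: with a real `realloc` the same bug exists, but whether a given run shows it depends on whether the allocator moved the block.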
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: DJ Delorie @ 2021-03-02 17:38 UTC (permalink / raw)
To: Siddhesh Poyarekar, Carlos O'Donell; +Cc: libc-alpha
> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Thanks! Pushed.
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: Andreas Schwab @ 2021-03-03 12:19 UTC (permalink / raw)
To: DJ Delorie via Libc-alpha
Please add the CVE reference.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: DJ Delorie @ 2021-03-03 17:11 UTC (permalink / raw)
To: Andreas Schwab; +Cc: libc-alpha
The CVE info is already in the bugzilla. Sorry, it's too late to add it
to the git commit message.
* Re: [PATCH v1] nscd: Fix double free in netgroupcache [BZ #27462]
From: Andreas Schwab @ 2021-03-03 17:48 UTC (permalink / raw)
To: DJ Delorie; +Cc: libc-alpha
You need to add it to NEWS.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
* Re: [PATCH v1] NEWS: Add entry for CVE-2021-27645
From: DJ Delorie @ 2021-03-03 19:55 UTC (permalink / raw)
To: Andreas Schwab; +Cc: libc-alpha
Andreas Schwab <schwab@linux-m68k.org> writes:
> You need to add it to NEWS.
---
NEWS | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 73a1a0df97..aa0f10a891 100644
--- a/NEWS
+++ b/NEWS
@@ -31,7 +31,10 @@ Changes to build and runtime requirements:
Security related changes:
- [Add security related changes here]
+ CVE-2021-27645: The nameserver caching daemon (nscd), when processing
+ a request for netgroup lookup, may crash due to a double-free,
+ potentially resulting in degraded service or Denial of Service on the
+ local system. Reported by Chris Schanzle.
The following bugs are resolved with this release:
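Review bot: "nameserver caching daemon" in the first added line is not what nscd stands for; it is the name service cache daemon (it caches netgroup lookups, as the entry itself says, not only DNS), so suggest "CVE-2021-27645: The name service cache daemon (nscd), when processing ...". The entry also cites only the CVE; the fix went in under [BZ #27462], and naming the bug number here (or making sure 27462 appears in the resolved-bugs list that follows) lets readers tie the advisory to the commit.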
--
2.29.2