Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Date: Mon, 01 Jan 2018 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] [BZ #22342] Fix netgroup cache keys.
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20180517124345.03D4D43985E65@oldenburg.str.redhat.com>
From: fweimer@redhat.com (Florian Weimer)

From: DJ Delorie

Unlike other nscd caches, the netgroup cache contains two types of records - those for "iterate through a netgroup" (i.e. setnetgrent()) and those for "is this user in this netgroup" (i.e. innetgr()), i.e. full and partial records. The timeout code assumes these records have the same key for the group name, so that the collection of records that is "this netgroup" can be expired as a unit.

However, the keys are not the same, as the in-netgroup key is generated by nscd rather than being passed to it from elsewhere, and is generated without the trailing NUL. All other keys have the trailing NUL, and as noted in the linked BZ, debug statements confirm that two keys for the same netgroup are added to the cache with two different lengths.

The result of this is that as records in the cache expire, the purge code only cleans out one of the two types of entries, resulting in stale, possibly incorrect, and possibly inconsistent cache data.

The patch simply includes the existing NUL in the computation for the key length ('key' points to the char after the NUL, and 'group' to the first char of the group, so 'key-group' includes the first char to the NUL, inclusive).

	[BZ #22342]
	* nscd/netgroupcache.c (addinnetgrX): Include trailing NUL in key value.

Reviewed-by: Carlos O'Donell
(cherry picked from commit 1c81d55fc4b07b51adf68558ba74ce975153e580)

2018-03-01  DJ Delorie

	[BZ #22342]
	* nscd/netgroupcache.c (addinnetgrX): Include trailing NUL in key value.

diff --git a/NEWS b/NEWS index a8016a054a..4deb16c7c7 100644 --- a/NEWS +++ b/NEWS
@@ -107,6 +107,7 @@ The following bugs are resolved with this release: [22321] sysconf: Fix missing definition of UIO_MAXIOV on Linux [22322] libc: [mips64] wrong bits/long-double.h installed [22325] glibc: Memory leak in glob with GLOB_TILDE (CVE-2017-15671) + [22342] NSCD not properly caching netgroup [22343] malloc: Integer overflow in posix_memalign (CVE-2018-6485) [22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426) [22377] Provide a C++ version of iseqsig diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index cd0c3ea19b..741c3bba2b 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -480,7 +480,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, { const char *group = key; key = (char *) rawmemchr (key, '\0') + 1; - size_t group_len = key - group - 1; + size_t group_len = key - group; const char *host = *key++ ? key : NULL; if (host != NULL) key = (char *) rawmemchr (key, '\0') + 1;
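Review bot: `size_t group_len = key - group;` in addinnetgrX now deliberately counts the terminating NUL, but nothing in the hunk says so, and a later reader comparing it with `key = (char *) rawmemchr (key, '\0') + 1;` on the line above will read it as an off-by-one and put the `- 1` back. Suggest a one-line comment above the assignment, e.g. `/* Include the trailing NUL so this key has the same length as the setnetgrent-style keys.  */`. The rest of the hunk is unaffected by the change: `host` is derived from the already advanced `key`, not from `group_len`, so only the recorded key length moves. The NEWS hunk is fine as is.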
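To make the length mismatch in the commit message concrete, here is an added example (not part of the patch or of nscd) with a constructed innetgr request and a toy cache that matches records on (key bytes, key length): a purge keyed on the setnetgrent form of the group name misses the innetgr record until the trailing NUL is counted, which is the stale-entry behaviour the commit describes. The request layout, REQ and the toy cache are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Constructed innetgr request, laid out as the commit message describes:
   "group\0host\0user\0domain\0".  The group name is the first field. */
static const char REQ[] = "admins\0host1\0alice\0example.org\0";

/* Key length of an "is user in netgroup" (innetgr) record, computed as
   addinnetgrX does before the fix (NUL excluded) and after it (NUL included);
   nscd uses rawmemchr, strchr finds the same terminator here. */
size_t innetgr_key_len(const char *req, int fixed)
{
    const char *group = req;
    const char *key = strchr(req, '\0') + 1;  /* char after the group's NUL */
    return fixed ? (size_t)(key - group) : (size_t)(key - group - 1);
}

/* Key length of an "iterate through a netgroup" (setnetgrent) record: the
   group name plus its trailing NUL, like every other nscd cache key. */
size_t setnetgrent_key_len(const char *group)
{
    return strlen(group) + 1;
}

/* Toy cache entry: a record is matched by key bytes and key length. */
struct entry { const char *key; size_t len; int alive; };
/* Expire every live record whose key equals the setnetgrent form of GROUP.
   Returns how many records were removed. */
int purge_by_group(struct entry *e, int n, const char *group)
{
    size_t plen = setnetgrent_key_len(group);
    int removed = 0;
    for (int i = 0; i < n; i++)
        if (e[i].alive && e[i].len == plen && memcmp(e[i].key, group, plen) == 0) {
            e[i].alive = 0;
            removed++;
        }
    return removed;
}

/* Cache both record types for REQ's group, then purge that group.  Old length:
   only the setnetgrent record goes, the innetgr one stays stale; fixed: both go. */
int purged_count(int fixed)
{
    struct entry e[2] = {
        { REQ, setnetgrent_key_len(REQ), 1 },     /* setnetgrent record */
        { REQ, innetgr_key_len(REQ, fixed), 1 },  /* innetgr record */
    };
    return purge_by_group(e, 2, REQ);
}
```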