From: fweimer@redhat.com (Florian Weimer)
Date: Tue, 27 Nov 2018 21:49:35 +0100 (CET)
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
Message-Id: <20181127204935.C4C0A4399457D@oldenburg.str.redhat.com>

(cherry picked from commit d527c860f5a3f0ed687bd03f0cb464612dc23408)

2018-11-27  Florian Weimer

	[BZ #23927]
	CVE-2018-19591
	* sysdeps/unix/sysv/linux/if_index.c (__if_nametoindex): Avoid
	descriptor leak in case of ENODEV error.

diff --git a/NEWS b/NEWS index 3c708d2903..f6d26425ff 100644 --- a/NEWS +++ b/NEWS @@ -82,6 +82,10 @@ Security related changes: architecture could write beyond the target buffer, resulting in a buffer overflow. Reported by Andreas Schwab. + CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a + denial of service due to resource exhaustion when processing getaddrinfo + calls with crafted host names. Reported by Guido Vranken. + The following bugs are resolved with this release: [16750] ldd: Never run file directly. @@ -158,6 +162,7 @@ The following bugs are resolved with this release: [23562] signal: Use correct type for si_band in siginfo_t [23579] libc: Errors misreported in preadv2 [23709] Fix CPU string flags for Haswell-type CPUs + [23927] Linux if_nametoindex() does not close descriptor (CVE-2018-19591) Version 2.26 diff --git a/sysdeps/unix/sysv/linux/if_index.c b/sysdeps/unix/sysv/linux/if_index.c index a874634d52..b620d21936 100644 --- a/sysdeps/unix/sysv/linux/if_index.c +++ b/sysdeps/unix/sysv/linux/if_index.c @@ -38,11 +38,6 @@ __if_nametoindex (const char *ifname) return 0; #else struct ifreq ifr; - int fd = __opensock (); - - if (fd < 0) - return 0; - if (strlen (ifname) >= IFNAMSIZ) { __set_errno (ENODEV); 
@@ -50,6 +45,12 @@ __if_nametoindex (const char *ifname) } strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); + + int fd = __opensock (); + + if (fd < 0) + return 0; + if (__ioctl (fd, SIOCGIFINDEX, &ifr) < 0) { int saved_errno = errno;
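Review bot: the NEWS entry at @@ -82,6 +82,10 @@ states the impact (descriptor exhaustion, denial of service) but not the trigger. One clause naming the condition, an interface name of IFNAMSIZ or more characters as the `%scope` suffix of an IPv6 literal passed to getaddrinfo, would let readers judge exposure without reading the if_index.c hunks; the subject line already says "overlong name", so the wording is available.

Review bot: in the if_index.c hunk at @@ -38,11 +38,6 @@, removing `int fd = __opensock ();` from above the `strlen (ifname) >= IFNAMSIZ` check is the whole fix: the `__set_errno (ENODEV)` early return ran after the socket had been opened and never closed it, so every call with an overlong name cost one descriptor. The reordering also changes which error is reported when both conditions hold: an overlong name now fails with ENODEV even if socket creation would have failed, where previously the `fd < 0` return reported the socket error first. Validating before acquiring the resource is the right order, but it deserves a sentence in the commit message. Note that the hunk as rendered on this page stops at `__set_errno (ENODEV);`; its remaining context lines are not visible here.

Review bot: the `int fd = __opensock ();` block added at @@ -50,6 +45,12 @@ sits after `strncpy (ifr.ifr_name, ifname, sizeof (ifr.ifr_name));`, so the only early return left before the ioctl is `fd < 0`, which has nothing to release. The visible context ends at `int saved_errno = errno;`; the descriptor must still be closed on both the ioctl failure path and the success path below that line, which this hunk does not touch, so the fix is complete only because that existing code already does so (the ChangeLog entry limiting the change to the ENODEV path is consistent with that). Since `strlen (ifname) < IFNAMSIZ` is now guaranteed before the copy, the `strncpy` with `sizeof (ifr.ifr_name)` always leaves `ifr_name` NUL-terminated.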
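The bug and the fix are a matter of ordering: acquire the descriptor after validation, so that no early-return path owns a resource. The following is an added example, not glibc's code, that models both orderings of if_nametoindex side by side and measures the leak. It assumes a stand-in `open_sock_stub` for glibc's internal `__opensock` (falling back to `/dev/null` where a sandbox refuses sockets, since any descriptor shows the leak) and a constructed overlong interface name of the kind a `%scope` suffix in a getaddrinfo host name would supply; `count_open_fds` and `leaked_fds` are hypothetical helpers written for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Stand-in for glibc's internal __opensock () (assumption of this example):
   any descriptor demonstrates the leak, so fall back to /dev/null where a
   sandbox refuses to create sockets. */
static int open_sock_stub(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        fd = open("/dev/null", O_RDONLY);
    return fd;
}

/* Model of the pre-fix ordering: acquire first, validate second.
   The ENODEV early return owns a descriptor it never closes. */
unsigned int nametoindex_leaky(const char *ifname)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    int fd = open_sock_stub();
    if (fd < 0)
        return 0;
    if (strlen(ifname) >= IFNAMSIZ) {
        errno = ENODEV;
        return 0;                  /* BUG: fd is leaked on this path */
    }
    strncpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name);
    if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) {
        int saved_errno = errno;
        close(fd);
        errno = saved_errno;
        return 0;
    }
    close(fd);
    return (unsigned int) ifr.ifr_ifindex;
}

/* Model of the fixed ordering: validate first, then acquire the descriptor
   only on the path that is guaranteed to close it. */
unsigned int nametoindex_fixed(const char *ifname)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    if (strlen(ifname) >= IFNAMSIZ) {
        errno = ENODEV;
        return 0;                  /* nothing acquired, nothing to release */
    }
    strncpy(ifr.ifr_name, ifname, sizeof ifr.ifr_name);
    int fd = open_sock_stub();
    if (fd < 0)
        return 0;
    if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) {
        int saved_errno = errno;
        close(fd);
        errno = saved_errno;
        return 0;
    }
    close(fd);
    return (unsigned int) ifr.ifr_ifindex;
}

/* Count descriptors currently open in this process (POSIX fcntl probe,
   no /proc needed). */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Call fn(name) `calls` times and return how many descriptors it left open.
   This is the check a fuzzer or regression test wants: zero means no leak. */
int leaked_fds(unsigned int (*fn)(const char *), const char *name, int calls)
{
    int before = count_open_fds();
    for (int i = 0; i < calls; i++)
        fn(name);
    return count_open_fds() - before;
}

/* Constructed input: an interface name of IFNAMSIZ or more characters, as the
   "%scope" suffix of an IPv6 literal passed to getaddrinfo would supply. */
const char *overlong_name(void)
{
    static char name[IFNAMSIZ + 8];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}
```

Run `leaked_fds(nametoindex_leaky, overlong_name(), N)` and the result grows by one per call, which is the resource-exhaustion path the NEWS entry describes; the fixed ordering returns 0 leaked descriptors for overlong and valid names alike, and still reports ENODEV for the overlong case.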