Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
To: "GNU C Library (Stable)"
From: Carlos O'Donell
Subject: [2.28 COMMITTED] nscd: Fix use-after-free in addgetnetgrentX [BZ #23520]
Organization: Red Hat
Message-ID: <3733b386-366d-4dd5-1cc4-763da220d5f7@redhat.com>
Date: Mon, 01 Jan 2018 00:00:00 -0000
X-SW-Source: 2018-11/txt/msg00020.txt.bz2

Tested on x86_64. build-many-glibcs run in progress.

--

addinnetgrX may use the heap-allocated buffer, so free the buffer in
this function.

(cherry picked from commit 745664bd798ec8fd50438605948eea594179fba1)
---
 ChangeLog            | 12 ++++++++++++
 nscd/netgroupcache.c | 42 +++++++++++++++++++++++++++++-------------
 2 files changed, 41 insertions(+), 13 deletions(-)

--
Cheers,
Carlos.

[Attachment: 0005-nscd-Fix-use-after-free-in-addgetnetgrentX-BZ-23520.patch]

>From 7d174f53539bfbfa9cdfa41ead605573d3f219eb Mon Sep 17 00:00:00 2001
From: Florian Weimer Date: Tue, 28 Aug 2018 13:19:27 +0200 Subject: [PATCH 5/8] nscd: Fix use-after-free in addgetnetgrentX [BZ #23520] addinnetgrX may use the heap-allocated buffer, so free the buffer in this function. (cherry picked from commit 745664bd798ec8fd50438605948eea594179fba1) --- ChangeLog | 12 ++++++++++++ nscd/netgroupcache.c | 42 +++++++++++++++++++++++++++++------------- 2 files changed, 41 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index e81991066e..79d303e7b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2018-08-28 Florian Weimer + + [BZ #23520] + nscd: Fix use-after-free in addgetnetgrentX and its callers. + * nscd/netgroupcache.c + (addgetnetgrentX): Add tofreep parameter. Do not free + heap-allocated buffer. + (addinnetgrX): Free buffer allocated bt addgetnetgrentX. + (addgetnetgrentX_ignore): New function. + (addgetnetgrent): Call it. + (readdgetnetgrent): Likewise. + 2018-08-16 DJ Delorie * malloc/malloc.c (_int_free): Check for corrupt prev_size vs size. diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c index 2b35389cc8..87059fb280 100644 --- a/nscd/netgroupcache.c +++ b/nscd/netgroupcache.c @@ -113,7 +113,8 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, static time_t addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, const char *key, uid_t uid, struct hashentry *he, - struct datahead *dh, struct dataset **resultp) + struct datahead *dh, struct dataset **resultp, + void **tofreep) { if (__glibc_unlikely (debug_level > 0)) { @@ -139,6 +140,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, size_t group_len = strlen (key) + 1; struct name_list *first_needed = alloca (sizeof (struct name_list) + group_len); + *tofreep = NULL; if (netgroup_database == NULL && __nss_database_lookup ("netgroup", NULL, NULL, &netgroup_database)) 
@@ -151,6 +153,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, memset (&data, '\0', sizeof (data)); buffer = xmalloc (buflen); + *tofreep = buffer; first_needed->next = first_needed; memcpy (first_needed->name, key, group_len); data.needed_groups = first_needed; @@ -439,8 +442,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, } out: - free (buffer); - *resultp = dataset; return timeout; @@ -477,8 +478,12 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, group, group_len, db, uid); time_t timeout; + void *tofree; if (result != NULL) - timeout = result->head.timeout; + { + timeout = result->head.timeout; + tofree = NULL; + } else { request_header req_get = @@ -487,7 +492,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, .key_len = group_len }; timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, - &result); + &result, &tofree); } struct indataset @@ -560,7 +565,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, ++dh->nreloads; if (cacheable) pthread_rwlock_unlock (&db->lock); - return timeout; + goto out; } if (he == NULL) @@ -596,17 +601,30 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, dh->usable = false; } + out: + free (tofree); return timeout; } +static time_t +addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, + struct datahead *dh) +{ + struct dataset *ignore; + void *tofree; + time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, + &ignore, &tofree); + free (tofree); + return timeout; +} + void addgetnetgrent (struct database_dyn *db, int fd, request_header *req, void *key, uid_t uid) { - struct dataset *ignore; - - addgetnetgrentX (db, fd, req, key, uid, NULL, NULL, &ignore); + addgetnetgrentX_ignore (db, fd, req, key, uid, NULL, NULL); } 
@@ -619,10 +637,8 @@ readdgetnetgrent (struct database_dyn *db, struct hashentry *he, .type = GETNETGRENT, .key_len = he->len }; - struct dataset *ignore; - - return addgetnetgrentX (db, -1, &req, db->data + he->key, he->owner, he, dh, - &ignore); + return addgetnetgrentX_ignore + (db, -1, &req, db->data + he->key, he->owner, he, dh); } -- 2.17.2
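Review bot: typo in the ChangeLog hunk, the addinnetgrX entry "Free buffer allocated bt addgetnetgrentX" should read "allocated by addgetnetgrentX". The rest of the entry matches the functions touched in nscd/netgroupcache.c.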
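Review bot: missing documentation on the new `void **tofreep` parameter in the addgetnetgrentX prototype hunk (@@ -113). The parameter transfers ownership of the heap buffer to the caller, but nothing in the hunk says so; a comment above addgetnetgrentX stating that the caller must `free (*tofreep)` only after it has finished with `*resultp`, and that `*tofreep` may be NULL, would keep the next caller from reintroducing the use-after-free this patch fixes.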
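Review bot: in the @@ -139 hunk, `*tofreep = NULL;` is placed after the alloca of first_needed and before the `__nss_database_lookup` check, so the not-found return that follows hands the caller a NULL that is safe to pass to free. Any return added above this line in a later change would leave the caller's `tofree` uninitialized; assigning `*tofreep = NULL;` as the first statement of the function would be more robust.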
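Review bot: in the @@ -151 hunk, `*tofreep = buffer;` records the pointer immediately after `buffer = xmalloc (buflen);`, which is correct only as long as `buffer` is never reassigned afterwards. If addgetnetgrentX grows `buffer` with xrealloc further down the function (outside the lines shown here), that site must update `*tofreep` as well, otherwise the caller frees a stale pointer; worth confirming against the full function before merging.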
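Review bot: with `free (buffer);` removed at the `out:` label in the @@ -439 hunk, addgetnetgrentX no longer owns the buffer and relies on every caller to free `*tofreep`. Since the commit message says the dataset returned through `*resultp` may reference that buffer in addinnetgrX, the review should confirm that addinnetgrX and the new addgetnetgrentX_ignore are the only callers left, so that no caller still expects the buffer to be released inside addgetnetgrentX.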
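Review bot: in the @@ -477 hunk, `void *tofree;` is declared without an initializer and only assigned inside the two branches of `if (result != NULL)`. Initializing it to NULL at the declaration (`void *tofree = NULL;`) costs nothing and keeps `free (tofree)` at the `out:` label safe if a later change adds a return path that runs before either branch.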
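Review bot: the @@ -560 hunk converts a single `return timeout;` into `goto out;`, after the `pthread_rwlock_unlock (&db->lock);` call, so the lock handling is unchanged. It is the only early return converted in this patch; the reviewer should check the rest of addinnetgrX for other returns between the addgetnetgrentX call and the `out:` label, since any that remain would bypass `free (tofree)` and leak the buffer.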
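Review bot: the new addgetnetgrentX_ignore in the @@ -596 hunk has no comment. A short note that it serves callers which only need the cache populated and discard the dataset (hence `ignore`), and that it frees the buffer returned through `tofree` because addgetnetgrentX no longer does, would make the intent clear. The `free (tofree);` here is safe on the not-found path only because the @@ -139 hunk sets `*tofreep = NULL` before any early return; that dependency is worth stating in the comment.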