Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Sender: libc-stable-owner@sourceware.org
Received: from mx1.redhat.com by sourceware.org with ESMTP; Mon, 04 Feb 2019 19:25:52 +0000
From: Florian Weimer
To: Carlos O'Donell
Cc: Aurelien Jarno, libc-stable@sourceware.org
Subject: Re: Backporting CVE-2016-10739
References: <20190204134254.GA13816@aurel32.net> <871s4nppu4.fsf@oldenburg2.str.redhat.com> <87r2cno9qq.fsf@oldenburg2.str.redhat.com> <0a9daa70-7ea9-1ebd-8690-04b6ff2acd88@redhat.com> <87munbo8wy.fsf@oldenburg2.str.redhat.com> <47ca567f-7120-19c5-7ed6-c67c9f6306ca@redhat.com> <87y36vmsr9.fsf@oldenburg2.str.redhat.com>
Date: Tue, 01 Jan 2019 00:00:00 -0000
In-Reply-To: (Carlos O'Donell's message of "Mon, 4 Feb 2019 12:05:06 -0500")
Message-ID: <877eefmk3z.fsf@oldenburg2.str.redhat.com>

* Carlos O'Donell:

> On 2/4/19 11:18 AM, Florian Weimer wrote:
>> * Carlos O'Donell:
>>
>>> On 2/4/19 10:44 AM, Florian Weimer wrote:
>>>> * Carlos O'Donell:
>>>>
>>>>>> +#include
>>>>>> +
>>>>>
>>>>> Please add a comment explaining why this is here.
>>>>
>>>> You mean like this?
>>>>
>>>> /* Obtain the prototype for __inet_aton_exact.  */
>>>
>>> It should reference the bug or CVE to document the intent
>>> of the changes.
>>>
>>> Post v3 and I'll sign off?
>>
>> This approach does not actually work because copying a prototype this
>> way and adding a hidden visibility attribute does not actually make the
>> symbol hidden.  The patch below however has the desired effect, mainly
>> because interposition no longer happens and the __inet_aton_exact_hidden
>> function is not added to the dynamic symbol table of the nscd
>> executable.
>>
>> I suspect I would have had to use __attribute__ ((visibility
>> ("hidden"))) directly because we define attribute_hidden thusly:
>>
>> #if defined SHARED || defined LIBC_NONSHARED \
>>     || (BUILD_PIE_DEFAULT && IS_IN (libc))
>> # define attribute_hidden __attribute__ ((visibility ("hidden")))
>> #else
>> # define attribute_hidden
>> #endif
>>
>> I can post yet another patch which uses real hidden visibility and
>> avoids the symbol redirect.
>
> This version is a little hack-ish, but I don't object to it.  It does
> the job.
>
> It is certainly a minimal set of changes, and that makes it quite
> useful for the release branch.
>
> I don't think you need to go any further unless you think the version
> using real hidden visibility is all that much better?

Well, at least it does not have the completely ineffective
attribute_hidden.  8-)

Patch below.  What do you think?  This one gets the symbol visibility
correct.

$ eu-readelf -s ../build/nscd/nscd-inet_addr.o | grep inet_aton_exact
    22: 0000000000000150     56 FUNC    GLOBAL HIDDEN          1 __inet_aton_exact
$ eu-readelf -s ../build/nscd/gai.o | grep inet_aton_exact
    99: 0000000000000000      0 NOTYPE  GLOBAL HIDDEN      UNDEF __inet_aton_exact

And there's no __inet_aton_exact symbol in nscd.

I think this is fairly standard usage of a hidden symbol, so renaming
the symbol should not be necessary.

Thanks,
Florian

nscd: Do not use __inet_aton_exact@GLIBC_PRIVATE [BZ #20018]

This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE
symbol from nscd.  In master, the separately-compiled getaddrinfo
implementation in nscd needs it; however, such an internal ABI change
is not desirable on a release branch if it can be avoided.

2019-02-04  Florian Weimer

	[BZ #20018]
	nscd: Do not rely on new GLIBC_PRIVATE ABI after CVE-2016-10739 fix.
	* nscd/nscd-inet_addr.c: New file.  Build resolv/inet_addr.c for
	nscd, without public symbols.
	* nscd/Makefile (nscd-modules): Add it.
	* nscd/gai.c: Include and change visibility of __inet_aton_exact.
diff --git a/nscd/Makefile b/nscd/Makefile index b713a84c49..eb23c01a39 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \ getsrvbynm_r getsrvbypt_r servicescache \ dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \ xmalloc xstrdup aicache initgrcache gai res_hconf \ - netgroupcache + netgroupcache nscd-inet_addr ifeq ($(build-nscd)$(have-thread-library),yesyes) diff --git a/nscd/gai.c b/nscd/gai.c index f57f396f57..68a4abd30e 100644 --- a/nscd/gai.c +++ b/nscd/gai.c @@ -33,6 +33,12 @@ #define __getifaddrs getifaddrs #define __freeifaddrs freeifaddrs +/* We do not want to export __inet_aton_exact. Get the prototype and + change its visibility to hidden. */ +#include +__typeof__ (__inet_aton_exact) __inet_aton_exact + __attribute__ ((visibility ("hidden"))); + /* We are nscd, so we don't want to be talking to ourselves. */ #undef USE_NSCD diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c new file mode 100644 index 0000000000..f366b9567d --- /dev/null +++ b/nscd/nscd-inet_addr.c 
@@ -0,0 +1,32 @@ +/* Legacy IPv4 text-to-address functions. Version for nscd. + Copyright (C) 2019 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include + +/* We do not want to export __inet_aton_exact. Get the prototype and + change the visibility to hidden. */ +#include +__typeof__ (__inet_aton_exact) __inet_aton_exact + __attribute__ ((visibility ("hidden"))); + +/* Do not provide definitions of the public symbols exported from + libc. */ +#undef weak_alias +#define weak_alias(from, to) + +#include
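Review bot: the comment added in nscd/gai.c ("We do not want to export __inet_aton_exact. Get the prototype and change its visibility to hidden.") still names neither BZ #20018 nor CVE-2016-10739, which is what the earlier review asked for so that the reason for the redeclaration survives on the release branch; suggest something like "/* Get the prototype of __inet_aton_exact and make it hidden, so that nscd does not depend on the GLIBC_PRIVATE symbol introduced by the CVE-2016-10739 fix (BZ #20018).  */". The identical two-line redeclaration is repeated in nscd-inet_addr.c; keeping it in one nscd-local header would stop the two copies from drifting apart if the prototype changes.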
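Review bot: in nscd-inet_addr.c the empty "#define weak_alias(from, to)" only suppresses the aliases; any symbol that resolv/inet_addr.c defines directly as a default-visibility global still ends up in nscd-inet_addr.o and can be exported from the executable, so the check quoted in the mail ("eu-readelf -s ... | grep inet_aton_exact") should be widened to the whole GLOBAL DEFAULT list of that object before this is signed off for the branch. The hidden redeclaration is correctly placed before the final #include of the implementation, which is what makes the definition itself hidden rather than only the references.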