From: Florian Weimer
To: Carlos O'Donell
Cc: Aurelien Jarno, libc-stable@sourceware.org
Subject: Re: Backporting CVE-2016-10739
Date: Tue, 01 Jan 2019 00:00:00 -0000
In-Reply-To: <47ca567f-7120-19c5-7ed6-c67c9f6306ca@redhat.com> (Carlos O'Donell's message of "Mon, 4 Feb 2019 10:46:49 -0500")
Message-ID: <87y36vmsr9.fsf@oldenburg2.str.redhat.com>

* Carlos O'Donell:

> On 2/4/19 10:44 AM, Florian Weimer wrote:
>> * Carlos O'Donell:
>>
>>>> +#include
>>>> +
>>>
>>> Please add a comment explaining why this is here.
>>
>> You mean like this?
>>
>> /* Obtain the prototype for __inet_aton_exact. */
>
> It should reference the bug or CVE to document the intent
> of the changes.
>
> Post v3 and I'll sign off?

This approach does not actually work because copying a prototype this
way and adding a hidden visibility attribute does not actually make the
symbol hidden. The patch below however has the desired effect, mainly
because interposition no longer happens and the
__inet_aton_exact_hidden function is not added to the dynamic symbol
table of the nscd executable.

I suspect I would have had to use __attribute__ ((visibility
("hidden"))) directly because we define attribute_hidden thusly:

#if defined SHARED || defined LIBC_NONSHARED \
  || (BUILD_PIE_DEFAULT && IS_IN (libc))
# define attribute_hidden __attribute__ ((visibility ("hidden")))
#else
# define attribute_hidden
#endif

I can post yet another patch which uses real hidden visibility and
avoids the symbol redirect.

Thanks,
Florian

This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE
symbol from nscd. In master, the separately-compiled getaddrinfo
implementation in nscd needs it, however such an internal ABI change is
not desirable on a release branch if it can be avoided.

2019-02-04  Florian Weimer

	[BZ #20018]
	nscd: Do not rely on new GLIBC_PRIVATE ABI after CVE-2016-10739 fix.
	* nscd/nscd-inet_addr.c: New file. Build resolv/inet_addr.c for
	nscd, without public symbols.
	* nscd/Makefile (nscd-modules): Add it.
	* nscd/gai.c: Include and redirect __inet_aton_exact to
	__inet_aton_exact_hidden.

diff --git a/nscd/Makefile b/nscd/Makefile index b713a84c49..eb23c01a39 100644 --- a/nscd/Makefile +++ b/nscd/Makefile @@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \ getsrvbynm_r getsrvbypt_r servicescache \ dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \ xmalloc xstrdup aicache initgrcache gai res_hconf \ - netgroupcache + netgroupcache nscd-inet_addr ifeq ($(build-nscd)$(have-thread-library),yesyes) diff --git a/nscd/gai.c b/nscd/gai.c index f57f396f57..36cc6ce4c3 100644 --- a/nscd/gai.c +++ b/nscd/gai.c 
@@ -33,6 +33,13 @@ #define __getifaddrs getifaddrs #define __freeifaddrs freeifaddrs +/* We do not want to export __inet_aton_exact. Get the prototype and + change it to hidden visibility, and redirect to the hidden + definition. */ +#include +__typeof__ (__inet_aton_exact) __inet_aton_exact_hidden attribute_hidden; +#define __inet_aton_exact __inet_aton_exact_hidden + /* We are nscd, so we don't want to be talking to ourselves. */ #undef USE_NSCD diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c new file mode 100644 index 0000000000..901fc620b3 --- /dev/null +++ b/nscd/nscd-inet_addr.c @@ -0,0 +1,33 @@ +/* Legacy IPv4 text-to-address functions. Version for nscd. + Copyright (C) 2019 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include + +/* We do not want to export __inet_aton_exact. Get the prototype and + change it to hidden visibility, and arrange for a definition under + a different name. */ +#include +__typeof__ (__inet_aton_exact) __inet_aton_exact_hidden attribute_hidden; +#define __inet_aton_exact __inet_aton_exact_hidden + +/* Do not provide definitions of the public symbols exported from + libc. */ +#undef weak_alias +#define weak_alias(from, to) + +#include
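
Review bot: In the nscd/gai.c hunk, the new comment says the prototype is changed "to hidden visibility", but attribute_hidden is an empty macro unless SHARED, LIBC_NONSHARED or (BUILD_PIE_DEFAULT && IS_IN (libc)) is defined, and the covering message says the attribute is not what keeps the symbol out of the dynamic symbol table. The effect in this file comes from the rename done by "#define __inet_aton_exact __inet_aton_exact_hidden". Either spell the attribute out as __attribute__ ((visibility ("hidden"))) on the declaration, or reword the comment to describe the rename. The comment should also cite BZ #20018 and CVE-2016-10739, as requested earlier in the thread, so the reason for the redirect is clear to whoever touches this on the release branch later.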
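
Review bot: In the new file nscd/nscd-inet_addr.c, the declaration of __inet_aton_exact_hidden and the "#define __inet_aton_exact __inet_aton_exact_hidden" line are a verbatim copy of the block added to nscd/gai.c, so the caller and the definition can drift apart without a build error if only one is edited. A small nscd-internal header holding both lines, included from the two files, would keep them in agreement. Separately, "#define weak_alias(from, to)" with an empty body applies to everything the final #include pulls in, not only to the public aliases the comment mentions; naming the aliases being dropped in that comment would make it obvious when a later change to the included source adds one that nscd then loses silently.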