glibc/nss
Siddhesh Poyarekar e3ccb230a9 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query.  For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup.  In this case, if the first call reallocates tmpbuf
enough times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name.  This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.  This
resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 973fe93a56)
2023-09-15 18:32:43 -04:00
nss_compat Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_db Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_files Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-compat1.root nss: fix nss_database_lookup2's alternate handling [BZ #27416] 2021-03-09 14:34:50 -05:00
tst-nss-db-endgrent.root/etc
tst-nss-db-endpwent.root
tst-nss-files-hosts-long.root/etc Fix failing nss/tst-nss-files-hosts-long with local resolver 2021-09-07 21:41:38 +02:00
tst-nss-gai-actions.root/etc Simplify allocations and fix merge and continue actions [BZ #28931] 2023-09-14 14:32:44 -04:00
tst-nss-gai-hv2-canonname.root getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 18:32:43 -04:00
tst-nss-test3.root
tst-reload1.root Fix failing nss/tst-nss-files-hosts-long. 2021-07-12 11:59:04 +02:00
tst-reload2.root nss: Re-enable NSS module loading after chroot [BZ #27389] 2021-03-02 16:14:18 -05:00
Depend
Makefile getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 18:32:43 -04:00
Versions nss_files: Move into libc 2021-07-07 18:33:52 +02:00
XXX-lookup.c nss: add assert to DB_LOOKUP_FCT (BZ #28752) 2022-06-13 18:15:29 -04:00
alias-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
bug-erange.c
bug17079.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
compat-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
databases.def Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
db-Makefile Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
digits_dots.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
ethers-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
function.def Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getXXbyYY.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getXXbyYY_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getXXent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getXXent_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getent.c nss: Implement --no-addrconfig option for getent 2022-10-13 15:11:25 +02:00
getnssent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
getnssent_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
grp-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
hosts-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
key-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
makedb.c Update copyright dates not handled by scripts/update-copyrights. 2022-01-01 11:42:26 -08:00
netgrp-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
network-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_action.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_action.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_action_parse.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_database.c nss: handle stat failure in check_reload_and_get (BZ #28752) 2022-06-13 18:15:40 -04:00
nss_database.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_fgetent_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_files_data.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_files_fopen.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_files_functions.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_hash.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_module.c nss: Protect against errno changes in function lookup (bug 28953) 2022-03-11 10:17:55 +01:00
nss_module.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_parse_line_result.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_readline.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_test.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_test.ver
nss_test1.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_test2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nss_test_errno.c hurd: Fix arbitrary error code 2022-04-18 17:54:19 +02:00
nss_test_gai_hv2_canonname.c getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 18:32:43 -04:00
nsswitch.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
nsswitch.conf Remove --enable-obsolete-nsl configure flag 2020-07-08 17:25:57 +02:00
nsswitch.h Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
proto-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
pwd-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
rewrite_field.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
rpc-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
service-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
sgrp-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
spwd-lookup.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
test-digits-dots.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
test-netdb.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-cancel-getpwuid_r.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-field.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-compat1.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-db-endgrent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-db-endpwent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-files-alias-leak.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-files-alias-truncated.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-files-hosts-erange.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-files-hosts-getent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-files-hosts-long.c nss: Fix tst-nss-files-hosts-long on single-stack hosts (bug 24816) 2022-10-13 15:12:20 +02:00
tst-nss-files-hosts-multi.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-gai-actions.c Simplify allocations and fix merge and continue actions [BZ #28931] 2023-09-14 14:32:44 -04:00
tst-nss-gai-hv2-canonname.c getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 18:32:43 -04:00
tst-nss-gai-hv2-canonname.h getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 18:32:43 -04:00
tst-nss-getpwent.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-static.c
tst-nss-test1.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-test2.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-test3.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-test4.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-test5.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
tst-nss-test_errno.c nss: Protect against errno changes in function lookup (bug 28953) 2022-03-11 10:17:55 +01:00
tst-reload1.c nss: Use shared prefix in IPv4 address in tst-reload1 2022-10-13 15:12:21 +02:00
tst-reload2.c Allow for unprivileged nested containers 2022-11-25 15:16:14 +01:00
valid_field.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00
valid_list_field.c Update copyright dates with scripts/update-copyrights 2022-01-01 11:40:24 -08:00