This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 19 Oct 2015 11:23:06 +0000
- Subject: [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
- Auto-submitted: auto-generated
- References: <bug-18007-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18007
--- Comment #15 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.19/master has been updated
via 83e9e8b0464dcff36930b8bb53d04ac3b551b5a3 (commit)
from 012adb33827608d3b78e3832a1948b468b549946 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=83e9e8b0464dcff36930b8bb53d04ac3b551b5a3
commit 83e9e8b0464dcff36930b8bb53d04ac3b551b5a3
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Apr 29 14:41:25 2015 +0200
CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests. We eventually tracked this down to a
glibc issue.
Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:
…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET) = 2717
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
…
The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that. It is
supposed to skip closing the input file if it was already open.
  /* Reset file pointer to beginning or open file.  */                        \
  status = internal_setent (keep_stream);                                     \
                                                                              \
  if (status == NSS_STATUS_SUCCESS)                                           \
    {                                                                         \
      /* Tell getent function that we have repositioned the file pointer.  */ \
      last_use = getby;                                                       \
                                                                              \
      while ((status = internal_getent (result, buffer, buflen, errnop        \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))        \
             == NSS_STATUS_SUCCESS)                                           \
        { break_if_match }                                                    \
                                                                              \
      if (! keep_stream)                                                      \
        internal_endent ();                                                   \
    }                                                                         \
keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:
status = internal_setent (stayopen);
However, for non-host databases, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.
Thus, the fix is this:
- status = internal_setent (stayopen);
+ status = internal_setent (1);
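Review bot: at the `+ status = internal_setent (1);` line the set*ent implementation still accepts a `stayopen` argument but now ignores it, and nothing in the hunk records why; add a comment at that call site (pointing at BZ #18007 and the STAYOPEN handling in nss/getXXent_r.c described above) so a later cleanup does not "fix" the literal back to `stayopen`, and check that the now-unused parameter does not trip an unused-parameter warning in builds that treat warnings as errors.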
This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.
(cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)
Conflicts:
ChangeLog
NEWS
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 +++
NEWS | 7 ++-
nss/Makefile | 2 +-
nss/nss_files/files-XXX.c | 2 +-
nss/tst-nss-getpwent.c | 118 +++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 134 insertions(+), 3 deletions(-)
create mode 100644 nss/tst-nss-getpwent.c
--
You are receiving this mail because:
You are on the CC list for the bug.