This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] CVE-2014-8121: Fix nss_files file management [BZ#18007]
- From: Florian Weimer <fw at deneb dot enyo dot de>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Wed, 25 Mar 2015 13:27:02 +0100
- Subject: Re: [PATCH] CVE-2014-8121: Fix nss_files file management [BZ#18007]
- Authentication-results: sourceware.org; auth=none
- References: <54EB120A dot 1010202 at redhat dot com> <5506F010 dot 1090608 at redhat dot com> <mvmlhil1n5g dot fsf at hawking dot suse dot de>
* Andreas Schwab:
> Florian Weimer <fweimer@redhat.com> writes:
>
>> On 02/23/2015 12:42 PM, Florian Weimer wrote:
>>> Robin Hack discovered that Samba would enter an infinite loop when
>>> processing quota-related requests. It turns out this is a bug in the
>>> nss_files database. Performing a lookup in the middle of an iteration
>>> (say, getpwuid between getpwent) effectively resets the file pointer, so
>>> that the iteration starts again from the beginning.
>>>
>>> Tested on x86_64-redhat-linux-gnu. Okay to commit?
>>
>> Ping?
>>
>> Can we at least fix the most common instance of this bug?
>
> It's the wrong way to fix the bug. The getpwuid function should use a
> separate state local to this function, with _all_ backends.
Sorry, I don't see how this can be retrofitted on top of the existing
NSS API. It assumes that the NSS module keeps the iteration state in
a per-module global variable.
The fix I proposed builds on Ulrich's original patch which attempted
to separate the state for lookup and iteration, but failed to do so
because of that incorrectly initialized variable. We didn't notice
this because there was no test.
I can fix the other modules as well if someone can provide
instructions on how to set up test environments.