This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] CVE-2014-8121: Fix nss_files file management [BZ#18007]


* Andreas Schwab:

> Florian Weimer <fweimer@redhat.com> writes:
>
>> On 02/23/2015 12:42 PM, Florian Weimer wrote:
>>> Robin Hack discovered that Samba would enter an infinite loop when
>>> processing quota-related requests.  It turns out this is a bug in the
>>> nss_files database.  Performing a lookup in the middle of an iteration
>>> (say, getpwuid between getpwent) effectively resets the file pointer, so
>>> that the iteration starts again from the beginning.
>>> 
>>> Tested on x86_64-redhat-linux-gnu.  Okay to commit?
>>
>> Ping?
>>
>> Can we at least fix the most common instance of this bug?
>
> It's the wrong way to fix the bug.  The getpwuid function should use a
> separate state local to this function, with _all_ backends.

Sorry, I don't see how this can be retrofitted on top of the existing
NSS API.  It assumes that the NSS module keeps the iteration state in
a per-module global variable.

The fix I proposed builds on Ulrich's original patch which attempted
to separate the state for lookup and iteration, but failed to do so
because of that incorrectly initialized variable.  We didn't notice
this because there was no test.

I can fix the other modules as well if someone can provide
instructions on how to set up test environments.

