Bug 20338

Summary: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Product: glibc Reporter: fedora.dm0
Component: libcAssignee: Florian Weimer <fweimer>
Severity: normal CC: carlos, drepper.fsp, fedora.dm0, fweimer, howaboutsynergy, jasonvperrin
Priority: P2 Flags: fweimer: security-
Version: 2.21   
Target Milestone: 2.32   
See Also: https://github.com/systemd/systemd/issues/6512
Host: Target:
Build: Last reconfirmed: 2016-07-11 00:00:00
Attachments: gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c

Description fedora.dm0 2016-07-08 14:44:55 UTC
Specifically structured /etc/gshadow entries can cause fgetgsent() to return invalid pointers that cause applications to segfault on dereference.

One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that

     line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.

The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced.

See the following for a test program and a patch:

Comment 1 fedora.dm0 2016-12-15 23:36:16 UTC
Created attachment 9705 [details]
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
Comment 2 fedora.dm0 2017-02-20 06:45:05 UTC
Can this be applied to make it into the next release?
Comment 3 Jason Perrin 2019-10-18 01:00:04 UTC
This is affecting us too (specifically this bug, leading to https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything we can do to help get the patch merged?

Thanks for your work on glibc!
Comment 4 Florian Weimer 2020-07-17 08:33:23 UTC
Patches posted: https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html
Comment 5 Florian Weimer 2020-07-21 15:16:12 UTC
Fixed for glibc 2.32 via:

commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Jul 16 17:31:20 2020 +0200

    gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)
    Tested-by: Carlos O'Donell <carlos@redhat.com>
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Comment 6 Florian Weimer 2020-07-31 10:02:37 UTC
I'm flagging this as security- because the affected files contain trusted content.