Bug 20338

Summary: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Product: glibc Reporter: fedora.dm0
Component: libcAssignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED    
Severity: normal CC: carlos, drepper.fsp, fedora.dm0, fweimer, howaboutsynergy, jasonvperrin, sam
Priority: P2 Flags: fweimer: security-
Version: 2.21   
Target Milestone: 2.32   
See Also: https://github.com/systemd/systemd/issues/6512
https://bugzilla.redhat.com/show_bug.cgi?id=1793577
https://sourceware.org/bugzilla/show_bug.cgi?id=30151
Host: Target:
Build: Last reconfirmed: 2016-07-11 00:00:00
Attachments: gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c

Description fedora.dm0 2016-07-08 14:44:55 UTC 
Specifically structured /etc/gshadow entries can cause fgetgsent() to return invalid pointers that cause applications to segfault on dereference.

One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that

     line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.

The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced.

See the following for a test program and a patch:

https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
Comment 1 fedora.dm0 2016-12-15 23:36:16 UTC 
Created attachment 9705 [details]
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
Comment 2 fedora.dm0 2017-02-20 06:45:05 UTC 
Can this be applied to make it into the next release?
Comment 3 Jason Perrin 2019-10-18 01:00:04 UTC 
This is affecting us too (specifically this bug, leading to https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything we can do to help get the patch merged?

Thanks for your work on glibc!
Comment 4 Florian Weimer 2020-07-17 08:33:23 UTC 
Patches posted: https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html
Comment 5 Florian Weimer 2020-07-21 15:16:12 UTC 
Fixed for glibc 2.32 via:

commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Jul 16 17:31:20 2020 +0200

    gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)
    
    Tested-by: Carlos O'Donell <carlos@redhat.com>
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Comment 6 Florian Weimer 2020-07-31 10:02:37 UTC 
I'm flagging this as security- because the affected files contain trusted content.