Bug 25976

Summary: internal_end*ent in nss_compat may clobber errno, hiding ERANGE
Product: glibc Reporter: Florian Weimer <fweimer>
Component: nss Assignee: Florian Weimer <fweimer>
Status: RESOLVED FIXED    
Severity: normal CC: fweimer
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: 2.32   
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1402403
Host: Target:
Build: Last reconfirmed:

Description Florian Weimer 2020-05-12 11:48:30 UTC
The end*ent functions such as internal_endpwent call into the rest of glibc and other NSS modules, without saving errno around those calls. Since successful function calls can clobber errno, a critical ERANGE error can be masked, and the caller will not retry with a larger buffer, reporting a different error instead.

Comment 1 Florian Weimer 2020-05-12 12:53:12 UTC
Patch posted: https://sourceware.org/pipermail/libc-alpha/2020-May/113864.html

Comment 2 Florian Weimer 2020-05-19 12:20:53 UTC
Fixed for glibc 2.32 with:

commit 790b8dda4455865cb8c3a47801f4304c1a43baf6
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue May 19 14:09:38 2020 +0200

    nss_compat: internal_end*ent may clobber errno, hiding ERANGE [BZ #25976]
    
    During cleanup, before returning from get*_r functions, the end*ent
    calls must not change errno.  Otherwise, an ERANGE error from the
    underlying implementation can be hidden, causing unexpected lookup
    failures.  This commit introduces an internal_end*ent_noerror
    function which saves and restores errno, and marks the original
    internal_end*ent function as warn_unused_result, so that it is used
    only in contexts where errors from it can be handled explicitly.
    
    Reviewed-by: DJ Delorie <dj@redhat.com>
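
The failure mode in this report, as an added C example (not glibc code and not taken from the patch): a cleanup call that succeeds but overwrites errno hides ERANGE from the caller's retry loop, and a save/restore wrapper keeps it visible. All demo_* names, the ENOENT value left by the cleanup stand-in, and the sample record are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an end*ent cleanup: it succeeds, yet leaves
   errno changed, which a successful call is allowed to do. */
static int demo_endent(void) { errno = ENOENT; return 0; }

/* Save errno, run the cleanup, restore errno. */
static void demo_endent_noerror(void)
{
    int saved = errno;
    (void) demo_endent();
    errno = saved;
}

/* Constructed get*_r-style lookup: fails with ERANGE if buf is too small. */
static int demo_getent_r(char *buf, size_t len, int preserve_errno)
{
    static const char rec[] = "alice:x:1000:1000:Alice Example:/home/alice:/bin/sh";
    int ok = len >= sizeof rec;
    if (ok) memcpy(buf, rec, sizeof rec); else errno = ERANGE;
    if (preserve_errno) demo_endent_noerror();
    else (void) demo_endent();   /* ERANGE is overwritten here */
    return ok ? 0 : -1;
}

/* Caller's retry loop: grow the buffer only when errno is ERANGE.
   Returns 0 on success, otherwise the errno value that stopped it. */
int demo_lookup(int preserve_errno)
{
    size_t len = 16;
    char *buf = malloc(len);
    if (buf == NULL) return ENOMEM;
    while (demo_getent_r(buf, len, preserve_errno) != 0) {
        int err = errno;
        char *bigger = NULL;
        if (err == ERANGE) { len *= 2; bigger = realloc(buf, len); err = ENOMEM; }
        if (bigger == NULL) { free(buf); return err; }
        buf = bigger;
    }
    free(buf);
    return 0;
}

int main(void)
{
    printf("clobbering cleanup: %d, preserving cleanup: %d\n",
           demo_lookup(0), demo_lookup(1));
    return 0;
}
```

With the clobbering cleanup the caller sees ENOENT on the first short buffer and gives up; with the wrapper it retries until the record fits.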