| Summary: | double-free in nscd (CVE-2021-27645) | | |
|---|---|---|---|
| Product: | glibc | Reporter: | Siddhesh Poyarekar <siddhesh> |
| Component: | nscd | Assignee: | dj <dj> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | carlos, carnil, crushor, drepper.fsp, sam |
| Priority: | P2 | Flags: | siddhesh: security+ |
| Version: | unspecified | | |
| Target Milestone: | 2.34 | | |
| Host: | | Target: | |
| Build: | | Last reconfirmed: | |
Description
Siddhesh Poyarekar
2021-02-24 07:46:09 UTC
Comment 1

According to the xrealloc manual: "If there is not enough memory in the memory pool to satisfy the memory request, a null pointer is returned and the original memory block is not affected." So, is it safe to use the return value of xrealloc without checking?

Comment 2 (dj@redhat.com)

You're reading the documentation for realloc, not xrealloc. xrealloc cannot return NULL.

Comment 3 (crushor)

(In reply to dj@redhat.com from comment #2)
> You're reading the documentation for realloc, not xrealloc. xrealloc cannot
> return NULL.

Sure, you are right.

By the way, another question: why does Red Hat assign a 7.5 score for it? AC is network, and AI is high.

nscd provides caching for accesses of the passwd(5), group(5), hosts(5), services(5) and netgroup databases through standard libc interfaces, such as getpwnam(3), getpwuid(3), getgrnam(3), getgrgid(3), gethostbyname(3), and others.

Comment 4

(In reply to crushor from comment #3)
> (In reply to dj@redhat.com from comment #2)
> > You're reading the documentation for realloc, not xrealloc. xrealloc cannot
> > return NULL.
>
> Sure, you are right.
>
> By the way, another question: why does Red Hat assign a 7.5 score for it?
> AC is network, and AI is high.

IMO the score is incorrect because at least:

- AV should be local because nscd doesn't listen on remote requests.
- AC should be high since it is constrained by needing a netgroup request to have a response larger than 1K to cause the double-free crash.
- A (availability impact) is low since nscd crashing (the freed pointer is not used anywhere in the code path, so there's no UAF) will merely cause a direct request to authentication servers and incur a performance penalty; it won't be a full-on denial of service.
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673

commit dca565886b5e8bd7966e15f0ca42ee5cff686673
Author: DJ Delorie <dj@redhat.com>
Date:   Thu Feb 25 16:08:21 2021 -0500

    nscd: Fix double free in netgroupcache [BZ #27462]

    In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free was
    fixed, but this led to an occasional double-free. This patch tracks the
    "live" allocation better.

    Tested manually by a third party.

    Related: RHBZ 1927877

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
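An added illustration, not glibc's or nscd's code, of the two points made in this thread: an xrealloc that aborts instead of returning NULL (so its result needs no check), and a response buffer that starts at 1K, grows on ERANGE, and has exactly one pointer recording the live allocation so that it is freed once. `xrealloc` here is a stand-in, and `fake_query`, `fetch_response` and `buflen_for_response` are hypothetical names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for glibc's xrealloc: never returns NULL, aborts instead. */
static void *xrealloc(void *ptr, size_t size)
{
    void *p = realloc(ptr, size);
    if (p == NULL) abort();
    return p;
}

#define INITIAL_BUFLEN 1024 /* the 1K threshold discussed in the thread */

/* Constructed stand-in for getnetgrent_r: copy the response, or ERANGE if buf is too small. */
static int fake_query(const char *response, char *buf, size_t buflen)
{
    size_t need = strlen(response) + 1;
    if (need > buflen)
        return ERANGE;
    memcpy(buf, response, need);
    return 0;
}

/* Single-owner growth loop: `buffer` is the only record of the live heap block.
 * After each xrealloc the old pointer is dead and no alias to it is kept, so the
 * block is freed exactly once. Keeping a second pointer to the pre-realloc block
 * and freeing that too is the double-free pattern. Returns the final buflen. */
static size_t fetch_response(const char *response)
{
    size_t buflen = INITIAL_BUFLEN;
    char *buffer = xrealloc(NULL, buflen);
    while (fake_query(response, buffer, buflen) == ERANGE) {
        buflen *= 2;
        buffer = xrealloc(buffer, buflen);
    }
    free(buffer); /* the one live allocation, freed once */
    return buflen;
}

/* Test helper: buffer length needed for a constructed `len`-byte response. */
static size_t buflen_for_response(size_t len)
{
    char *response = malloc(len + 1);
    memset(response, 'x', len);
    response[len] = '\0';
    size_t buflen = fetch_response(response);
    free(response);
    return buflen;
}
```

A response that does not fit the initial 1K buffer is exactly the case the thread names as the trigger, and the growth loop is where a stale alias of the old block would turn into a second free.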