Bug 20338 - Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.21
Importance: P2 normal
Target Milestone: 2.32
Assignee: Florian Weimer
Reported: 2016-07-08 14:44 UTC by fedora.dm0
Modified: 2020-07-31 10:02 UTC
CC: 6 users

Last reconfirmed: 2016-07-11 00:00:00
Flags: fweimer: security-


Attachments
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c (1.31 KB, patch)
2016-12-15 23:36 UTC, fedora.dm0
Description fedora.dm0 2016-07-08 14:44:55 UTC
Specifically structured /etc/gshadow entries can cause fgetsgent() to return invalid pointers that cause applications to segfault on dereference.

One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that

     line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.

The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced.

See the following for a test program and a patch:

https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
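A constructed C model of the failure mode described above, added here as an illustration (it is not glibc's code and not the test program linked in the message): a static buffer holds the line text followed by the member pointer array; when the text fits but the pointer array does not, the parser returns ERANGE early, and a front end that still hands back the static result exposes pointers that now fall inside the new line's text. The struct, function names, the 48-byte buffer, the two entries and the use of sizeof(char *) as the pointer alignment are assumptions of the example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct sgrp_model { char *name; char **mem; };   /* reduced gshadow entry */
/* Copy "name:m1,m2,..." into BUF and lay the member pointer array out after the
   text, aligned for char * (sizeof(char *) assumed as alignment).  Returns ERANGE
   early, leaving RES untouched, when the text fits but the array would not. */
static int parse_line(const char *line, struct sgrp_model *res, char *buf, size_t buflen)
{
    size_t len = strlen(line) + 1;
    if (len > buflen) return ERANGE;
    memcpy(buf, line, len);                 /* text overwrites any old pointers */
    char *colon = strchr(buf, ':');
    if (colon == NULL) return EINVAL;
    *colon = '\0';
    size_t n = 0;                           /* members: 0, or 1 + commas */
    for (const char *c = colon + 1; *c; c++) n += (c == colon + 1) + (*c == ',');
    uintptr_t p = ((uintptr_t)buf + len + sizeof(char *) - 1) & ~(uintptr_t)(sizeof(char *) - 1);
    if (p + (n + 1) * sizeof(char *) > (uintptr_t)buf + buflen) return ERANGE;
    char **mem = (char **)p; size_t i = 0;
    for (char *t = strtok(colon + 1, ","); t; t = strtok(NULL, ",")) mem[i++] = t;
    mem[i] = NULL; res->name = buf; res->mem = mem;
    return 0;
}
enum { BUFLEN = 48 }; static char buffer[BUFLEN];   /* static buffer, as in fgetsgent */
static struct sgrp_model result;                   /* static result, as in fgetsgent */

/* Buggy front end: hands RESULT back whatever parse_line said; after an ERANGE
   it still carries the previous entry's pointers, now overwritten by text. */
struct sgrp_model *buggy_getent(const char *line)
{
    errno = parse_line(line, &result, buffer, BUFLEN);   /* result returned regardless */
    return &result;
}

/* Fixed front end: a failed parse never exposes stale state. */
struct sgrp_model *fixed_getent(const char *line)
{
    int err = parse_line(line, &result, buffer, BUFLEN);
    if (err) { memset(&result, 0, sizeof result); errno = err; return NULL; }
    return &result;
}

/* 1 if R's member array now lies inside the text copied from LINE. */
int mem_inside_text(const struct sgrp_model *r, const char *line)
{ return r->mem && (char *)r->mem >= buffer && (char *)r->mem < buffer + strlen(line) + 1; }
/* Constructed entries: both fit as text, but the second needs 13 member pointers. */
static const char LINE1[] = "g1:alice,bob";
static const char LINE2[] = "g2:a,b,c,d,e,f,g,h,i,j,k,l";
```

After the buggy call the returned struct's member array sits inside the freshly copied text of LINE2, which is exactly the invalid pointer an application would then dereference; the fixed front end reports ERANGE and returns nothing instead.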
Comment 1 fedora.dm0 2016-12-15 23:36:16 UTC
Created attachment 9705 [details]
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c
Comment 2 fedora.dm0 2017-02-20 06:45:05 UTC
Can this be applied to make it into the next release?
Comment 3 Jason Perrin 2019-10-18 01:00:04 UTC
This is affecting us too (specifically this bug, leading to https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything we can do to help get the patch merged?

Thanks for your work on glibc!
Comment 4 Florian Weimer 2020-07-17 08:33:23 UTC
Patches posted: https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html
Comment 5 Florian Weimer 2020-07-21 15:16:12 UTC
Fixed for glibc 2.32 via:

commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Jul 16 17:31:20 2020 +0200

    gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)
    
    Tested-by: Carlos O'Donell <carlos@redhat.com>
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Comment 6 Florian Weimer 2020-07-31 10:02:37 UTC
I'm flagging this as security- because the affected files contain trusted content.