Bug 31679 (CVE-2024-33601) - nscd: netgroup cache may terminate daemon on memory allocation failure
Summary: nscd: netgroup cache may terminate daemon on memory allocation failure
Status: RESOLVED FIXED
Alias: CVE-2024-33601
Product: glibc
Classification: Unclassified
Component: nscd
Version: 2.40
Importance: P2 normal
Target Milestone: 2.40
Assignee: Florian Weimer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-24 08:32 UTC by Florian Weimer
Modified: 2024-04-25 21:00 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
fweimer: security+


Description Florian Weimer 2024-04-24 08:32:33 UTC
The netgroup cache uses xmalloc/xrealloc and may terminate the process due to a memory allocation failure.
Comment 1 Carlos O'Donell 2024-04-24 20:25:20 UTC
[carlos@athas nscd]$ grep 'xmalloc' *
Makefile:# To find xmalloc.c
Makefile:		xmalloc xstrdup aicache initgrcache res_hconf \
connections.c:	    dbs[cnt].head = xmalloc (sizeof (struct database_pers_head)
connections.c:	    dbs[cnt].data = xmalloc (dbs[cnt].head->data_size);
connections.c:  struct pollfd *conns = (struct pollfd *) xmalloc (nconns
connections.c:  server_groups = (gid_t *) xmalloc (server_ngroups * sizeof (gid_t));
mem.c:      he = xmalloc (memory_needed);
mem.c:#define obstack_chunk_alloc xmalloc
netgroupcache.c:  buffer = xmalloc (buflen);
nscd.h:#include <programs/xmalloc.h>
[carlos@athas nscd]$ grep 'xrealloc' *
netgroupcache.c:				    char *newbuf = xrealloc (buffer, buflen);
netgroupcache.c:			*tofreep = buffer = xrealloc (buffer, buflen);

Yes, we should not be doing this anywhere; we should check the result and handle the OOM gracefully.
Comment 2 Carlos O'Donell 2024-04-24 20:29:59 UTC
(In reply to Carlos O'Donell from comment #1)
> [carlos@athas nscd]$ grep 'xmalloc' *
> Makefile:# To find xmalloc.c
> Makefile:		xmalloc xstrdup aicache initgrcache res_hconf \
> connections.c:	    dbs[cnt].head = xmalloc (sizeof (struct
> database_pers_head)
> connections.c:	    dbs[cnt].data = xmalloc (dbs[cnt].head->data_size);
> connections.c:  struct pollfd *conns = (struct pollfd *) xmalloc (nconns
> connections.c:  server_groups = (gid_t *) xmalloc (server_ngroups * sizeof
> (gid_t));
> mem.c:      he = xmalloc (memory_needed);
> mem.c:#define obstack_chunk_alloc xmalloc
> netgroupcache.c:  buffer = xmalloc (buflen);
> nscd.h:#include <programs/xmalloc.h>
> [carlos@athas nscd]$ grep 'xrealloc' *
> netgroupcache.c:				    char *newbuf = xrealloc (buffer, buflen);
> netgroupcache.c:			*tofreep = buffer = xrealloc (buffer, buflen);
> 
> Yes, we should not be doing this anywhere, we should check the result and
> handle the OOM gracefully.

I should note that this bug is only about the netgroupcache.c usage.
Comment 3 Florian Weimer 2024-04-24 20:44:13 UTC
I believe the other usages are harmless because they happen during startup only.
Comment 4 Sourceware Commits 2024-04-25 13:32:37 UTC
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c04a21e050d64a1193a6daab872bca2528bda44b

commit c04a21e050d64a1193a6daab872bca2528bda44b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
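As an added illustration of the approach the commit message describes (this is not glibc code or code from anyone on this bug): a stand-alone C sketch in which a cache-fill routine grows a scratch buffer and, on allocation failure, returns -1 instead of aborting the daemon the way xmalloc/xrealloc do. The struct scratch type, fill_entry and the fail_alloc_at fault-injection knob are constructed for this example; the buffer is only loosely modelled on glibc's internal scratch_buffer.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal scratch buffer, loosely modelled on glibc's internal
   struct scratch_buffer: starts on the stack, moves to the heap on growth. */
struct scratch { char *data; size_t length; char stack[64]; };

/* Fault-injection knob (constructed for this example): a heap allocation
   of this many bytes or more fails, simulating memory exhaustion. */
size_t fail_alloc_at = (size_t) -1;

static void scratch_init (struct scratch *b)
{ b->data = b->stack; b->length = sizeof b->stack; }

static void scratch_free (struct scratch *b)
{ if (b->data != b->stack) free (b->data); }

/* Double the buffer.  Returns 0 on allocation failure instead of aborting
   like xrealloc; old contents are discarded, as with scratch_buffer_grow. */
static int scratch_grow (struct scratch *b)
{
  size_t new_length = b->length * 2;
  char *p = new_length >= fail_alloc_at ? NULL : malloc (new_length);
  if (p == NULL)
    return 0;
  scratch_free (b);
  b->data = p;
  b->length = new_length;
  return 1;
}

/* Stand-in for the cache-fill routine: copy a netgroup key into scratch
   space, growing as needed.  Returns a positive timeout on success and -1
   (an invalid timeout) on allocation failure, so the daemon keeps running. */
int fill_entry (const char *key, size_t *buffer_length)
{
  struct scratch buf;
  scratch_init (&buf);
  size_t need = strlen (key) + 1;
  while (buf.length < need)
    if (!scratch_grow (&buf))
      {
        scratch_free (&buf);
        return -1;
      }
  memcpy (buf.data, key, need);
  *buffer_length = buf.length;
  scratch_free (&buf);
  return 3600;
}
```

Setting fail_alloc_at before a call makes the growth path fail deterministically, which is how the -1 return can be exercised without actually exhausting memory.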
Comment 5 Florian Weimer 2024-04-25 13:35:38 UTC
Fixed for glibc 2.40 via:

commit c04a21e050d64a1193a6daab872bca2528bda44b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Comment 6 Sourceware Commits 2024-04-25 13:39:32 UTC
The release/2.39/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a9a8d3eebb145779a18d90e3966009a1daa63cd8

commit a9a8d3eebb145779a18d90e3966009a1daa63cd8
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 7 Sourceware Commits 2024-04-25 13:40:42 UTC
The release/2.38/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=71af8ca864345d39b746d5cee84b94b430fad5db

commit 71af8ca864345d39b746d5cee84b94b430fad5db
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 8 Sourceware Commits 2024-04-25 13:42:44 UTC
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6e106dc214d6a033a4e945d1c6cf58061f1c5f1f

commit 6e106dc214d6a033a4e945d1c6cf58061f1c5f1f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 9 Sourceware Commits 2024-04-25 13:47:24 UTC
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b6742463694b1dfdd5120b91ee21cf05d15ec2e2

commit b6742463694b1dfdd5120b91ee21cf05d15ec2e2
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 10 Sourceware Commits 2024-04-25 13:52:42 UTC
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7a5864cac60e06000394128a5a2817b03542f5a3

commit 7a5864cac60e06000394128a5a2817b03542f5a3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 11 Sourceware Commits 2024-04-25 13:55:23 UTC
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=86f1d5f4129c373ac6fb6df5bcf38273838843cb

commit 86f1d5f4129c373ac6fb6df5bcf38273838843cb
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 12 Sourceware Commits 2024-04-25 14:10:35 UTC
The release/2.33/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d27d4b9a188786fc6a56745506cec2acfc51f83

commit 4d27d4b9a188786fc6a56745506cec2acfc51f83
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 13 Sourceware Commits 2024-04-25 14:12:10 UTC
The release/2.32/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ed195a8ec89da281e3c4bf887a13d281b72d8f4

commit 3ed195a8ec89da281e3c4bf887a13d281b72d8f4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
Comment 14 Sourceware Commits 2024-04-25 14:13:33 UTC
The release/2.31/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bbf5a58ccb55679217f94de706164d15372fbbc0

commit bbf5a58ccb55679217f94de706164d15372fbbc0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 25 15:01:07 2024 +0200

    CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
    
    This avoids potential memory corruption when the underlying NSS
    callback function does not use the buffer space to store all strings
    (e.g., for constant strings).
    
    Instead of custom buffer management, two scratch buffers are used.
    This increases stack usage somewhat.
    
    Scratch buffer allocation failure is handled by return -1
    (an invalid timeout value) instead of terminating the process.
    This fixes bug 31679.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)