Bug 9954 - getaddrinfo assertion triggered without reason
Summary: getaddrinfo assertion triggered without reason
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: network (show other bugs)
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2009-03-15 15:31 UTC by Aurelien Jarno
Modified: 2014-06-13 11:15 UTC (History)

Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu
Last reconfirmed: 2010-06-01 03:44:20
fweimer: security-


Attachments
- Patch to fix the problem. (611 bytes, patch) 2009-03-15 15:32 UTC, Aurelien Jarno
- testcase (267 bytes, text/x-csrc) 2009-03-15 20:49 UTC, Aurelien Jarno
- /etc/host.conf for testcase (17 bytes, text/plain) 2009-03-15 20:50 UTC, Aurelien Jarno
- /etc/hosts for testcase (51 bytes, text/plain) 2009-03-15 20:51 UTC, Aurelien Jarno

Description Aurelien Jarno 2009-03-15 15:31:06 UTC
With the following /etc/hosts:
127.0.0.1       www.my-domain.es
127.0.1.1       www.my-domain.es
192.168.0.1     www.my-domain.es

Using getaddrinfo() on www.my-domain.es triggers the following assertion:
../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion 
`src->results[i].native == -1 || src->results[i].native == a1_native' failed.

This is due to two different bugs:
- In rfc3484_sort() rule 7, src->results[i].native is assigned even if 
src->results[i].index is -1, meaning that no interface is associated.
- In getaddrinfo() the source IP address used with the lo interface needs a 
special case, as it can be any IP within 127.X.Y.Z.

Patch fixing both problems will follow shortly.
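The two defects the report describes can be seen in a small model, written here as an added example that is not glibc's code and not the attached testcase. It keeps the field names from the assertion (`index`, `native`) and the three /etc/hosts entries from the report; the interface table, its index numbers, and the helper names are constructed for the illustration. Without the rule 7 guard, the entry with no associated interface (index -1) gets a `native` value assigned and the invariant from the assertion is violated on the next pass; with the loopback special case, 127.0.1.1 is attributed to lo like 127.0.0.1 and never receives index -1 in the first place.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed table of local interface addresses, standing in for what
   getaddrinfo() learns from the kernel. Index numbers are hypothetical. */
static const struct { const char *addr; int index; } local_ifaces[] = {
    { "127.0.0.1",   1 },   /* lo   */
    { "192.168.0.1", 2 },   /* eth0 */
};
#define LO_INDEX 1

/* The three /etc/hosts entries quoted in the report. */
static const char *hosts_entries[] = { "127.0.0.1", "127.0.1.1", "192.168.0.1" };

/* One entry of the sort state, using the field names from the assertion:
   index == -1 means no interface is associated, native == -1 means the
   "native transport" flag has not been computed yet. */
struct sort_result {
    struct in_addr src;
    int index;
    int native;
};

/* Second bug in the report: any address in 127.0.0.0/8 is reachable through
   lo, so the loopback check must cover the whole /8, not only 127.0.0.1. */
int is_loopback_v4(struct in_addr a)
{
    return (ntohl(a.s_addr) & 0xff000000u) == 0x7f000000u;
}

/* Map a source address to an interface index. With lo_special_case == 0 only
   an exact match against the interface table counts, so 127.0.1.1 ends up
   with index -1; with it set, every 127.x.y.z address is attributed to lo. */
int interface_index_for(struct in_addr src, int lo_special_case)
{
    if (lo_special_case && is_loopback_v4(src))
        return LO_INDEX;
    for (size_t i = 0; i < sizeof local_ifaces / sizeof local_ifaces[0]; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, local_ifaces[i].addr, &a) == 1 && a.s_addr == src.s_addr)
            return local_ifaces[i].index;
    }
    return -1;
}

/* String front-ends for the two helpers above (convenient for checks). */
int loopback_str(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? is_loopback_v4(a) : -1;
}

int index_for_str(const char *s, int lo_special_case)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? interface_index_for(a, lo_special_case) : -2;
}

/* Model of the rule 7 propagation step the report describes: once the native
   flag has been computed for interface a_index, copy it into every result on
   that interface, checking the invariant the assertion states. Returns 0 where
   glibc would abort. With guard set (the report's first fix), results with no
   associated interface are skipped instead of being treated as one interface. */
int propagate_native(struct sort_result *r, int n, int a_index, int a_native, int guard)
{
    if (guard && a_index == -1)
        return 1;
    for (int i = 0; i < n; i++) {
        if (r[i].index != a_index)
            continue;
        if (!(r[i].native == -1 || r[i].native == a_native))
            return 0;   /* `src->results[i].native == -1 || ... == a1_native' failed */
        r[i].native = a_native;
    }
    return 1;
}

/* Drive the model over the report's /etc/hosts. Two passes with different
   native values for index -1 stand in for the fact that -1 is not a real
   interface, so nothing keeps its flag consistent between comparisons.
   Returns 1 if sorting completes, 0 if the assertion would fire. */
int run_sort_model(int guard, int lo_special_case)
{
    struct sort_result r[3];
    for (int i = 0; i < 3; i++) {
        inet_pton(AF_INET, hosts_entries[i], &r[i].src);
        r[i].index = interface_index_for(r[i].src, lo_special_case);
        r[i].native = -1;
    }
    if (!propagate_native(r, 3, -1, 0, guard))
        return 0;
    return propagate_native(r, 3, -1, 1, guard);
}

int main(void)
{
    printf("no fix:          %s\n", run_sort_model(0, 0) ? "ok" : "assertion fires");
    printf("rule 7 guard:    %s\n", run_sort_model(1, 0) ? "ok" : "assertion fires");
    printf("lo special case: %s\n", run_sort_model(0, 1) ? "ok" : "assertion fires");
    return 0;
}
```

Either fix alone makes the model complete, which matches the report's description of two independent problems: the guard stops rule 7 from touching unassociated results at all, and the loopback special case ensures a 127.x.y.z source address is never left unassociated.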
Comment 1 Aurelien Jarno 2009-03-15 15:32:10 UTC
Created attachment 3822 [details]
Patch to fix the problem.
Comment 2 Ulrich Drepper 2009-03-15 18:39:42 UTC
None of the changes should be needed.

None of the known interfaces should have the index -1 and hence the test should
be unnecessary.  If this is not the case there is a problem elsewhere and you're
hiding it with the change.

For the deprecated addresses the same, the problem is in the configuration and
you're hiding it.

And no, I cannot reproduce any problem with the information you provide.  You
have to be much more detailed.
Comment 3 Aurelien Jarno 2009-03-15 20:19:21 UTC
> None of the known interfaces should have the index -1 and hence the test
> should be unnecessary.  If this is not the case there is a problem elsewhere
> and you're hiding it with the change.

Entries in /etc/hosts corresponding to IP 127.X.Y.Z, while being different than
127.0.0.1, are getting index -1, thus triggering the problem.
Comment 4 Aurelien Jarno 2009-03-15 20:49:59 UTC
Created attachment 3823 [details]
testcase
Comment 5 Aurelien Jarno 2009-03-15 20:50:51 UTC
Created attachment 3824 [details]
/etc/host.conf for testcase
Comment 6 Aurelien Jarno 2009-03-15 20:51:56 UTC
Created attachment 3825 [details]
/etc/hosts for testcase
Comment 7 list 2009-07-17 18:13:58 UTC
I'm also hitting this and it seems to be due to conflicts between /etc/hosts and
DNS. I've removed everything but localhost from /etc/hosts, and now everything
seems fine. However, this "assertion failed" message is very unclear. It's very
hard to find out what's actually causing it because there's not even the
slightest hint of what we are actually talking about. What is src, what's the
meaning of the results field, what is a1_native...?
Providing just a *little* bit of context would greatly ease the debugging of
this. Right now, the only option of getting *some rough* idea of what this
assertion actually means is reading the code, which is obviously very
time-consuming for anyone not familiar with glibc internals.
Comment 8 cvs-commit@gcc.gnu.org 2013-10-25 04:28:54 UTC
       via  894f3f1049135dcbeaab8f18690973663ef3147c (commit)
      from  b85545a67110b236676aec8000f52d8385465660 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=894f3f1049135dcbeaab8f18690973663ef3147c

commit 894f3f1049135dcbeaab8f18690973663ef3147c
Author: Allan McRae <allan@archlinux.org>
Date:   Fri Oct 25 14:25:38 2013 +1000

    Fix incorrect getaddrinfo assertion trigger
    
    [BZ #9954]
    
    With the following /etc/hosts:
    127.0.0.1       www.my-domain.es
    127.0.1.1       www.my-domain.es
    192.168.0.1     www.my-domain.es
    
    Using getaddrinfo() on www.my-domain.es triggers the following assertion:
    ../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion
    `src->results[i].native == -1 || src->results[i].native == a1_native' failed.
    
    This is due to two different bugs:
    - In rfc3484_sort() rule 7, src->results[i].native is assigned even if
    src->results[i].index is -1, meaning that no interface is associated.
    - In getaddrinfo() the source IP address used with the lo interface needs a
    special case, as it can be any IP within 127.X.Y.Z.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                   |    8 ++++++++
 sysdeps/posix/getaddrinfo.c |   13 ++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
Comment 9 Allan McRae 2013-10-25 05:04:01 UTC
Fixed in master
Comment 10 law 2013-10-25 05:12:40 UTC
Whee, another patch that Fedora won't have to carry around anymore.  Glad to see these bugs with patches being fixed over time.
Comment 11 cvs-commit@gcc.gnu.org 2013-10-25 13:59:55 UTC
       via  0b0e50ce9efe2fec10e147eddba4f0802235a042 (commit)
       via  54377921e7092f709c6a5985688769404637055f (commit)
       via  9a010a5f6328aa7ba353679e9a9e07465917d6a0 (commit)
       via  f03cfdf9bf62f776338171fe2ba6eebbf8948875 (commit)
       via  6957bcb15456b5118c44bb49754b199462336639 (commit)
       via  56532663f2881ce7b7996d75dbb6bbb438187457 (commit)
       via  52b8d67f22068991f404c51b38b30e7e35c1bb99 (commit)
       via  dc7ba1835ba16cb49d6c38d50e153b70beb2a091 (commit)
       via  8f29d3b5ae201ae4af368d2221381c5a856913d5 (commit)
       via  63e9a36056fe53621fa3001fe22b4833a9ea9457 (commit)
       via  a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e (commit)
      from  642c8732a111450a97e4ae41c12a920bc7f02ee0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0b0e50ce9efe2fec10e147eddba4f0802235a042

commit 0b0e50ce9efe2fec10e147eddba4f0802235a042
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Fri Oct 25 10:22:12 2013 +0530

    Fix stack overflow due to large AF_INET6 requests
    
    Resolves #16072 (CVE-2013-4458).
    
    This patch fixes another stack overflow in getaddrinfo when it is
    called with AF_INET6.  The AF_UNSPEC case was fixed as CVE-2013-1914,
    but the AF_INET6 case went undetected back then.
    
    (cherry picked from commit 7cbcdb3699584db8913ca90f705d6337633ee10f)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=54377921e7092f709c6a5985688769404637055f

commit 54377921e7092f709c6a5985688769404637055f
Author: Allan McRae <allan@archlinux.org>
Date:   Fri Oct 25 14:25:38 2013 +1000

    Fix incorrect getaddrinfo assertion trigger
    
    [BZ #9954]
    
    With the following /etc/hosts:
    127.0.0.1       www.my-domain.es
    127.0.1.1       www.my-domain.es
    192.168.0.1     www.my-domain.es
    
    Using getaddrinfo() on www.my-domain.es triggers the following assertion:
    ../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion
    `src->results[i].native == -1 || src->results[i].native == a1_native' failed.
    
    This is due to two different bugs:
    - In rfc3484_sort() rule 7, src->results[i].native is assigned even if
    src->results[i].index is -1, meaning that no interface is associated.
    - In getaddrinfo() the source IP address used with the lo interface needs a
    special case, as it can be any IP within 127.X.Y.Z.
    
    (cherry picked from commit 894f3f1049135dcbeaab8f18690973663ef3147c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9a010a5f6328aa7ba353679e9a9e07465917d6a0

commit 9a010a5f6328aa7ba353679e9a9e07465917d6a0
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Mon Sep 23 01:44:38 2013 -0400

    BZ #15754: Fix test case for ARM.
    
    Statically built binaries use __pointer_chk_guard_local,
    while dynamically built binaries use __pointer_chk_guard.
    Provide the right definition depending on the test case
    we are building.

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f03cfdf9bf62f776338171fe2ba6eebbf8948875

commit f03cfdf9bf62f776338171fe2ba6eebbf8948875
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Mon Sep 23 00:52:09 2013 -0400

    BZ #15754: CVE-2013-4788
    
    The pointer guard used for pointer mangling was not initialized for
    static applications resulting in the security feature being disabled.
    The pointer guard is now correctly initialized to a random value for
    static applications. Existing static applications need to be
    recompiled to take advantage of the fix.
    
    The test tst-ptrguard1-static and tst-ptrguard1 add regression
    coverage to ensure the pointer guards are sufficiently random
    and initialized to a default value.
    
    Conflicts:
    	NEWS
    	ports/ChangeLog.ia64
    	ports/ChangeLog.tile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6957bcb15456b5118c44bb49754b199462336639

commit 6957bcb15456b5118c44bb49754b199462336639
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon Sep 23 11:24:30 2013 +0530

    Check for integer overflow in cache size computation in strcoll
    
    strcoll is implemented using a cache for indices and weights of
    collation sequences in the strings so that subsequent passes do not
    have to search through collation data again.  For very large string
    inputs, the cache size computation could overflow.  In such a case,
    use the fallback function that does not cache indices and weights of
    collation sequences.
    
    Fixes CVE-2012-4412.
    
    (cherry picked from commit 303e567a8062200dc06acde7c76fc34679f08d8f)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=56532663f2881ce7b7996d75dbb6bbb438187457

commit 56532663f2881ce7b7996d75dbb6bbb438187457
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon Sep 23 11:20:02 2013 +0530

    Fall back to non-cached sequence traversal and comparison on malloc fail
    
    strcoll currently falls back to alloca if malloc fails, resulting in a
    possible stack overflow.  This patch implements sequence traversal and
    comparison without caching indices and rules.
    
    Fixes CVE-2012-4424.
    
    (cherry picked from commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52b8d67f22068991f404c51b38b30e7e35c1bb99

commit 52b8d67f22068991f404c51b38b30e7e35c1bb99
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Tue Aug 20 08:40:05 2013 +0530

    Simplify strcoll implementation
    
    Break up strcoll into simpler functions so that the logic is easier to
    follow and maintain.
    
    (cherry picked from commit 1326ba1af22068db9488c2328bdaf852b8a93dcf)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc7ba1835ba16cb49d6c38d50e153b70beb2a091

commit dc7ba1835ba16cb49d6c38d50e153b70beb2a091
Author: Will Newton <will.newton@linaro.org>
Date:   Fri Aug 16 12:54:29 2013 +0100

    malloc: Check for integer overflow in memalign.
    
    A large bytes parameter to memalign could cause an integer overflow
    and corrupt allocator internals. Check the overflow does not occur
    before continuing with the allocation.
    
    ChangeLog:
    
    2013-09-11  Will Newton  <will.newton@linaro.org>
    
    	[BZ #15857]
    	* malloc/malloc.c (__libc_memalign): Check the value of bytes
    	does not overflow.
    
    (cherry picked from commit b73ed247781d533628b681f57257dc85882645d3)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f29d3b5ae201ae4af368d2221381c5a856913d5

commit 8f29d3b5ae201ae4af368d2221381c5a856913d5
Author: Will Newton <will.newton@linaro.org>
Date:   Fri Aug 16 11:59:37 2013 +0100

    malloc: Check for integer overflow in valloc.
    
    A large bytes parameter to valloc could cause an integer overflow
    and corrupt allocator internals. Check the overflow does not occur
    before continuing with the allocation.
    
    ChangeLog:
    
    2013-09-11  Will Newton  <will.newton@linaro.org>
    
    	[BZ #15856]
    	* malloc/malloc.c (__libc_valloc): Check the value of bytes
    	does not overflow.
    
    (cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=63e9a36056fe53621fa3001fe22b4833a9ea9457

commit 63e9a36056fe53621fa3001fe22b4833a9ea9457
Author: Will Newton <will.newton@linaro.org>
Date:   Mon Aug 12 15:08:02 2013 +0100

    malloc: Check for integer overflow in pvalloc.
    
    A large bytes parameter to pvalloc could cause an integer overflow
    and corrupt allocator internals. Check the overflow does not occur
    before continuing with the allocation.
    
    ChangeLog:
    
    2013-09-11  Will Newton  <will.newton@linaro.org>
    
    	[BZ #15855]
    	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
    	does not overflow.
    
    (cherry picked from commit 1159a193696ad48ec86e5895f6dee3e539619c0e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e

commit a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Aug 16 09:38:52 2013 +0200

    CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
    
    	* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
    	member.
    	* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
    	member.
    	* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
    	* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
    	Return delayed error code.  Remove GETDENTS_64BIT_ALIGNED
    	conditional.
    	* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
    	GETDENTS_64BIT_ALIGNED.
    	* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
    	* manual/filesys.texi (Reading/Closing Directory): Document
    	ENAMETOOLONG return value of readdir_r.  Recommend readdir more
    	strongly.
    	* manual/conf.texi (Limits for Files): Add portability note to
    	NAME_MAX, PATH_MAX.
    	(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
    
    (cherry picked from commit 91ce40854d0b7f865cf5024ef95a8026b76096f3)
    
    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                       |  118 +++
 csu/libc-start.c                                |   16 +
 elf/Makefile                                    |   12 +-
 elf/tst-ptrguard1-static.c                      |    1 +
 elf/tst-ptrguard1.c                             |  202 +++++
 malloc/malloc.c                                 |   21 +
 manual/conf.texi                                |    9 +
 manual/filesys.texi                             |   73 ++-
 ports/ChangeLog.ia64                            |    5 +
 ports/ChangeLog.tile                            |    5 +
 ports/sysdeps/ia64/stackguard-macros.h          |    3 +
 ports/sysdeps/tile/stackguard-macros.h          |    6 +
 string/Makefile                                 |    2 +
 string/strcoll_l.c                              |  926 +++++++++++++----------
 string/tst-strcoll-overflow.c                   |   61 ++
 sysdeps/generic/stackguard-macros.h             |    8 +
 sysdeps/i386/stackguard-macros.h                |    8 +
 sysdeps/posix/dirstream.h                       |    2 +
 sysdeps/posix/getaddrinfo.c                     |   33 +-
 sysdeps/posix/opendir.c                         |    1 +
 sysdeps/posix/readdir_r.c                       |   42 +-
 sysdeps/posix/rewinddir.c                       |    1 +
 sysdeps/powerpc/powerpc32/stackguard-macros.h   |   10 +
 sysdeps/powerpc/powerpc64/stackguard-macros.h   |   10 +
 sysdeps/s390/s390-32/stackguard-macros.h        |   11 +
 sysdeps/s390/s390-64/stackguard-macros.h        |   14 +
 sysdeps/sparc/sparc32/stackguard-macros.h       |    3 +
 sysdeps/sparc/sparc64/stackguard-macros.h       |    3 +
 sysdeps/unix/sysv/linux/i386/readdir64_r.c      |    1 -
 sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c |    1 -
 sysdeps/x86_64/stackguard-macros.h              |    5 +
 31 files changed, 1159 insertions(+), 454 deletions(-)
 create mode 100644 elf/tst-ptrguard1-static.c
 create mode 100644 elf/tst-ptrguard1.c
 create mode 100644 string/tst-strcoll-overflow.c