glibc-2.9 CVE-2015-7547 fix

Darcy Watkins dwatkins@sierrawireless.com
Tue Mar 8 16:47:00 GMT 2016


Hello,

I backported the CVE-2015-7547 fix along with some other related
maintenance to apply to glibc-2.9 and we found that this introduced
regressions handling name lookups in java code running on openjdk7.

Through a bisection-like technique, I managed to isolate it to a single
line of code in the CVE-2015-7547 patch changes applied to
resolv/nss_dns/dns-host.c.

The change adds "*h_errnop = NETDB_INTERNAL;" just before returning
NSS_STATUS_TRYAGAIN to the invoker (in function gaih_getanswer_slice()).

If I comment out that added line (to leave default behaviour for this
case, like before the CVE fix), or if I change the value from
NETDB_INTERNAL to NO_RECOVERY, the regression I noticed appears to be
resolved.

The patch below depicts what I did (for glibc 2.9 after the
CVE-2015-7547 patch has been backported and applied).

--------
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index c2be74b..a4ba76d 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -1199,7 +1199,11 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
       return NSS_STATUS_NOTFOUND;
     }
 
+#if 1
+  *h_errnop = NO_RECOVERY;
+#else
   *h_errnop = NETDB_INTERNAL;
+#endif
   return NSS_STATUS_TRYAGAIN;
 }
 
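Review bot: the `#if 1` / `#else` / `#endif` around `*h_errnop = NO_RECOVERY;` keeps the original `*h_errnop = NETDB_INTERNAL;` as permanently dead code; for a change meant to ship, replace the single line instead and record the reason in a comment, because the two values mean different things to a caller (NETDB_INTERNAL tells it to consult errno, NO_RECOVERY is a terminal failure) and a reader of the final file cannot tell from this hunk why the value was switched.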
--------


This is the patch hunk from the CVE-2015-7547 patch that it modifies:
--------
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -1190,7 +1193,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
   /* Special case here: if the resolver sent a result but it only
      contains a CNAME while we are looking for a T_A or T_AAAA record,
      we fail with NOTFOUND instead of TRYAGAIN.  */
-  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
+  if (canon != NULL)
+    {
+      *h_errnop = HOST_NOT_FOUND;
+      return NSS_STATUS_NOTFOUND;
+    }
+
+  *h_errnop = NETDB_INTERNAL;
+  return NSS_STATUS_TRYAGAIN;
 }
 
 
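Review bot: the new TRYAGAIN path at the end of the hunk sets `*h_errnop = NETDB_INTERNAL;` but leaves errno untouched, and NETDB_INTERNAL is precisely the h_errno value that tells a caller to consult errno, so whatever errno holds from earlier work in the function or from the caller is what a retry loop will act on. Either set errno to the value callers should see on this path or document which errno is expected there, so the TRYAGAIN contract is explicit rather than inherited.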
--------

Someone who understands what is going on in this part of the library
please comment to give me some insight, particularly if this change may
be a bad idea for other reasons.

Thanks!

-- 

Regards,

Darcy

---

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
13811 Wireless Way, Richmond, BC
Canada, V6V 3A4



More information about the Libc-help mailing list