CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests.  We eventually tracked this down to a
glibc issue.

Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:

…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "root0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "root0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
…

The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
supposed skip closing the input file if it was already open.

  /* Reset file pointer to beginning or open file.  */			      \
  status = internal_setent (keep_stream);				      \
									      \
  if (status == NSS_STATUS_SUCCESS)					      \
    {									      \
      /* Tell getent function that we have repositioned the file pointer.  */ \
      last_use = getby;							      \
									      \
      while ((status = internal_getent (result, buffer, buflen, errnop	      \
					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
	     == NSS_STATUS_SUCCESS)					      \
	{ break_if_match }						      \
									      \
      if (! keep_stream)						      \
	internal_endent ();						      \
    }									      \

keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:

  status = internal_setent (stayopen);

However, for non-host database, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.

Thus, the fix is this:

-  status = internal_setent (stayopen);
+  status = internal_setent (1);

This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.
This commit is contained in:
Florian Weimer 2015-04-29 14:41:25 +02:00
parent 7d0b257541
commit 03d2730b44
5 changed files with 136 additions and 6 deletions

View File

@ -1,3 +1,11 @@
2015-04-29 Florian Weimer <fweimer@redhat.com>
[BZ #18007]
* nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
(CVE-2014-8121)
* nss/tst-nss-getpwent.c: New file.
* nss/Makefile (tests): Add new test.
2015-04-28 Joseph Myers <joseph@codesourcery.com>
[BZ #18346]

12
NEWS
View File

@ -13,10 +13,10 @@ Version 2.22
16512, 16560, 16783, 16850, 17090, 17195, 17269, 17523, 17542, 17569,
17588, 17596, 17620, 17621, 17628, 17631, 17711, 17715, 17776, 17779,
17792, 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965,
17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020,
18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047,
18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185,
18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346.
17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18007, 18019,
18020, 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046,
18047, 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138,
18185, 18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346.
* Cache information can be queried via sysconf() function on s390 e.g. with
_SC_LEVEL1_ICACHE_SIZE as argument.
@ -43,6 +43,10 @@ Version 2.22
Hat). These updates cause user visible changes, such as the fix for bug
17998.
* CVE-2014-8121 The NSS files backend would reset the file pointer used by
the get*ent functions if any of the query functions for the same database
are used during the iteration, causing a denial-of-service condition in
some applications.
Version 2.21

View File

@ -47,7 +47,7 @@ install-bin := getent makedb
makedb-modules = xmalloc hash-string
extra-objs += $(makedb-modules:=.o)
tests = test-netdb tst-nss-test1 test-digits-dots
tests = test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent
xtests = bug-erange
# Specify rules for the nss_* modules. We have some services.

View File

@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
__libc_lock_lock (lock);
status = internal_setent (stayopen);
status = internal_setent (1);
if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
{

118
nss/tst-nss-getpwent.c Normal file
View File

@ -0,0 +1,118 @@
/* Copyright (C) 2015 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int
do_test (void)
{
/* Count the number of entries in the password database, and fetch
data from the first and last entries. */
size_t count = 0;
struct passwd * pw;
char *first_name = NULL;
uid_t first_uid = 0;
char *last_name = NULL;
uid_t last_uid = 0;
setpwent ();
while ((pw = getpwent ()) != NULL)
{
if (first_name == NULL)
{
first_name = strdup (pw->pw_name);
if (first_name == NULL)
{
printf ("strdup: %m\n");
return 1;
}
first_uid = pw->pw_uid;
}
free (last_name);
last_name = strdup (pw->pw_name);
if (last_name == NULL)
{
printf ("strdup: %m\n");
return 1;
}
last_uid = pw->pw_uid;
++count;
}
endpwent ();
if (count == 0)
{
printf ("No entries in the password database.\n");
return 0;
}
/* Try again, this time interleaving with name-based and UID-based
lookup operations. The counts do not match if the interleaved
lookups affected the enumeration. */
size_t new_count = 0;
setpwent ();
while ((pw = getpwent ()) != NULL)
{
if (new_count == count)
{
printf ("Additional entry in the password database.\n");
return 1;
}
++new_count;
struct passwd *pw2 = getpwnam (first_name);
if (pw2 == NULL)
{
printf ("getpwnam (%s) failed: %m\n", first_name);
return 1;
}
pw2 = getpwnam (last_name);
if (pw2 == NULL)
{
printf ("getpwnam (%s) failed: %m\n", last_name);
return 1;
}
pw2 = getpwuid (first_uid);
if (pw2 == NULL)
{
printf ("getpwuid (%llu) failed: %m\n",
(unsigned long long) first_uid);
return 1;
}
pw2 = getpwuid (last_uid);
if (pw2 == NULL)
{
printf ("getpwuid (%llu) failed: %m\n",
(unsigned long long) last_uid);
return 1;
}
}
endpwent ();
if (new_count < count)
{
printf ("Missing entry in the password database.\n");
return 1;
}
return 0;
}
#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"