AuroraMiddleware/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-22 04:50:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ #18784]

Browse Source 
Also rename T_UNSPEC because an upcoming public header file
update will use that name.
This commit is contained in:
Florian Weimer 2016-12-31 20:22:09 +01:00
parent 3c589b1a8a
commit fc82b0a2df
8 changed files with 220 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ChangeLog
View File

@ -1,3 +1,17 @@
2016-12-31 Florian Weimer <fweimer@redhat.com>
[BZ #18784]
CVE-2015-5180
* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
T_UNSPEC. Adjust value.
* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
* resolv/res_query.c (__libc_res_nquery): Likewise.
* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
QTYPEs.
* resolv/tst-resolv-qtypes.c: New file.
* resolv/Makefile (xtests): Add tst-resolv-qtypes.
(tst-resolv-qtypes): Link against libresolv and libpthread.
2016-12-31 Florian Weimer <fweimer@redhat.com> 2016-12-31 Florian Weimer <fweimer@redhat.com>
* elf/dl-tunables.h (__tunables_init): Fix unused attribute. * elf/dl-tunables.h (__tunables_init): Fix unused attribute.

8
NEWS
View File

@ -191,12 +191,18 @@ Version 2.25
Security related changes: Security related changes:
On ARM EABI (32-bit), generating a backtrace for execution contexts which * On ARM EABI (32-bit), generating a backtrace for execution contexts which
have been created with makecontext could fail to terminate due to a have been created with makecontext could fail to terminate due to a
missing .cantunwind annotation. This has been observed to lead to a hang missing .cantunwind annotation. This has been observed to lead to a hang
(denial of service) in some Go applications compiled with gccgo. Reported (denial of service) in some Go applications compiled with gccgo. Reported
by Andreas Schwab. (CVE-2016-6323) by Andreas Schwab. (CVE-2016-6323)
* The DNS stub resolver functions would crash due to a NULL pointer
dereference when processing a query with a valid DNS question type which
was used internally in the implementation. The stub resolver now uses a
question type which is outside the range of valid question type values.
(CVE-2015-5180)
The following bugs are resolved with this release: The following bugs are resolved with this release:
[The release manager will add the list generated by [The release manager will add the list generated by

6
include/arpa/nameser_compat.h
View File

@ -3,9 +3,9 @@
# ifndef _ISOMAC # ifndef _ISOMAC
/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., /* The number is outside the 16-bit RR type range and is used
T_A and T_AAAA). */ internally by the implementation. */
#define T_UNSPEC 62321 #define T_QUERY_A_AND_AAAA 439963904
# endif /* !_ISOMAC */ # endif /* !_ISOMAC */
#endif #endif

3
resolv/Makefile
View File

@ -49,6 +49,8 @@ tests += \
tst-resolv-network \ tst-resolv-network \
tst-resolv-search \ tst-resolv-search \
# This test sends millions of packets and is rather slow.
xtests += tst-resolv-qtypes
endif endif
extra-libs-others = $(extra-libs) extra-libs-others = $(extra-libs)
libresolv-routines := res_comp res_debug \ libresolv-routines := res_comp res_debug \
@ -123,6 +125,7 @@ $(objpfx)tst-bug18665: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-res_use_inet6: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-res_use_inet6: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-basic: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-network: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
$(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
# This test case uses the deprecated RES_USE_INET6 resolver option. # This test case uses the deprecated RES_USE_INET6 resolver option.

2
resolv/nss_dns/dns-host.c
View File

@ -324,7 +324,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
int olderr = errno; int olderr = errno;
enum nss_status status; enum nss_status status;
int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC, int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
host_buffer.buf->buf, 2048, &host_buffer.ptr, host_buffer.buf->buf, 2048, &host_buffer.ptr,
&ans2p, &nans2p, &resplen2, &ans2p_malloced); &ans2p, &nans2p, &resplen2, &ans2p_malloced);
if (n >= 0) if (n >= 0)

4
resolv/res_mkquery.c
View File

@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
int n; int n;
u_char *dnptrs[20], **dpp, **lastdnptr; u_char *dnptrs[20], **dpp, **lastdnptr;
if (class < 0 || class > 65535
|| type < 0 || type > 65535)
return -1;
#ifdef DEBUG #ifdef DEBUG
if (statp->options & RES_DEBUG) if (statp->options & RES_DEBUG)
printf(";; res_nmkquery(%s, %s, %s, %s)\n", printf(";; res_nmkquery(%s, %s, %s, %s)\n",

6
resolv/res_query.c
View File

@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
int n, use_malloc = 0; int n, use_malloc = 0;
u_int oflags = statp->_flags; u_int oflags = statp->_flags;
size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE; size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
u_char *buf = alloca (bufsize); u_char *buf = alloca (bufsize);
u_char *query1 = buf; u_char *query1 = buf;
int nquery1 = -1; int nquery1 = -1;
@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
printf(";; res_query(%s, %d, %d)\n", name, class, type); printf(";; res_query(%s, %d, %d)\n", name, class, type);
#endif #endif
if (type == T_UNSPEC) if (type == T_QUERY_A_AND_AAAA)
{ {
n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL, n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
query1, bufsize); query1, bufsize);
@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
if (__builtin_expect (n <= 0, 0) && !use_malloc) { if (__builtin_expect (n <= 0, 0) && !use_malloc) {
/* Retry just in case res_nmkquery failed because of too /* Retry just in case res_nmkquery failed because of too
short buffer. Shouldn't happen. */ short buffer. Shouldn't happen. */
bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET; bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
buf = malloc (bufsize); buf = malloc (bufsize);
if (buf != NULL) { if (buf != NULL) {
query1 = buf; query1 = buf;

185
resolv/tst-resolv-qtypes.c Normal file
View File

@ -0,0 +1,185 @@
/* Exercise low-level query functions with different QTYPEs.
Copyright (C) 2016 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
#include <resolv.h>
#include <string.h>
#include <support/check.h>
#include <support/check_nss.h>
#include <support/resolv_test.h>
#include <support/support.h>
#include <support/test-driver.h>
#include <support/xmemstream.h>
/* If ture, the response function will send the actual response packet
over TCP instead of UDP. */
static volatile bool force_tcp;
/* Send back a fake resource record matching the QTYPE. */
static void
response (const struct resolv_response_context *ctx,
struct resolv_response_builder *b,
const char *qname, uint16_t qclass, uint16_t qtype)
{
if (force_tcp && ctx->tcp)
{
resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
resolv_response_add_question (b, qname, qclass, qtype);
return;
}
resolv_response_init (b, (struct resolv_response_flags) { });
resolv_response_add_question (b, qname, qclass, qtype);
resolv_response_section (b, ns_s_an);
resolv_response_open_record (b, qname, qclass, qtype, 0);
resolv_response_add_data (b, &qtype, sizeof (qtype));
resolv_response_close_record (b);
}
static const const char *domain = "www.example.com";
static int
wrap_res_query (int type, unsigned char *answer, int answer_length)
{
return res_query (domain, C_IN, type, answer, answer_length);
}
static int
wrap_res_search (int type, unsigned char *answer, int answer_length)
{
return res_query (domain, C_IN, type, answer, answer_length);
}
static int
wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
{
return res_querydomain ("www", "example.com", C_IN, type,
answer, answer_length);
}
static int
wrap_res_send (int type, unsigned char *answer, int answer_length)
{
unsigned char buf[512];
int ret = res_mkquery (QUERY, domain, C_IN, type,
(const unsigned char *) "", 0, NULL,
buf, sizeof (buf));
if (type < 0 || type >= 65536)
{
/* res_mkquery fails for out-of-range record types. */
TEST_VERIFY_EXIT (ret == -1);
return -1;
}
TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
return res_send (buf, ret, answer, answer_length);
}
static int
wrap_res_nquery (int type, unsigned char *answer, int answer_length)
{
return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
}
static int
wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
{
return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
}
static int
wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
{
return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
answer, answer_length);
}
static int
wrap_res_nsend (int type, unsigned char *answer, int answer_length)
{
unsigned char buf[512];
int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
(const unsigned char *) "", 0, NULL,
buf, sizeof (buf));
if (type < 0 || type >= 65536)
{
/* res_mkquery fails for out-of-range record types. */
TEST_VERIFY_EXIT (ret == -1);
return -1;
}
TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
return res_nsend (&_res, buf, ret, answer, answer_length);
}
static void
test_function (const char *fname,
int (*func) (int type,
unsigned char *answer, int answer_length))
{
unsigned char buf[512];
for (int tcp = 0; tcp < 2; ++tcp)
{
force_tcp = tcp;
for (unsigned int type = 1; type <= 65535; ++type)
{
if (test_verbose)
printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
type, fname, tcp);
int ret = func (type, buf, sizeof (buf));
if (ret != 47)
FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
fname,tcp, type, ret);
/* One question, one answer record. */
TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
/* Question section. */
static const char qname[] = "\3www\7example\3com";
size_t qname_length = sizeof (qname);
TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
/* RDATA part of answer. */
uint16_t type16 = type;
TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
}
}
TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
}
static int
do_test (void)
{
struct resolv_redirect_config config =
{
.response_callback = response,
};
struct resolv_test *obj = resolv_test_start (config);
test_function ("res_query", &wrap_res_query);
test_function ("res_search", &wrap_res_search);
test_function ("res_querydomain", &wrap_res_querydomain);
test_function ("res_send", &wrap_res_send);
test_function ("res_nquery", &wrap_res_nquery);
test_function ("res_nsearch", &wrap_res_nsearch);
test_function ("res_nquerydomain", &wrap_res_nquerydomain);
test_function ("res_nsend", &wrap_res_nsend);
resolv_test_end (obj);
return 0;
}
#define TIMEOUT 300
#include <support/test-driver.c>