glibc

mirror of https://sourceware.org/git/glibc.git synced 2024-11-08 06:10:06 +00:00

History

Siddhesh Poyarekar 973fe93a56 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL \| AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>	2023-09-15 14:38:28 -04:00
..
postclean.req	getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)	2023-09-15 14:38:28 -04:00
tst-nss-gai-hv2-canonname.script	getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)	2023-09-15 14:38:28 -04:00

Siddhesh Poyarekar 973fe93a56 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)

When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query.  For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup.  In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name.  This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.  This
resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

2023-09-15 14:38:28 -04:00

postclean.req

getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)

2023-09-15 14:38:28 -04:00

tst-nss-gai-hv2-canonname.script

getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)

2023-09-15 14:38:28 -04:00