glibc/sysdeps/posix
Siddhesh Poyarekar 973fe93a56 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query.  For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup.  In this case, if the first call reallocates tmpbuf
enough times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on heap-allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name.  This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.  This
resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-15 14:38:28 -04:00
alarm.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
clock_getres.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
clock.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
ctermid.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
cuserid.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
dl-fileid.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
dup2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
dup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
euidaccess.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
flock.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
fpathconf.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
gai_strerror-strs.h posix: Handle success in gai_strerror() 2023-06-13 20:54:49 +02:00
gai_strerror.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getaddrinfo.c getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
getcwd.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getdtsz.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
gethostname.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getpagesize.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
isatty.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
isfdtype.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
killpg.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
libc_fatal.c stdio: Remove __libc_message alloca usage 2023-09-11 16:16:49 +00:00
mkfifo.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
mkfifoat.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nice.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
open64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pathconf.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pause.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
posix_fallocate64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
posix_fallocate.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pread64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pread.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
preadv2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
preadv64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
preadv64v2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
preadv_common.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
preadv.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
profil.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwrite64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwrite.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwritev2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwritev64.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwritev64v2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwritev_common.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwritev.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
raise.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
readv.c hurd: readv: Get rid of alloca 2023-06-20 19:15:10 +02:00
remove.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
rename.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigblock.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigignore.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigintr.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
signal.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigpause.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigset.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigsetmask.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigsuspend.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sigwait.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sleep.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sprofil.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Subdirs
sysconf-pthread_stack_min.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sysconf.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
system.c system: Add "--" after "-c" for sh (BZ #28519) 2023-03-28 10:12:30 -03:00
sysv_signal.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tempname.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
truncate.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
ttyname_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
ttyname.c Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
ulimit.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
usleep.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
utime.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
utimes.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
writev_nocancel.c hurd: Fix __writev_nocancel_nostatus 2020-06-14 17:45:04 +00:00
writev.c hurd: writev: Add back cleanup handler 2023-06-20 18:37:04 +02:00