glibc/nss
Florian Weimer 03d2730b44 CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests.  We eventually tracked this down to a
glibc issue.

Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:

…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
…

The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
supposed to skip closing the input file if it was already open.

  /* Reset file pointer to beginning or open file.  */			      \
  status = internal_setent (keep_stream);				      \
									      \
  if (status == NSS_STATUS_SUCCESS)					      \
    {									      \
      /* Tell getent function that we have repositioned the file pointer.  */ \
      last_use = getby;							      \
									      \
      while ((status = internal_getent (result, buffer, buflen, errnop	      \
					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
	     == NSS_STATUS_SUCCESS)					      \
	{ break_if_match }						      \
									      \
      if (! keep_stream)						      \
	internal_endent ();						      \
    }									      \

keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:

  status = internal_setent (stayopen);

However, for non-host databases, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.

Thus, the fix is this:

-  status = internal_setent (stayopen);
+  status = internal_setent (1);
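Review bot: the hunk hard-codes `internal_setent (1)`, so the `stayopen` argument of the set*ent function is no longer used by the files backend and nothing at the call site records why; the hunk also carries no file header, so it should say which file (presumably nss/nss_files/files-XXX.c, named above) is changed. Suggest a comment next to the call stating that keep_stream must remain 1 because the STAYOPEN handling in nss/getXXent_r.c passes 0 for non-host databases, which is what caused the reopen/rewind loop, so the literal is not "fixed" back to `stayopen` later.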

This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.
2015-04-29 14:41:26 +02:00
nss_db Enhance nscd's inotify support (Bug 14906). 2015-03-13 09:49:24 -04:00
nss_files CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007] 2015-04-29 14:41:26 +02:00
alias-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
bug-erange.c Update. 2002-09-29 18:25:48 +00:00
databases.def Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
db-Makefile Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
Depend Update. 2000-01-02 04:20:21 +00:00
digits_dots.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
ethers-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
function.def Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getent.c Exclude rpcent functions and NSS backends for rpc, key when excluding sunrpc. 2015-02-06 10:43:19 -08:00
getnssent_r.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getnssent.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getXXbyYY_r.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getXXbyYY.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getXXent_r.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
getXXent.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
grp-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
hosts-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
key-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
makedb.c Update copyright dates not handled by scripts/update-copyrights. 2015-01-02 16:54:45 +00:00
Makefile CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007] 2015-04-29 14:41:26 +02:00
netgrp-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
network-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
nss_test1.c Add self-contained test for NSS. 2010-08-11 07:25:02 -07:00
nss.h Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
nsswitch.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
nsswitch.conf More configurability for secondary group lookup 2011-05-10 00:36:29 -04:00
nsswitch.h Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
proto-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
pwd-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
rpc-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
service-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
sgrp-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
spwd-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
test-digits-dots.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00
test-netdb.c Split rpcent tests out of tst-netdb. 2015-03-04 15:55:38 -08:00
tst-nss-getpwent.c CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007] 2015-04-29 14:41:26 +02:00
tst-nss-static.c 2012-04-06 Paul Pluzhnikov <ppluzhnikov@google.com> 2012-04-06 13:49:35 -07:00
tst-nss-test1.c Fix nss/tst-nss-test1.c format warning. 2014-11-27 03:24:18 +00:00
Versions Get canonical name in getaddrinfo from hosts file for AF_INET (fixes 16077) 2013-11-28 17:18:12 +05:30
XXX-lookup.c Update copyright dates with scripts/update-copyrights. 2015-01-02 16:29:47 +00:00