glibc/nss
Siddhesh Poyarekar 973fe93a56 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query.  For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup.  In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name.  This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.  This
resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-15 14:38:28 -04:00
..
nss_compat Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
nss_db Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
nss_files Restore lookup of IPv4 mapped addresses in files database (bug 25457) 2023-07-24 13:16:24 +02:00
tst-nss-compat1.root nss: fix nss_database_lookup2's alternate handling [BZ #27416] 2021-03-09 14:34:50 -05:00
tst-nss-db-endgrent.root/etc nss_db: fix endent wrt NULL mappings [BZ #24695] [BZ #24696] 2019-07-10 14:51:18 -04:00
tst-nss-db-endpwent.root nss_db: fix endent wrt NULL mappings [BZ #24695] [BZ #24696] 2019-07-10 14:51:18 -04:00
tst-nss-files-hosts-long.root/etc Fix failing nss/tst-nss-files-hosts-long with local resolver 2021-09-07 21:41:38 +02:00
tst-nss-files-hosts-v4mapped.root/etc Restore lookup of IPv4 mapped addresses in files database (bug 25457) 2023-07-24 13:16:24 +02:00
tst-nss-gai-actions.root/etc Simplify allocations and fix merge and continue actions [BZ #28931] 2022-03-22 19:38:36 +05:30
tst-nss-gai-hv2-canonname.root getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
tst-nss-test3.root Add test-in-container infrastructure. 2018-08-22 21:20:37 -04:00
tst-reload1.root Fix failing nss/tst-nss-files-hosts-long. 2021-07-12 11:59:04 +02:00
tst-reload2.root nss: Re-enable NSS module loading after chroot [BZ #27389] 2021-03-02 16:14:18 -05:00
alias-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
bug17079.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
bug-erange.c Update. 2002-09-29 18:25:48 +00:00
compat-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
databases.def Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
db-Makefile Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Depend
digits_dots.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
ethers-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
function.def Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getent.c Update copyright dates not handled by scripts/update-copyrights 2023-01-06 21:45:36 +00:00
getnssent_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getnssent.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getXXbyYY_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getXXbyYY.c Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
getXXent_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
getXXent.c Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
grp-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
hosts-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
key-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
makedb.c Update copyright dates not handled by scripts/update-copyrights 2023-01-06 21:45:36 +00:00
Makefile getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
netgrp-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
network-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_action_parse.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_action.c Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
nss_action.h Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
nss_database.c Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
nss_database.h Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
nss_fgetent_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_files_data.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_files_fopen.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_files_functions.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_hash.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_module.c nss: Reconcile conditional declaration and use of `is_nscd' 2023-05-16 11:40:10 +02:00
nss_module.h Move libc_freeres_ptrs and libc_subfreeres to hidden/weak functions 2023-03-27 13:57:55 -03:00
nss_parse_line_result.c Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
nss_readline.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_test1.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_test2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_test_errno.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_test_gai_hv2_canonname.c getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
nss_test.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nss_test.ver Extend NSS test suite 2017-07-17 15:52:44 -04:00
nss.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nsswitch.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
nsswitch.conf Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
nsswitch.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
proto-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
pwd-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
rewrite_field.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
rpc-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
service-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
sgrp-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
simple-nss-hash.h Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
spwd-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
test-digits-dots.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
test-netdb.c Fix all the remaining misspellings -- BZ 25337 2023-06-02 01:39:48 +00:00
tst-cancel-getpwuid_r.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-field.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-compat1.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-db-endgrent.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-db-endpwent.c tests: replace system by xsystem 2023-06-19 09:15:05 -04:00
tst-nss-files-alias-leak.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-alias-truncated.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-hosts-erange.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-hosts-getent.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-hosts-long.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-hosts-multi.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-files-hosts-v4mapped.c Restore lookup of IPv4 mapped addresses in files database (bug 25457) 2023-07-24 13:16:24 +02:00
tst-nss-gai-actions.c Simplify allocations and fix merge and continue actions [BZ #28931] 2022-03-22 19:38:36 +05:30
tst-nss-gai-hv2-canonname.c getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
tst-nss-gai-hv2-canonname.h getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 14:38:28 -04:00
tst-nss-getpwent.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-hash.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-static.c Update nss tests to new skeleton 2017-08-17 18:00:51 -04:00
tst-nss-test1.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-test2.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-test3.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-test4.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-test5.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-nss-test_errno.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-reload1.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
tst-reload2.c tests: Replace various function calls with their x variant 2023-06-06 08:23:53 -04:00
valid_field.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
valid_list_field.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00
Versions nss_files: Move into libc 2021-07-07 18:33:52 +02:00
XXX-lookup.c Update copyright dates with scripts/update-copyrights 2023-01-06 21:14:39 +00:00