mirror of
https://sourceware.org/git/glibc.git
synced 2025-01-01 07:20:15 +00:00
973fe93a56
When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
229 lines
7.1 KiB
Makefile
229 lines
7.1 KiB
Makefile
# Copyright (C) 1996-2023 Free Software Foundation, Inc.
|
|
# This file is part of the GNU C Library.
|
|
|
|
# The GNU C Library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
|
|
# The GNU C Library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# Lesser General Public License for more details.
|
|
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
# License along with the GNU C Library; if not, see
|
|
# <https://www.gnu.org/licenses/>.
|
|
|
|
#
|
|
# Makefile for name service switch.
|
|
#
|
|
subdir := nss
|
|
|
|
include ../Makeconfig
|
|
|
|
headers := nss.h
|
|
|
|
# This is the trivial part which goes into libc itself.
|
|
routines = nsswitch getnssent getnssent_r digits_dots \
|
|
valid_field valid_list_field rewrite_field \
|
|
$(addsuffix -lookup,$(databases)) \
|
|
compat-lookup nss_hash nss_files_fopen \
|
|
nss_readline nss_parse_line_result \
|
|
nss_fgetent_r nss_module nss_action \
|
|
nss_action_parse nss_database nss_files_data \
|
|
nss_files_functions
|
|
|
|
# These are the databases that go through nss dispatch.
|
|
# Caution: if you add a database here, you must add its real name
|
|
# in databases.def, too.
|
|
databases = proto service hosts network grp pwd ethers \
|
|
spwd netgrp alias sgrp
|
|
|
|
ifneq (,$(filter sunrpc,$(subdirs)))
|
|
databases += key rpc
|
|
have-sunrpc := 1
|
|
else
|
|
have-sunrpc := 0
|
|
endif
|
|
CPPFLAGS-getent.c = -DHAVE_SUNRPC=$(have-sunrpc)
|
|
|
|
others := getent makedb
|
|
install-bin := getent makedb
|
|
makedb-modules = xmalloc hash-string
|
|
others-extras = $(makedb-modules)
|
|
extra-objs += $(makedb-modules:=.o)
|
|
|
|
tests-static = tst-field
|
|
tests-internal = tst-field
|
|
|
|
tests := \
|
|
bug17079 \
|
|
test-digits-dots \
|
|
test-netdb \
|
|
tst-nss-getpwent \
|
|
tst-nss-hash \
|
|
tst-nss-test1 \
|
|
tst-nss-test2 \
|
|
tst-nss-test4 \
|
|
tst-nss-test5 \
|
|
tst-nss-test_errno \
|
|
# tests
|
|
|
|
xtests = bug-erange
|
|
|
|
tests-container := \
|
|
tst-nss-compat1 \
|
|
tst-nss-db-endgrent \
|
|
tst-nss-db-endpwent \
|
|
tst-nss-files-hosts-long \
|
|
tst-nss-files-hosts-v4mapped \
|
|
tst-nss-gai-actions \
|
|
tst-nss-test3 \
|
|
tst-reload1 \
|
|
tst-reload2 \
|
|
tst-nss-gai-hv2-canonname \
|
|
# tests-container
|
|
|
|
# Tests which need libdl
|
|
ifeq (yes,$(build-shared))
|
|
tests += tst-nss-files-hosts-erange
|
|
tests += tst-nss-files-hosts-multi
|
|
tests += tst-nss-files-hosts-getent
|
|
tests += tst-nss-files-alias-leak
|
|
tests += tst-nss-files-alias-truncated
|
|
endif
|
|
|
|
# If we have a thread library then we can test cancellation against
|
|
# some routines like getpwuid_r.
|
|
ifeq (yes,$(have-thread-library))
|
|
tests += tst-cancel-getpwuid_r
|
|
endif
|
|
|
|
# Specify rules for the nss_* modules. We have some services.
|
|
services := files db compat
|
|
|
|
extra-libs = $(services:%=libnss_%)
|
|
# These libraries will be built in the `others' pass rather than
|
|
# the `lib' pass, because they depend on libc.so being built already.
|
|
extra-libs-others = $(extra-libs)
|
|
|
|
# The sources are found in the appropriate subdir.
|
|
subdir-dirs = $(services:%=nss_%)
|
|
vpath %.c $(subdir-dirs) ../locale/programs ../intl
|
|
|
|
|
|
routines += \
|
|
$(addprefix files-, $(filter-out key, $(databases))) \
|
|
files-init \
|
|
files-initgroups \
|
|
# routines
|
|
|
|
# Build only an empty shared libnss_files.
|
|
libnss_files-inhibit-o = $(filter-out .os,$(object-suffixes))
|
|
|
|
# Pretend that libnss_files.so is a linker script, so that the symbolic link
|
|
# is not installed.
|
|
install-lib-ldscripts = libnss_files.so
|
|
$(inst_libdir)/libnss_files.so:
|
|
|
|
libnss_db-dbs := $(addprefix db-,\
|
|
$(filter-out hosts network key alias,\
|
|
$(databases))) \
|
|
db-initgroups
|
|
libnss_db-routines := $(libnss_db-dbs) db-open db-init hash-string
|
|
generated += $(filter-out db-alias.c db-netgrp.c, \
|
|
$(addsuffix .c,$(libnss_db-dbs)))
|
|
|
|
libnss_compat-routines := $(addprefix compat-,grp pwd spwd initgroups) \
|
|
nisdomain
|
|
|
|
install-others += $(inst_vardbdir)/Makefile
|
|
|
|
# Build static module into libc if requested
|
|
libnss_db-inhibit-o = $(filter-out .os,$(object-suffixes))
|
|
libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes))
|
|
ifeq ($(build-static-nss),yes)
|
|
tests-static += tst-nss-static
|
|
endif
|
|
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
|
|
nss_test_gai_hv2_canonname.os
|
|
|
|
include ../Rules
|
|
|
|
ifeq (yes,$(have-selinux))
|
|
LDLIBS-makedb := -lselinux
|
|
endif
|
|
|
|
libnss-libc = $(common-objpfx)linkobj/libc.so
|
|
# Target-specific variable setting to link objects using deprecated
|
|
# RPC interfaces with the version of libc.so that makes them available
|
|
# for new links:
|
|
$(services:%=$(objpfx)libnss_%.so): libc-for-link = $(libnss-libc)
|
|
|
|
$(libnss_db-dbs:%=$(objpfx)%.c): $(objpfx)db-%.c: nss_files/files-%.c
|
|
@rm -f $@.new
|
|
(echo '#define EXTERN_PARSER';\
|
|
echo '#define GENERIC "../nss_db/db-XXX.c"';\
|
|
echo '#include "$<"') > $@.new
|
|
mv -f $@.new $@
|
|
|
|
|
|
$(objpfx)makedb: $(makedb-modules:%=$(objpfx)%.o)
|
|
|
|
$(inst_vardbdir)/Makefile: db-Makefile $(+force)
|
|
$(do-install)
|
|
|
|
libnss_test1.so-no-z-defs = 1
|
|
libnss_test2.so-no-z-defs = 1
|
|
|
|
rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
|
|
|
|
libof-nss_test1 = extramodules
|
|
libof-nss_test2 = extramodules
|
|
libof-nss_test_errno = extramodules
|
|
libof-nss_test_gai_hv2_canonname = extramodules
|
|
$(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
|
|
$(build-module)
|
|
$(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
|
|
$(build-module)
|
|
$(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
|
|
$(build-module)
|
|
$(objpfx)/libnss_test_gai_hv2_canonname.so: \
|
|
$(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
|
|
$(build-module)
|
|
$(objpfx)nss_test2.os : nss_test1.c
|
|
# Use the nss_files suffix for these objects as well.
|
|
$(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so
|
|
$(make-link)
|
|
$(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so
|
|
$(make-link)
|
|
$(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
|
|
$(objpfx)/libnss_test_errno.so
|
|
$(make-link)
|
|
$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
|
|
$(objpfx)/libnss_test_gai_hv2_canonname.so
|
|
$(make-link)
|
|
$(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
|
|
$(objpfx)/libnss_test1.so$(libnss_files.so-version) \
|
|
$(objpfx)/libnss_test2.so$(libnss_files.so-version) \
|
|
$(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
|
|
$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
|
|
|
|
ifeq (yes,$(have-thread-library))
|
|
$(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
|
|
endif
|
|
|
|
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
|
|
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
|
|
|
|
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
|
|
# functions can load testing NSS modules via DT_RPATH.
|
|
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test2 = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
|
|
LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
|