glibc/sysdeps
Siddhesh Poyarekar e09ee267c0 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.

The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query.  For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup.  In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name.  This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.

Fix this by copying h_name over and freeing it at the end.  This
resolves BZ #30843, which is assigned CVE-2023-4806.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 973fe93a56)
2023-09-15 20:00:04 -04:00
..
aarch64 elf: Fix rtld-audit trampoline for aarch64 2022-11-22 10:34:14 -03:00
alpha elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
arc elf: Fix dynamic-link.h usage on rtld.c 2022-04-08 14:18:11 -04:00
arm elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
csky elf: Fix dynamic-link.h usage on rtld.c 2022-04-08 14:18:11 -04:00
generic elf: Fix 64 time_t support for installed statically binaries 2023-02-08 09:32:42 +01:00
gnu hurd: Fix glob lstat compatibility 2021-07-22 20:31:52 +02:00
hppa hppa: Remove _dl_skip_args usage (BZ# 29165) 2022-06-10 09:13:54 -03:00
htl htl: Do not expose pthread hidden proto outside libpthread 2021-07-18 20:25:33 +00:00
hurd Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
i386 i386: Regenerate ulps 2022-04-27 21:20:43 -04:00
ia64 elf: Issue la_symbind for bind-now (BZ #23734) 2022-04-12 13:32:59 -04:00
ieee754 s_sincosf.h: Change pio4 type to float [BZ #28713] 2023-01-11 15:29:37 +01:00
m68k elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
mach socket: Check lengths before advancing pointer in CMSG_NXTHDR 2022-08-22 18:59:26 +02:00
microblaze elf: Fix dynamic-link.h usage on rtld.c 2022-04-08 14:18:11 -04:00
mips elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
nios2 nios2: Remove _dl_skip_args usage (BZ# 29187) 2022-06-10 09:15:00 -03:00
nptl nptl: Add backoff mechanism to spinlock loop 2022-09-28 07:34:53 -07:00
posix getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) 2023-09-15 20:00:04 -04:00
powerpc elf: Drop elf/tls-macros.h in favor of __thread and tls_model attributes [BZ #28152] [BZ #28205] 2023-01-10 19:09:21 +01:00
pthread nptl: Fix __libc_cleanup_pop_restore asynchronous restore (BZ#29214) 2022-06-08 17:15:08 -03:00
riscv elf: Fix dynamic-link.h usage on rtld.c 2022-04-08 14:18:11 -04:00
s390 S390: Enable static PIE 2022-05-19 17:15:57 +02:00
sh elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
sparc elf: Add _dl_audit_pltexit 2022-04-08 14:18:12 -04:00
unix __check_pf: Add a cancellation cleanup handler [BZ #20975] 2023-05-23 14:53:23 -07:00
wordsize-32 Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
wordsize-64 Update copyright dates with scripts/update-copyrights 2021-01-02 12:17:34 -08:00
x86 x86: Fix incorrect scope of setting shared_per_thread [BZ# 30745] 2023-09-05 17:17:52 -05:00
x86_64 x86_64: Fix asm constraints in feraiseexcept (bug 30305) 2023-04-24 16:00:13 +02:00