7b10101b6f
Fix for 2.21 and 2.22: CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow. For 2.21: CVE-2014-8121 - Unexpected closing of nss_files databases after lookups causes denial of service. CVE-2015-1781 - buffer overflow in gethostbyname_r() and related functions with misaligned buffer. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
237 lines
7.3 KiB
Diff
237 lines
7.3 KiB
Diff
Fetched from gentoo glibc patchball
|
|
Original patch filename: 10_all_glibc-CVE-2015-7547.patch
|
|
Based on: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
|
|
|
|
Fixes:
|
|
CVE-2015-7547 - glibc getaddrinfo stack-based buffer overflow.
|
|
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
--- a/resolv/nss_dns/dns-host.c
|
|
+++ b/resolv/nss_dns/dns-host.c
|
|
@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
|
|
int h_namelen = 0;
|
|
|
|
if (ancount == 0)
|
|
- return NSS_STATUS_NOTFOUND;
|
|
+ {
|
|
+ *h_errnop = HOST_NOT_FOUND;
|
|
+ return NSS_STATUS_NOTFOUND;
|
|
+ }
|
|
|
|
while (ancount-- > 0 && cp < end_of_message && had_error == 0)
|
|
{
|
|
@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
|
|
/* Special case here: if the resolver sent a result but it only
|
|
contains a CNAME while we are looking for a T_A or T_AAAA record,
|
|
we fail with NOTFOUND instead of TRYAGAIN. */
|
|
- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
|
|
+ if (canon != NULL)
|
|
+ {
|
|
+ *h_errnop = HOST_NOT_FOUND;
|
|
+ return NSS_STATUS_NOTFOUND;
|
|
+ }
|
|
+
|
|
+ *h_errnop = NETDB_INTERNAL;
|
|
+ return NSS_STATUS_TRYAGAIN;
|
|
}
|
|
|
|
|
|
@@ -1242,8 +1252,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
|
|
&pat, &buffer, &buflen,
|
|
errnop, h_errnop, ttlp,
|
|
&first);
|
|
+ /* Use the second response status in some cases. */
|
|
if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
|
|
status = status2;
|
|
+ /* Do not return a truncated second response (unless it was
|
|
+ unavoidable e.g. unrecoverable TRYAGAIN). */
|
|
+ if (status == NSS_STATUS_SUCCESS
|
|
+ && (status2 == NSS_STATUS_TRYAGAIN
|
|
+ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
|
|
+ status = NSS_STATUS_TRYAGAIN;
|
|
}
|
|
|
|
return status;
|
|
--- a/resolv/res_query.c
|
|
+++ b/resolv/res_query.c
|
|
@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
|
|
{
|
|
free (*answerp2);
|
|
*answerp2 = NULL;
|
|
+ *nanswerp2 = 0;
|
|
*answerp2_malloced = 0;
|
|
}
|
|
}
|
|
@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
|
|
{
|
|
free (*answerp2);
|
|
*answerp2 = NULL;
|
|
+ *nanswerp2 = 0;
|
|
*answerp2_malloced = 0;
|
|
}
|
|
|
|
@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
|
|
{
|
|
free (*answerp2);
|
|
*answerp2 = NULL;
|
|
+ *nanswerp2 = 0;
|
|
*answerp2_malloced = 0;
|
|
}
|
|
if (saved_herrno != -1)
|
|
--- a/resolv/res_send.c
|
|
+++ b/resolv/res_send.c
|
|
@@ -639,11 +639,7 @@ send_vc(res_state statp,
|
|
{
|
|
const HEADER *hp = (HEADER *) buf;
|
|
const HEADER *hp2 = (HEADER *) buf2;
|
|
- u_char *ans = *ansp;
|
|
- int orig_anssizp = *anssizp;
|
|
- // XXX REMOVE
|
|
- // int anssiz = *anssizp;
|
|
- HEADER *anhp = (HEADER *) ans;
|
|
+ HEADER *anhp = (HEADER *) *ansp;
|
|
struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
|
|
int truncating, connreset, n;
|
|
/* On some architectures compiler might emit a warning indicating
|
|
@@ -767,35 +763,6 @@ send_vc(res_state statp,
|
|
assert (anscp != NULL || ansp2 == NULL);
|
|
thisresplenp = &resplen;
|
|
} else {
|
|
- if (*anssizp != MAXPACKET) {
|
|
- /* No buffer allocated for the first
|
|
- reply. We can try to use the rest
|
|
- of the user-provided buffer. */
|
|
-#if __GNUC_PREREQ (4, 7)
|
|
- DIAG_PUSH_NEEDS_COMMENT;
|
|
- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
|
|
-#endif
|
|
-#if _STRING_ARCH_unaligned
|
|
- *anssizp2 = orig_anssizp - resplen;
|
|
- *ansp2 = *ansp + resplen;
|
|
-#else
|
|
- int aligned_resplen
|
|
- = ((resplen + __alignof__ (HEADER) - 1)
|
|
- & ~(__alignof__ (HEADER) - 1));
|
|
- *anssizp2 = orig_anssizp - aligned_resplen;
|
|
- *ansp2 = *ansp + aligned_resplen;
|
|
-#endif
|
|
-#if __GNUC_PREREQ (4, 7)
|
|
- DIAG_POP_NEEDS_COMMENT;
|
|
-#endif
|
|
- } else {
|
|
- /* The first reply did not fit into the
|
|
- user-provided buffer. Maybe the second
|
|
- answer will. */
|
|
- *anssizp2 = orig_anssizp;
|
|
- *ansp2 = *ansp;
|
|
- }
|
|
-
|
|
thisanssizp = anssizp2;
|
|
thisansp = ansp2;
|
|
thisresplenp = resplen2;
|
|
@@ -804,10 +771,14 @@ send_vc(res_state statp,
|
|
anhp = (HEADER *) *thisansp;
|
|
|
|
*thisresplenp = rlen;
|
|
- if (rlen > *thisanssizp) {
|
|
- /* Yes, we test ANSCP here. If we have two buffers
|
|
- both will be allocatable. */
|
|
- if (__glibc_likely (anscp != NULL)) {
|
|
+ /* Is the answer buffer too small? */
|
|
+ if (*thisanssizp < rlen) {
|
|
+ /* If the current buffer is not the the static
|
|
+ user-supplied buffer then we can reallocate
|
|
+ it. */
|
|
+ if (thisansp != NULL && thisansp != ansp) {
|
|
+ /* Always allocate MAXPACKET, callers expect
|
|
+ this specific size. */
|
|
u_char *newp = malloc (MAXPACKET);
|
|
if (newp == NULL) {
|
|
*terrno = ENOMEM;
|
|
@@ -957,8 +928,6 @@ send_dg(res_state statp,
|
|
{
|
|
const HEADER *hp = (HEADER *) buf;
|
|
const HEADER *hp2 = (HEADER *) buf2;
|
|
- u_char *ans = *ansp;
|
|
- int orig_anssizp = *anssizp;
|
|
struct timespec now, timeout, finish;
|
|
struct pollfd pfd[1];
|
|
int ptimeout;
|
|
@@ -1154,50 +1123,48 @@ send_dg(res_state statp,
|
|
assert (anscp != NULL || ansp2 == NULL);
|
|
thisresplenp = &resplen;
|
|
} else {
|
|
- if (*anssizp != MAXPACKET) {
|
|
- /* No buffer allocated for the first
|
|
- reply. We can try to use the rest
|
|
- of the user-provided buffer. */
|
|
-#if _STRING_ARCH_unaligned
|
|
- *anssizp2 = orig_anssizp - resplen;
|
|
- *ansp2 = *ansp + resplen;
|
|
-#else
|
|
- int aligned_resplen
|
|
- = ((resplen + __alignof__ (HEADER) - 1)
|
|
- & ~(__alignof__ (HEADER) - 1));
|
|
- *anssizp2 = orig_anssizp - aligned_resplen;
|
|
- *ansp2 = *ansp + aligned_resplen;
|
|
-#endif
|
|
- } else {
|
|
- /* The first reply did not fit into the
|
|
- user-provided buffer. Maybe the second
|
|
- answer will. */
|
|
- *anssizp2 = orig_anssizp;
|
|
- *ansp2 = *ansp;
|
|
- }
|
|
-
|
|
thisanssizp = anssizp2;
|
|
thisansp = ansp2;
|
|
thisresplenp = resplen2;
|
|
}
|
|
|
|
if (*thisanssizp < MAXPACKET
|
|
- /* Yes, we test ANSCP here. If we have two buffers
|
|
- both will be allocatable. */
|
|
- && anscp
|
|
+ /* If the current buffer is not the the static
|
|
+ user-supplied buffer then we can reallocate
|
|
+ it. */
|
|
+ && (thisansp != NULL && thisansp != ansp)
|
|
#ifdef FIONREAD
|
|
+ /* Is the size too small? */
|
|
&& (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
|
|
|| *thisanssizp < *thisresplenp)
|
|
#endif
|
|
) {
|
|
+ /* Always allocate MAXPACKET, callers expect
|
|
+ this specific size. */
|
|
u_char *newp = malloc (MAXPACKET);
|
|
if (newp != NULL) {
|
|
- *anssizp = MAXPACKET;
|
|
- *thisansp = ans = newp;
|
|
+ *thisanssizp = MAXPACKET;
|
|
+ *thisansp = newp;
|
|
if (thisansp == ansp2)
|
|
*ansp2_malloced = 1;
|
|
}
|
|
}
|
|
+ /* We could end up with truncation if anscp was NULL
|
|
+ (not allowed to change caller's buffer) and the
|
|
+ response buffer size is too small. This isn't a
|
|
+ reliable way to detect truncation because the ioctl
|
|
+ may be an inaccurate report of the UDP message size.
|
|
+ Therefore we use this only to issue debug output.
|
|
+ To do truncation accurately with UDP we need
|
|
+ MSG_TRUNC which is only available on Linux. We
|
|
+ can abstract out the Linux-specific feature in the
|
|
+ future to detect truncation. */
|
|
+ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
|
|
+ Dprint(statp->options & RES_DEBUG,
|
|
+ (stdout, ";; response may be truncated (UDP)\n")
|
|
+ );
|
|
+ }
|
|
+
|
|
HEADER *anhp = (HEADER *) *thisansp;
|
|
socklen_t fromlen = sizeof(struct sockaddr_in6);
|
|
assert (sizeof(from) <= fromlen);
|