Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 489104 Details for
Bug 627338
=sys-libs/glibc-2.26: will stop recognizing 'compat' entries in /etc/nsswitch.conf
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
nss-mdns-9999-src-nss.c-fix-out-of-bounds-memset.patch
nss-mdns-9999-src-nss.c-fix-out-of-bounds-memset.patch (text/plain), 2.41 KB, created by
Sergei Trofimovich (RETIRED)
on 2017-08-15 08:53:10 UTC
(
hide
)
Description:
nss-mdns-9999-src-nss.c-fix-out-of-bounds-memset.patch
Filename:
MIME Type:
Creator:
Sergei Trofimovich (RETIRED)
Created:
2017-08-15 08:53:10 UTC
Size:
2.41 KB
patch
obsolete
>From 4cdb0b68b9d7680e3c3f11f48b9e739c394a2a6a Mon Sep 17 00:00:00 2001 >From: Sergei Trofimovich <slyfox@gentoo.org> >Date: Tue, 15 Aug 2017 09:45:29 +0100 >Subject: [PATCH] src/nss.c: fix out-of-bounds memset() >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >out-of-bounds access happens at memset() call site: > > @@ -272,9 +272,9 @@ enum nss_status _nss_mdns_gethostbyname4_r( > // Copy address > memcpy(&(tuple->addr), &(u.data.result[i].address), address_length); > if(address_length < sizeof(ipv6_address_t)) { > memset((&(tuple->addr) + address_length - sizeof(ipv6_address_t)), 0, > (sizeof(ipv6_address_t) - address_length) > ); > } > >The problem here is in 'addr' type: > struct gaih_addrtuple { > ... > uint32_t addr[4]; > ... > }; > >It means pointer addressing is not byte-based as offsets imply and memset() >wipes 12 bytes in hearby memory (of stack in glibc case). > >valgrind detects the overflow as: > > ==12732== Invalid write of size 1 > ==12732== at 0x4C11A29: memset (vg_replace_strmem.c:1239) > ==12732== by 0x57FA348: _nss_mdns_minimal_gethostbyname4_r (nss.c:292) > ==12732== by 0x4F016D8: gaih_inet.constprop.7 (getaddrinfo.c:806) > ==12732== by 0x4F02673: getaddrinfo (getaddrinfo.c:2317) > ==12732== by 0x4800B3B: main (a.c:34) > >The effect is SIGSEGV-ing getaddrinfo() call on systems with >the following nsswitch.conf: > > hosts: files mdns_minimal [NOTFOUND=return] dns > >The fix is to simplify memset()/memcpy() sequence. > >Reported-by: MichaŠGórny >Bug: https://bugs.gentoo.org/627770 >Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org> >--- > src/nss.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > >diff --git a/src/nss.c b/src/nss.c >index ebb887c..1f50bad 100644 >--- a/src/nss.c >+++ b/src/nss.c >@@ -271,12 +271,8 @@ enum nss_status _nss_mdns_gethostbyname4_r( > tuple->family = u.data.result[i].af; > > // Copy address >+ memset(&(tuple->addr), 0, sizeof(ipv6_address_t)); > memcpy(&(tuple->addr), &(u.data.result[i].address), address_length); >- if(address_length < sizeof(ipv6_address_t)) { >- memset((&(tuple->addr) + address_length - sizeof(ipv6_address_t)), 0, >- (sizeof(ipv6_address_t) - address_length) >- ); >- } > > // Assign interface scope id > tuple->scopeid = u.data.result[i].scopeid; >-- >2.14.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=489104">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 627338
: 489104
