Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538090 (CVE-2013-7423) - <sys-libs/glibc-2.20-r2: getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)
Summary: <sys-libs/glibc-2.20-r2: getaddrinfo() writes DNS queries to random file desc...
Status: RESOLVED FIXED
Alias: CVE-2013-7423
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa cleanup]
Keywords:
Depends on: CVE-2014-0475 544034
Blocks:
  Show dependency tree
 
Reported: 2015-01-28 19:41 UTC by Kristian Fiskerstrand
Modified: 2016-02-17 15:38 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2015-01-28 19:41:40 UTC
From ${URL}:

Under high load, getaddrinfo() starts sending DNS queries to random
file descriptors, e.g. some unrelated socket connected to a remote service.

The attached code reproduces the bug on at least the following configurations:

Archlinux libc6 2.18
Debian libc6 2.6.11
Debian libc6 2.13-38
Debian libc6 2.17-92
Ubuntu libc6 2.17-0ubuntu5

What the code does is to fill the file descriptor space, closing and creating many file descriptors, to maximize the chances of reproducing the bug:

 - a thread listens to a local unix socket
 - a thread connects to the unix socket, never writes to it, dups the
connection as much as possible (fills the fd space), closes the dups, and starts
dup()ing again
 - lots of threads call getaddrinfo()

Under less than a minute, the listener starts reading garbage.

The garbage received by the listener seems to always be a full, well-formed, DNS query. It seems to always be an AAAA query, even when hints.ai_family is AF_INET. All queries are similar, only the id changes.

- -- 
CVE assigned today at http://seclists.org/oss-sec/2015/q1/316
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-01-29 09:45:01 UTC
This issue seems to be confirmed fixed in version 2.20. There was some confusion whether the issue still persists after this version, however that seems to have been limited to a bad testcase. Versions prior to 2.20 are vulnerable to this issue.

https://sourceware.org/ml/glibc-bugs/2015-01/msg00226.html
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:31:26 UTC
CVE-2013-7423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7423):
  The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or
  libc6) before 2.20 does not properly reuse file descriptors, which allows
  remote attackers to send DNS queries to unintended locations via a large
  number of request that trigger a call to the getaddrinfo function.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:20 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02
by GLSA coordinator Tobias Heinlein (keytoaster).