Fix stack overflow due to large AF_INET6 requests
authorSiddhesh Poyarekar <siddhesh@redhat.com>
Fri, 25 Oct 2013 04:52:12 +0000 (10:22 +0530)
committerAdhemerval Zanella <azanella@linux.vnet.ibm.com>
Thu, 31 Oct 2013 15:44:45 +0000 (10:44 -0500)
Resolves #16072 (CVE-2013-4458).

This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6.  The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.

ChangeLog
NEWS
sysdeps/posix/getaddrinfo.c

index 3805278d9398c12882ec04020e35fa30138fcec0..ed41494afdf9c086fab5a33e07a8940e5bb0036b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,76 +1,9 @@
-2013-10-10  Joseph Myers  <joseph@codsourcery.com>
+2013-10-25  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
-       * sysdeps/ieee754/ldbl-128ibm/e_acosl.c (__ieee754_acosl): Check
-       for NaNs before doing comparisons on argument.
-       * sysdeps/ieee754/ldbl-128ibm/e_asinl.c (__ieee754_asinl):
-       Likewise.
-
-2013-10-04  Anton Blanchard <anton@au1.ibm.com>
-           Alistair Popple <alistair@ozlabs.au.ibm.com>
-           Alan Modra <amodra@gmail.com>
-
-       [BZ #15723]
-       * sysdeps/powerpc/jmpbuf-offsets.h: Comment fix.
-       * sysdeps/powerpc/powerpc32/fpu/__longjmp-common.S: Correct
-       _dl_hwcap access for little-endian.
-       * sysdeps/powerpc/powerpc32/fpu/setjmp-common.S: Likewise.  Don't
-       destroy vmx regs when saving unaligned.
-       * sysdeps/powerpc/powerpc64/__longjmp-common.S: Correct CR load.
-       * sysdeps/powerpc/powerpc64/setjmp-common.S: Likewise CR save.  Don't
-       destroy vmx regs when saving unaligned.
-
-2013-09-09  Allan McRae  <allan@archlinux.org>
-
-       [BZ #15893]
-       * stdlib/isomac.c (get_null_defines): Fix memory leak.
-
-       [BZ #15892]
-       * libio/memstream.c (open_memstream): Fix memory leak.
-       * libio/wmemstream.c (open_wmemstream): Likewise.
-
-       [BZ #15895]
-       * nscd/netgroupcache.c: Fix nesting of ifdefs.
-
-2013-09-05  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
-
-       * sysdeps/powerpc/powerpc32/power7/memrchr.S (__memrchr): Fix invalid
-       memory access for final bytes in some large inputs.
-       * sysdeps/powerpc/powerpc64/power7/memrchr.S (__memrchr): Likewise.
-
-2013-09-05  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
-
-       * string/test-memrchr.c: New file.
-       * string/test-memrchr-ifunc.c: New file.
-       * string/Makefile: Add new memrchr testcase.
-
-2013-09-03  Joseph Myers  <joseph@codesourcery.com>
-
-       [BZ #15427]
-       * sysdeps/ieee754/flt-32/e_lgammaf_r.c (__ieee754_lgammaf_r): Use
-       2**-30 instead of 2**-70 as threshold for returning -log(|x|).
-       * math/libm-test.inc (lgamma_test_data): Add more tests.
-       * sysdeps/i386/fpu/libm-test-ulps: Update.
-       * sysdeps/x86_64/fpu/libm-test-ulps: Likewise.
-
-2013-09-03   Ondřej Bílka  <neleai@seznam.cz>
-
-       * sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: New file.
-       * sysdeps/x86_64/multiarch/ifunc-impl-list.c (__libc_ifunc_impl_list):
-       Add ifunc.
-       * sysdeps/x86_64/multiarch/Makefile (sysdep_routines):
-       Add strcmp-sse2-unaligned
-       * sysdeps/x86_64/multiarch/strcmp.S (strcmp): Add ifunc.
-
-2013-09-02  Mike Frysinger  <vapier@gentoo.org>
-
-       * Versions.def (libc): Add GLIBC_2.19.
-
-2013-09-02  Mike Frysinger  <vapier@gentoo.org>
-
-       * sysdeps/unix/sysv/linux/tst-fanotify.c: New test.
-       * sysdeps/unix/sysv/linux/Makefile (tests): Add tst-fanotify.
+       [BZ #16072]
+       * sysdeps/posix/getaddrinfo.c (gethosts): Allocate tmpbuf on
+       heap for large requests.
 
->>>>>>> ffa3cd7... Fix lgammaf spurious underflow (bug 15427).
 2013-09-02  Joseph Myers  <joseph@codesourcery.com>
 
        [BZ #14155]
diff --git a/NEWS b/NEWS
index 8689dd0a2948735bafa093685cc07a58c6b831ec..f0a93464e0b902ec61d8f72c7f044059f4366704 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,7 @@ Version 2.18
   15465, 15480, 15485, 15488, 15490, 15492, 15493, 15497, 15506, 15522,
   15529, 15532, 15536, 15553, 15577, 15583, 15618, 15627, 15631, 15654,
   15655, 15666, 15667, 15674, 15711, 15755, 15759, 15797, 15892, 15893,
-  15895, 15988.
+  15895, 15988, 16072.
 
 * CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
   has been fixed by disabling the use of pt_chown (Bugzilla #15755).
@@ -42,6 +42,9 @@ Version 2.18
   to the d_name member of struct dirent, or omit the terminating NUL
   character.  (Bugzilla #14699).
 
+* CVE-2013-4458 Stack overflow in getaddrinfo with large number of results
+  for AF_INET6 has been fixed (Bugzilla #16072).
+
 * Add support for calling C++11 thread_local object destructors on thread
   and program exit.  This needs compiler support for offloading C++11
   destructor calls to glibc.
index 7bb3ded9af07ae2392633876c7009de2789bd3b6..2e97255133659a9b74ec1b759ace0a55912363bb 100644 (file)
@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
                                &rc, &herrno, NULL, &localcanon));            \
     if (rc != ERANGE || herrno != NETDB_INTERNAL)                            \
       break;                                                                 \
-    tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen);               \
+    if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen))    \
+      tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen,              \
+                                     alloca_used);                           \
+    else                                                                     \
+      {                                                                              \
+       char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL,                  \
+                             2 * tmpbuflen);                                 \
+       if (newp == NULL)                                                     \
+         {                                                                   \
+           result = -EAI_MEMORY;                                             \
+           goto free_and_return;                                             \
+         }                                                                   \
+       tmpbuf = newp;                                                        \
+       malloc_tmpbuf = true;                                                 \
+       tmpbuflen = 2 * tmpbuflen;                                            \
+      }                                                                              \
   }                                                                          \
   if (status == NSS_STATUS_SUCCESS && rc == 0)                               \
     h = &th;                                                                 \
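Review bot: The new `else` branch makes the gethosts macro depend on `result`, `malloc_tmpbuf`, `alloca_used` and the label `free_and_return` being in scope at every expansion site, and it relies on a failed `realloc` leaving the old `tmpbuf` intact so that label can still free it; nothing in the hunk states that contract, and the `#define gethosts` line where it belongs is outside the hunk. Worth adding above the definition: `/* Needs locals result, malloc_tmpbuf, alloca_used and a free_and_return label that frees tmpbuf when malloc_tmpbuf is set.  Buffer contents are not carried across growth; the lookup is simply retried with the larger buffer.  */`. The alloca-to-heap switch uses `realloc (NULL, ...)`, so the first heap buffer starts empty, which is consistent with the retry loop visible at the top of the hunk. The doubling is unbounded until `realloc` fails, which now degrades to `EAI_MEMORY` rather than the stack overflow the commit fixes.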
@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
        {                                                                     \
          __set_h_errno (herrno);                                             \
          _res.options |= old_res_options & RES_USE_INET6;                    \
-         return -EAI_SYSTEM;                                                 \
+         result = -EAI_SYSTEM;                                               \
+         goto free_and_return;                                               \
        }                                                                     \
       if (herrno == TRY_AGAIN)                                               \
        no_data = EAI_AGAIN;                                                  \
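Review bot: Turning `return -EAI_SYSTEM` into `result = -EAI_SYSTEM; goto free_and_return;` covers only this one exit; the macro's remaining exits and any `return` between the first gethosts expansion and the `free_and_return` label in the enclosing function are outside this hunk, and any left as plain returns would leak `tmpbuf` once `malloc_tmpbuf` is set. I cannot see those paths here, so this is a request to confirm each was converted the same way. A comment at the label, `/* Every exit after gethosts must come through here so a heap tmpbuf is released.  */`, would make the invariant visible to later edits.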