From 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar
Date: Fri, 25 Oct 2013 10:22:12 +0530
Subject: [PATCH] Fix stack overflow due to large AF_INET6 requests

Resolves #16072 (CVE-2013-4458).

This patch fixes another stack overflow in getaddrinfo when it is called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914, but the AF_INET6 case went undetected back then.
---
 ChangeLog | 75 ++-----------------------------------
 NEWS | 5 ++-
 sysdeps/posix/getaddrinfo.c | 20 +++++++++-
 3 files changed, 26 insertions(+), 74 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3805278d939..ed41494afdf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,76 +1,9 @@
-2013-10-10 Joseph Myers
+2013-10-25 Siddhesh Poyarekar
- * sysdeps/ieee754/ldbl-128ibm/e_acosl.c (__ieee754_acosl): Check
- for NaNs before doing comparisons on argument.
- * sysdeps/ieee754/ldbl-128ibm/e_asinl.c (__ieee754_asinl):
- Likewise.
-
-2013-10-04 Anton Blanchard
- Alistair Popple
- Alan Modra
-
- [BZ #15723]
- * sysdeps/powerpc/jmpbuf-offsets.h: Comment fix.
- * sysdeps/powerpc/powerpc32/fpu/__longjmp-common.S: Correct
- _dl_hwcap access for little-endian.
- * sysdeps/powerpc/powerpc32/fpu/setjmp-common.S: Likewise. Don't
- destroy vmx regs when saving unaligned.
- * sysdeps/powerpc/powerpc64/__longjmp-common.S: Correct CR load.
- * sysdeps/powerpc/powerpc64/setjmp-common.S: Likewise CR save. Don't
- destroy vmx regs when saving unaligned.
-
-2013-09-09 Allan McRae
-
- [BZ #15893]
- * stdlib/isomac.c (get_null_defines): Fix memory leak.
-
- [BZ #15892]
- * libio/memstream.c (open_memstream): Fix memory leak.
- * libio/wmemstream.c (open_wmemstream): Likewise.
-
- [BZ #15895]
- * nscd/netgroupcache.c: Fix nesting of ifdefs.
-
-2013-09-05 Adhemerval Zanella
-
- * sysdeps/powerpc/powerpc32/power7/memrchr.S (__memrchr): Fix invalid
- memory access for final bytes in some large inputs.
- * sysdeps/powerpc/powerpc64/power7/memrchr.S (__memrchr): Likewise.
-
-2013-09-05 Adhemerval Zanella
-
- * string/test-memrchr.c: New file.
- * string/test-memrchr-ifunc.c: New file.
- * string/Makefile: Add new memrchr testcase.
-
-2013-09-03 Joseph Myers
-
- [BZ #15427]
- * sysdeps/ieee754/flt-32/e_lgammaf_r.c (__ieee754_lgammaf_r): Use
- 2**-30 instead of 2**-70 as threshold for returning -log(|x|).
- * math/libm-test.inc (lgamma_test_data): Add more tests.
- * sysdeps/i386/fpu/libm-test-ulps: Update.
- * sysdeps/x86_64/fpu/libm-test-ulps: Likewise.
-
-2013-09-03 Ondřej Bílka
-
- * sysdeps/x86_64/multiarch/strcmp-sse2-unaligned.S: New file.
- * sysdeps/x86_64/multiarch/ifunc-impl-list.c (__libc_ifunc_impl_list):
- Add ifunc.
- * sysdeps/x86_64/multiarch/Makefile (sysdep_routines):
- Add strcmp-sse2-unaligned
- * sysdeps/x86_64/multiarch/strcmp.S (strcmp): Add ifunc.
-
-2013-09-02 Mike Frysinger
-
- * Versions.def (libc): Add GLIBC_2.19.
-
-2013-09-02 Mike Frysinger
-
- * sysdeps/unix/sysv/linux/tst-fanotify.c: New test.
- * sysdeps/unix/sysv/linux/Makefile (tests): Add tst-fanotify.
+ [BZ #16072]
+ * sysdeps/posix/getaddrinfo.c (gethosts): Allocate tmpbuf on
+ heap for large requests.
->>>>>>> ffa3cd7... Fix lgammaf spurious underflow (bug 15427).
 2013-09-02 Joseph Myers
 [BZ #14155]
diff --git a/NEWS b/NEWS
index 8689dd0a294..f0a93464e0b 100644
--- a/NEWS
+++ b/NEWS
@@ -23,7 +23,7 @@ Version 2.18
 15465, 15480, 15485, 15488, 15490, 15492, 15493, 15497, 15506, 15522,
 15529, 15532, 15536, 15553, 15577, 15583, 15618, 15627, 15631, 15654,
 15655, 15666, 15667, 15674, 15711, 15755, 15759, 15797, 15892, 15893,
- 15895, 15988.
+ 15895, 15988, 16072.
 * CVE-2013-2207 Incorrectly granting access to another user's pseudo-terminal
 has been fixed by disabling the use of pt_chown (Bugzilla #15755).
@@ -42,6 +42,9 @@ Version 2.18
 to the d_name member of struct dirent, or omit the terminating NUL
 character. (Bugzilla #14699).
+* CVE-2013-4458 Stack overflow in getaddrinfo with large number of results
+ for AF_INET6 has been fixed (Bugzilla #16072).
+
 * Add support for calling C++11 thread_local object destructors on thread
 and program exit. This needs compiler support for offloading C++11
 destructor calls to glibc.
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 7bb3ded9af0..2e972551336 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
 &rc, &herrno, NULL, &localcanon)); \
 if (rc != ERANGE || herrno != NETDB_INTERNAL) \
 break; \
- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
+ alloca_used); \
+ else \
+ { \
+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
+ 2 * tmpbuflen); \
+ if (newp == NULL) \
+ { \
+ result = -EAI_MEMORY; \
+ goto free_and_return; \
+ } \
+ tmpbuf = newp; \
+ malloc_tmpbuf = true; \
+ tmpbuflen = 2 * tmpbuflen; \
+ } \
 } \
 if (status == NSS_STATUS_SUCCESS && rc == 0) \
 h = &th; \
@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
 { \
 __set_h_errno (herrno); \
 _res.options |= old_res_options & RES_USE_INET6; \
- return -EAI_SYSTEM; \
+ result = -EAI_SYSTEM; \
+ goto free_and_return; \
 } \
 if (herrno == TRY_AGAIN) \
 no_data = EAI_AGAIN; \
-- 
2.47.2
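Review bot: The heap branch passes `NULL` to `realloc` when `tmpbuf` still lives on the stack, so the first move to the heap deliberately drops the buffer's contents; that is only correct because the lookup is re-issued with the larger buffer on the next pass (the `rc != ERANGE` / `break` check above is the retry exit), and a comment should say so, e.g. `/* Old contents are not needed: the lookup is retried with the bigger buffer, and an alloca'd block must never reach realloc.  */` above the `realloc` call. The correctness of this path also rests on code outside the hunk: `result`, `malloc_tmpbuf` and `alloca_used` must be declared in the enclosing function with `malloc_tmpbuf` initialised to false, and `free_and_return` must call `free (tmpbuf)` only when `malloc_tmpbuf` is set, since freeing an alloca'd pointer would corrupt the heap; none of that is visible here and should be confirmed. The `gethosts` macro and the function it is expanded in both start and end outside this hunk.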
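Review bot: Turning `return -EAI_SYSTEM` into `result = -EAI_SYSTEM; goto free_and_return;` is what keeps the newly heap-allocated `tmpbuf` from leaking on this error path, but it only covers the one exit shown; any other `return` left inside the `gethosts` macro, or between the `gethosts` expansions and the `free_and_return` label, would leak the buffer once `malloc_tmpbuf` is true. That remainder is outside the hunk, so it cannot be verified here and is worth a grep before merging. The macro body continues past the end of the hunk.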