CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007] - mirror/glibc - mirror of git://sourceware.org/git/glibc.git

diff options

author	Florian Weimer <fweimer@redhat.com>	2015-04-29 14:41:25 +0200
committer	Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>	2015-05-25 16:24:56 -0300
commit	ed21c85d5090667e3ab7d3a7e98dde43842aa70c (patch)
tree	058d3bf7a77449913daf28dd9717cf0fe9e6cfa2 /stdlib/lrand48_r.c
parent	19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208 (diff)
download	glibc-ed21c85d5090667e3ab7d3a7e98dde43842aa70c.tar.gz glibc-ed21c85d5090667e3ab7d3a7e98dde43842aa70c.tar.xz glibc-ed21c85d5090667e3ab7d3a7e98dde43842aa70c.zip

CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

Robin Hack discovered Samba would enter an infinite loop processing
certain quota-related requests.  We eventually tracked this down to a
glibc issue.

Running a (simplified) test case under strace shows that /etc/passwd
is continuously opened and closed:

…
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
lseek(3, 2717, SEEK_SET)                = 2717
close(3)                                = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
…

The lookup function implementation in
nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
supposed skip closing the input file if it was already open.

  /* Reset file pointer to beginning or open file.  */			      \
  status = internal_setent (keep_stream);				      \
									      \
  if (status == NSS_STATUS_SUCCESS)					      \
    {									      \
      /* Tell getent function that we have repositioned the file pointer.  */ \
      last_use = getby;							      \
									      \
      while ((status = internal_getent (result, buffer, buflen, errnop	      \
					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
	     == NSS_STATUS_SUCCESS)					      \
	{ break_if_match }						      \
									      \
      if (! keep_stream)						      \
	internal_endent ();						      \
    }									      \

keep_stream is initialized from the stayopen flag in internal_setent.
internal_setent is called from the set*ent implementation as:

  status = internal_setent (stayopen);

However, for non-host database, this flag is always 0, per the
STAYOPEN magic in nss/getXXent_r.c.

Thus, the fix is this:

-  status = internal_setent (stayopen);
+  status = internal_setent (1);

This is not a behavioral change even for the hosts database (where the
application can specify the stayopen flag) because with a call to
sethostent(0), the file handle is still not closed in the
implementation of gethostent.

Conflicts:
	NEWS

Diffstat (limited to 'stdlib/lrand48_r.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: