Fix memory leak regression in getaddrinfo (RHEL-2426)

Related: RHEL-2426
This commit is contained in:
Florian Weimer 2023-09-25 07:54:46 +01:00
parent d9eb6f4246
commit df2a403efa
3 changed files with 127 additions and 1 deletions

37
glibc-RHEL-2426-14.patch Normal file
View File

@ -0,0 +1,37 @@
commit 57e349b1b0df1aee2dcd19dae1f324bde25ff8f0
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Wed Dec 8 07:02:27 2021 -0800
Disable DT_RUNPATH on NSS tests [BZ #28455]
The glibc internal NSS functions should always load NSS modules from
the system. For testing purpose, disable DT_RUNPATH on NSS tests so
that the glibc internal NSS functions can load testing NSS modules
via DT_RPATH.
This partially fixes BZ #28455.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Conflicts:
nss/Makefile
(different test backport order)
diff --git a/nss/Makefile b/nss/Makefile
index 64b29745131d3cf5..9af46fb3a8195809 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -215,3 +215,13 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+
+# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
+# functions can load testing NSS modules via DT_RPATH.
+LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test2 = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
+LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags

84
glibc-RHEL-2426-15.patch Normal file
View File

@ -0,0 +1,84 @@
commit ec6b95c3303c700eb89eebeda2d7264cc184a796
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
diff --git a/nss/Makefile b/nss/Makefile
index 9af46fb3a8195809..62a68880198c243c 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -148,6 +148,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -216,6 +225,17 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
+
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
# functions can load testing NSS modules via DT_RPATH.
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6a90773..7db53cf09da8dcb6 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 10dc63542f337693..d6046a707f1d742a 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}

View File

@ -155,7 +155,7 @@ end \
Summary: The GNU libc libraries Summary: The GNU libc libraries
Name: glibc Name: glibc
Version: %{glibcversion} Version: %{glibcversion}
Release: 83%{?dist}.6 Release: 83%{?dist}.7
# In general, GPLv2+ is used by programs, LGPLv2+ is used for # In general, GPLv2+ is used by programs, LGPLv2+ is used for
# libraries. # libraries.
@ -768,6 +768,8 @@ Patch531: glibc-RHEL-2426-11.patch
Patch532: glibc-RHEL-2426-12.patch Patch532: glibc-RHEL-2426-12.patch
Patch533: glibc-RHEL-2426-13.patch Patch533: glibc-RHEL-2426-13.patch
Patch534: glibc-RHEL-3000.patch Patch534: glibc-RHEL-3000.patch
Patch535: glibc-RHEL-2426-14.patch
Patch536: glibc-RHEL-2426-15.patch
############################################################################## ##############################################################################
# Continued list of core "glibc" package information: # Continued list of core "glibc" package information:
@ -2925,6 +2927,9 @@ update_gconv_modules_cache ()
%endif %endif
%changelog %changelog
* Mon Sep 25 2023 Florian Weimer <fweimer@redhat.com> - 2.34-83.7
- Fix memory leak regression in getaddrinfo (RHEL-2426)
* Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-83.6 * Tue Sep 19 2023 Carlos O'Donell <carlos@redhat.com> - 2.34-83.6
- CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-3000) - CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation (RHEL-3000)