CVE-2026-0915: Stack memory disclosure in getnetbyaddr

Resolves: RHEL-141850
2026-02-12 15:17:05 +01:00 · 2026-02-12 15:17:05 +01:00 · eae38d8010
commit eae38d8010
parent 949d465bf8
1 changed files with 70 additions and 0 deletions
--- a/glibc-RHEL-141850.patch
+++ b/glibc-RHEL-141850.patch
@ -0,0 +1,70 @@
+commit e56ff82d5034ec66c6a78f517af6faa427f65b0b
+Author: Carlos O'Donell <carlos@redhat.com>
+Date:   Thu Jan 15 15:09:38 2026 -0500
+
+    resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
+    
+    The default network value of zero for net was never tested for and
+    results in a DNS query constructed from uninitialized stack bytes.
+    The solution is to provide a default query for the case where net
+    is zero.
+    
+    Adding a test case for this was straight forward given the existence of
+    tst-resolv-network and if the test is added without the fix you observe
+    this failure:
+    
+    FAIL: resolv/tst-resolv-network
+    original exit status 1
+    error: tst-resolv-network.c:174: invalid QNAME: \146\218\129\128
+    error: 1 test failures
+    
+    With a random QNAME resulting from the use of uninitialized stack bytes.
+    
+    After the fix the test passes.
+    
+    Additionally verified using wireshark before and after to ensure
+    on-the-wire bytes for the DNS query were as expected.
+    
+    No regressions on x86_64.
+    
+    Reviewed-by: Florian Weimer <fweimer@redhat.com>
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 74b78959c230a8e3..1912fef6f2284c2d 100644
+--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
+@@ -208,6 +208,10 @@ _nss_dns_getnetbyaddr_r (uint32_t net, int type, struct netent *result,
+       sprintf (qbuf, "%u.%u.%u.%u.in-addr.arpa", net_bytes[3], net_bytes[2],
+ 	       net_bytes[1], net_bytes[0]);
+       break;
+    default:
+      /* Default network (net is originally zero).  */
+      strcpy (qbuf, "0.0.0.0.in-addr.arpa");
+      break;
+     }
+ 
+   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+diff --git a/resolv/tst-resolv-network.c b/resolv/tst-resolv-network.c
+index 156cb5692b6a9a28..febb447f60814498 100644
+--- a/resolv/tst-resolv-network.c
+++ b/resolv/tst-resolv-network.c
+@@ -46,6 +46,9 @@ handle_code (const struct resolv_response_context *ctx,
+ {
+   switch (code)
+     {
+    case 0:
+      send_ptr (b, qname, qclass, qtype, "0.in-addr.arpa");
+      break;
+     case 1:
+       send_ptr (b, qname, qclass, qtype, "1.in-addr.arpa");
+       break;
+@@ -265,6 +268,9 @@ do_test (void)
+                 "error: TRY_AGAIN\n");
+ 
+   /* Lookup by address, success cases.  */
+  check_reverse (0,
+                 "name: 0.in-addr.arpa\n"
+                 "net: 0x00000000\n");
+   check_reverse (1,
+                  "name: 1.in-addr.arpa\n"
+                  "net: 0x00000001\n");