Avoid UAF in getcanonname (CVE-2023-4806) When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. This is a minimal RHEL-8-specific fix. Test case differences from upstream: - The test module needs to explicitly link against libnss_files on RHEL-8; upstream libnss_files is built into libc.so. - Test module code was adapted to not use the upstream NSS module convenience macros. This change is adapted from the following commit from upstream: commit 973fe93a5675c42798b2161c6f29c01b0e243994 Author: Siddhesh Poyarekar Date: Fri Sep 15 13:51:12 2023 -0400 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. 
For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar diff --git a/nss/Makefile b/nss/Makefile index cfb255c6e7a3a4de..5829a2539306ddb5 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -66,7 +66,8 @@ xtests = bug-erange tests-container = \ tst-nss-db-endpwent \ tst-nss-db-endgrent \ - tst-nss-gai-actions + tst-nss-gai-actions \ + tst-nss-gai-hv2-canonname # Tests which need libdl ifeq (yes,$(build-shared)) @@ -132,7 +133,8 @@ routines += $(libnss_files-routines) static-only-routines += $(libnss_files-routines) tests-static += tst-nss-static endif -extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os +extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os include ../Rules 
@@ -169,12 +171,17 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver libof-nss_test1 = extramodules libof-nss_test2 = extramodules libof-nss_test_errno = extramodules +libof-nss_test_gai_hv2_canonname = extramodules $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) $(build-module) +$(objpfx)/libnss_test_gai_hv2_canonname.so: \ + $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) \ + $(objpfx)/libnss_files.so + $(build-module) $(objpfx)nss_test2.os : nss_test1.c ifdef libnss_test1.so-version $(objpfx)/libnss_test1.so$(libnss_test1.so-version): $(objpfx)/libnss_test1.so @@ -187,10 +194,14 @@ endif $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ $(objpfx)/libnss_test_errno.so $(make-link) +$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_gai_hv2_canonname.so + $(make-link) $(patsubst %,$(objpfx)%.out,$(tests)) : \ $(objpfx)/libnss_test1.so$(libnss_test1.so-version) \ $(objpfx)/libnss_test2.so$(libnss_test2.so-version) \ - $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) ifeq (yes,$(have-thread-library)) $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c new file mode 100644 index 0000000000000000..4195d7d24fdd5f6d --- /dev/null +++ b/nss/nss_test_gai_hv2_canonname.c 
@@ -0,0 +1,64 @@ +/* NSS service provider that only provides gethostbyname2_r. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include "nss/tst-nss-gai-hv2-canonname.h" + +/* Catch misnamed and functions. */ +#pragma GCC diagnostic error "-Wmissing-prototypes" + +extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, + struct hostent *, char *, + size_t, int *, int *); + +enum nss_status +_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *, int, struct hostent + *, char *, size_t, int *, int *); + +enum nss_status +_nss_test_gai_hv2_canonname_getcanonname_r (const char *, char *, size_t, char + **, int *, int *); + +enum nss_status +_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, + struct hostent *result, + char *buffer, size_t buflen, + int *errnop, int *herrnop) +{ + return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, + herrnop); +} + +enum nss_status +_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, + size_t buflen, char **result, + int *errnop, int *h_errnop) +{ + /* We expect QUERYNAME, which is a small enough string that it shouldn't fail + the test. 
*/ + if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) + || buflen < sizeof (QUERYNAME)) + abort (); + + strncpy (buffer, name, buflen); + *result = buffer; + return NSS_STATUS_SUCCESS; +} diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c new file mode 100644 index 0000000000000000..d5f10c07d6a90773 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.c 
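Review bot: `memcmp (QUERYNAME, name, sizeof (QUERYNAME))` in _nss_test_gai_hv2_canonname_getcanonname_r always compares sizeof (QUERYNAME) bytes, so if a caller ever passed a shorter name the read would run past its terminator before abort () is reached; `if (strcmp (name, QUERYNAME) != 0 || buflen < sizeof (QUERYNAME)) abort ();` checks the same thing without the over-read. With the buflen check in place the following strncpy is bounded and, since name is then exactly QUERYNAME, NUL-terminated, so the copy itself is safe, though `memcpy (buffer, QUERYNAME, sizeof (QUERYNAME));` would make that explicit rather than relying on strncpy's terminator rules. The comment `/* Catch misnamed and functions. */` above the pragma appears to have a missing or stray word; `/* Catch misnamed or undeclared functions.  */` is presumably what was meant.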
@@ -0,0 +1,63 @@ +/* Test NSS query path for plugins that only implement gethostbyname2 + (#30843). + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include "nss/tst-nss-gai-hv2-canonname.h" + +#define PREPARE do_prepare + +static void do_prepare (int a, char **av) +{ + FILE *hosts = xfopen ("/etc/hosts", "w"); + for (unsigned i = 2; i < 255; i++) + { + fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); + fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); + } + xfclose (hosts); +} + +static int +do_test (void) +{ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; + struct addrinfo *result = NULL; + + hints.ai_family = AF_INET6; + hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; + + int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); + + if (ret != 0) + FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); + + TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); + + freeaddrinfo(result); + return 0; +} + +#include diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h new file mode 100644 index 0000000000000000..14f2a9cb0867dff9 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.h @@ -0,0 +1 @@ +#define QUERYNAME "test.example.com" 
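Review bot: do_prepare writes 253 IPv6 and 253 IPv4 entries for test.example.com without saying why that many; per the commit description the bug only triggers once the first (AF_INET6) gethosts call has grown tmpbuf onto the heap, so the count is load-bearing and a comment such as `/* Enough addresses that the first gethosts call must grow tmpbuf past its initial allocation, so h_name ends up in heap memory that the second call can free.  */` above the loop would keep a future cleanup from shrinking it. The fprintf return values are unchecked; xfclose presumably reports a failed flush, but a short write would silently produce a smaller hosts file and a test that no longer reaches the bug, so `TEST_COMPARE (ferror (hosts), 0);` before xfclose would help. Also `freeaddrinfo(result);` lacks the space before the parenthesis used everywhere else in the file.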
diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req new file mode 100644 index 0000000000000000..e69de29bb2d1d643 diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script new file mode 100644 index 0000000000000000..31848b4a28524af6 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script @@ -0,0 +1,2 @@ +cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 +su diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 4fa963644af8b7d5..46046504a6858f2e 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -233,7 +233,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, } array[i].next = array + i + 1; } - array[0].name = h->h_name; array[count - 1].next = NULL; *result = array; @@ -287,6 +286,18 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, } \ *pat = addrmem; \ \ + /* Store h_name so that it survives accidental deallocation when \ + gethosts is called again and tmpbuf gets reallocated. */ \ + if (h_name == NULL && th.h_name != NULL) \ + { \ + h_name = __strdup (th.h_name); \ + if (h_name == NULL) \ + { \ + __resolv_context_put (res_ctx); \ + result = -EAI_SYSTEM; \ + goto free_and_return; \ + } \ + } \ if (localcanon != NULL && canon == NULL) \ { \ canonbuf = __strdup (localcanon); \ 
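Review bot: The added comment `/* Store h_name so that it survives accidental deallocation when gethosts is called again and tmpbuf gets reallocated. */` understates the hazard; the deallocation is not accidental but the normal realloc or free of tmpbuf on the second (AI_V4MAPPED) lookup, which is exactly the CVE-2023-4806 use-after-free, so spell that out, e.g. `/* th.h_name points into tmpbuf, which the next gethosts call may realloc or free (CVE-2023-4806).  Keep a heap copy; the first successful lookup wins and it is released at free_and_return.  */`. The copy is made on every successful lookup even though, judging from the other hunks, h_name is only consumed by getcanonname under AI_CANONNAME; gating the strdup on `(req->ai_flags & AI_CANONNAME) != 0` would avoid an allocation per call, assuming req is in scope where the macro expands. This code sits inside the gethosts macro, whose start and end are outside the hunk.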
@@ -323,15 +334,15 @@ typedef enum nss_status (*nss_getcanonname_r) memory allocation failure. The returned string is allocated on the heap; the caller has to free it. */ static char * -getcanonname (service_user *nip, struct gaih_addrtuple *at, const char *name) +getcanonname (service_user *nip, const char *hname, const char *name) { nss_getcanonname_r cfct = __nss_lookup_function (nip, "getcanonname_r"); char *s = (char *) name; if (cfct != NULL) { char buf[256]; - if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), - &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) + if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, + &h_errno)) != NSS_STATUS_SUCCESS) /* If the canonical name cannot be determined, use the passed string. */ s = (char *) name; @@ -349,6 +360,7 @@ gaih_inet (const char *name, const struct gaih_service *service, struct gaih_addrtuple *at = NULL; bool got_ipv6 = false; const char *canon = NULL; + char *h_name = NULL; const char *orig_name = name; /* Reserve stack memory for the scratch buffer in the getaddrinfo @@ -919,7 +931,7 @@ gaih_inet (const char *name, const struct gaih_service *service, if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL) { - canonbuf = getcanonname (nip, at, name); + canonbuf = getcanonname (nip, h_name, name); if (canonbuf == NULL) { __resolv_context_enable_inet6 @@ -1169,6 +1181,7 @@ gaih_inet (const char *name, const struct gaih_service *service, free ((char *) name); free (addrmem); free (canonbuf); + free (h_name); return result; }
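Review bot: The block comment above getcanonname (its first lines are outside the hunk) still describes the old contract while the second parameter changed from the address tuple to the caller's copy of h_name; extend it with `HNAME, if not NULL, is a heap copy of h_name from the first successful lookup and is preferred over NAME, the string originally queried; the caller owns HNAME and frees it.` The fallback `hname ?: name` keeps the old behaviour for the case where at->name was NULL, so there is no functional concern there. The remainder of getcanonname continues past the hunk.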