getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.
The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query. For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup. In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name. This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.
Fix this by copying h_name over and freeing it at the end. This
resolves BZ #30843, which is assigned CVE-2023-4806.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-16 01:51:12 +08:00
|
|
|
/* Test NSS query path for plugins that only implement gethostbyname2
|
|
|
|
(#30843).
|
|
|
|
Copyright The GNU Toolchain Authors.
|
|
|
|
This file is part of the GNU C Library.
|
|
|
|
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU Lesser General Public
|
|
|
|
License as published by the Free Software Foundation; either
|
|
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
|
|
License along with the GNU C Library; if not, see
|
|
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
|
|
|
|
#include <nss.h>
|
|
|
|
#include <netdb.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2023-09-25 08:21:51 +08:00
|
|
|
#include <mcheck.h>
|
getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.
The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query. For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup. In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name. This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.
Fix this by copying h_name over and freeing it at the end. This
resolves BZ #30843, which is assigned CVE-2023-4806.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-16 01:51:12 +08:00
|
|
|
#include <support/check.h>
|
|
|
|
#include <support/xstdio.h>
|
|
|
|
#include "nss/tst-nss-gai-hv2-canonname.h"
|
|
|
|
|
|
|
|
#define PREPARE do_prepare
|
|
|
|
|
|
|
|
static void do_prepare (int a, char **av)
|
|
|
|
{
|
|
|
|
FILE *hosts = xfopen ("/etc/hosts", "w");
|
|
|
|
for (unsigned i = 2; i < 255; i++)
|
|
|
|
{
|
|
|
|
fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
|
|
|
|
fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
|
|
|
|
}
|
|
|
|
xfclose (hosts);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
do_test (void)
|
|
|
|
{
|
2023-09-25 08:21:51 +08:00
|
|
|
mtrace ();
|
|
|
|
|
getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
When an NSS plugin only implements the _gethostbyname2_r and
_getcanonname_r callbacks, getaddrinfo could use memory that was freed
during tmpbuf resizing, through h_name in a previous query response.
The backing store for res->at->name when doing a query with
gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
gethosts during the query. For AF_INET6 lookup with AI_ALL |
AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
for a v4 lookup. In this case, if the first call reallocates tmpbuf
enough number of times, resulting in a malloc, th->h_name (that
res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
Now if the second call to gethosts also causes the plugin callback to
return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
reference in res->at->name. This then gets dereferenced in the
getcanonname_r plugin call, resulting in the use after free.
Fix this by copying h_name over and freeing it at the end. This
resolves BZ #30843, which is assigned CVE-2023-4806.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
2023-09-16 01:51:12 +08:00
|
|
|
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
|
|
|
|
|
|
|
|
struct addrinfo hints = {};
|
|
|
|
struct addrinfo *result = NULL;
|
|
|
|
|
|
|
|
hints.ai_family = AF_INET6;
|
|
|
|
hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
|
|
|
|
|
|
|
|
int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
|
|
|
|
|
|
|
|
if (ret != 0)
|
|
|
|
FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
|
|
|
|
|
|
|
|
TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
|
|
|
|
|
|
|
|
freeaddrinfo(result);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#include <support/test-driver.c>
|