[mickledore] glibc: Fix CVE-2023-5156

Message ID	20231003112955.3031051-1-Deepthi.Hemraj@windriver.com
State	New
Headers	show Return-Path: <Deepthi.Hemraj@windriver.com> ip: 205.220.178.238, mailfrom: prvs=86407c7a81=deepthi.hemraj@windriver.com) From: Deepthi.Hemraj@windriver.com To: openembedded-core@lists.openembedded.org Cc: Randy.MacLeod@windriver.com, Umesh.Kalappa@windriver.com, Naveen.Gowda@windriver.com, Shivaprasad.Moodalappa@windriver.com, Sundeep.Kokkonda@windriver.com, steve@sakoman.com Subject: [mickledore][PATCH] glibc: Fix CVE-2023-5156 Date: Tue, 3 Oct 2023 04:29:55 -0700 Message-Id: <20231003112955.3031051-1-Deepthi.Hemraj@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0
Series	[mickledore] glibc: Fix CVE-2023-5156 \| expand [mickledore] glibc: Fix CVE-2023-5156

Message ID

20231003112955.3031051-1-Deepthi.Hemraj@windriver.com

State

New

Headers

From: Deepthi.Hemraj@windriver.com
To: openembedded-core@lists.openembedded.org
Cc: Randy.MacLeod@windriver.com, Umesh.Kalappa@windriver.com,
        Naveen.Gowda@windriver.com, Shivaprasad.Moodalappa@windriver.com,
        Sundeep.Kokkonda@windriver.com, steve@sakoman.com
Subject: [mickledore][PATCH] glibc: Fix CVE-2023-5156
Date: Tue,  3 Oct 2023 04:29:55 -0700
Message-Id: <20231003112955.3031051-1-Deepthi.Hemraj@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 A+ogJ20uiExM3QZ/3ByMD7gG3OrvXR4YCp2epaKXBYUXWSkQrMIs37sBw3LKrpeRyBINvA8hyVo+NG5tM9sd4Ig7SKB4aerMOKNc5XX8d+NTL+IU/Qu3i3NXRvYR2sPJMQSjKir5IIvDqCiM6UFv2EopHikWsK8tdBLggUu5TO3f3T2tFXbgy+Rk9tb22kxXLs+vPmza5MTqSlEsPVWohczG1eJP7Z6kuHx8PQK/E3No9HsLvHG/vVLR5CFNDZVqB+DVoF9CwEuLIzo/W9S1iixUEH9eHAo5Rc4liqpCCfVEFpLoD0g5axe7kIUoVLRfJJz7CIYcgHAvB2fkc/DT8oLZx/mFeGEs9ah5JOGDJc9kaP9J53iNqH6d9zV8L1dzufjzem4ORzI2zVaua4sODZTOfh2ElnEcvYYLnV7HRMZL60W/+ohwvZ1HARIMZ/ZoUUHu2pMOl4w0sOIkITNGOGbgwuEGsXItFh5BdiiZ0bhYB2zwJ9IsNtOOQpob7j9cNy38WmDzbsijyEnifa6R5o+SFM8QLxTMeaf0svjEEPBaDLHPe9xA7ZdvQL9WmQGEewNx939tTqW4/sPm1pEGqDt9v/00n3UOgklyyQai7bFLUrL9cotenV8l80P1Ee8ECKJ2mslPQ8qs4MqKJZFLu9M3J8BioH79FylsiwJZbLLNnvLge+0DJlIXrwkGLG8xVbSHAaN4ASEpIkz9KY0T7ZJB6FLldEl/iVhMYxKE9HUpMTfks6PUR2WTYr+eBl4Aqh+EAzVspcfVAMqjVUjJXT++MI+QssuA1uE2RhX9vH4GWMBuHIUXpYxaZkGRlEkH9gAeofFvBIJxGXv/NAfOFe7ddEGSdqDBzSgILML0MXOcyLWJiLdeC8yVB5Tfbh2BMK3s1qBWVWlK5lzdlxfDW9RSKhhHi9Ih00NXreyZ8SlSfrcR1+Of617s5RRkA+6SpA6O4f79lyRctF9obQgMClRy1XntKLTo4iUO7O47BwLfUIoYdx5hDE6rGthka9zfY6TJd/6DrtWdbnK2jnWVhIbj8878eeUex/wPAZqoZRlS0OQXV1hHmt0U1XoxE9aYIvcBLKYFbh+2EkuQTwrQHBBj7o/s1aJ5+RExm4Cdy6Ip+3IF+tCE7+zPvsZ2L6hufRpJoSupdYLNGCrwNtax6VFA+HinYtOhi2fjcbAgV3sIibktzbk0YWkvzridOvd3oc0fAkRNFM9epD1TQJhgbIyZpn7PIHqQsemIaF0ZARtPFUbYvrbGWKiXkBASy7VURt5a1rTNIN2AsJi4/pO1e5wwJb5bjvwCix8gnuhQdX/7qXj5X/BWptO5asYhQd+LM8VMcCBc3MGkN3/EFggAmT5FR1idCb0784QB+234nNjyxHcVfE8Rjbdsu0ZArv4KEGJ3VHLPBrnbZC4hpe4M00RMxgJvNdXc0hohAs7bPs/RBt/5M2kD6fjoIEaF68L5a1K3HQ5aBcw1zGx5u0POXmMplUzyuSJqeqVxS9Ghsff/+pU5oNMDU11abeE23DqZCdGX/4UQddoUeD1Drzuea32ma3Bx05HnB3CTU33zzfWc1rZh13MnNQpVFydXeVruLI/74l/m7+/GToMq2TRo9Q==
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 76ad464d-e74f-4c56-7cc5-08dbc4041bcb
X-MS-Exchange-CrossTenant-AuthSource: PH7PR11MB6449.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Oct 2023 11:30:12.9878
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 I6jFOFi9r63l5fpS0leDuFxp1LofiECoMOV6FAcGJW+5oNR00f0WvyJR43iaMMyKJTVJdutw9A+dde4mPx3kfMieYK1C2rpB85hvPw5VuMY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR11MB7899
X-Proofpoint-GUID: OidiFp18J7Lj978O9qjNGlogk0O1Thr5
X-Proofpoint-ORIG-GUID: c6_H0Vd8meudn3tmyp9SFve4K-Iexe7O
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-10-03_08,2023-10-02_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 bulkscore=0 malwarescore=0
 lowpriorityscore=0 priorityscore=1501 phishscore=0 impostorscore=0
 spamscore=0 clxscore=1015 mlxlogscore=999 adultscore=0 mlxscore=0
 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2309180000 definitions=main-2310030082
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 03 Oct 2023 11:30:29 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/188633

Series

[mickledore] glibc: Fix CVE-2023-5156 | expand

Commit Message

Deepthi H Oct. 3, 2023, 11:29 a.m. UTC

From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>

Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
---
 .../glibc/glibc/0024-CVE-2023-5156-1.patch    | 329 ++++++++++++++++++
 .../glibc/glibc/0024-CVE-2023-5156-2.patch    |  93 +++++
 meta/recipes-core/glibc/glibc_2.37.bb         |   2 +
 3 files changed, 424 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch

Comments

Steve Sakoman Oct. 3, 2023, 6:08 p.m. UTC | #1

Unfortunately this patch doesn't apply (even after I edited for the
previous addition of glibc: fix CVE-2023-4806

ERROR: glibc-2.37-r1 do_patch: Applying patch
'0024-CVE-2023-5156-1.patch' on target directory
'/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git'
CmdError('quilt --quiltrc
/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc
push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch
patching file nss/Makefile
Hunk #1 FAILED at 82.
Hunk #2 FAILED at 145.
Hunk #3 FAILED at 180.
Hunk #4 FAILED at 195.
Hunk #5 FAILED at 215.
5 out of 5 hunks FAILED -- rejects in file nss/Makefile
The next patch would create the file nss/nss_test_gai_hv2_canonname.c,
which already exists!  Applying it anyway.
patching file nss/nss_test_gai_hv2_canonname.c
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c
The next patch would create the file nss/tst-nss-gai-hv2-canonname.c,
which already exists!  Applying it anyway.
patching file nss/tst-nss-gai-hv2-canonname.c
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c
The next patch would create the file nss/tst-nss-gai-hv2-canonname.h,
which already exists!  Applying it anyway.
patching file nss/tst-nss-gai-hv2-canonname.h
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h
The next patch would empty out the file
nss/tst-nss-gai-hv2-canonname.root/postclean.req,
which is already empty!  Applying it anyway.
patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req
The next patch would create the file
nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script,
which already exists!  Applying it anyway.
patching file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- rejects in file
nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
patching file sysdeps/posix/getaddrinfo.c
Hunk #1 FAILED at 120.
Hunk #2 FAILED at 165.
Hunk #3 FAILED at 203.
Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines).
Hunk #5 FAILED at 271.
Hunk #6 FAILED at 333.
Hunk #7 FAILED at 780.
6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c
Patch 0024-CVE-2023-5156-1.patch can be reverse-applied

Steve

On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote:
>
> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>
> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> ---
>  .../glibc/glibc/0024-CVE-2023-5156-1.patch    | 329 ++++++++++++++++++
>  .../glibc/glibc/0024-CVE-2023-5156-2.patch    |  93 +++++
>  meta/recipes-core/glibc/glibc_2.37.bb         |   2 +
>  3 files changed, 424 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
>  create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
>
> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
> new file mode 100644
> index 0000000000..65afaa446a
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
> @@ -0,0 +1,329 @@
> +From: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400)
> +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994
> +
> +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> +
> +When an NSS plugin only implements the _gethostbyname2_r and
> +_getcanonname_r callbacks, getaddrinfo could use memory that was freed
> +during tmpbuf resizing, through h_name in a previous query response.
> +
> +The backing store for res->at->name when doing a query with
> +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
> +gethosts during the query.  For AF_INET6 lookup with AI_ALL |
> +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
> +for a v4 lookup.  In this case, if the first call reallocates tmpbuf
> +enough number of times, resulting in a malloc, th->h_name (that
> +res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
> +Now if the second call to gethosts also causes the plugin callback to
> +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
> +reference in res->at->name.  This then gets dereferenced in the
> +getcanonname_r plugin call, resulting in the use after free.
> +
> +Fix this by copying h_name over and freeing it at the end.  This
> +resolves BZ #30843, which is assigned CVE-2023-4806.
> +
> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994]
> +
> +CVE: CVE-2023-5156
> +
> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> +
> +---
> +
> +diff --git a/nss/Makefile b/nss/Makefile
> +index 06fcdc450f..8a5126ecf3 100644
> +--- a/nss/Makefile
> ++++ b/nss/Makefile
> +@@ -82,6 +82,7 @@ tests-container := \
> +   tst-nss-test3 \
> +   tst-reload1 \
> +   tst-reload2 \
> ++  tst-nss-gai-hv2-canonname \
> + # tests-container
> +
> + # Tests which need libdl
> +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o    = $(filter-out .os,$(object-suffixes))
> + ifeq ($(build-static-nss),yes)
> + tests-static          += tst-nss-static
> + endif
> +-extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os
> ++extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os \
> ++                         nss_test_gai_hv2_canonname.os
> +
> + include ../Rules
> +
> +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
> + libof-nss_test1 = extramodules
> + libof-nss_test2 = extramodules
> + libof-nss_test_errno = extramodules
> ++libof-nss_test_gai_hv2_canonname = extramodules
> + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
> +       $(build-module)
> + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
> +       $(build-module)
> + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
> +       $(build-module)
> ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \
> ++  $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
> ++      $(build-module)
> + $(objpfx)nss_test2.os : nss_test1.c
> + # Use the nss_files suffix for these objects as well.
> + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so
> +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so
> + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
> +   $(objpfx)/libnss_test_errno.so
> +       $(make-link)
> ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
> ++  $(objpfx)/libnss_test_gai_hv2_canonname.so
> ++      $(make-link)
> + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
> +       $(objpfx)/libnss_test1.so$(libnss_files.so-version) \
> +       $(objpfx)/libnss_test2.so$(libnss_files.so-version) \
> +-      $(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
> ++      $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
> ++      $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
> +
> + ifeq (yes,$(have-thread-library))
> + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
> +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
> + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
> + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
> + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
> ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
> +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c
> +new file mode 100644
> +index 0000000000..4439c83c9f
> +--- /dev/null
> ++++ b/nss/nss_test_gai_hv2_canonname.c
> +@@ -0,0 +1,56 @@
> ++/* NSS service provider that only provides gethostbyname2_r.
> ++   Copyright The GNU Toolchain Authors.
> ++   This file is part of the GNU C Library.
> ++
> ++   The GNU C Library is free software; you can redistribute it and/or
> ++   modify it under the terms of the GNU Lesser General Public
> ++   License as published by the Free Software Foundation; either
> ++   version 2.1 of the License, or (at your option) any later version.
> ++
> ++   The GNU C Library is distributed in the hope that it will be useful,
> ++   but WITHOUT ANY WARRANTY; without even the implied warranty of
> ++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> ++   Lesser General Public License for more details.
> ++
> ++   You should have received a copy of the GNU Lesser General Public
> ++   License along with the GNU C Library; if not, see
> ++   <https://www.gnu.org/licenses/>.  */
> ++
> ++#include <nss.h>
> ++#include <stdlib.h>
> ++#include <string.h>
> ++#include "nss/tst-nss-gai-hv2-canonname.h"
> ++
> ++/* Catch misnamed and functions.  */
> ++#pragma GCC diagnostic error "-Wmissing-prototypes"
> ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname)
> ++
> ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
> ++                                                  struct hostent *, char *,
> ++                                                  size_t, int *, int *);
> ++
> ++enum nss_status
> ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
> ++                                            struct hostent *result,
> ++                                            char *buffer, size_t buflen,
> ++                                            int *errnop, int *herrnop)
> ++{
> ++  return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop,
> ++                                    herrnop);
> ++}
> ++
> ++enum nss_status
> ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer,
> ++                                          size_t buflen, char **result,
> ++                                          int *errnop, int *h_errnop)
> ++{
> ++  /* We expect QUERYNAME, which is a small enough string that it shouldn't fail
> ++     the test.  */
> ++  if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
> ++      || buflen < sizeof (QUERYNAME))
> ++    abort ();
> ++
> ++  strncpy (buffer, name, buflen);
> ++  *result = buffer;
> ++  return NSS_STATUS_SUCCESS;
> ++}
> +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
> +new file mode 100644
> +index 0000000000..d5f10c07d6
> +--- /dev/null
> ++++ b/nss/tst-nss-gai-hv2-canonname.c
> +@@ -0,0 +1,63 @@
> ++/* Test NSS query path for plugins that only implement gethostbyname2
> ++   (#30843).
> ++   Copyright The GNU Toolchain Authors.
> ++   This file is part of the GNU C Library.
> ++
> ++   The GNU C Library is free software; you can redistribute it and/or
> ++   modify it under the terms of the GNU Lesser General Public
> ++   License as published by the Free Software Foundation; either
> ++   version 2.1 of the License, or (at your option) any later version.
> ++
> ++   The GNU C Library is distributed in the hope that it will be useful,
> ++   but WITHOUT ANY WARRANTY; without even the implied warranty of
> ++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> ++   Lesser General Public License for more details.
> ++
> ++   You should have received a copy of the GNU Lesser General Public
> ++   License along with the GNU C Library; if not, see
> ++   <https://www.gnu.org/licenses/>.  */
> ++
> ++#include <nss.h>
> ++#include <netdb.h>
> ++#include <stdlib.h>
> ++#include <string.h>
> ++#include <support/check.h>
> ++#include <support/xstdio.h>
> ++#include "nss/tst-nss-gai-hv2-canonname.h"
> ++
> ++#define PREPARE do_prepare
> ++
> ++static void do_prepare (int a, char **av)
> ++{
> ++  FILE *hosts = xfopen ("/etc/hosts", "w");
> ++  for (unsigned i = 2; i < 255; i++)
> ++    {
> ++      fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
> ++      fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
> ++    }
> ++  xfclose (hosts);
> ++}
> ++
> ++static int
> ++do_test (void)
> ++{
> ++  __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
> ++
> ++  struct addrinfo hints = {};
> ++  struct addrinfo *result = NULL;
> ++
> ++  hints.ai_family = AF_INET6;
> ++  hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
> ++
> ++  int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
> ++
> ++  if (ret != 0)
> ++    FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
> ++
> ++  TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
> ++
> ++  freeaddrinfo(result);
> ++  return 0;
> ++}
> ++
> ++#include <support/test-driver.c>
> +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h
> +new file mode 100644
> +index 0000000000..14f2a9cb08
> +--- /dev/null
> ++++ b/nss/tst-nss-gai-hv2-canonname.h
> +@@ -0,0 +1 @@
> ++#define QUERYNAME "test.example.com"
> +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
> +new file mode 100644
> +index 0000000000..e69de29bb2
> +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> +new file mode 100644
> +index 0000000000..31848b4a28
> +--- /dev/null
> ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> +@@ -0,0 +1,2 @@
> ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2
> ++su
> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
> +index 6ae6744fe4..47f421fddf 100644
> +--- a/sysdeps/posix/getaddrinfo.c
> ++++ b/sysdeps/posix/getaddrinfo.c
> +@@ -120,6 +120,7 @@ struct gaih_result
> + {
> +   struct gaih_addrtuple *at;
> +   char *canon;
> ++  char *h_name;
> +   bool free_at;
> +   bool got_ipv6;
> + };
> +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res)
> +   if (res->free_at)
> +     free (res->at);
> +   free (res->canon);
> ++  free (res->h_name);
> +   memset (res, 0, sizeof (*res));
> + }
> +
> +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
> +   return 0;
> + }
> +
> +-/* Convert struct hostent to a list of struct gaih_addrtuple objects.  h_name
> +-   is not copied, and the struct hostent object must not be deallocated
> +-   prematurely.  The new addresses are appended to the tuple array in RES.  */
> ++/* Convert struct hostent to a list of struct gaih_addrtuple objects.  The new
> ++   addresses are appended to the tuple array in RES.  */
> + static bool
> + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> +                                  struct hostent *h, struct gaih_result *res)
> +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> +   res->at = array;
> +   res->free_at = true;
> +
> ++  /* Duplicate h_name because it may get reclaimed when the underlying storage
> ++     is freed.  */
> ++  if (res->h_name == NULL)
> ++    {
> ++      res->h_name = __strdup (h->h_name);
> ++      if (res->h_name == NULL)
> ++      return false;
> ++    }
> ++
> +   /* Update the next pointers on reallocation.  */
> +   for (size_t i = 0; i < old; i++)
> +     array[i].next = array + i + 1;
> +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> +       }
> +       array[i].next = array + i + 1;
> +     }
> +-  array[0].name = h->h_name;
> +   array[count - 1].next = NULL;
> +
> +   return true;
> +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name,
> +    memory allocation failure.  The returned string is allocated on the
> +    heap; the caller has to free it.  */
> + static char *
> +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name)
> ++getcanonname (nss_action_list nip, const char *hname, const char *name)
> + {
> +   nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r");
> +   char *s = (char *) name;
> +   if (cfct != NULL)
> +     {
> +       char buf[256];
> +-      if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
> +-                            &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
> ++      if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
> ++                            &h_errno)) != NSS_STATUS_SUCCESS)
> +       /* If the canonical name cannot be determined, use the passed
> +          string.  */
> +       s = (char *) name;
> +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req,
> +                 if ((req->ai_flags & AI_CANONNAME) != 0
> +                     && res->canon == NULL)
> +                   {
> +-                    char *canonbuf = getcanonname (nip, res->at, name);
> ++                    char *canonbuf = getcanonname (nip, res->h_name, name);
> +                     if (canonbuf == NULL)
> +                       {
> +                         __resolv_context_put (res_ctx);
> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
> new file mode 100644
> index 0000000000..507db5e13b
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
> @@ -0,0 +1,93 @@
> +From: Romain Geissler <romain.geissler@amadeus.com>
> +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100)
> +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796
> +
> +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
> +
> +This patch fixes a very recently added leak in getaddrinfo.
> +
> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> +
> +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796]
> +
> +CVE: CVE-2023-5156
> +
> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> +
> +---
> +
> +diff --git a/nss/Makefile b/nss/Makefile
> +index 8a5126ecf3..668ba34b18 100644
> +--- a/nss/Makefile
> ++++ b/nss/Makefile
> +@@ -149,6 +149,15 @@ endif
> + extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os \
> +                          nss_test_gai_hv2_canonname.os
> +
> ++ifeq ($(run-built-tests),yes)
> ++ifneq (no,$(PERL))
> ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
> ++endif
> ++endif
> ++
> ++generated += mtrace-tst-nss-gai-hv2-canonname.out \
> ++              tst-nss-gai-hv2-canonname.mtrace
> ++
> + include ../Rules
> +
> + ifeq (yes,$(have-selinux))
> +@@ -217,6 +226,17 @@ endif
> + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
> + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
> +
> ++tst-nss-gai-hv2-canonname-ENV = \
> ++              MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
> ++              LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
> ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
> ++  $(objpfx)tst-nss-gai-hv2-canonname.out
> ++      { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
> ++      || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
> ++      && $(common-objpfx)malloc/mtrace \
> ++      $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
> ++      $(evaluate-test)
> ++
> + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
> + # functions can load testing NSS modules via DT_RPATH.
> + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
> +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
> +index d5f10c07d6..7db53cf09d 100644
> +--- a/nss/tst-nss-gai-hv2-canonname.c
> ++++ b/nss/tst-nss-gai-hv2-canonname.c
> +@@ -21,6 +21,7 @@
> + #include <netdb.h>
> + #include <stdlib.h>
> + #include <string.h>
> ++#include <mcheck.h>
> + #include <support/check.h>
> + #include <support/xstdio.h>
> + #include "nss/tst-nss-gai-hv2-canonname.h"
> +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
> + static int
> + do_test (void)
> + {
> ++  mtrace ();
> ++
> +   __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
> +
> +   struct addrinfo hints = {};
> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
> +index 47f421fddf..531124958d 100644
> +--- a/sysdeps/posix/getaddrinfo.c
> ++++ b/sysdeps/posix/getaddrinfo.c
> +@@ -1196,9 +1196,7 @@ free_and_return:
> +   if (malloc_name)
> +     free ((char *) name);
> +   free (addrmem);
> +-  if (res.free_at)
> +-    free (res.at);
> +-  free (res.canon);
> ++  gaih_result_reset (&res);
> +
> +   return result;
> + }
> diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
> index caf454f368..b88bc5fc4f 100644
> --- a/meta/recipes-core/glibc/glibc_2.37.bb
> +++ b/meta/recipes-core/glibc/glibc_2.37.bb
> @@ -50,6 +50,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>             file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
>             file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
>             file://0023-CVE-2023-4527.patch \
> +           file://0024-CVE-2023-5156-1.patch \
> +           file://0024-CVE-2023-5156-2.patch \
>  "
>  S = "${WORKDIR}/git"
>  B = "${WORKDIR}/build-${TARGET_SYS}"
> --
> 2.39.0
>

Deepthi.Hemraj@eng.windriver.com Oct. 4, 2023, 9:37 a.m. UTC | #2

There are 2 files in the patch sent and the first patch(0024-CVE-2023-5156-1.patch) is the duplicate of https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806) ( https://lists.openembedded.org/g/openembedded-core/message/188490(CVE-2023-4806) ) which was sent to the mailing list.
Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second patch as a V2 ??

Steve Sakoman Oct. 4, 2023, 2:27 p.m. UTC | #3

> There are 2 files in the patch sent and the first patch(0024-CVE-2023-5156-1.patch) is the duplicate of
> https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806) which was sent to the mailing list.
> Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second patch as a V2 ??

Actually I'd prefer that you do an update to the latest head of
release/2.37/master since it includes the fixes for CVE-2023-4806,
CVE-2023-5156, and the newly announced CVE-2023-4911)

Is this something you can do quickly?  I'd like to fast track that fix.

Steve



On Tue, Oct 3, 2023 at 8:08 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> Unfortunately this patch doesn't apply (even after I edited for the
> previous addition of glibc: fix CVE-2023-4806
>
> ERROR: glibc-2.37-r1 do_patch: Applying patch
> '0024-CVE-2023-5156-1.patch' on target directory
> '/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git'
> CmdError('quilt --quiltrc
> /home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc
> push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch
> patching file nss/Makefile
> Hunk #1 FAILED at 82.
> Hunk #2 FAILED at 145.
> Hunk #3 FAILED at 180.
> Hunk #4 FAILED at 195.
> Hunk #5 FAILED at 215.
> 5 out of 5 hunks FAILED -- rejects in file nss/Makefile
> The next patch would create the file nss/nss_test_gai_hv2_canonname.c,
> which already exists!  Applying it anyway.
> patching file nss/nss_test_gai_hv2_canonname.c
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c
> The next patch would create the file nss/tst-nss-gai-hv2-canonname.c,
> which already exists!  Applying it anyway.
> patching file nss/tst-nss-gai-hv2-canonname.c
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c
> The next patch would create the file nss/tst-nss-gai-hv2-canonname.h,
> which already exists!  Applying it anyway.
> patching file nss/tst-nss-gai-hv2-canonname.h
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h
> The next patch would empty out the file
> nss/tst-nss-gai-hv2-canonname.root/postclean.req,
> which is already empty!  Applying it anyway.
> patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req
> The next patch would create the file
> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script,
> which already exists!  Applying it anyway.
> patching file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED -- rejects in file
> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> patching file sysdeps/posix/getaddrinfo.c
> Hunk #1 FAILED at 120.
> Hunk #2 FAILED at 165.
> Hunk #3 FAILED at 203.
> Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines).
> Hunk #5 FAILED at 271.
> Hunk #6 FAILED at 333.
> Hunk #7 FAILED at 780.
> 6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c
> Patch 0024-CVE-2023-5156-1.patch can be reverse-applied
>
> Steve
>
> On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote:
> >
> > From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> >
> > Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> > ---
> >  .../glibc/glibc/0024-CVE-2023-5156-1.patch    | 329 ++++++++++++++++++
> >  .../glibc/glibc/0024-CVE-2023-5156-2.patch    |  93 +++++
> >  meta/recipes-core/glibc/glibc_2.37.bb         |   2 +
> >  3 files changed, 424 insertions(+)
> >  create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
> >  create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
> >
> > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
> > new file mode 100644
> > index 0000000000..65afaa446a
> > --- /dev/null
> > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
> > @@ -0,0 +1,329 @@
> > +From: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400)
> > +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994
> > +
> > +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> > +
> > +When an NSS plugin only implements the _gethostbyname2_r and
> > +_getcanonname_r callbacks, getaddrinfo could use memory that was freed
> > +during tmpbuf resizing, through h_name in a previous query response.
> > +
> > +The backing store for res->at->name when doing a query with
> > +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
> > +gethosts during the query.  For AF_INET6 lookup with AI_ALL |
> > +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
> > +for a v4 lookup.  In this case, if the first call reallocates tmpbuf
> > +enough number of times, resulting in a malloc, th->h_name (that
> > +res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
> > +Now if the second call to gethosts also causes the plugin callback to
> > +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
> > +reference in res->at->name.  This then gets dereferenced in the
> > +getcanonname_r plugin call, resulting in the use after free.
> > +
> > +Fix this by copying h_name over and freeing it at the end.  This
> > +resolves BZ #30843, which is assigned CVE-2023-4806.
> > +
> > +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > +
> > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994]
> > +
> > +CVE: CVE-2023-5156
> > +
> > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> > +
> > +---
> > +
> > +diff --git a/nss/Makefile b/nss/Makefile
> > +index 06fcdc450f..8a5126ecf3 100644
> > +--- a/nss/Makefile
> > ++++ b/nss/Makefile
> > +@@ -82,6 +82,7 @@ tests-container := \
> > +   tst-nss-test3 \
> > +   tst-reload1 \
> > +   tst-reload2 \
> > ++  tst-nss-gai-hv2-canonname \
> > + # tests-container
> > +
> > + # Tests which need libdl
> > +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o    = $(filter-out .os,$(object-suffixes))
> > + ifeq ($(build-static-nss),yes)
> > + tests-static          += tst-nss-static
> > + endif
> > +-extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os
> > ++extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os \
> > ++                         nss_test_gai_hv2_canonname.os
> > +
> > + include ../Rules
> > +
> > +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
> > + libof-nss_test1 = extramodules
> > + libof-nss_test2 = extramodules
> > + libof-nss_test_errno = extramodules
> > ++libof-nss_test_gai_hv2_canonname = extramodules
> > + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
> > +       $(build-module)
> > + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
> > +       $(build-module)
> > + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
> > +       $(build-module)
> > ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \
> > ++  $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
> > ++      $(build-module)
> > + $(objpfx)nss_test2.os : nss_test1.c
> > + # Use the nss_files suffix for these objects as well.
> > + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so
> > +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so
> > + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
> > +   $(objpfx)/libnss_test_errno.so
> > +       $(make-link)
> > ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
> > ++  $(objpfx)/libnss_test_gai_hv2_canonname.so
> > ++      $(make-link)
> > + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
> > +       $(objpfx)/libnss_test1.so$(libnss_files.so-version) \
> > +       $(objpfx)/libnss_test2.so$(libnss_files.so-version) \
> > +-      $(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
> > ++      $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
> > ++      $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
> > +
> > + ifeq (yes,$(have-thread-library))
> > + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
> > +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
> > + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
> > + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
> > + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
> > ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
> > +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c
> > +new file mode 100644
> > +index 0000000000..4439c83c9f
> > +--- /dev/null
> > ++++ b/nss/nss_test_gai_hv2_canonname.c
> > +@@ -0,0 +1,56 @@
> > ++/* NSS service provider that only provides gethostbyname2_r.
> > ++   Copyright The GNU Toolchain Authors.
> > ++   This file is part of the GNU C Library.
> > ++
> > ++   The GNU C Library is free software; you can redistribute it and/or
> > ++   modify it under the terms of the GNU Lesser General Public
> > ++   License as published by the Free Software Foundation; either
> > ++   version 2.1 of the License, or (at your option) any later version.
> > ++
> > ++   The GNU C Library is distributed in the hope that it will be useful,
> > ++   but WITHOUT ANY WARRANTY; without even the implied warranty of
> > ++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> > ++   Lesser General Public License for more details.
> > ++
> > ++   You should have received a copy of the GNU Lesser General Public
> > ++   License along with the GNU C Library; if not, see
> > ++   <https://www.gnu.org/licenses/>.  */
> > ++
> > ++#include <nss.h>
> > ++#include <stdlib.h>
> > ++#include <string.h>
> > ++#include "nss/tst-nss-gai-hv2-canonname.h"
> > ++
> > ++/* Catch misnamed and functions.  */
> > ++#pragma GCC diagnostic error "-Wmissing-prototypes"
> > ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname)
> > ++
> > ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
> > ++                                                  struct hostent *, char *,
> > ++                                                  size_t, int *, int *);
> > ++
> > ++enum nss_status
> > ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
> > ++                                            struct hostent *result,
> > ++                                            char *buffer, size_t buflen,
> > ++                                            int *errnop, int *herrnop)
> > ++{
> > ++  return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop,
> > ++                                    herrnop);
> > ++}
> > ++
> > ++enum nss_status
> > ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer,
> > ++                                          size_t buflen, char **result,
> > ++                                          int *errnop, int *h_errnop)
> > ++{
> > ++  /* We expect QUERYNAME, which is a small enough string that it shouldn't fail
> > ++     the test.  */
> > ++  if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
> > ++      || buflen < sizeof (QUERYNAME))
> > ++    abort ();
> > ++
> > ++  strncpy (buffer, name, buflen);
> > ++  *result = buffer;
> > ++  return NSS_STATUS_SUCCESS;
> > ++}
> > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
> > +new file mode 100644
> > +index 0000000000..d5f10c07d6
> > +--- /dev/null
> > ++++ b/nss/tst-nss-gai-hv2-canonname.c
> > +@@ -0,0 +1,63 @@
> > ++/* Test NSS query path for plugins that only implement gethostbyname2
> > ++   (#30843).
> > ++   Copyright The GNU Toolchain Authors.
> > ++   This file is part of the GNU C Library.
> > ++
> > ++   The GNU C Library is free software; you can redistribute it and/or
> > ++   modify it under the terms of the GNU Lesser General Public
> > ++   License as published by the Free Software Foundation; either
> > ++   version 2.1 of the License, or (at your option) any later version.
> > ++
> > ++   The GNU C Library is distributed in the hope that it will be useful,
> > ++   but WITHOUT ANY WARRANTY; without even the implied warranty of
> > ++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> > ++   Lesser General Public License for more details.
> > ++
> > ++   You should have received a copy of the GNU Lesser General Public
> > ++   License along with the GNU C Library; if not, see
> > ++   <https://www.gnu.org/licenses/>.  */
> > ++
> > ++#include <nss.h>
> > ++#include <netdb.h>
> > ++#include <stdlib.h>
> > ++#include <string.h>
> > ++#include <support/check.h>
> > ++#include <support/xstdio.h>
> > ++#include "nss/tst-nss-gai-hv2-canonname.h"
> > ++
> > ++#define PREPARE do_prepare
> > ++
> > ++static void do_prepare (int a, char **av)
> > ++{
> > ++  FILE *hosts = xfopen ("/etc/hosts", "w");
> > ++  for (unsigned i = 2; i < 255; i++)
> > ++    {
> > ++      fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
> > ++      fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
> > ++    }
> > ++  xfclose (hosts);
> > ++}
> > ++
> > ++static int
> > ++do_test (void)
> > ++{
> > ++  __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
> > ++
> > ++  struct addrinfo hints = {};
> > ++  struct addrinfo *result = NULL;
> > ++
> > ++  hints.ai_family = AF_INET6;
> > ++  hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
> > ++
> > ++  int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
> > ++
> > ++  if (ret != 0)
> > ++    FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
> > ++
> > ++  TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
> > ++
> > ++  freeaddrinfo(result);
> > ++  return 0;
> > ++}
> > ++
> > ++#include <support/test-driver.c>
> > +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h
> > +new file mode 100644
> > +index 0000000000..14f2a9cb08
> > +--- /dev/null
> > ++++ b/nss/tst-nss-gai-hv2-canonname.h
> > +@@ -0,0 +1 @@
> > ++#define QUERYNAME "test.example.com"
> > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
> > +new file mode 100644
> > +index 0000000000..e69de29bb2
> > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> > +new file mode 100644
> > +index 0000000000..31848b4a28
> > +--- /dev/null
> > ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
> > +@@ -0,0 +1,2 @@
> > ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2
> > ++su
> > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
> > +index 6ae6744fe4..47f421fddf 100644
> > +--- a/sysdeps/posix/getaddrinfo.c
> > ++++ b/sysdeps/posix/getaddrinfo.c
> > +@@ -120,6 +120,7 @@ struct gaih_result
> > + {
> > +   struct gaih_addrtuple *at;
> > +   char *canon;
> > ++  char *h_name;
> > +   bool free_at;
> > +   bool got_ipv6;
> > + };
> > +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res)
> > +   if (res->free_at)
> > +     free (res->at);
> > +   free (res->canon);
> > ++  free (res->h_name);
> > +   memset (res, 0, sizeof (*res));
> > + }
> > +
> > +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
> > +   return 0;
> > + }
> > +
> > +-/* Convert struct hostent to a list of struct gaih_addrtuple objects.  h_name
> > +-   is not copied, and the struct hostent object must not be deallocated
> > +-   prematurely.  The new addresses are appended to the tuple array in RES.  */
> > ++/* Convert struct hostent to a list of struct gaih_addrtuple objects.  The new
> > ++   addresses are appended to the tuple array in RES.  */
> > + static bool
> > + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> > +                                  struct hostent *h, struct gaih_result *res)
> > +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> > +   res->at = array;
> > +   res->free_at = true;
> > +
> > ++  /* Duplicate h_name because it may get reclaimed when the underlying storage
> > ++     is freed.  */
> > ++  if (res->h_name == NULL)
> > ++    {
> > ++      res->h_name = __strdup (h->h_name);
> > ++      if (res->h_name == NULL)
> > ++      return false;
> > ++    }
> > ++
> > +   /* Update the next pointers on reallocation.  */
> > +   for (size_t i = 0; i < old; i++)
> > +     array[i].next = array + i + 1;
> > +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
> > +       }
> > +       array[i].next = array + i + 1;
> > +     }
> > +-  array[0].name = h->h_name;
> > +   array[count - 1].next = NULL;
> > +
> > +   return true;
> > +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name,
> > +    memory allocation failure.  The returned string is allocated on the
> > +    heap; the caller has to free it.  */
> > + static char *
> > +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name)
> > ++getcanonname (nss_action_list nip, const char *hname, const char *name)
> > + {
> > +   nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r");
> > +   char *s = (char *) name;
> > +   if (cfct != NULL)
> > +     {
> > +       char buf[256];
> > +-      if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
> > +-                            &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
> > ++      if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
> > ++                            &h_errno)) != NSS_STATUS_SUCCESS)
> > +       /* If the canonical name cannot be determined, use the passed
> > +          string.  */
> > +       s = (char *) name;
> > +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req,
> > +                 if ((req->ai_flags & AI_CANONNAME) != 0
> > +                     && res->canon == NULL)
> > +                   {
> > +-                    char *canonbuf = getcanonname (nip, res->at, name);
> > ++                    char *canonbuf = getcanonname (nip, res->h_name, name);
> > +                     if (canonbuf == NULL)
> > +                       {
> > +                         __resolv_context_put (res_ctx);
> > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
> > new file mode 100644
> > index 0000000000..507db5e13b
> > --- /dev/null
> > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
> > @@ -0,0 +1,93 @@
> > +From: Romain Geissler <romain.geissler@amadeus.com>
> > +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100)
> > +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
> > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796
> > +
> > +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
> > +
> > +This patch fixes a very recently added leak in getaddrinfo.
> > +
> > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > +
> > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796]
> > +
> > +CVE: CVE-2023-5156
> > +
> > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
> > +
> > +---
> > +
> > +diff --git a/nss/Makefile b/nss/Makefile
> > +index 8a5126ecf3..668ba34b18 100644
> > +--- a/nss/Makefile
> > ++++ b/nss/Makefile
> > +@@ -149,6 +149,15 @@ endif
> > + extra-test-objs               += nss_test1.os nss_test2.os nss_test_errno.os \
> > +                          nss_test_gai_hv2_canonname.os
> > +
> > ++ifeq ($(run-built-tests),yes)
> > ++ifneq (no,$(PERL))
> > ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
> > ++endif
> > ++endif
> > ++
> > ++generated += mtrace-tst-nss-gai-hv2-canonname.out \
> > ++              tst-nss-gai-hv2-canonname.mtrace
> > ++
> > + include ../Rules
> > +
> > + ifeq (yes,$(have-selinux))
> > +@@ -217,6 +226,17 @@ endif
> > + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
> > + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
> > +
> > ++tst-nss-gai-hv2-canonname-ENV = \
> > ++              MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
> > ++              LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
> > ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
> > ++  $(objpfx)tst-nss-gai-hv2-canonname.out
> > ++      { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
> > ++      || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
> > ++      && $(common-objpfx)malloc/mtrace \
> > ++      $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
> > ++      $(evaluate-test)
> > ++
> > + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
> > + # functions can load testing NSS modules via DT_RPATH.
> > + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
> > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
> > +index d5f10c07d6..7db53cf09d 100644
> > +--- a/nss/tst-nss-gai-hv2-canonname.c
> > ++++ b/nss/tst-nss-gai-hv2-canonname.c
> > +@@ -21,6 +21,7 @@
> > + #include <netdb.h>
> > + #include <stdlib.h>
> > + #include <string.h>
> > ++#include <mcheck.h>
> > + #include <support/check.h>
> > + #include <support/xstdio.h>
> > + #include "nss/tst-nss-gai-hv2-canonname.h"
> > +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
> > + static int
> > + do_test (void)
> > + {
> > ++  mtrace ();
> > ++
> > +   __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
> > +
> > +   struct addrinfo hints = {};
> > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
> > +index 47f421fddf..531124958d 100644
> > +--- a/sysdeps/posix/getaddrinfo.c
> > ++++ b/sysdeps/posix/getaddrinfo.c
> > +@@ -1196,9 +1196,7 @@ free_and_return:
> > +   if (malloc_name)
> > +     free ((char *) name);
> > +   free (addrmem);
> > +-  if (res.free_at)
> > +-    free (res.at);
> > +-  free (res.canon);
> > ++  gaih_result_reset (&res);
> > +
> > +   return result;
> > + }
> > diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
> > index caf454f368..b88bc5fc4f 100644
> > --- a/meta/recipes-core/glibc/glibc_2.37.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.37.bb
> > @@ -50,6 +50,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> >             file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
> >             file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
> >             file://0023-CVE-2023-4527.patch \
> > +           file://0024-CVE-2023-5156-1.patch \
> > +           file://0024-CVE-2023-5156-2.patch \
> >  "
> >  S = "${WORKDIR}/git"
> >  B = "${WORKDIR}/build-${TARGET_SYS}"
> > --
> > 2.39.0
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#188648): https://lists.openembedded.org/g/openembedded-core/message/188648
> Mute This Topic: https://lists.openembedded.org/mt/101731788/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Yash Shinde Oct. 5, 2023, 11:10 a.m. UTC | #4

On Wed, Oct 4, 2023 at 07:57 PM, Steve Sakoman wrote:

> 
> 
>> There are 2 files in the patch sent and the first
>> patch(0024-CVE-2023-5156-1.patch) is the duplicate of
>> https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806)
>> which was sent to the mailing list.
>> Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second
>> patch as a V2 ??
> 
> Actually I'd prefer that you do an update to the latest head of
> release/2.37/master since it includes the fixes for CVE-2023-4806,
> CVE-2023-5156, and the newly announced CVE-2023-4911)
> 
> Is this something you can do quickly? I'd like to fast track that fix.
> 
> Steve

The glibc updates to the latest head of release/2.37/master are sent here, https://lists.openembedded.org/g/openembedded-core/message/188717

Regards,

Yash.

> 
> 
> On Tue, Oct 3, 2023 at 8:08 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> 
>> Unfortunately this patch doesn't apply (even after I edited for the
>> previous addition of glibc: fix CVE-2023-4806
>> 
>> ERROR: glibc-2.37-r1 do_patch: Applying patch
>> '0024-CVE-2023-5156-1.patch' on target directory
>> '/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git'
>> 
>> CmdError('quilt --quiltrc
>> /home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc
>> 
>> push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch
>> patching file nss/Makefile
>> Hunk #1 FAILED at 82.
>> Hunk #2 FAILED at 145.
>> Hunk #3 FAILED at 180.
>> Hunk #4 FAILED at 195.
>> Hunk #5 FAILED at 215.
>> 5 out of 5 hunks FAILED -- rejects in file nss/Makefile
>> The next patch would create the file nss/nss_test_gai_hv2_canonname.c,
>> which already exists! Applying it anyway.
>> patching file nss/nss_test_gai_hv2_canonname.c
>> Hunk #1 FAILED at 1.
>> 1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c
>> 
>> The next patch would create the file nss/tst-nss-gai-hv2-canonname.c,
>> which already exists! Applying it anyway.
>> patching file nss/tst-nss-gai-hv2-canonname.c
>> Hunk #1 FAILED at 1.
>> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c
>> The next patch would create the file nss/tst-nss-gai-hv2-canonname.h,
>> which already exists! Applying it anyway.
>> patching file nss/tst-nss-gai-hv2-canonname.h
>> Hunk #1 FAILED at 1.
>> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h
>> The next patch would empty out the file
>> nss/tst-nss-gai-hv2-canonname.root/postclean.req,
>> which is already empty! Applying it anyway.
>> patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req
>> The next patch would create the file
>> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script,
>> which already exists! Applying it anyway.
>> patching file
>> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
>> Hunk #1 FAILED at 1.
>> 1 out of 1 hunk FAILED -- rejects in file
>> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
>> patching file sysdeps/posix/getaddrinfo.c
>> Hunk #1 FAILED at 120.
>> Hunk #2 FAILED at 165.
>> Hunk #3 FAILED at 203.
>> Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines).
>> Hunk #5 FAILED at 271.
>> Hunk #6 FAILED at 333.
>> Hunk #7 FAILED at 780.
>> 6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c
>> Patch 0024-CVE-2023-5156-1.patch can be reverse-applied
>> 
>> Steve
>> 
>> On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote:
>> 
>>> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>>> 
>>> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>>> ---
>>> .../glibc/glibc/0024-CVE-2023-5156-1.patch | 329 ++++++++++++++++++
>>> .../glibc/glibc/0024-CVE-2023-5156-2.patch | 93 +++++
>>> meta/recipes-core/glibc/glibc_2.37.bb | 2 +
>>> 3 files changed, 424 insertions(+)
>>> create mode 100644
>>> meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
>>> create mode 100644
>>> meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
>>> 
>>> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
>>> b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
>>> new file mode 100644
>>> index 0000000000..65afaa446a
>>> --- /dev/null
>>> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
>>> @@ -0,0 +1,329 @@
>>> +From: Siddhesh Poyarekar <siddhesh@sourceware.org>
>>> +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400)
>>> +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
>>> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994
>>> 
>>> +
>>> +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
>>> +
>>> +When an NSS plugin only implements the _gethostbyname2_r and
>>> +_getcanonname_r callbacks, getaddrinfo could use memory that was freed
>>> +during tmpbuf resizing, through h_name in a previous query response.
>>> +
>>> +The backing store for res->at->name when doing a query with
>>> +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
>>> +gethosts during the query. For AF_INET6 lookup with AI_ALL |
>>> +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
>>> +for a v4 lookup. In this case, if the first call reallocates tmpbuf
>>> +enough number of times, resulting in a malloc, th->h_name (that
>>> +res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
>>> +Now if the second call to gethosts also causes the plugin callback to
>>> +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
>>> +reference in res->at->name. This then gets dereferenced in the
>>> +getcanonname_r plugin call, resulting in the use after free.
>>> +
>>> +Fix this by copying h_name over and freeing it at the end. This
>>> +resolves BZ #30843, which is assigned CVE-2023-4806.
>>> +
>>> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
>>> +
>>> +Upstream-Status: Backport [ https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994
>>> ]
>>> +
>>> +CVE: CVE-2023-5156
>>> +
>>> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>>> +
>>> +---
>>> +
>>> +diff --git a/nss/Makefile b/nss/Makefile
>>> +index 06fcdc450f..8a5126ecf3 100644
>>> +--- a/nss/Makefile
>>> ++++ b/nss/Makefile
>>> +@@ -82,6 +82,7 @@ tests-container := \
>>> + tst-nss-test3 \
>>> + tst-reload1 \
>>> + tst-reload2 \
>>> ++ tst-nss-gai-hv2-canonname \
>>> + # tests-container
>>> +
>>> + # Tests which need libdl
>>> +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out
>>> .os,$(object-suffixes))
>>> + ifeq ($(build-static-nss),yes)
>>> + tests-static += tst-nss-static
>>> + endif
>>> +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os
>>> ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
>>> ++ nss_test_gai_hv2_canonname.os
>>> +
>>> + include ../Rules
>>> +
>>> +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS +=
>>> -Wl,--dynamic-list=nss_test.ver
>>> + libof-nss_test1 = extramodules
>>> + libof-nss_test2 = extramodules
>>> + libof-nss_test_errno = extramodules
>>> ++libof-nss_test_gai_hv2_canonname = extramodules
>>> + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
>>> + $(build-module)
>>> + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
>>> + $(build-module)
>>> + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os
>>> $(link-libc-deps)
>>> + $(build-module)
>>> ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \
>>> ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
>>> ++ $(build-module)
>>> + $(objpfx)nss_test2.os : nss_test1.c
>>> + # Use the nss_files suffix for these objects as well.
>>> + $(objpfx)/libnss_test1.so$(libnss_files.so-version):
>>> $(objpfx)/libnss_test1.so
>>> +@@ -195,10 +201,14 @@
>>> $(objpfx)/libnss_test2.so$(libnss_files.so-version):
>>> $(objpfx)/libnss_test2.so
>>> + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
>>> + $(objpfx)/libnss_test_errno.so
>>> + $(make-link)
>>> ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
>>> ++ $(objpfx)/libnss_test_gai_hv2_canonname.so
>>> ++ $(make-link)
>>> + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
>>> + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \
>>> + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \
>>> +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
>>> ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
>>> ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
>>> +
>>> + ifeq (yes,$(have-thread-library))
>>> + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
>>> +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
>>> + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
>>> + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
>>> + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
>>> ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
>>> +diff --git a/nss/nss_test_gai_hv2_canonname.c
>>> b/nss/nss_test_gai_hv2_canonname.c
>>> +new file mode 100644
>>> +index 0000000000..4439c83c9f
>>> +--- /dev/null
>>> ++++ b/nss/nss_test_gai_hv2_canonname.c
>>> +@@ -0,0 +1,56 @@
>>> ++/* NSS service provider that only provides gethostbyname2_r.
>>> ++ Copyright The GNU Toolchain Authors.
>>> ++ This file is part of the GNU C Library.
>>> ++
>>> ++ The GNU C Library is free software; you can redistribute it and/or
>>> ++ modify it under the terms of the GNU Lesser General Public
>>> ++ License as published by the Free Software Foundation; either
>>> ++ version 2.1 of the License, or (at your option) any later version.
>>> ++
>>> ++ The GNU C Library is distributed in the hope that it will be useful,
>>> ++ but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>>> ++ Lesser General Public License for more details.
>>> ++
>>> ++ You should have received a copy of the GNU Lesser General Public
>>> ++ License along with the GNU C Library; if not, see
>>> ++ < https://www.gnu.org/licenses/ >. */
>>> ++
>>> ++#include <nss.h>
>>> ++#include <stdlib.h>
>>> ++#include <string.h>
>>> ++#include "nss/tst-nss-gai-hv2-canonname.h"
>>> ++
>>> ++/* Catch misnamed and functions. */
>>> ++#pragma GCC diagnostic error "-Wmissing-prototypes"
>>> ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname)
>>> ++
>>> ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
>>> ++ struct hostent *, char *,
>>> ++ size_t, int *, int *);
>>> ++
>>> ++enum nss_status
>>> ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
>>> ++ struct hostent *result,
>>> ++ char *buffer, size_t buflen,
>>> ++ int *errnop, int *herrnop)
>>> ++{
>>> ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen,
>>> errnop,
>>> ++ herrnop);
>>> ++}
>>> ++
>>> ++enum nss_status
>>> ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char
>>> *buffer,
>>> ++ size_t buflen, char **result,
>>> ++ int *errnop, int *h_errnop)
>>> ++{
>>> ++ /* We expect QUERYNAME, which is a small enough string that it
>>> shouldn't fail
>>> ++ the test. */
>>> ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
>>> ++ || buflen < sizeof (QUERYNAME))
>>> ++ abort ();
>>> ++
>>> ++ strncpy (buffer, name, buflen);
>>> ++ *result = buffer;
>>> ++ return NSS_STATUS_SUCCESS;
>>> ++}
>>> +diff --git a/nss/tst-nss-gai-hv2-canonname.c
>>> b/nss/tst-nss-gai-hv2-canonname.c
>>> +new file mode 100644
>>> +index 0000000000..d5f10c07d6
>>> +--- /dev/null
>>> ++++ b/nss/tst-nss-gai-hv2-canonname.c
>>> +@@ -0,0 +1,63 @@
>>> ++/* Test NSS query path for plugins that only implement gethostbyname2
>>> ++ (#30843).
>>> ++ Copyright The GNU Toolchain Authors.
>>> ++ This file is part of the GNU C Library.
>>> ++
>>> ++ The GNU C Library is free software; you can redistribute it and/or
>>> ++ modify it under the terms of the GNU Lesser General Public
>>> ++ License as published by the Free Software Foundation; either
>>> ++ version 2.1 of the License, or (at your option) any later version.
>>> ++
>>> ++ The GNU C Library is distributed in the hope that it will be useful,
>>> ++ but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>>> ++ Lesser General Public License for more details.
>>> ++
>>> ++ You should have received a copy of the GNU Lesser General Public
>>> ++ License along with the GNU C Library; if not, see
>>> ++ < https://www.gnu.org/licenses/ >. */
>>> ++
>>> ++#include <nss.h>
>>> ++#include <netdb.h>
>>> ++#include <stdlib.h>
>>> ++#include <string.h>
>>> ++#include <support/check.h>
>>> ++#include <support/xstdio.h>
>>> ++#include "nss/tst-nss-gai-hv2-canonname.h"
>>> ++
>>> ++#define PREPARE do_prepare
>>> ++
>>> ++static void do_prepare (int a, char **av)
>>> ++{
>>> ++ FILE *hosts = xfopen ("/etc/hosts", "w");
>>> ++ for (unsigned i = 2; i < 255; i++)
>>> ++ {
>>> ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
>>> ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
>>> ++ }
>>> ++ xfclose (hosts);
>>> ++}
>>> ++
>>> ++static int
>>> ++do_test (void)
>>> ++{
>>> ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
>>> ++
>>> ++ struct addrinfo hints = {};
>>> ++ struct addrinfo *result = NULL;
>>> ++
>>> ++ hints.ai_family = AF_INET6;
>>> ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
>>> ++
>>> ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
>>> ++
>>> ++ if (ret != 0)
>>> ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
>>> ++
>>> ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
>>> ++
>>> ++ freeaddrinfo(result);
>>> ++ return 0;
>>> ++}
>>> ++
>>> ++#include <support/test-driver.c>
>>> +diff --git a/nss/tst-nss-gai-hv2-canonname.h
>>> b/nss/tst-nss-gai-hv2-canonname.h
>>> +new file mode 100644
>>> +index 0000000000..14f2a9cb08
>>> +--- /dev/null
>>> ++++ b/nss/tst-nss-gai-hv2-canonname.h
>>> +@@ -0,0 +1 @@
>>> ++#define QUERYNAME "test.example.com"
>>> +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req
>>> b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
>>> +new file mode 100644
>>> +index 0000000000..e69de29bb2
>>> +diff --git
>>> a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
>>> b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
>>> +new file mode 100644
>>> +index 0000000000..31848b4a28
>>> +--- /dev/null
>>> ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
>>> 
>>> +@@ -0,0 +1,2 @@
>>> ++cp $B/nss/libnss_test_gai_hv2_canonname.so
>>> $L/libnss_test_gai_hv2_canonname.so.2
>>> ++su
>>> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
>>> +index 6ae6744fe4..47f421fddf 100644
>>> +--- a/sysdeps/posix/getaddrinfo.c
>>> ++++ b/sysdeps/posix/getaddrinfo.c
>>> +@@ -120,6 +120,7 @@ struct gaih_result
>>> + {
>>> + struct gaih_addrtuple *at;
>>> + char *canon;
>>> ++ char *h_name;
>>> + bool free_at;
>>> + bool got_ipv6;
>>> + };
>>> +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res)
>>> + if (res->free_at)
>>> + free (res->at);
>>> + free (res->canon);
>>> ++ free (res->h_name);
>>> + memset (res, 0, sizeof (*res));
>>> + }
>>> +
>>> +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct
>>> gaih_typeproto *tp,
>>> + return 0;
>>> + }
>>> +
>>> +-/* Convert struct hostent to a list of struct gaih_addrtuple objects.
>>> h_name
>>> +- is not copied, and the struct hostent object must not be deallocated
>>> +- prematurely. The new addresses are appended to the tuple array in RES.
>>> */
>>> ++/* Convert struct hostent to a list of struct gaih_addrtuple objects.
>>> The new
>>> ++ addresses are appended to the tuple array in RES. */
>>> + static bool
>>> + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int
>>> family,
>>> + struct hostent *h, struct gaih_result *res)
>>> +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct
>>> addrinfo *req, int family,
>>> + res->at = array;
>>> + res->free_at = true;
>>> +
>>> ++ /* Duplicate h_name because it may get reclaimed when the underlying
>>> storage
>>> ++ is freed. */
>>> ++ if (res->h_name == NULL)
>>> ++ {
>>> ++ res->h_name = __strdup (h->h_name);
>>> ++ if (res->h_name == NULL)
>>> ++ return false;
>>> ++ }
>>> ++
>>> + /* Update the next pointers on reallocation. */
>>> + for (size_t i = 0; i < old; i++)
>>> + array[i].next = array + i + 1;
>>> +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct
>>> addrinfo *req, int family,
>>> + }
>>> + array[i].next = array + i + 1;
>>> + }
>>> +- array[0].name = h->h_name;
>>> + array[count - 1].next = NULL;
>>> +
>>> + return true;
>>> +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family,
>>> const char *name,
>>> + memory allocation failure. The returned string is allocated on the
>>> + heap; the caller has to free it. */
>>> + static char *
>>> +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char
>>> *name)
>>> ++getcanonname (nss_action_list nip, const char *hname, const char *name)
>>> + {
>>> + nss_getcanonname_r *cfct = __nss_lookup_function (nip,
>>> "getcanonname_r");
>>> + char *s = (char *) name;
>>> + if (cfct != NULL)
>>> + {
>>> + char buf[256];
>>> +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
>>> +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
>>> ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
>>> ++ &h_errno)) != NSS_STATUS_SUCCESS)
>>> + /* If the canonical name cannot be determined, use the passed
>>> + string. */
>>> + s = (char *) name;
>>> +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct
>>> addrinfo *req,
>>> + if ((req->ai_flags & AI_CANONNAME) != 0
>>> + && res->canon == NULL)
>>> + {
>>> +- char *canonbuf = getcanonname (nip, res->at, name);
>>> ++ char *canonbuf = getcanonname (nip, res->h_name, name);
>>> + if (canonbuf == NULL)
>>> + {
>>> + __resolv_context_put (res_ctx);
>>> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
>>> b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
>>> new file mode 100644
>>> index 0000000000..507db5e13b
>>> --- /dev/null
>>> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
>>> @@ -0,0 +1,93 @@
>>> +From: Romain Geissler <romain.geissler@amadeus.com>
>>> +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100)
>>> +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806
>>> [BZ #30843]
>>> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796
>>> 
>>> +
>>> +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ
>>> #30843]
>>> +
>>> +This patch fixes a very recently added leak in getaddrinfo.
>>> +
>>> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
>>> +
>>> +Upstream-Status: Backport [ https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796
>>> ]
>>> +
>>> +CVE: CVE-2023-5156
>>> +
>>> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
>>> +
>>> +---
>>> +
>>> +diff --git a/nss/Makefile b/nss/Makefile
>>> +index 8a5126ecf3..668ba34b18 100644
>>> +--- a/nss/Makefile
>>> ++++ b/nss/Makefile
>>> +@@ -149,6 +149,15 @@ endif
>>> + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
>>> + nss_test_gai_hv2_canonname.os
>>> +
>>> ++ifeq ($(run-built-tests),yes)
>>> ++ifneq (no,$(PERL))
>>> ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
>>> ++endif
>>> ++endif
>>> ++
>>> ++generated += mtrace-tst-nss-gai-hv2-canonname.out \
>>> ++ tst-nss-gai-hv2-canonname.mtrace
>>> ++
>>> + include ../Rules
>>> +
>>> + ifeq (yes,$(have-selinux))
>>> +@@ -217,6 +226,17 @@ endif
>>> + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
>>> + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
>>> +
>>> ++tst-nss-gai-hv2-canonname-ENV = \
>>> ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
>>> ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
>>> ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
>>> ++ $(objpfx)tst-nss-gai-hv2-canonname.out
>>> ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
>>> ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; )
>>> \
>>> ++ && $(common-objpfx)malloc/mtrace \
>>> ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
>>> ++ $(evaluate-test)
>>> ++
>>> + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
>>> + # functions can load testing NSS modules via DT_RPATH.
>>> + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
>>> +diff --git a/nss/tst-nss-gai-hv2-canonname.c
>>> b/nss/tst-nss-gai-hv2-canonname.c
>>> +index d5f10c07d6..7db53cf09d 100644
>>> +--- a/nss/tst-nss-gai-hv2-canonname.c
>>> ++++ b/nss/tst-nss-gai-hv2-canonname.c
>>> +@@ -21,6 +21,7 @@
>>> + #include <netdb.h>
>>> + #include <stdlib.h>
>>> + #include <string.h>
>>> ++#include <mcheck.h>
>>> + #include <support/check.h>
>>> + #include <support/xstdio.h>
>>> + #include "nss/tst-nss-gai-hv2-canonname.h"
>>> +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
>>> + static int
>>> + do_test (void)
>>> + {
>>> ++ mtrace ();
>>> ++
>>> + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
>>> +
>>> + struct addrinfo hints = {};
>>> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
>>> +index 47f421fddf..531124958d 100644
>>> +--- a/sysdeps/posix/getaddrinfo.c
>>> ++++ b/sysdeps/posix/getaddrinfo.c
>>> +@@ -1196,9 +1196,7 @@ free_and_return:
>>> + if (malloc_name)
>>> + free ((char *) name);
>>> + free (addrmem);
>>> +- if (res.free_at)
>>> +- free (res.at);
>>> +- free (res.canon);
>>> ++ gaih_result_reset (&res);
>>> +
>>> + return result;
>>> + }
>>> diff --git a/meta/recipes-core/glibc/glibc_2.37.bb
>>> b/meta/recipes-core/glibc/glibc_2.37.bb
>>> index caf454f368..b88bc5fc4f 100644
>>> --- a/meta/recipes-core/glibc/glibc_2.37.bb
>>> +++ b/meta/recipes-core/glibc/glibc_2.37.bb
>>> @@ -50,6 +50,8 @@ SRC_URI =
>>> "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
>>> file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
>>> file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
>>> file://0023-CVE-2023-4527.patch \
>>> + file://0024-CVE-2023-5156-1.patch \
>>> + file://0024-CVE-2023-5156-2.patch \
>>> "
>>> S = "${WORKDIR}/git"
>>> B = "${WORKDIR}/build-${TARGET_SYS}"
>>> --
>>> 2.39.0
>> 
>> 
> 
>

diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
new file mode 100644
index 0000000000..65afaa446a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch
@@ -0,0 +1,329 @@ 
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400)
+Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
+X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994
+
+getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
+
+When an NSS plugin only implements the _gethostbyname2_r and
+_getcanonname_r callbacks, getaddrinfo could use memory that was freed
+during tmpbuf resizing, through h_name in a previous query response.
+
+The backing store for res->at->name when doing a query with
+gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
+gethosts during the query.  For AF_INET6 lookup with AI_ALL |
+AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
+for a v4 lookup.  In this case, if the first call reallocates tmpbuf
+enough number of times, resulting in a malloc, th->h_name (that
+res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
+Now if the second call to gethosts also causes the plugin callback to
+return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
+reference in res->at->name.  This then gets dereferenced in the
+getcanonname_r plugin call, resulting in the use after free.
+
+Fix this by copying h_name over and freeing it at the end.  This
+resolves BZ #30843, which is assigned CVE-2023-4806.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994]
+
+CVE: CVE-2023-5156
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/nss/Makefile b/nss/Makefile
+index 06fcdc450f..8a5126ecf3 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -82,6 +82,7 @@ tests-container := \
+   tst-nss-test3 \
+   tst-reload1 \
+   tst-reload2 \
++  tst-nss-gai-hv2-canonname \
+ # tests-container
+
+ # Tests which need libdl
+@@ -145,7 +146,8 @@ libnss_compat-inhibit-o	= $(filter-out .os,$(object-suffixes))
+ ifeq ($(build-static-nss),yes)
+ tests-static		+= tst-nss-static
+ endif
+-extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os
++extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os \
++			   nss_test_gai_hv2_canonname.os
+
+ include ../Rules
+
+@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver
+ libof-nss_test1 = extramodules
+ libof-nss_test2 = extramodules
+ libof-nss_test_errno = extramodules
++libof-nss_test_gai_hv2_canonname = extramodules
+ $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps)
+ 	$(build-module)
+ $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps)
+ 	$(build-module)
+ $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps)
+ 	$(build-module)
++$(objpfx)/libnss_test_gai_hv2_canonname.so: \
++  $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps)
++	$(build-module)
+ $(objpfx)nss_test2.os : nss_test1.c
+ # Use the nss_files suffix for these objects as well.
+ $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so
+@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so
+ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \
+   $(objpfx)/libnss_test_errno.so
+ 	$(make-link)
++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \
++  $(objpfx)/libnss_test_gai_hv2_canonname.so
++	$(make-link)
+ $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \
+ 	$(objpfx)/libnss_test1.so$(libnss_files.so-version) \
+ 	$(objpfx)/libnss_test2.so$(libnss_files.so-version) \
+-	$(objpfx)/libnss_test_errno.so$(libnss_files.so-version)
++	$(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \
++	$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version)
+
+ ifeq (yes,$(have-thread-library))
+ $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library)
+@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags
+ LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags
+ LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags
+ LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags
++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags
+diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c
+new file mode 100644
+index 0000000000..4439c83c9f
+--- /dev/null
++++ b/nss/nss_test_gai_hv2_canonname.c
+@@ -0,0 +1,56 @@
++/* NSS service provider that only provides gethostbyname2_r.
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <nss.h>
++#include <stdlib.h>
++#include <string.h>
++#include "nss/tst-nss-gai-hv2-canonname.h"
++
++/* Catch misnamed and functions.  */
++#pragma GCC diagnostic error "-Wmissing-prototypes"
++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname)
++
++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int,
++						    struct hostent *, char *,
++						    size_t, int *, int *);
++
++enum nss_status
++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af,
++					      struct hostent *result,
++					      char *buffer, size_t buflen,
++					      int *errnop, int *herrnop)
++{
++  return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop,
++				      herrnop);
++}
++
++enum nss_status
++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer,
++					    size_t buflen, char **result,
++					    int *errnop, int *h_errnop)
++{
++  /* We expect QUERYNAME, which is a small enough string that it shouldn't fail
++     the test.  */
++  if (memcmp (QUERYNAME, name, sizeof (QUERYNAME))
++      || buflen < sizeof (QUERYNAME))
++    abort ();
++
++  strncpy (buffer, name, buflen);
++  *result = buffer;
++  return NSS_STATUS_SUCCESS;
++}
+diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
+new file mode 100644
+index 0000000000..d5f10c07d6
+--- /dev/null
++++ b/nss/tst-nss-gai-hv2-canonname.c
+@@ -0,0 +1,63 @@
++/* Test NSS query path for plugins that only implement gethostbyname2
++   (#30843).
++   Copyright The GNU Toolchain Authors.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <nss.h>
++#include <netdb.h>
++#include <stdlib.h>
++#include <string.h>
++#include <support/check.h>
++#include <support/xstdio.h>
++#include "nss/tst-nss-gai-hv2-canonname.h"
++
++#define PREPARE do_prepare
++
++static void do_prepare (int a, char **av)
++{
++  FILE *hosts = xfopen ("/etc/hosts", "w");
++  for (unsigned i = 2; i < 255; i++)
++    {
++      fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i);
++      fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i);
++    }
++  xfclose (hosts);
++}
++
++static int
++do_test (void)
++{
++  __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
++
++  struct addrinfo hints = {};
++  struct addrinfo *result = NULL;
++
++  hints.ai_family = AF_INET6;
++  hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME;
++
++  int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result);
++
++  if (ret != 0)
++    FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret));
++
++  TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME);
++
++  freeaddrinfo(result);
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h
+new file mode 100644
+index 0000000000..14f2a9cb08
+--- /dev/null
++++ b/nss/tst-nss-gai-hv2-canonname.h
+@@ -0,0 +1 @@
++#define QUERYNAME "test.example.com"
+diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req
+new file mode 100644
+index 0000000000..e69de29bb2
+diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
+new file mode 100644
+index 0000000000..31848b4a28
+--- /dev/null
++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script
+@@ -0,0 +1,2 @@
++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2
++su
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 6ae6744fe4..47f421fddf 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -120,6 +120,7 @@ struct gaih_result
+ {
+   struct gaih_addrtuple *at;
+   char *canon;
++  char *h_name;
+   bool free_at;
+   bool got_ipv6;
+ };
+@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res)
+   if (res->free_at)
+     free (res->at);
+   free (res->canon);
++  free (res->h_name);
+   memset (res, 0, sizeof (*res));
+ }
+
+@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
+   return 0;
+ }
+
+-/* Convert struct hostent to a list of struct gaih_addrtuple objects.  h_name
+-   is not copied, and the struct hostent object must not be deallocated
+-   prematurely.  The new addresses are appended to the tuple array in RES.  */
++/* Convert struct hostent to a list of struct gaih_addrtuple objects.  The new
++   addresses are appended to the tuple array in RES.  */
+ static bool
+ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
+ 				   struct hostent *h, struct gaih_result *res)
+@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
+   res->at = array;
+   res->free_at = true;
+
++  /* Duplicate h_name because it may get reclaimed when the underlying storage
++     is freed.  */
++  if (res->h_name == NULL)
++    {
++      res->h_name = __strdup (h->h_name);
++      if (res->h_name == NULL)
++	return false;
++    }
++
+   /* Update the next pointers on reallocation.  */
+   for (size_t i = 0; i < old; i++)
+     array[i].next = array + i + 1;
+@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family,
+ 	}
+       array[i].next = array + i + 1;
+     }
+-  array[0].name = h->h_name;
+   array[count - 1].next = NULL;
+
+   return true;
+@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name,
+    memory allocation failure.  The returned string is allocated on the
+    heap; the caller has to free it.  */
+ static char *
+-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name)
++getcanonname (nss_action_list nip, const char *hname, const char *name)
+ {
+   nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r");
+   char *s = (char *) name;
+   if (cfct != NULL)
+     {
+       char buf[256];
+-      if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
+-			      &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
++      if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno,
++			      &h_errno)) != NSS_STATUS_SUCCESS)
+ 	/* If the canonical name cannot be determined, use the passed
+ 	   string.  */
+ 	s = (char *) name;
+@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req,
+ 		  if ((req->ai_flags & AI_CANONNAME) != 0
+ 		      && res->canon == NULL)
+ 		    {
+-		      char *canonbuf = getcanonname (nip, res->at, name);
++		      char *canonbuf = getcanonname (nip, res->h_name, name);
+ 		      if (canonbuf == NULL)
+ 			{
+ 			  __resolv_context_put (res_ctx);
diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
new file mode 100644
index 0000000000..507db5e13b
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch
@@ -0,0 +1,93 @@ 
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100)
+Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
+X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796
+
+Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
+
+This patch fixes a very recently added leak in getaddrinfo.
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796]
+
+CVE: CVE-2023-5156
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/nss/Makefile b/nss/Makefile
+index 8a5126ecf3..668ba34b18 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -149,6 +149,15 @@ endif
+ extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os \
+ 			   nss_test_gai_hv2_canonname.os
+
++ifeq ($(run-built-tests),yes)
++ifneq (no,$(PERL))
++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
++endif
++endif
++
++generated += mtrace-tst-nss-gai-hv2-canonname.out \
++		tst-nss-gai-hv2-canonname.mtrace
++
+ include ../Rules
+
+ ifeq (yes,$(have-selinux))
+@@ -217,6 +226,17 @@ endif
+ $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
+ $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+
++tst-nss-gai-hv2-canonname-ENV = \
++		MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
++		LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
++  $(objpfx)tst-nss-gai-hv2-canonname.out
++	{ test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
++	|| ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
++	&& $(common-objpfx)malloc/mtrace \
++	$(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
++	$(evaluate-test)
++
+ # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
+ # functions can load testing NSS modules via DT_RPATH.
+ LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
+diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
+index d5f10c07d6..7db53cf09d 100644
+--- a/nss/tst-nss-gai-hv2-canonname.c
++++ b/nss/tst-nss-gai-hv2-canonname.c
+@@ -21,6 +21,7 @@
+ #include <netdb.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <mcheck.h>
+ #include <support/check.h>
+ #include <support/xstdio.h>
+ #include "nss/tst-nss-gai-hv2-canonname.h"
+@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
+ static int
+ do_test (void)
+ {
++  mtrace ();
++
+   __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
+
+   struct addrinfo hints = {};
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 47f421fddf..531124958d 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -1196,9 +1196,7 @@ free_and_return:
+   if (malloc_name)
+     free ((char *) name);
+   free (addrmem);
+-  if (res.free_at)
+-    free (res.at);
+-  free (res.canon);
++  gaih_result_reset (&res);
+
+   return result;
+ }
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index caf454f368..b88bc5fc4f 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -50,6 +50,8 @@  SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
            file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
            file://0023-CVE-2023-4527.patch \
+           file://0024-CVE-2023-5156-1.patch \
+           file://0024-CVE-2023-5156-2.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"