Message ID | 20231003112955.3031051-1-Deepthi.Hemraj@windriver.com |
---|---|
State | New |
Headers | show |
Series | [mickledore] glibc: Fix CVE-2023-5156 | expand |
Unfortunately this patch doesn't apply (even after I edited for the previous addition of glibc: fix CVE-2023-4806 ERROR: glibc-2.37-r1 do_patch: Applying patch '0024-CVE-2023-5156-1.patch' on target directory '/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git' CmdError('quilt --quiltrc /home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch patching file nss/Makefile Hunk #1 FAILED at 82. Hunk #2 FAILED at 145. Hunk #3 FAILED at 180. Hunk #4 FAILED at 195. Hunk #5 FAILED at 215. 5 out of 5 hunks FAILED -- rejects in file nss/Makefile The next patch would create the file nss/nss_test_gai_hv2_canonname.c, which already exists! Applying it anyway. patching file nss/nss_test_gai_hv2_canonname.c Hunk #1 FAILED at 1. 1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c The next patch would create the file nss/tst-nss-gai-hv2-canonname.c, which already exists! Applying it anyway. patching file nss/tst-nss-gai-hv2-canonname.c Hunk #1 FAILED at 1. 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c The next patch would create the file nss/tst-nss-gai-hv2-canonname.h, which already exists! Applying it anyway. patching file nss/tst-nss-gai-hv2-canonname.h Hunk #1 FAILED at 1. 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h The next patch would empty out the file nss/tst-nss-gai-hv2-canonname.root/postclean.req, which is already empty! Applying it anyway. patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req The next patch would create the file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script, which already exists! Applying it anyway. patching file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script Hunk #1 FAILED at 1. 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script patching file sysdeps/posix/getaddrinfo.c Hunk #1 FAILED at 120. Hunk #2 FAILED at 165. Hunk #3 FAILED at 203. Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines). Hunk #5 FAILED at 271. Hunk #6 FAILED at 333. Hunk #7 FAILED at 780. 6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c Patch 0024-CVE-2023-5156-1.patch can be reverse-applied Steve On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote: > > From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > --- > .../glibc/glibc/0024-CVE-2023-5156-1.patch | 329 ++++++++++++++++++ > .../glibc/glibc/0024-CVE-2023-5156-2.patch | 93 +++++ > meta/recipes-core/glibc/glibc_2.37.bb | 2 + > 3 files changed, 424 insertions(+) > create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > new file mode 100644 > index 0000000000..65afaa446a > --- /dev/null > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > @@ -0,0 +1,329 @@ > +From: Siddhesh Poyarekar <siddhesh@sourceware.org> > +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400) > +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994 > + > +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) > + > +When an NSS plugin only implements the _gethostbyname2_r and > +_getcanonname_r callbacks, getaddrinfo could use memory that was freed > +during tmpbuf resizing, through h_name in a previous query response. > + > +The backing store for res->at->name when doing a query with > +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in > +gethosts during the query. For AF_INET6 lookup with AI_ALL | > +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second > +for a v4 lookup. In this case, if the first call reallocates tmpbuf > +enough number of times, resulting in a malloc, th->h_name (that > +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. > +Now if the second call to gethosts also causes the plugin callback to > +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF > +reference in res->at->name. This then gets dereferenced in the > +getcanonname_r plugin call, resulting in the use after free. > + > +Fix this by copying h_name over and freeing it at the end. This > +resolves BZ #30843, which is assigned CVE-2023-4806. > + > +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994] > + > +CVE: CVE-2023-5156 > + > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > + > +--- > + > +diff --git a/nss/Makefile b/nss/Makefile > +index 06fcdc450f..8a5126ecf3 100644 > +--- a/nss/Makefile > ++++ b/nss/Makefile > +@@ -82,6 +82,7 @@ tests-container := \ > + tst-nss-test3 \ > + tst-reload1 \ > + tst-reload2 \ > ++ tst-nss-gai-hv2-canonname \ > + # tests-container > + > + # Tests which need libdl > +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) > + ifeq ($(build-static-nss),yes) > + tests-static += tst-nss-static > + endif > +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os > ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ > ++ nss_test_gai_hv2_canonname.os > + > + include ../Rules > + > +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver > + libof-nss_test1 = extramodules > + libof-nss_test2 = extramodules > + libof-nss_test_errno = extramodules > ++libof-nss_test_gai_hv2_canonname = extramodules > + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) > + $(build-module) > + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) > + $(build-module) > + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) > + $(build-module) > ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ > ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) > ++ $(build-module) > + $(objpfx)nss_test2.os : nss_test1.c > + # Use the nss_files suffix for these objects as well. > + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so > +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so > + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ > + $(objpfx)/libnss_test_errno.so > + $(make-link) > ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ > ++ $(objpfx)/libnss_test_gai_hv2_canonname.so > ++ $(make-link) > + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ > + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ > + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ > +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) > ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ > ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) > + > + ifeq (yes,$(have-thread-library)) > + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) > +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags > + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags > + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags > + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags > ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags > +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c > +new file mode 100644 > +index 0000000000..4439c83c9f > +--- /dev/null > ++++ b/nss/nss_test_gai_hv2_canonname.c > +@@ -0,0 +1,56 @@ > ++/* NSS service provider that only provides gethostbyname2_r. > ++ Copyright The GNU Toolchain Authors. > ++ This file is part of the GNU C Library. > ++ > ++ The GNU C Library is free software; you can redistribute it and/or > ++ modify it under the terms of the GNU Lesser General Public > ++ License as published by the Free Software Foundation; either > ++ version 2.1 of the License, or (at your option) any later version. > ++ > ++ The GNU C Library is distributed in the hope that it will be useful, > ++ but WITHOUT ANY WARRANTY; without even the implied warranty of > ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > ++ Lesser General Public License for more details. > ++ > ++ You should have received a copy of the GNU Lesser General Public > ++ License along with the GNU C Library; if not, see > ++ <https://www.gnu.org/licenses/>. */ > ++ > ++#include <nss.h> > ++#include <stdlib.h> > ++#include <string.h> > ++#include "nss/tst-nss-gai-hv2-canonname.h" > ++ > ++/* Catch misnamed and functions. */ > ++#pragma GCC diagnostic error "-Wmissing-prototypes" > ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) > ++ > ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, > ++ struct hostent *, char *, > ++ size_t, int *, int *); > ++ > ++enum nss_status > ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, > ++ struct hostent *result, > ++ char *buffer, size_t buflen, > ++ int *errnop, int *herrnop) > ++{ > ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, > ++ herrnop); > ++} > ++ > ++enum nss_status > ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, > ++ size_t buflen, char **result, > ++ int *errnop, int *h_errnop) > ++{ > ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail > ++ the test. */ > ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) > ++ || buflen < sizeof (QUERYNAME)) > ++ abort (); > ++ > ++ strncpy (buffer, name, buflen); > ++ *result = buffer; > ++ return NSS_STATUS_SUCCESS; > ++} > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c > +new file mode 100644 > +index 0000000000..d5f10c07d6 > +--- /dev/null > ++++ b/nss/tst-nss-gai-hv2-canonname.c > +@@ -0,0 +1,63 @@ > ++/* Test NSS query path for plugins that only implement gethostbyname2 > ++ (#30843). > ++ Copyright The GNU Toolchain Authors. > ++ This file is part of the GNU C Library. > ++ > ++ The GNU C Library is free software; you can redistribute it and/or > ++ modify it under the terms of the GNU Lesser General Public > ++ License as published by the Free Software Foundation; either > ++ version 2.1 of the License, or (at your option) any later version. > ++ > ++ The GNU C Library is distributed in the hope that it will be useful, > ++ but WITHOUT ANY WARRANTY; without even the implied warranty of > ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > ++ Lesser General Public License for more details. > ++ > ++ You should have received a copy of the GNU Lesser General Public > ++ License along with the GNU C Library; if not, see > ++ <https://www.gnu.org/licenses/>. */ > ++ > ++#include <nss.h> > ++#include <netdb.h> > ++#include <stdlib.h> > ++#include <string.h> > ++#include <support/check.h> > ++#include <support/xstdio.h> > ++#include "nss/tst-nss-gai-hv2-canonname.h" > ++ > ++#define PREPARE do_prepare > ++ > ++static void do_prepare (int a, char **av) > ++{ > ++ FILE *hosts = xfopen ("/etc/hosts", "w"); > ++ for (unsigned i = 2; i < 255; i++) > ++ { > ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); > ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); > ++ } > ++ xfclose (hosts); > ++} > ++ > ++static int > ++do_test (void) > ++{ > ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); > ++ > ++ struct addrinfo hints = {}; > ++ struct addrinfo *result = NULL; > ++ > ++ hints.ai_family = AF_INET6; > ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; > ++ > ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); > ++ > ++ if (ret != 0) > ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); > ++ > ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); > ++ > ++ freeaddrinfo(result); > ++ return 0; > ++} > ++ > ++#include <support/test-driver.c> > +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h > +new file mode 100644 > +index 0000000000..14f2a9cb08 > +--- /dev/null > ++++ b/nss/tst-nss-gai-hv2-canonname.h > +@@ -0,0 +1 @@ > ++#define QUERYNAME "test.example.com" > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req > +new file mode 100644 > +index 0000000000..e69de29bb2 > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > +new file mode 100644 > +index 0000000000..31848b4a28 > +--- /dev/null > ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > +@@ -0,0 +1,2 @@ > ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 > ++su > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c > +index 6ae6744fe4..47f421fddf 100644 > +--- a/sysdeps/posix/getaddrinfo.c > ++++ b/sysdeps/posix/getaddrinfo.c > +@@ -120,6 +120,7 @@ struct gaih_result > + { > + struct gaih_addrtuple *at; > + char *canon; > ++ char *h_name; > + bool free_at; > + bool got_ipv6; > + }; > +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) > + if (res->free_at) > + free (res->at); > + free (res->canon); > ++ free (res->h_name); > + memset (res, 0, sizeof (*res)); > + } > + > +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, > + return 0; > + } > + > +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name > +- is not copied, and the struct hostent object must not be deallocated > +- prematurely. The new addresses are appended to the tuple array in RES. */ > ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new > ++ addresses are appended to the tuple array in RES. */ > + static bool > + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > + struct hostent *h, struct gaih_result *res) > +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > + res->at = array; > + res->free_at = true; > + > ++ /* Duplicate h_name because it may get reclaimed when the underlying storage > ++ is freed. */ > ++ if (res->h_name == NULL) > ++ { > ++ res->h_name = __strdup (h->h_name); > ++ if (res->h_name == NULL) > ++ return false; > ++ } > ++ > + /* Update the next pointers on reallocation. */ > + for (size_t i = 0; i < old; i++) > + array[i].next = array + i + 1; > +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > + } > + array[i].next = array + i + 1; > + } > +- array[0].name = h->h_name; > + array[count - 1].next = NULL; > + > + return true; > +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, > + memory allocation failure. The returned string is allocated on the > + heap; the caller has to free it. */ > + static char * > +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) > ++getcanonname (nss_action_list nip, const char *hname, const char *name) > + { > + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); > + char *s = (char *) name; > + if (cfct != NULL) > + { > + char buf[256]; > +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), > +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) > ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, > ++ &h_errno)) != NSS_STATUS_SUCCESS) > + /* If the canonical name cannot be determined, use the passed > + string. */ > + s = (char *) name; > +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, > + if ((req->ai_flags & AI_CANONNAME) != 0 > + && res->canon == NULL) > + { > +- char *canonbuf = getcanonname (nip, res->at, name); > ++ char *canonbuf = getcanonname (nip, res->h_name, name); > + if (canonbuf == NULL) > + { > + __resolv_context_put (res_ctx); > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > new file mode 100644 > index 0000000000..507db5e13b > --- /dev/null > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > @@ -0,0 +1,93 @@ > +From: Romain Geissler <romain.geissler@amadeus.com> > +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100) > +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 > + > +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] > + > +This patch fixes a very recently added leak in getaddrinfo. > + > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > + > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796] > + > +CVE: CVE-2023-5156 > + > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > + > +--- > + > +diff --git a/nss/Makefile b/nss/Makefile > +index 8a5126ecf3..668ba34b18 100644 > +--- a/nss/Makefile > ++++ b/nss/Makefile > +@@ -149,6 +149,15 @@ endif > + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ > + nss_test_gai_hv2_canonname.os > + > ++ifeq ($(run-built-tests),yes) > ++ifneq (no,$(PERL)) > ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out > ++endif > ++endif > ++ > ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ > ++ tst-nss-gai-hv2-canonname.mtrace > ++ > + include ../Rules > + > + ifeq (yes,$(have-selinux)) > +@@ -217,6 +226,17 @@ endif > + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so > + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so > + > ++tst-nss-gai-hv2-canonname-ENV = \ > ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ > ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so > ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ > ++ $(objpfx)tst-nss-gai-hv2-canonname.out > ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ > ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ > ++ && $(common-objpfx)malloc/mtrace \ > ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ > ++ $(evaluate-test) > ++ > + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS > + # functions can load testing NSS modules via DT_RPATH. > + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c > +index d5f10c07d6..7db53cf09d 100644 > +--- a/nss/tst-nss-gai-hv2-canonname.c > ++++ b/nss/tst-nss-gai-hv2-canonname.c > +@@ -21,6 +21,7 @@ > + #include <netdb.h> > + #include <stdlib.h> > + #include <string.h> > ++#include <mcheck.h> > + #include <support/check.h> > + #include <support/xstdio.h> > + #include "nss/tst-nss-gai-hv2-canonname.h" > +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) > + static int > + do_test (void) > + { > ++ mtrace (); > ++ > + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); > + > + struct addrinfo hints = {}; > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c > +index 47f421fddf..531124958d 100644 > +--- a/sysdeps/posix/getaddrinfo.c > ++++ b/sysdeps/posix/getaddrinfo.c > +@@ -1196,9 +1196,7 @@ free_and_return: > + if (malloc_name) > + free ((char *) name); > + free (addrmem); > +- if (res.free_at) > +- free (res.at); > +- free (res.canon); > ++ gaih_result_reset (&res); > + > + return result; > + } > diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb > index caf454f368..b88bc5fc4f 100644 > --- a/meta/recipes-core/glibc/glibc_2.37.bb > +++ b/meta/recipes-core/glibc/glibc_2.37.bb > @@ -50,6 +50,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ > file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ > file://0023-CVE-2023-4527.patch \ > + file://0024-CVE-2023-5156-1.patch \ > + file://0024-CVE-2023-5156-2.patch \ > " > S = "${WORKDIR}/git" > B = "${WORKDIR}/build-${TARGET_SYS}" > -- > 2.39.0 >
There are 2 files in the patch sent and the first patch(0024-CVE-2023-5156-1.patch) is the duplicate of https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806) ( https://lists.openembedded.org/g/openembedded-core/message/188490(CVE-2023-4806) ) which was sent to the mailing list. Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second patch as a V2 ??
> There are 2 files in the patch sent and the first patch(0024-CVE-2023-5156-1.patch) is the duplicate of > https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806) which was sent to the mailing list. > Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second patch as a V2 ?? Actually I'd prefer that you do an update to the latest head of release/2.37/master since it includes the fixes for CVE-2023-4806, CVE-2023-5156, and the newly announced CVE-2023-4911) Is this something you can do quickly? I'd like to fast track that fix. Steve On Tue, Oct 3, 2023 at 8:08 AM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote: > > Unfortunately this patch doesn't apply (even after I edited for the > previous addition of glibc: fix CVE-2023-4806 > > ERROR: glibc-2.37-r1 do_patch: Applying patch > '0024-CVE-2023-5156-1.patch' on target directory > '/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git' > CmdError('quilt --quiltrc > /home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc > push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch > patching file nss/Makefile > Hunk #1 FAILED at 82. > Hunk #2 FAILED at 145. > Hunk #3 FAILED at 180. > Hunk #4 FAILED at 195. > Hunk #5 FAILED at 215. > 5 out of 5 hunks FAILED -- rejects in file nss/Makefile > The next patch would create the file nss/nss_test_gai_hv2_canonname.c, > which already exists! Applying it anyway. > patching file nss/nss_test_gai_hv2_canonname.c > Hunk #1 FAILED at 1. > 1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c > The next patch would create the file nss/tst-nss-gai-hv2-canonname.c, > which already exists! Applying it anyway. > patching file nss/tst-nss-gai-hv2-canonname.c > Hunk #1 FAILED at 1. > 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c > The next patch would create the file nss/tst-nss-gai-hv2-canonname.h, > which already exists! Applying it anyway. > patching file nss/tst-nss-gai-hv2-canonname.h > Hunk #1 FAILED at 1. > 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h > The next patch would empty out the file > nss/tst-nss-gai-hv2-canonname.root/postclean.req, > which is already empty! Applying it anyway. > patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req > The next patch would create the file > nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script, > which already exists! Applying it anyway. > patching file nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > Hunk #1 FAILED at 1. > 1 out of 1 hunk FAILED -- rejects in file > nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > patching file sysdeps/posix/getaddrinfo.c > Hunk #1 FAILED at 120. > Hunk #2 FAILED at 165. > Hunk #3 FAILED at 203. > Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines). > Hunk #5 FAILED at 271. > Hunk #6 FAILED at 333. > Hunk #7 FAILED at 780. > 6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c > Patch 0024-CVE-2023-5156-1.patch can be reverse-applied > > Steve > > On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote: > > > > From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > > > Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > --- > > .../glibc/glibc/0024-CVE-2023-5156-1.patch | 329 ++++++++++++++++++ > > .../glibc/glibc/0024-CVE-2023-5156-2.patch | 93 +++++ > > meta/recipes-core/glibc/glibc_2.37.bb | 2 + > > 3 files changed, 424 insertions(+) > > create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > > create mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > > > > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > > new file mode 100644 > > index 0000000000..65afaa446a > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch > > @@ -0,0 +1,329 @@ > > +From: Siddhesh Poyarekar <siddhesh@sourceware.org> > > +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400) > > +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) > > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994 > > + > > +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) > > + > > +When an NSS plugin only implements the _gethostbyname2_r and > > +_getcanonname_r callbacks, getaddrinfo could use memory that was freed > > +during tmpbuf resizing, through h_name in a previous query response. > > + > > +The backing store for res->at->name when doing a query with > > +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in > > +gethosts during the query. For AF_INET6 lookup with AI_ALL | > > +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second > > +for a v4 lookup. In this case, if the first call reallocates tmpbuf > > +enough number of times, resulting in a malloc, th->h_name (that > > +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. > > +Now if the second call to gethosts also causes the plugin callback to > > +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF > > +reference in res->at->name. This then gets dereferenced in the > > +getcanonname_r plugin call, resulting in the use after free. > > + > > +Fix this by copying h_name over and freeing it at the end. This > > +resolves BZ #30843, which is assigned CVE-2023-4806. > > + > > +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > > + > > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994] > > + > > +CVE: CVE-2023-5156 > > + > > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > + > > +--- > > + > > +diff --git a/nss/Makefile b/nss/Makefile > > +index 06fcdc450f..8a5126ecf3 100644 > > +--- a/nss/Makefile > > ++++ b/nss/Makefile > > +@@ -82,6 +82,7 @@ tests-container := \ > > + tst-nss-test3 \ > > + tst-reload1 \ > > + tst-reload2 \ > > ++ tst-nss-gai-hv2-canonname \ > > + # tests-container > > + > > + # Tests which need libdl > > +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) > > + ifeq ($(build-static-nss),yes) > > + tests-static += tst-nss-static > > + endif > > +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os > > ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ > > ++ nss_test_gai_hv2_canonname.os > > + > > + include ../Rules > > + > > +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver > > + libof-nss_test1 = extramodules > > + libof-nss_test2 = extramodules > > + libof-nss_test_errno = extramodules > > ++libof-nss_test_gai_hv2_canonname = extramodules > > + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) > > + $(build-module) > > + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) > > + $(build-module) > > + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) > > + $(build-module) > > ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ > > ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) > > ++ $(build-module) > > + $(objpfx)nss_test2.os : nss_test1.c > > + # Use the nss_files suffix for these objects as well. > > + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so > > +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so > > + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ > > + $(objpfx)/libnss_test_errno.so > > + $(make-link) > > ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ > > ++ $(objpfx)/libnss_test_gai_hv2_canonname.so > > ++ $(make-link) > > + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ > > + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ > > + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ > > +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) > > ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ > > ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) > > + > > + ifeq (yes,$(have-thread-library)) > > + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) > > +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags > > + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags > > + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags > > + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags > > ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags > > +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c > > +new file mode 100644 > > +index 0000000000..4439c83c9f > > +--- /dev/null > > ++++ b/nss/nss_test_gai_hv2_canonname.c > > +@@ -0,0 +1,56 @@ > > ++/* NSS service provider that only provides gethostbyname2_r. > > ++ Copyright The GNU Toolchain Authors. > > ++ This file is part of the GNU C Library. > > ++ > > ++ The GNU C Library is free software; you can redistribute it and/or > > ++ modify it under the terms of the GNU Lesser General Public > > ++ License as published by the Free Software Foundation; either > > ++ version 2.1 of the License, or (at your option) any later version. > > ++ > > ++ The GNU C Library is distributed in the hope that it will be useful, > > ++ but WITHOUT ANY WARRANTY; without even the implied warranty of > > ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > ++ Lesser General Public License for more details. > > ++ > > ++ You should have received a copy of the GNU Lesser General Public > > ++ License along with the GNU C Library; if not, see > > ++ <https://www.gnu.org/licenses/>. */ > > ++ > > ++#include <nss.h> > > ++#include <stdlib.h> > > ++#include <string.h> > > ++#include "nss/tst-nss-gai-hv2-canonname.h" > > ++ > > ++/* Catch misnamed and functions. */ > > ++#pragma GCC diagnostic error "-Wmissing-prototypes" > > ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) > > ++ > > ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, > > ++ struct hostent *, char *, > > ++ size_t, int *, int *); > > ++ > > ++enum nss_status > > ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, > > ++ struct hostent *result, > > ++ char *buffer, size_t buflen, > > ++ int *errnop, int *herrnop) > > ++{ > > ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, > > ++ herrnop); > > ++} > > ++ > > ++enum nss_status > > ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, > > ++ size_t buflen, char **result, > > ++ int *errnop, int *h_errnop) > > ++{ > > ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail > > ++ the test. */ > > ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) > > ++ || buflen < sizeof (QUERYNAME)) > > ++ abort (); > > ++ > > ++ strncpy (buffer, name, buflen); > > ++ *result = buffer; > > ++ return NSS_STATUS_SUCCESS; > > ++} > > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c > > +new file mode 100644 > > +index 0000000000..d5f10c07d6 > > +--- /dev/null > > ++++ b/nss/tst-nss-gai-hv2-canonname.c > > +@@ -0,0 +1,63 @@ > > ++/* Test NSS query path for plugins that only implement gethostbyname2 > > ++ (#30843). > > ++ Copyright The GNU Toolchain Authors. > > ++ This file is part of the GNU C Library. > > ++ > > ++ The GNU C Library is free software; you can redistribute it and/or > > ++ modify it under the terms of the GNU Lesser General Public > > ++ License as published by the Free Software Foundation; either > > ++ version 2.1 of the License, or (at your option) any later version. > > ++ > > ++ The GNU C Library is distributed in the hope that it will be useful, > > ++ but WITHOUT ANY WARRANTY; without even the implied warranty of > > ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > > ++ Lesser General Public License for more details. > > ++ > > ++ You should have received a copy of the GNU Lesser General Public > > ++ License along with the GNU C Library; if not, see > > ++ <https://www.gnu.org/licenses/>. */ > > ++ > > ++#include <nss.h> > > ++#include <netdb.h> > > ++#include <stdlib.h> > > ++#include <string.h> > > ++#include <support/check.h> > > ++#include <support/xstdio.h> > > ++#include "nss/tst-nss-gai-hv2-canonname.h" > > ++ > > ++#define PREPARE do_prepare > > ++ > > ++static void do_prepare (int a, char **av) > > ++{ > > ++ FILE *hosts = xfopen ("/etc/hosts", "w"); > > ++ for (unsigned i = 2; i < 255; i++) > > ++ { > > ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); > > ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); > > ++ } > > ++ xfclose (hosts); > > ++} > > ++ > > ++static int > > ++do_test (void) > > ++{ > > ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); > > ++ > > ++ struct addrinfo hints = {}; > > ++ struct addrinfo *result = NULL; > > ++ > > ++ hints.ai_family = AF_INET6; > > ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; > > ++ > > ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); > > ++ > > ++ if (ret != 0) > > ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); > > ++ > > ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); > > ++ > > ++ freeaddrinfo(result); > > ++ return 0; > > ++} > > ++ > > ++#include <support/test-driver.c> > > +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h > > +new file mode 100644 > > +index 0000000000..14f2a9cb08 > > +--- /dev/null > > ++++ b/nss/tst-nss-gai-hv2-canonname.h > > +@@ -0,0 +1 @@ > > ++#define QUERYNAME "test.example.com" > > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req > > +new file mode 100644 > > +index 0000000000..e69de29bb2 > > +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > > +new file mode 100644 > > +index 0000000000..31848b4a28 > > +--- /dev/null > > ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script > > +@@ -0,0 +1,2 @@ > > ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 > > ++su > > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c > > +index 6ae6744fe4..47f421fddf 100644 > > +--- a/sysdeps/posix/getaddrinfo.c > > ++++ b/sysdeps/posix/getaddrinfo.c > > +@@ -120,6 +120,7 @@ struct gaih_result > > + { > > + struct gaih_addrtuple *at; > > + char *canon; > > ++ char *h_name; > > + bool free_at; > > + bool got_ipv6; > > + }; > > +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) > > + if (res->free_at) > > + free (res->at); > > + free (res->canon); > > ++ free (res->h_name); > > + memset (res, 0, sizeof (*res)); > > + } > > + > > +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, > > + return 0; > > + } > > + > > +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name > > +- is not copied, and the struct hostent object must not be deallocated > > +- prematurely. The new addresses are appended to the tuple array in RES. */ > > ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new > > ++ addresses are appended to the tuple array in RES. */ > > + static bool > > + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > > + struct hostent *h, struct gaih_result *res) > > +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > > + res->at = array; > > + res->free_at = true; > > + > > ++ /* Duplicate h_name because it may get reclaimed when the underlying storage > > ++ is freed. */ > > ++ if (res->h_name == NULL) > > ++ { > > ++ res->h_name = __strdup (h->h_name); > > ++ if (res->h_name == NULL) > > ++ return false; > > ++ } > > ++ > > + /* Update the next pointers on reallocation. */ > > + for (size_t i = 0; i < old; i++) > > + array[i].next = array + i + 1; > > +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, > > + } > > + array[i].next = array + i + 1; > > + } > > +- array[0].name = h->h_name; > > + array[count - 1].next = NULL; > > + > > + return true; > > +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, > > + memory allocation failure. The returned string is allocated on the > > + heap; the caller has to free it. */ > > + static char * > > +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) > > ++getcanonname (nss_action_list nip, const char *hname, const char *name) > > + { > > + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); > > + char *s = (char *) name; > > + if (cfct != NULL) > > + { > > + char buf[256]; > > +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), > > +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) > > ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, > > ++ &h_errno)) != NSS_STATUS_SUCCESS) > > + /* If the canonical name cannot be determined, use the passed > > + string. */ > > + s = (char *) name; > > +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, > > + if ((req->ai_flags & AI_CANONNAME) != 0 > > + && res->canon == NULL) > > + { > > +- char *canonbuf = getcanonname (nip, res->at, name); > > ++ char *canonbuf = getcanonname (nip, res->h_name, name); > > + if (canonbuf == NULL) > > + { > > + __resolv_context_put (res_ctx); > > diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > > new file mode 100644 > > index 0000000000..507db5e13b > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch > > @@ -0,0 +1,93 @@ > > +From: Romain Geissler <romain.geissler@amadeus.com> > > +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100) > > +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] > > +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 > > + > > +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] > > + > > +This patch fixes a very recently added leak in getaddrinfo. > > + > > +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> > > + > > +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796] > > + > > +CVE: CVE-2023-5156 > > + > > +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> > > + > > +--- > > + > > +diff --git a/nss/Makefile b/nss/Makefile > > +index 8a5126ecf3..668ba34b18 100644 > > +--- a/nss/Makefile > > ++++ b/nss/Makefile > > +@@ -149,6 +149,15 @@ endif > > + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ > > + nss_test_gai_hv2_canonname.os > > + > > ++ifeq ($(run-built-tests),yes) > > ++ifneq (no,$(PERL)) > > ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out > > ++endif > > ++endif > > ++ > > ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ > > ++ tst-nss-gai-hv2-canonname.mtrace > > ++ > > + include ../Rules > > + > > + ifeq (yes,$(have-selinux)) > > +@@ -217,6 +226,17 @@ endif > > + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so > > + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so > > + > > ++tst-nss-gai-hv2-canonname-ENV = \ > > ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ > > ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so > > ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ > > ++ $(objpfx)tst-nss-gai-hv2-canonname.out > > ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ > > ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ > > ++ && $(common-objpfx)malloc/mtrace \ > > ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ > > ++ $(evaluate-test) > > ++ > > + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS > > + # functions can load testing NSS modules via DT_RPATH. > > + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags > > +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c > > +index d5f10c07d6..7db53cf09d 100644 > > +--- a/nss/tst-nss-gai-hv2-canonname.c > > ++++ b/nss/tst-nss-gai-hv2-canonname.c > > +@@ -21,6 +21,7 @@ > > + #include <netdb.h> > > + #include <stdlib.h> > > + #include <string.h> > > ++#include <mcheck.h> > > + #include <support/check.h> > > + #include <support/xstdio.h> > > + #include "nss/tst-nss-gai-hv2-canonname.h" > > +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) > > + static int > > + do_test (void) > > + { > > ++ mtrace (); > > ++ > > + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); > > + > > + struct addrinfo hints = {}; > > +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c > > +index 47f421fddf..531124958d 100644 > > +--- a/sysdeps/posix/getaddrinfo.c > > ++++ b/sysdeps/posix/getaddrinfo.c > > +@@ -1196,9 +1196,7 @@ free_and_return: > > + if (malloc_name) > > + free ((char *) name); > > + free (addrmem); > > +- if (res.free_at) > > +- free (res.at); > > +- free (res.canon); > > ++ gaih_result_reset (&res); > > + > > + return result; > > + } > > diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb > > index caf454f368..b88bc5fc4f 100644 > > --- a/meta/recipes-core/glibc/glibc_2.37.bb > > +++ b/meta/recipes-core/glibc/glibc_2.37.bb > > @@ -50,6 +50,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > > file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ > > file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ > > file://0023-CVE-2023-4527.patch \ > > + file://0024-CVE-2023-5156-1.patch \ > > + file://0024-CVE-2023-5156-2.patch \ > > " > > S = "${WORKDIR}/git" > > B = "${WORKDIR}/build-${TARGET_SYS}" > > -- > > 2.39.0 > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#188648): https://lists.openembedded.org/g/openembedded-core/message/188648 > Mute This Topic: https://lists.openembedded.org/mt/101731788/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Wed, Oct 4, 2023 at 07:57 PM, Steve Sakoman wrote: > > >> There are 2 files in the patch sent and the first >> patch(0024-CVE-2023-5156-1.patch) is the duplicate of >> https://lists.openembedded.org/g/openembedded-core/message/188490 (CVE-2023-4806) >> which was sent to the mailing list. >> Will I have to drop the (0024-CVE-2023-5156-1.patch) and send the second >> patch as a V2 ?? > > Actually I'd prefer that you do an update to the latest head of > release/2.37/master since it includes the fixes for CVE-2023-4806, > CVE-2023-5156, and the newly announced CVE-2023-4911) > > Is this something you can do quickly? I'd like to fast track that fix. > > Steve The glibc updates to the latest head of release/2.37/master are sent here, https://lists.openembedded.org/g/openembedded-core/message/188717 Regards, Yash. > > > On Tue, Oct 3, 2023 at 8:08 AM Steve Sakoman via > lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> > wrote: > >> Unfortunately this patch doesn't apply (even after I edited for the >> previous addition of glibc: fix CVE-2023-4806 >> >> ERROR: glibc-2.37-r1 do_patch: Applying patch >> '0024-CVE-2023-5156-1.patch' on target directory >> '/home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/git' >> >> CmdError('quilt --quiltrc >> /home/steve/builds/poky-contrib-mickledore/build/tmp/work/core2-64-poky-linux/glibc/2.37-r1/recipe-sysroot-native/etc/quiltrc >> >> push', 0, 'stdout: Applying patch 0024-CVE-2023-5156-1.patch >> patching file nss/Makefile >> Hunk #1 FAILED at 82. >> Hunk #2 FAILED at 145. >> Hunk #3 FAILED at 180. >> Hunk #4 FAILED at 195. >> Hunk #5 FAILED at 215. >> 5 out of 5 hunks FAILED -- rejects in file nss/Makefile >> The next patch would create the file nss/nss_test_gai_hv2_canonname.c, >> which already exists! Applying it anyway. >> patching file nss/nss_test_gai_hv2_canonname.c >> Hunk #1 FAILED at 1. >> 1 out of 1 hunk FAILED -- rejects in file nss/nss_test_gai_hv2_canonname.c >> >> The next patch would create the file nss/tst-nss-gai-hv2-canonname.c, >> which already exists! Applying it anyway. >> patching file nss/tst-nss-gai-hv2-canonname.c >> Hunk #1 FAILED at 1. >> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.c >> The next patch would create the file nss/tst-nss-gai-hv2-canonname.h, >> which already exists! Applying it anyway. >> patching file nss/tst-nss-gai-hv2-canonname.h >> Hunk #1 FAILED at 1. >> 1 out of 1 hunk FAILED -- rejects in file nss/tst-nss-gai-hv2-canonname.h >> The next patch would empty out the file >> nss/tst-nss-gai-hv2-canonname.root/postclean.req, >> which is already empty! Applying it anyway. >> patching file nss/tst-nss-gai-hv2-canonname.root/postclean.req >> The next patch would create the file >> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script, >> which already exists! Applying it anyway. >> patching file >> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script >> Hunk #1 FAILED at 1. >> 1 out of 1 hunk FAILED -- rejects in file >> nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script >> patching file sysdeps/posix/getaddrinfo.c >> Hunk #1 FAILED at 120. >> Hunk #2 FAILED at 165. >> Hunk #3 FAILED at 203. >> Hunk #4 succeeded at 248 with fuzz 2 (offset 10 lines). >> Hunk #5 FAILED at 271. >> Hunk #6 FAILED at 333. >> Hunk #7 FAILED at 780. >> 6 out of 7 hunks FAILED -- rejects in file sysdeps/posix/getaddrinfo.c >> Patch 0024-CVE-2023-5156-1.patch can be reverse-applied >> >> Steve >> >> On Tue, Oct 3, 2023 at 1:30 AM <Deepthi.Hemraj@windriver.com> wrote: >> >>> From: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> >>> >>> Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> >>> --- >>> .../glibc/glibc/0024-CVE-2023-5156-1.patch | 329 ++++++++++++++++++ >>> .../glibc/glibc/0024-CVE-2023-5156-2.patch | 93 +++++ >>> meta/recipes-core/glibc/glibc_2.37.bb | 2 + >>> 3 files changed, 424 insertions(+) >>> create mode 100644 >>> meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch >>> create mode 100644 >>> meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch >>> >>> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch >>> b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch >>> new file mode 100644 >>> index 0000000000..65afaa446a >>> --- /dev/null >>> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch >>> @@ -0,0 +1,329 @@ >>> +From: Siddhesh Poyarekar <siddhesh@sourceware.org> >>> +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400) >>> +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) >>> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994 >>> >>> + >>> +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) >>> + >>> +When an NSS plugin only implements the _gethostbyname2_r and >>> +_getcanonname_r callbacks, getaddrinfo could use memory that was freed >>> +during tmpbuf resizing, through h_name in a previous query response. >>> + >>> +The backing store for res->at->name when doing a query with >>> +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in >>> +gethosts during the query. For AF_INET6 lookup with AI_ALL | >>> +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second >>> +for a v4 lookup. In this case, if the first call reallocates tmpbuf >>> +enough number of times, resulting in a malloc, th->h_name (that >>> +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. >>> +Now if the second call to gethosts also causes the plugin callback to >>> +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF >>> +reference in res->at->name. This then gets dereferenced in the >>> +getcanonname_r plugin call, resulting in the use after free. >>> + >>> +Fix this by copying h_name over and freeing it at the end. This >>> +resolves BZ #30843, which is assigned CVE-2023-4806. >>> + >>> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> >>> + >>> +Upstream-Status: Backport [ https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994 >>> ] >>> + >>> +CVE: CVE-2023-5156 >>> + >>> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> >>> + >>> +--- >>> + >>> +diff --git a/nss/Makefile b/nss/Makefile >>> +index 06fcdc450f..8a5126ecf3 100644 >>> +--- a/nss/Makefile >>> ++++ b/nss/Makefile >>> +@@ -82,6 +82,7 @@ tests-container := \ >>> + tst-nss-test3 \ >>> + tst-reload1 \ >>> + tst-reload2 \ >>> ++ tst-nss-gai-hv2-canonname \ >>> + # tests-container >>> + >>> + # Tests which need libdl >>> +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out >>> .os,$(object-suffixes)) >>> + ifeq ($(build-static-nss),yes) >>> + tests-static += tst-nss-static >>> + endif >>> +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os >>> ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ >>> ++ nss_test_gai_hv2_canonname.os >>> + >>> + include ../Rules >>> + >>> +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += >>> -Wl,--dynamic-list=nss_test.ver >>> + libof-nss_test1 = extramodules >>> + libof-nss_test2 = extramodules >>> + libof-nss_test_errno = extramodules >>> ++libof-nss_test_gai_hv2_canonname = extramodules >>> + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) >>> + $(build-module) >>> + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) >>> + $(build-module) >>> + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os >>> $(link-libc-deps) >>> + $(build-module) >>> ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ >>> ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) >>> ++ $(build-module) >>> + $(objpfx)nss_test2.os : nss_test1.c >>> + # Use the nss_files suffix for these objects as well. >>> + $(objpfx)/libnss_test1.so$(libnss_files.so-version): >>> $(objpfx)/libnss_test1.so >>> +@@ -195,10 +201,14 @@ >>> $(objpfx)/libnss_test2.so$(libnss_files.so-version): >>> $(objpfx)/libnss_test2.so >>> + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ >>> + $(objpfx)/libnss_test_errno.so >>> + $(make-link) >>> ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ >>> ++ $(objpfx)/libnss_test_gai_hv2_canonname.so >>> ++ $(make-link) >>> + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ >>> + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ >>> + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ >>> +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) >>> ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ >>> ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) >>> + >>> + ifeq (yes,$(have-thread-library)) >>> + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) >>> +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags >>> + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags >>> + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags >>> + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags >>> ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags >>> +diff --git a/nss/nss_test_gai_hv2_canonname.c >>> b/nss/nss_test_gai_hv2_canonname.c >>> +new file mode 100644 >>> +index 0000000000..4439c83c9f >>> +--- /dev/null >>> ++++ b/nss/nss_test_gai_hv2_canonname.c >>> +@@ -0,0 +1,56 @@ >>> ++/* NSS service provider that only provides gethostbyname2_r. >>> ++ Copyright The GNU Toolchain Authors. >>> ++ This file is part of the GNU C Library. >>> ++ >>> ++ The GNU C Library is free software; you can redistribute it and/or >>> ++ modify it under the terms of the GNU Lesser General Public >>> ++ License as published by the Free Software Foundation; either >>> ++ version 2.1 of the License, or (at your option) any later version. >>> ++ >>> ++ The GNU C Library is distributed in the hope that it will be useful, >>> ++ but WITHOUT ANY WARRANTY; without even the implied warranty of >>> ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> ++ Lesser General Public License for more details. >>> ++ >>> ++ You should have received a copy of the GNU Lesser General Public >>> ++ License along with the GNU C Library; if not, see >>> ++ < https://www.gnu.org/licenses/ >. */ >>> ++ >>> ++#include <nss.h> >>> ++#include <stdlib.h> >>> ++#include <string.h> >>> ++#include "nss/tst-nss-gai-hv2-canonname.h" >>> ++ >>> ++/* Catch misnamed and functions. */ >>> ++#pragma GCC diagnostic error "-Wmissing-prototypes" >>> ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) >>> ++ >>> ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, >>> ++ struct hostent *, char *, >>> ++ size_t, int *, int *); >>> ++ >>> ++enum nss_status >>> ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, >>> ++ struct hostent *result, >>> ++ char *buffer, size_t buflen, >>> ++ int *errnop, int *herrnop) >>> ++{ >>> ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, >>> errnop, >>> ++ herrnop); >>> ++} >>> ++ >>> ++enum nss_status >>> ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char >>> *buffer, >>> ++ size_t buflen, char **result, >>> ++ int *errnop, int *h_errnop) >>> ++{ >>> ++ /* We expect QUERYNAME, which is a small enough string that it >>> shouldn't fail >>> ++ the test. */ >>> ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) >>> ++ || buflen < sizeof (QUERYNAME)) >>> ++ abort (); >>> ++ >>> ++ strncpy (buffer, name, buflen); >>> ++ *result = buffer; >>> ++ return NSS_STATUS_SUCCESS; >>> ++} >>> +diff --git a/nss/tst-nss-gai-hv2-canonname.c >>> b/nss/tst-nss-gai-hv2-canonname.c >>> +new file mode 100644 >>> +index 0000000000..d5f10c07d6 >>> +--- /dev/null >>> ++++ b/nss/tst-nss-gai-hv2-canonname.c >>> +@@ -0,0 +1,63 @@ >>> ++/* Test NSS query path for plugins that only implement gethostbyname2 >>> ++ (#30843). >>> ++ Copyright The GNU Toolchain Authors. >>> ++ This file is part of the GNU C Library. >>> ++ >>> ++ The GNU C Library is free software; you can redistribute it and/or >>> ++ modify it under the terms of the GNU Lesser General Public >>> ++ License as published by the Free Software Foundation; either >>> ++ version 2.1 of the License, or (at your option) any later version. >>> ++ >>> ++ The GNU C Library is distributed in the hope that it will be useful, >>> ++ but WITHOUT ANY WARRANTY; without even the implied warranty of >>> ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >>> ++ Lesser General Public License for more details. >>> ++ >>> ++ You should have received a copy of the GNU Lesser General Public >>> ++ License along with the GNU C Library; if not, see >>> ++ < https://www.gnu.org/licenses/ >. */ >>> ++ >>> ++#include <nss.h> >>> ++#include <netdb.h> >>> ++#include <stdlib.h> >>> ++#include <string.h> >>> ++#include <support/check.h> >>> ++#include <support/xstdio.h> >>> ++#include "nss/tst-nss-gai-hv2-canonname.h" >>> ++ >>> ++#define PREPARE do_prepare >>> ++ >>> ++static void do_prepare (int a, char **av) >>> ++{ >>> ++ FILE *hosts = xfopen ("/etc/hosts", "w"); >>> ++ for (unsigned i = 2; i < 255; i++) >>> ++ { >>> ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); >>> ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); >>> ++ } >>> ++ xfclose (hosts); >>> ++} >>> ++ >>> ++static int >>> ++do_test (void) >>> ++{ >>> ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); >>> ++ >>> ++ struct addrinfo hints = {}; >>> ++ struct addrinfo *result = NULL; >>> ++ >>> ++ hints.ai_family = AF_INET6; >>> ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; >>> ++ >>> ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); >>> ++ >>> ++ if (ret != 0) >>> ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); >>> ++ >>> ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); >>> ++ >>> ++ freeaddrinfo(result); >>> ++ return 0; >>> ++} >>> ++ >>> ++#include <support/test-driver.c> >>> +diff --git a/nss/tst-nss-gai-hv2-canonname.h >>> b/nss/tst-nss-gai-hv2-canonname.h >>> +new file mode 100644 >>> +index 0000000000..14f2a9cb08 >>> +--- /dev/null >>> ++++ b/nss/tst-nss-gai-hv2-canonname.h >>> +@@ -0,0 +1 @@ >>> ++#define QUERYNAME "test.example.com" >>> +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req >>> b/nss/tst-nss-gai-hv2-canonname.root/postclean.req >>> +new file mode 100644 >>> +index 0000000000..e69de29bb2 >>> +diff --git >>> a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script >>> b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script >>> +new file mode 100644 >>> +index 0000000000..31848b4a28 >>> +--- /dev/null >>> ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script >>> >>> +@@ -0,0 +1,2 @@ >>> ++cp $B/nss/libnss_test_gai_hv2_canonname.so >>> $L/libnss_test_gai_hv2_canonname.so.2 >>> ++su >>> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c >>> +index 6ae6744fe4..47f421fddf 100644 >>> +--- a/sysdeps/posix/getaddrinfo.c >>> ++++ b/sysdeps/posix/getaddrinfo.c >>> +@@ -120,6 +120,7 @@ struct gaih_result >>> + { >>> + struct gaih_addrtuple *at; >>> + char *canon; >>> ++ char *h_name; >>> + bool free_at; >>> + bool got_ipv6; >>> + }; >>> +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) >>> + if (res->free_at) >>> + free (res->at); >>> + free (res->canon); >>> ++ free (res->h_name); >>> + memset (res, 0, sizeof (*res)); >>> + } >>> + >>> +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct >>> gaih_typeproto *tp, >>> + return 0; >>> + } >>> + >>> +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. >>> h_name >>> +- is not copied, and the struct hostent object must not be deallocated >>> +- prematurely. The new addresses are appended to the tuple array in RES. >>> */ >>> ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. >>> The new >>> ++ addresses are appended to the tuple array in RES. */ >>> + static bool >>> + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int >>> family, >>> + struct hostent *h, struct gaih_result *res) >>> +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct >>> addrinfo *req, int family, >>> + res->at = array; >>> + res->free_at = true; >>> + >>> ++ /* Duplicate h_name because it may get reclaimed when the underlying >>> storage >>> ++ is freed. */ >>> ++ if (res->h_name == NULL) >>> ++ { >>> ++ res->h_name = __strdup (h->h_name); >>> ++ if (res->h_name == NULL) >>> ++ return false; >>> ++ } >>> ++ >>> + /* Update the next pointers on reallocation. */ >>> + for (size_t i = 0; i < old; i++) >>> + array[i].next = array + i + 1; >>> +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct >>> addrinfo *req, int family, >>> + } >>> + array[i].next = array + i + 1; >>> + } >>> +- array[0].name = h->h_name; >>> + array[count - 1].next = NULL; >>> + >>> + return true; >>> +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, >>> const char *name, >>> + memory allocation failure. The returned string is allocated on the >>> + heap; the caller has to free it. */ >>> + static char * >>> +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char >>> *name) >>> ++getcanonname (nss_action_list nip, const char *hname, const char *name) >>> + { >>> + nss_getcanonname_r *cfct = __nss_lookup_function (nip, >>> "getcanonname_r"); >>> + char *s = (char *) name; >>> + if (cfct != NULL) >>> + { >>> + char buf[256]; >>> +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), >>> +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) >>> ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, >>> ++ &h_errno)) != NSS_STATUS_SUCCESS) >>> + /* If the canonical name cannot be determined, use the passed >>> + string. */ >>> + s = (char *) name; >>> +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct >>> addrinfo *req, >>> + if ((req->ai_flags & AI_CANONNAME) != 0 >>> + && res->canon == NULL) >>> + { >>> +- char *canonbuf = getcanonname (nip, res->at, name); >>> ++ char *canonbuf = getcanonname (nip, res->h_name, name); >>> + if (canonbuf == NULL) >>> + { >>> + __resolv_context_put (res_ctx); >>> diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch >>> b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch >>> new file mode 100644 >>> index 0000000000..507db5e13b >>> --- /dev/null >>> +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch >>> @@ -0,0 +1,93 @@ >>> +From: Romain Geissler <romain.geissler@amadeus.com> >>> +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100) >>> +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 >>> [BZ #30843] >>> +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 >>> >>> + >>> +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ >>> #30843] >>> + >>> +This patch fixes a very recently added leak in getaddrinfo. >>> + >>> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> >>> + >>> +Upstream-Status: Backport [ https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 >>> ] >>> + >>> +CVE: CVE-2023-5156 >>> + >>> +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> >>> + >>> +--- >>> + >>> +diff --git a/nss/Makefile b/nss/Makefile >>> +index 8a5126ecf3..668ba34b18 100644 >>> +--- a/nss/Makefile >>> ++++ b/nss/Makefile >>> +@@ -149,6 +149,15 @@ endif >>> + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ >>> + nss_test_gai_hv2_canonname.os >>> + >>> ++ifeq ($(run-built-tests),yes) >>> ++ifneq (no,$(PERL)) >>> ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out >>> ++endif >>> ++endif >>> ++ >>> ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ >>> ++ tst-nss-gai-hv2-canonname.mtrace >>> ++ >>> + include ../Rules >>> + >>> + ifeq (yes,$(have-selinux)) >>> +@@ -217,6 +226,17 @@ endif >>> + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so >>> + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so >>> + >>> ++tst-nss-gai-hv2-canonname-ENV = \ >>> ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ >>> ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so >>> ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ >>> ++ $(objpfx)tst-nss-gai-hv2-canonname.out >>> ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ >>> ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) >>> \ >>> ++ && $(common-objpfx)malloc/mtrace \ >>> ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ >>> ++ $(evaluate-test) >>> ++ >>> + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS >>> + # functions can load testing NSS modules via DT_RPATH. >>> + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags >>> +diff --git a/nss/tst-nss-gai-hv2-canonname.c >>> b/nss/tst-nss-gai-hv2-canonname.c >>> +index d5f10c07d6..7db53cf09d 100644 >>> +--- a/nss/tst-nss-gai-hv2-canonname.c >>> ++++ b/nss/tst-nss-gai-hv2-canonname.c >>> +@@ -21,6 +21,7 @@ >>> + #include <netdb.h> >>> + #include <stdlib.h> >>> + #include <string.h> >>> ++#include <mcheck.h> >>> + #include <support/check.h> >>> + #include <support/xstdio.h> >>> + #include "nss/tst-nss-gai-hv2-canonname.h" >>> +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) >>> + static int >>> + do_test (void) >>> + { >>> ++ mtrace (); >>> ++ >>> + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); >>> + >>> + struct addrinfo hints = {}; >>> +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c >>> +index 47f421fddf..531124958d 100644 >>> +--- a/sysdeps/posix/getaddrinfo.c >>> ++++ b/sysdeps/posix/getaddrinfo.c >>> +@@ -1196,9 +1196,7 @@ free_and_return: >>> + if (malloc_name) >>> + free ((char *) name); >>> + free (addrmem); >>> +- if (res.free_at) >>> +- free (res.at); >>> +- free (res.canon); >>> ++ gaih_result_reset (&res); >>> + >>> + return result; >>> + } >>> diff --git a/meta/recipes-core/glibc/glibc_2.37.bb >>> b/meta/recipes-core/glibc/glibc_2.37.bb >>> index caf454f368..b88bc5fc4f 100644 >>> --- a/meta/recipes-core/glibc/glibc_2.37.bb >>> +++ b/meta/recipes-core/glibc/glibc_2.37.bb >>> @@ -50,6 +50,8 @@ SRC_URI = >>> "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ >>> file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ >>> file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ >>> file://0023-CVE-2023-4527.patch \ >>> + file://0024-CVE-2023-5156-1.patch \ >>> + file://0024-CVE-2023-5156-2.patch \ >>> " >>> S = "${WORKDIR}/git" >>> B = "${WORKDIR}/build-${TARGET_SYS}" >>> -- >>> 2.39.0 >> >> > >
diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch new file mode 100644 index 0000000000..65afaa446a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-1.patch @@ -0,0 +1,329 @@ +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Fri, 15 Sep 2023 17:51:12 +0000 (-0400) +Subject: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994 + +getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during tmpbuf resizing, through h_name in a previous query response. + +The backing store for res->at->name when doing a query with +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in +gethosts during the query. For AF_INET6 lookup with AI_ALL | +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second +for a v4 lookup. In this case, if the first call reallocates tmpbuf +enough number of times, resulting in a malloc, th->h_name (that +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. +Now if the second call to gethosts also causes the plugin callback to +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF +reference in res->at->name. This then gets dereferenced in the +getcanonname_r plugin call, resulting in the use after free. + +Fix this by copying h_name over and freeing it at the end. This +resolves BZ #30843, which is assigned CVE-2023-4806. + +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=973fe93a5675c42798b2161c6f29c01b0e243994] + +CVE: CVE-2023-5156 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/nss/Makefile b/nss/Makefile +index 06fcdc450f..8a5126ecf3 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -82,6 +82,7 @@ tests-container := \ + tst-nss-test3 \ + tst-reload1 \ + tst-reload2 \ ++ tst-nss-gai-hv2-canonname \ + # tests-container + + # Tests which need libdl +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) + ifeq ($(build-static-nss),yes) + tests-static += tst-nss-static + endif +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ ++ nss_test_gai_hv2_canonname.os + + include ../Rules + +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver + libof-nss_test1 = extramodules + libof-nss_test2 = extramodules + libof-nss_test_errno = extramodules ++libof-nss_test_gai_hv2_canonname = extramodules + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) + $(build-module) ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) ++ $(build-module) + $(objpfx)nss_test2.os : nss_test1.c + # Use the nss_files suffix for these objects as well. + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_errno.so + $(make-link) ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so ++ $(make-link) + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) + + ifeq (yes,$(have-thread-library)) + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c +new file mode 100644 +index 0000000000..4439c83c9f +--- /dev/null ++++ b/nss/nss_test_gai_hv2_canonname.c +@@ -0,0 +1,56 @@ ++/* NSS service provider that only provides gethostbyname2_r. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <nss.h> ++#include <stdlib.h> ++#include <string.h> ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++/* Catch misnamed and functions. */ ++#pragma GCC diagnostic error "-Wmissing-prototypes" ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) ++ ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, ++ struct hostent *, char *, ++ size_t, int *, int *); ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, ++ struct hostent *result, ++ char *buffer, size_t buflen, ++ int *errnop, int *herrnop) ++{ ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, ++ herrnop); ++} ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, ++ size_t buflen, char **result, ++ int *errnop, int *h_errnop) ++{ ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail ++ the test. */ ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) ++ || buflen < sizeof (QUERYNAME)) ++ abort (); ++ ++ strncpy (buffer, name, buflen); ++ *result = buffer; ++ return NSS_STATUS_SUCCESS; ++} +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +new file mode 100644 +index 0000000000..d5f10c07d6 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -0,0 +1,63 @@ ++/* Test NSS query path for plugins that only implement gethostbyname2 ++ (#30843). ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <nss.h> ++#include <netdb.h> ++#include <stdlib.h> ++#include <string.h> ++#include <support/check.h> ++#include <support/xstdio.h> ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++#define PREPARE do_prepare ++ ++static void do_prepare (int a, char **av) ++{ ++ FILE *hosts = xfopen ("/etc/hosts", "w"); ++ for (unsigned i = 2; i < 255; i++) ++ { ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); ++ } ++ xfclose (hosts); ++} ++ ++static int ++do_test (void) ++{ ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); ++ ++ struct addrinfo hints = {}; ++ struct addrinfo *result = NULL; ++ ++ hints.ai_family = AF_INET6; ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; ++ ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); ++ ++ if (ret != 0) ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); ++ ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); ++ ++ freeaddrinfo(result); ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h +new file mode 100644 +index 0000000000..14f2a9cb08 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.h +@@ -0,0 +1 @@ ++#define QUERYNAME "test.example.com" +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req +new file mode 100644 +index 0000000000..e69de29bb2 +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +new file mode 100644 +index 0000000000..31848b4a28 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +@@ -0,0 +1,2 @@ ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 ++su +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 6ae6744fe4..47f421fddf 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -120,6 +120,7 @@ struct gaih_result + { + struct gaih_addrtuple *at; + char *canon; ++ char *h_name; + bool free_at; + bool got_ipv6; + }; +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) + if (res->free_at) + free (res->at); + free (res->canon); ++ free (res->h_name); + memset (res, 0, sizeof (*res)); + } + +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + return 0; + } + +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name +- is not copied, and the struct hostent object must not be deallocated +- prematurely. The new addresses are appended to the tuple array in RES. */ ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new ++ addresses are appended to the tuple array in RES. */ + static bool + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + struct hostent *h, struct gaih_result *res) +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + res->at = array; + res->free_at = true; + ++ /* Duplicate h_name because it may get reclaimed when the underlying storage ++ is freed. */ ++ if (res->h_name == NULL) ++ { ++ res->h_name = __strdup (h->h_name); ++ if (res->h_name == NULL) ++ return false; ++ } ++ + /* Update the next pointers on reallocation. */ + for (size_t i = 0; i < old; i++) + array[i].next = array + i + 1; +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + } + array[i].next = array + i + 1; + } +- array[0].name = h->h_name; + array[count - 1].next = NULL; + + return true; +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, + memory allocation failure. The returned string is allocated on the + heap; the caller has to free it. */ + static char * +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) ++getcanonname (nss_action_list nip, const char *hname, const char *name) + { + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); + char *s = (char *) name; + if (cfct != NULL) + { + char buf[256]; +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, ++ &h_errno)) != NSS_STATUS_SUCCESS) + /* If the canonical name cannot be determined, use the passed + string. */ + s = (char *) name; +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + if ((req->ai_flags & AI_CANONNAME) != 0 + && res->canon == NULL) + { +- char *canonbuf = getcanonname (nip, res->at, name); ++ char *canonbuf = getcanonname (nip, res->h_name, name); + if (canonbuf == NULL) + { + __resolv_context_put (res_ctx); diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch new file mode 100644 index 0000000000..507db5e13b --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-5156-2.patch @@ -0,0 +1,93 @@ +From: Romain Geissler <romain.geissler@amadeus.com> +Date: Mon, 25 Sep 2023 00:21:51 +0000 (+0100) +Subject: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 + +Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] + +This patch fixes a very recently added leak in getaddrinfo. + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=ec6b95c3303c700eb89eebeda2d7264cc184a796] + +CVE: CVE-2023-5156 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/nss/Makefile b/nss/Makefile +index 8a5126ecf3..668ba34b18 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -149,6 +149,15 @@ endif + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os + ++ifeq ($(run-built-tests),yes) ++ifneq (no,$(PERL)) ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out ++endif ++endif ++ ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ ++ tst-nss-gai-hv2-canonname.mtrace ++ + include ../Rules + + ifeq (yes,$(have-selinux)) +@@ -217,6 +226,17 @@ endif + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so + ++tst-nss-gai-hv2-canonname-ENV = \ ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ ++ $(objpfx)tst-nss-gai-hv2-canonname.out ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ ++ && $(common-objpfx)malloc/mtrace \ ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ ++ $(evaluate-test) ++ + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS + # functions can load testing NSS modules via DT_RPATH. + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +index d5f10c07d6..7db53cf09d 100644 +--- a/nss/tst-nss-gai-hv2-canonname.c ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -21,6 +21,7 @@ + #include <netdb.h> + #include <stdlib.h> + #include <string.h> ++#include <mcheck.h> + #include <support/check.h> + #include <support/xstdio.h> + #include "nss/tst-nss-gai-hv2-canonname.h" +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) + static int + do_test (void) + { ++ mtrace (); ++ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 47f421fddf..531124958d 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1196,9 +1196,7 @@ free_and_return: + if (malloc_name) + free ((char *) name); + free (addrmem); +- if (res.free_at) +- free (res.at); +- free (res.canon); ++ gaih_result_reset (&res); + + return result; + } diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb index caf454f368..b88bc5fc4f 100644 --- a/meta/recipes-core/glibc/glibc_2.37.bb +++ b/meta/recipes-core/glibc/glibc_2.37.bb @@ -50,6 +50,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ file://0023-CVE-2023-4527.patch \ + file://0024-CVE-2023-5156-1.patch \ + file://0024-CVE-2023-5156-2.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"