[Bug libc/20338] New: Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

            Bug ID: 20338
           Summary: Parsing of /etc/gshadow can return bad pointers
                    causing segfaults in applications
           Product: glibc
           Version: 2.21
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: fedora.dm0 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Specifically structured /etc/gshadow entries can cause fgetgsent() to return
invalid pointers that cause applications to segfault on dereference.

One line must fit into the character buffer (1024 bytes, unless a previous line
was longer) but have enough group members such that

     line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.

The parser would return early to avoid overflow, leaving the static result
struct pointing to pointers from the previous line which are now invalid,
causing segfaults when those pointers are dereferenced.

See the following for a test program and a patch:

https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html

--
You are receiving this mail because:
You are on the CC list for the bug.
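
An added example, not part of the original report or of glibc: a C check that evaluates the inequality above for a single /etc/gshadow line, so an audit can flag entries that fit the 1024-byte buffer yet still exceed it once the pointer arrays are counted. The function names, the constructed sample line, and the reading of "line length" (text plus NUL) and "alignment" (padding to pointer alignment) are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define GSHADOW_BUFLEN 1024  /* initial buffer size quoted in the report */

/* Count entries in a comma-separated list spanning [s, e). */
static size_t count_list(const char *s, const char *e)
{
    size_t n = (s < e) ? 1 : 0;
    for (; s < e; s++)
        n += (*s == ',');
    return n;
}

/* Left side of the report's inequality for one "name:pw:adm:mem" line.
   Assumption: "line length" is the text plus its NUL, and "alignment"
   pads that up to pointer alignment. Returns 0 for a malformed line. */
size_t gshadow_line_need(const char *line)
{
    size_t len = strcspn(line, "\n");
    const char *end = line + len, *p = line, *f[3];
    for (int i = 0; i < 3; i++) {
        p = memchr(p, ':', (size_t)(end - p));
        if (p == NULL)
            return 0;
        f[i] = ++p;               /* start of the field after this colon */
    }
    size_t adm = count_list(f[1], f[2] - 1);   /* administrators field */
    size_t mem = count_list(f[2], end);        /* members field */
    size_t text = len + 1;
    size_t pad = (sizeof(char *) - text % sizeof(char *)) % sizeof(char *);
    return text + pad + sizeof(char *) * (adm + 1 + mem + 1);
}

/* 1 if the line fits the buffer but the inequality still holds. */
int gshadow_line_at_risk(const char *line)
{
    size_t len = strcspn(line, "\n");
    return len + 1 <= GSHADOW_BUFLEN && gshadow_line_need(line) > GSHADOW_BUFLEN;
}

/* Constructed sample: group "g" with `members` one-letter members.
   Returns the computed need if the line is flagged, otherwise 0. */
size_t sample_need(size_t members)
{
    char buf[GSHADOW_BUFLEN] = "g:!::";
    size_t n = 5;
    for (size_t i = 0; i < members && n + 2 < sizeof buf; i++) {
        if (i) buf[n++] = ',';
        buf[n++] = 'a';
    }
    buf[n] = '\0';
    return gshadow_line_at_risk(buf) ? gshadow_line_need(buf) : 0;
}
```

A 200-member constructed line is only 404 characters long, yet it is flagged on both 32-bit and 64-bit pointer sizes because the pointer arrays dominate the total.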

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-07-11
     Ever confirmed|0                           |1

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

fedora.dm0 at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fedora.dm0 at gmail dot com

--- Comment #1 from fedora.dm0 at gmail dot com ---
Created attachment 9705
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9705&action=edit
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

--- Comment #2 from fedora.dm0 at gmail dot com ---
Can this be applied to make it into the next release?

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

howaboutsynergy at pm dot me changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |howaboutsynergy at pm dot me

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Jason Perrin <jasonvperrin at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jasonvperrin at gmail dot com

--- Comment #3 from Jason Perrin <jasonvperrin at gmail dot com> ---
This is affecting us too (specifically this bug, leading to
https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing
tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything
we can do to help get the patch merged?

Thanks for your work on glibc!

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
           See Also|                            |https://github.com/systemd/
                   |                            |systemd/issues/6512

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=1793577

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
Patches posted:
https://sourceware.org/pipermail/libc-alpha/2020-July/116430.html

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.32
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.32 via:

commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <[hidden email]>
Date:   Thu Jul 16 17:31:20 2020 +0200

    gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)

    Tested-by: Carlos O'Donell <[hidden email]>
    Reviewed-by: Carlos O'Donell <[hidden email]>

[Bug libc/20338] Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
I'm flagging this as security- because the affected files contain trusted
content.
