


GNU C Library master sources branch ibm/2.18/master updated. glibc-2.18-168-g335863e


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.18/master has been updated
       via  335863ea7cbc2c4c2a1947039565b781cf488a8f (commit)
       via  53d405329ab189725e72b317f18cd939c6ad240a (commit)
      from  3c7fb252298c48ef424e65fe63ea818d688f1088 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=335863ea7cbc2c4c2a1947039565b781cf488a8f

commit 335863ea7cbc2c4c2a1947039565b781cf488a8f
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)
    
    Conflicts:
    	NEWS
    	nss/nss_files/files-hosts.c

diff --git a/ChangeLog b/ChangeLog
index a12d0b7..5c4e039 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,41 @@
+2015-05-11  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18007]
+	* nis/nss_compat/compat-grp.c (internal_endgrent): Don't call
+	nss_endgrent.
+	(_nss_compat_endgrent): Call nss_endgrent.
+	* nis/nss_compat/compat-pwd.c (internal_endpwent): Don't call
+	nss_endpwent.
+	(_nss_compat_endpwent): Call nss_endpwent.
+	* nis/nss_compat/compat-spwd.c (internal_setspent): Add parameter
+	needent, call nss_setspent only if non-zero.
+	(_nss_compat_setspent, _nss_compat_getspent_r): Pass non-zero.
+	(internal_endspent): Don't call nss_endspent.
+	(_nss_compat_endspent): Call nss_endspent.
+	* nss/nss_files/files-XXX.c (position, last_use, keep_stream):
+	Remove.  All uses removed.
+	(internal_setent): Remove parameter stayopen, add parameter
+	stream.  Use it instead of global variable.
+	(CONCAT(_nss_files_set,ENTNAME)): Pass global stream.
+	(internal_endent, internal_getent): Add parameter stream.  Use it
+	instead of global variable.
+	(CONCAT(_nss_files_end,ENTNAME))
+	(CONCAT(_nss_files_get,ENTNAME_r)): Pass global stream.
+	(_nss_files_get##name##_r): Pass local stream.  Remove locking.
+	* nss/nss_files/files-alias.c (position, last_use): Remove.  All
+	uses removed.
+	(internal_setent, internal_endent): Add parameter stream.  Use it
+	instead of global variable.
+	(_nss_files_setaliasent, _nss_files_endaliasent): Pass global
+	stream.
+	(get_next_alias): Add parameter stream.
+	(_nss_files_getaliasent_r): Pass global stream.
+	(_nss_files_getaliasbyname_r): Pass local stream.  Remove locking.
+	* nss/nss_files/files-hosts.c (_nss_files_gethostbyname3_r)
+	(_nss_files_gethostbyname4_r): Pass local stream to
+	internal_setent, internal_getent and internal_endent.  Remove
+	locking.
+
 2015-04-29  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #18007]
diff --git a/NEWS b/NEWS
index 47ca8e6..23ef099 100644
--- a/NEWS
+++ b/NEWS
@@ -15,10 +15,9 @@ Version 2.18.1
   16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17325, 17625,
   17630, 18007, 18104, 18287.
 
-* CVE-2014-8121 The NSS files backend would reset the file pointer used by
-  the get*ent functions if any of the query functions for the same database
-  are used during the iteration, causing a denial-of-service condition in
-  some applications.
+* CVE-2014-8121 The NSS backends shared internal state between the getXXent
+  and getXXbyYY NSS calls for the same database, causing a denial-of-service
+  condition in some applications.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
diff --git a/nis/nss_compat/compat-grp.c b/nis/nss_compat/compat-grp.c
index 72a9a7a..aace6b9 100644
--- a/nis/nss_compat/compat-grp.c
+++ b/nis/nss_compat/compat-grp.c
@@ -194,9 +194,6 @@ _nss_compat_setgrent (int stayopen)
 static enum nss_status
 internal_endgrent (ent_t *ent)
 {
-  if (nss_endgrent)
-    nss_endgrent ();
-
   if (ent->stream != NULL)
     {
       fclose (ent->stream);
@@ -222,6 +219,9 @@ _nss_compat_endgrent (void)
 
   __libc_lock_lock (lock);
 
+  if (nss_endgrent)
+    nss_endgrent ();
+
   result = internal_endgrent (&ext_ent);
 
   __libc_lock_unlock (lock);
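Review bot: Moving `nss_endgrent ()` out of `internal_endgrent` into the public `_nss_compat_endgrent` is what keeps the other callers of `internal_endgrent` from ending the NIS enumeration, but nothing in the code records that, and a later reader could "simplify" by moving the call back. A comment at the new call site would pin the intent, e.g. `/* Only the public endgrent may end the NIS enumeration; internal_endgrent is also used by the by-name/by-id lookups on their own ent_t.  */`. The same placement and comment apply to `_nss_compat_endpwent` in compat-pwd.c and `_nss_compat_endspent` in compat-spwd.c. That the lookups use a private ent_t is visible only in the spwd hunk (`internal_setspent (&ent, 0, 0)`); confirm it holds for grp and pwd before wording the comment that way.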
diff --git a/nis/nss_compat/compat-pwd.c b/nis/nss_compat/compat-pwd.c
index f934fb2..1c0000e 100644
--- a/nis/nss_compat/compat-pwd.c
+++ b/nis/nss_compat/compat-pwd.c
@@ -311,9 +311,6 @@ _nss_compat_setpwent (int stayopen)
 static enum nss_status
 internal_endpwent (ent_t *ent)
 {
-  if (nss_endpwent)
-    nss_endpwent ();
-
   if (ent->stream != NULL)
     {
       fclose (ent->stream);
@@ -346,6 +343,9 @@ _nss_compat_endpwent (void)
 
   __libc_lock_lock (lock);
 
+  if (nss_endpwent)
+    nss_endpwent ();
+
   result = internal_endpwent (&ext_ent);
 
   __libc_lock_unlock (lock);
diff --git a/nis/nss_compat/compat-spwd.c b/nis/nss_compat/compat-spwd.c
index e854b28..ed67c43 100644
--- a/nis/nss_compat/compat-spwd.c
+++ b/nis/nss_compat/compat-spwd.c
@@ -169,7 +169,7 @@ copy_spwd_changes (struct spwd *dest, struct spwd *src,
 }
 
 static enum nss_status
-internal_setspent (ent_t *ent, int stayopen)
+internal_setspent (ent_t *ent, int stayopen, int needent)
 {
   enum nss_status status = NSS_STATUS_SUCCESS;
 
@@ -239,7 +239,7 @@ internal_setspent (ent_t *ent, int stayopen)
 
   give_spwd_free (&ent->pwd);
 
-  if (status == NSS_STATUS_SUCCESS && nss_setspent)
+  if (needent && status == NSS_STATUS_SUCCESS && nss_setspent)
     ent->setent_status = nss_setspent (stayopen);
 
   return status;
@@ -256,7 +256,7 @@ _nss_compat_setspent (int stayopen)
   if (ni == NULL)
     init_nss_interface ();
 
-  result = internal_setspent (&ext_ent, stayopen);
+  result = internal_setspent (&ext_ent, stayopen, 1);
 
   __libc_lock_unlock (lock);
 
@@ -267,9 +267,6 @@ _nss_compat_setspent (int stayopen)
 static enum nss_status
 internal_endspent (ent_t *ent)
 {
-  if (nss_endspent)
-    nss_endspent ();
-
   if (ent->stream != NULL)
     {
       fclose (ent->stream);
@@ -303,6 +300,9 @@ _nss_compat_endspent (void)
 
   __libc_lock_lock (lock);
 
+  if (nss_endspent)
+    nss_endspent ();
+
   result = internal_endspent (&ext_ent);
 
   __libc_lock_unlock (lock);
@@ -658,7 +658,7 @@ _nss_compat_getspent_r (struct spwd *pwd, char *buffer, size_t buflen,
     init_nss_interface ();
 
   if (ext_ent.stream == NULL)
-    result = internal_setspent (&ext_ent, 1);
+    result = internal_setspent (&ext_ent, 1, 1);
 
   if (result == NSS_STATUS_SUCCESS)
     result = internal_getspent_r (pwd, &ext_ent, buffer, buflen, errnop);
@@ -830,7 +830,7 @@ _nss_compat_getspnam_r (const char *name, struct spwd *pwd,
 
   __libc_lock_unlock (lock);
 
-  result = internal_setspent (&ent, 0);
+  result = internal_setspent (&ent, 0, 0);
 
   if (result == NSS_STATUS_SUCCESS)
     result = internal_getspnam_r (name, pwd, &ent, buffer, buflen, errnop);
diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
index b3207e2..489dc5d 100644
--- a/nss/nss_files/files-XXX.c
+++ b/nss/nss_files/files-XXX.c
@@ -60,24 +60,23 @@
 /* Locks the static variables in this file.  */
 __libc_lock_define_initialized (static, lock)
 
-/* Maintenance of the shared stream open on the database file.  */
+/* Maintenance of the stream open on the database file.  For getXXent
+   operations the stream needs to be held open across calls, the other
+   getXXbyYY operations all use their own stream.  */
 
 static FILE *stream;
-static fpos_t position;
-static enum { nouse, getent, getby } last_use;
-static int keep_stream;
 
 /* Open database file if not already opened.  */
 static enum nss_status
-internal_setent (int stayopen)
+internal_setent (FILE **stream)
 {
   enum nss_status status = NSS_STATUS_SUCCESS;
 
-  if (stream == NULL)
+  if (*stream == NULL)
     {
-      stream = fopen (DATAFILE, "rce");
+      *stream = fopen (DATAFILE, "rce");
 
-      if (stream == NULL)
+      if (*stream == NULL)
 	status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL;
       else
 	{
@@ -90,7 +89,7 @@ internal_setent (int stayopen)
 	      int result;
 	      int flags;
 
-	      result = flags = fcntl (fileno (stream), F_GETFD, 0);
+	      result = flags = fcntl (fileno (*stream), F_GETFD, 0);
 	      if (result >= 0)
 		{
 # ifdef O_CLOEXEC
@@ -100,15 +99,15 @@ internal_setent (int stayopen)
 # endif
 		    {
 		      flags |= FD_CLOEXEC;
-		      result = fcntl (fileno (stream), F_SETFD, flags);
+		      result = fcntl (fileno (*stream), F_SETFD, flags);
 		    }
 		}
 	      if (result < 0)
 		{
 		  /* Something went wrong.  Close the stream and return a
 		     failure.  */
-		  fclose (stream);
-		  stream = NULL;
+		  fclose (*stream);
+		  *stream = NULL;
 		  status = NSS_STATUS_UNAVAIL;
 		}
 	    }
@@ -116,11 +115,7 @@ internal_setent (int stayopen)
 	}
     }
   else
-    rewind (stream);
-
-  /* Remember STAYOPEN flag.  */
-  if (stream != NULL)
-    keep_stream |= stayopen;
+    rewind (*stream);
 
   return status;
 }
@@ -134,16 +129,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
 
   __libc_lock_lock (lock);
 
-  status = internal_setent (1);
-
-  if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
-    {
-      fclose (stream);
-      stream = NULL;
-      status = NSS_STATUS_UNAVAIL;
-    }
-
-  last_use = getent;
+  status = internal_setent (&stream);
 
   __libc_lock_unlock (lock);
 
@@ -153,12 +139,12 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
 
 /* Close the database file.  */
 static void
-internal_endent (void)
+internal_endent (FILE **stream)
 {
-  if (stream != NULL)
+  if (*stream != NULL)
     {
-      fclose (stream);
-      stream = NULL;
+      fclose (*stream);
+      *stream = NULL;
     }
 }
 
@@ -169,10 +155,7 @@ CONCAT(_nss_files_end,ENTNAME) (void)
 {
   __libc_lock_lock (lock);
 
-  internal_endent ();
-
-  /* Reset STAYOPEN flag.  */
-  keep_stream = 0;
+  internal_endent (&stream);
 
   __libc_lock_unlock (lock);
 
@@ -182,7 +165,7 @@ CONCAT(_nss_files_end,ENTNAME) (void)
 /* Parsing the database file into `struct STRUCTURE' data structures.  */
 
 static enum nss_status
-internal_getent (struct STRUCTURE *result,
+internal_getent (FILE *stream, struct STRUCTURE *result,
 		 char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO
 		 EXTRA_ARGS_DECL)
 {
@@ -255,45 +238,14 @@ CONCAT(_nss_files_get,ENTNAME_r) (struct STRUCTURE *result, char *buffer,
     {
       int save_errno = errno;
 
-      status = internal_setent (0);
+      status = internal_setent (&stream);
 
       __set_errno (save_errno);
-
-      if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
-	{
-	  fclose (stream);
-	  stream = NULL;
-	  status = NSS_STATUS_UNAVAIL;
-	}
     }
 
   if (status == NSS_STATUS_SUCCESS)
-    {
-      /* If the last use was not by the getent function we need the
-	 position the stream.  */
-      if (last_use != getent)
-	{
-	  if (fsetpos (stream, &position) < 0)
-	    status = NSS_STATUS_UNAVAIL;
-	  else
-	    last_use = getent;
-	}
-
-      if (status == NSS_STATUS_SUCCESS)
-	{
-	  status = internal_getent (result, buffer, buflen, errnop
-				    H_ERRNO_ARG EXTRA_ARGS_VALUE);
-
-	  /* Remember this position if we were successful.  If the
-	     operation failed we give the user a chance to repeat the
-	     operation (perhaps the buffer was too small).  */
-	  if (status == NSS_STATUS_SUCCESS)
-	    fgetpos (stream, &position);
-	  else
-	    /* We must make sure we reposition the stream the next call.  */
-	    last_use = nouse;
-	}
-    }
+    status = internal_getent (stream, result, buffer, buflen, errnop
+			      H_ERRNO_ARG EXTRA_ARGS_VALUE);
 
   __libc_lock_unlock (lock);
 
@@ -319,27 +271,20 @@ _nss_files_get##name##_r (proto,					      \
 			  size_t buflen, int *errnop H_ERRNO_PROTO)	      \
 {									      \
   enum nss_status status;						      \
+  FILE *stream = NULL;							      \
 									      \
-  __libc_lock_lock (lock);						      \
-									      \
-  /* Reset file pointer to beginning or open file.  */			      \
-  status = internal_setent (keep_stream);				      \
+  /* Open file.  */							      \
+  status = internal_setent (&stream);					      \
 									      \
   if (status == NSS_STATUS_SUCCESS)					      \
     {									      \
-      /* Tell getent function that we have repositioned the file pointer.  */ \
-      last_use = getby;							      \
-									      \
-      while ((status = internal_getent (result, buffer, buflen, errnop	      \
+      while ((status = internal_getent (stream, result, buffer, buflen, errnop \
 					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
 	     == NSS_STATUS_SUCCESS)					      \
 	{ break_if_match }						      \
 									      \
-      if (! keep_stream)						      \
-	internal_endent ();						      \
+      internal_endent (&stream);					      \
     }									      \
 									      \
-  __libc_lock_unlock (lock);						      \
-									      \
   return status;							      \
 }
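Review bot: The comment `/* Open file.  */` no longer explains why the lock around this block was dropped, and a reader comparing it with the still-locked getXXent_r path above will wonder. Suggest `/* Open a stream private to this call; no lock is needed because the shared stream and the getXXent position are never touched.  */`. Calling `internal_endent (&stream)` only inside the success branch is correct as far as this diff shows: `internal_setent` leaves `*stream` NULL when `fopen` fails and resets it to NULL when the fcntl fix-up fails. The macro's parameter list and the start of the function body lie before this hunk.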
diff --git a/nss/nss_files/files-alias.c b/nss/nss_files/files-alias.c
index 8e9cd60..650e075 100644
--- a/nss/nss_files/files-alias.c
+++ b/nss/nss_files/files-alias.c
@@ -33,23 +33,23 @@
 /* Locks the static variables in this file.  */
 __libc_lock_define_initialized (static, lock)
 
-/* Maintenance of the shared stream open on the database file.  */
+/* Maintenance of the stream open on the database file.  For getXXent
+   operations the stream needs to be held open across calls, the other
+   getXXbyYY operations all use their own stream.  */
 
 static FILE *stream;
-static fpos_t position;
-static enum { nouse, getent, getby } last_use;
 
 
 static enum nss_status
-internal_setent (void)
+internal_setent (FILE **stream)
 {
   enum nss_status status = NSS_STATUS_SUCCESS;
 
-  if (stream == NULL)
+  if (*stream == NULL)
     {
-      stream = fopen ("/etc/aliases", "rce");
+      *stream = fopen ("/etc/aliases", "rce");
 
-      if (stream == NULL)
+      if (*stream == NULL)
 	status = errno == EAGAIN ? NSS_STATUS_TRYAGAIN : NSS_STATUS_UNAVAIL;
       else
 	{
@@ -62,7 +62,7 @@ internal_setent (void)
 	      int result;
 	      int flags;
 
-	      result = flags = fcntl (fileno (stream), F_GETFD, 0);
+	      result = flags = fcntl (fileno (*stream), F_GETFD, 0);
 	      if (result >= 0)
 		{
 # ifdef O_CLOEXEC
@@ -72,14 +72,14 @@ internal_setent (void)
 # endif
 		    {
 		      flags |= FD_CLOEXEC;
-		      result = fcntl (fileno (stream), F_SETFD, flags);
+		      result = fcntl (fileno (*stream), F_SETFD, flags);
 		    }
 		}
 	      if (result < 0)
 		{
 		  /* Something went wrong.  Close the stream and return a
 		     failure.  */
-		  fclose (stream);
+		  fclose (*stream);
 		  stream = NULL;
 		  status = NSS_STATUS_UNAVAIL;
 		}
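Review bot: `stream = NULL;` in the fcntl failure path now assigns the parameter `FILE **stream` itself rather than the caller's pointer, so after `fclose (*stream)` the caller's stream still points at the closed FILE while `NSS_STATUS_UNAVAIL` is returned. For `_nss_files_setaliasent` that is the file-scope stream, which `_nss_files_getaliasent_r` then sees as non-NULL and reads from; for `_nss_files_getaliasbyname_r` it is the local stream, which `internal_endent (&stream)` closes a second time. The line should read `*stream = NULL;`, as the corresponding hunk in files-XXX.c does. The path is only reached when `fcntl` fails, so it is unlikely in practice, but it is a use-after-free / double close.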
@@ -88,7 +88,7 @@ internal_setent (void)
 	}
     }
   else
-    rewind (stream);
+    rewind (*stream);
 
   return status;
 }
@@ -102,16 +102,7 @@ _nss_files_setaliasent (void)
 
   __libc_lock_lock (lock);
 
-  status = internal_setent ();
-
-  if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
-    {
-      fclose (stream);
-      stream = NULL;
-      status = NSS_STATUS_UNAVAIL;
-    }
-
-  last_use = getent;
+  status = internal_setent (&stream);
 
   __libc_lock_unlock (lock);
 
@@ -121,12 +112,12 @@ _nss_files_setaliasent (void)
 
 /* Close the database file.  */
 static void
-internal_endent (void)
+internal_endent (FILE **stream)
 {
-  if (stream != NULL)
+  if (*stream != NULL)
     {
-      fclose (stream);
-      stream = NULL;
+      fclose (*stream);
+      *stream = NULL;
     }
 }
 
@@ -137,7 +128,7 @@ _nss_files_endaliasent (void)
 {
   __libc_lock_lock (lock);
 
-  internal_endent ();
+  internal_endent (&stream);
 
   __libc_lock_unlock (lock);
 
@@ -146,7 +137,7 @@ _nss_files_endaliasent (void)
 
 /* Parsing the database file into `struct aliasent' data structures.  */
 static enum nss_status
-get_next_alias (const char *match, struct aliasent *result,
+get_next_alias (FILE *stream, const char *match, struct aliasent *result,
 		char *buffer, size_t buflen, int *errnop)
 {
   enum nss_status status = NSS_STATUS_NOTFOUND;
@@ -397,35 +388,16 @@ _nss_files_getaliasent_r (struct aliasent *result, char *buffer, size_t buflen,
 
   /* Be prepared that the set*ent function was not called before.  */
   if (stream == NULL)
-    status = internal_setent ();
+    status = internal_setent (&stream);
 
   if (status == NSS_STATUS_SUCCESS)
     {
-      /* If the last use was not by the getent function we need the
-	 position the stream.  */
-      if (last_use != getent)
-	{
-	  if (fsetpos (stream, &position) < 0)
-	    status = NSS_STATUS_UNAVAIL;
-	  else
-	    last_use = getent;
-	}
+      result->alias_local = 1;
 
-      if (status == NSS_STATUS_SUCCESS)
-	{
-	  result->alias_local = 1;
-
-	  /* Read lines until we get a definite result.  */
-	  do
-	    status = get_next_alias (NULL, result, buffer, buflen, errnop);
-	  while (status == NSS_STATUS_RETURN);
-
-	  /* If we successfully read an entry remember this position.  */
-	  if (status == NSS_STATUS_SUCCESS)
-	    fgetpos (stream, &position);
-	  else
-	    last_use = nouse;
-	}
+      /* Read lines until we get a definite result.  */
+      do
+	status = get_next_alias (stream, NULL, result, buffer, buflen, errnop);
+      while (status == NSS_STATUS_RETURN);
     }
 
   __libc_lock_unlock (lock);
@@ -440,6 +412,7 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
 {
   /* Return next entry in host file.  */
   enum nss_status status = NSS_STATUS_SUCCESS;
+  FILE *stream = NULL;
 
   if (name == NULL)
     {
@@ -447,11 +420,8 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
       return NSS_STATUS_UNAVAIL;
     }
 
-  __libc_lock_lock (lock);
-
-  /* Open the stream or rest it.  */
-  status = internal_setent ();
-  last_use = getby;
+  /* Open the stream.  */
+  status = internal_setent (&stream);
 
   if (status == NSS_STATUS_SUCCESS)
     {
@@ -459,13 +429,11 @@ _nss_files_getaliasbyname_r (const char *name, struct aliasent *result,
 
       /* Read lines until we get a definite result.  */
       do
-	status = get_next_alias (name, result, buffer, buflen, errnop);
+	status = get_next_alias (stream, name, result, buffer, buflen, errnop);
       while (status == NSS_STATUS_RETURN);
     }
 
-  internal_endent ();
-
-  __libc_lock_unlock (lock);
+  internal_endent (&stream);
 
   return status;
 }
diff --git a/nss/nss_files/files-hosts.c b/nss/nss_files/files-hosts.c
index 6db2535..2a74d06 100644
--- a/nss/nss_files/files-hosts.c
+++ b/nss/nss_files/files-hosts.c
@@ -105,22 +105,18 @@ _nss_files_get##name##_r (proto,					      \
 			  struct STRUCTURE *result, char *buffer,	      \
 			  size_t buflen, int *errnop H_ERRNO_PROTO)	      \
 {									      \
-  uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct hostent_data);    \
+  FILE *stream = NULL;							      \
+  uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct hostent_data); \
   buffer += pad;							      \
   buflen = buflen > pad ? buflen - pad : 0;				      \
 									      \
-  __libc_lock_lock (lock);						      \
-									      \
-  /* Reset file pointer to beginning or open file.  */			      \
-  enum nss_status status = internal_setent (keep_stream);		      \
+  /* Open file.  */							      \
+  enum nss_status status = internal_setent (&stream);			      \
 									      \
   if (status == NSS_STATUS_SUCCESS)					      \
     {									      \
-      /* Tell getent function that we have repositioned the file pointer.  */ \
-      last_use = getby;							      \
-									      \
-      while ((status = internal_getent (result, buffer, buflen, errnop	      \
-					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
+      while ((status = internal_getent (stream, result, buffer, buflen,       \
+					errnop H_ERRNO_ARG EXTRA_ARGS_VALUE)) \
 	     == NSS_STATUS_SUCCESS)					      \
 	{ break_if_match }						      \
 									      \
@@ -144,9 +140,9 @@ _nss_files_get##name##_r (proto,					      \
 	  bufferend = (char *) &result->h_aliases[naliases + 1];	      \
 									      \
 	again:								      \
-	  while ((status = internal_getent (&tmp_result_buf, tmp_buffer,      \
-					    tmp_buflen, errnop H_ERRNO_ARG    \
-					    EXTRA_ARGS_VALUE))		      \
+	  while ((status = internal_getent (stream, &tmp_result_buf,	      \
+					    tmp_buffer, tmp_buflen, errnop    \
+					    H_ERRNO_ARG EXTRA_ARGS_VALUE))    \
 		 == NSS_STATUS_SUCCESS)					      \
 	    {								      \
 	      int matches = 1;						      \
@@ -321,12 +317,9 @@ _nss_files_get##name##_r (proto,					      \
 	}								      \
 									      \
 									      \
-      if (! keep_stream)						      \
-	internal_endent ();						      \
+      internal_endent (&stream);					      \
     }									      \
 									      \
-  __libc_lock_unlock (lock);						      \
-									      \
   return status;							      \
 }
 
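Review bot: Calling `internal_endent (&stream)` unconditionally here, and likewise in `_nss_files_gethostbyname4_r` in the later hunk, drops the `if (! keep_stream)` check that for the hosts database used to honour `sethostent (1)`; unlike the other databases, where the stayopen flag is always 0 per the second commit's description, here it is application-controlled, so a caller using `sethostent (1)` to amortise the open will now see `/etc/hosts` opened and closed on every lookup. That is presumably the intended trade-off, since the shared stayopen state was part of what leaked between enumeration and lookup, but it is a visible behaviour change that neither the commit message nor the NEWS entry mentions. A one-line comment at the call, `/* Each lookup uses its own stream, so stayopen cannot be honoured here.  */`, would record the decision.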
@@ -365,22 +358,18 @@ DB_LOOKUP (hostbyaddr, ,,,
 	   }, const void *addr, socklen_t len, int af)
 #undef EXTRA_ARGS_VALUE
 
-
 enum nss_status
 _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
 			     char *buffer, size_t buflen, int *errnop,
 			     int *herrnop, int32_t *ttlp)
 {
-  __libc_lock_lock (lock);
+  FILE *stream = NULL;
 
-  /* Reset file pointer to beginning or open file.  */
-  enum nss_status status = internal_setent (keep_stream);
+  /* Open file.  */
+  enum nss_status status = internal_setent (&stream);
 
   if (status == NSS_STATUS_SUCCESS)
     {
-      /* Tell getent function that we have repositioned the file pointer.  */
-      last_use = getby;
-
       bool any = false;
       bool got_canon = false;
       while (1)
@@ -392,7 +381,7 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
 	  buflen = buflen > pad ? buflen - pad : 0;
 
 	  struct hostent result;
-	  status = internal_getent (&result, buffer, buflen, errnop
+	  status = internal_getent (stream, &result, buffer, buflen, errnop
 				    H_ERRNO_ARG, AF_UNSPEC, 0);
 	  if (status != NSS_STATUS_SUCCESS)
 	    break;
@@ -468,8 +457,7 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
 	  status = NSS_STATUS_SUCCESS;
 	}
 
-      if (! keep_stream)
-	internal_endent ();
+      internal_endent (&stream);
     }
   else if (status == NSS_STATUS_TRYAGAIN)
     {
@@ -482,7 +470,5 @@ _nss_files_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
       *herrnop = NO_DATA;
     }
 
-  __libc_lock_unlock (lock);
-
   return status;
 }

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=53d405329ab189725e72b317f18cd939c6ad240a

commit 53d405329ab189725e72b317f18cd939c6ad240a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
    
    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.
    
    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:
    
    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …
    
    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed skip closing the input file if it was already open.
    
      /* Reset file pointer to beginning or open file.  */			      \
      status = internal_setent (keep_stream);				      \
    									      \
      if (status == NSS_STATUS_SUCCESS)					      \
        {									      \
          /* Tell getent function that we have repositioned the file pointer.  */ \
          last_use = getby;							      \
    									      \
          while ((status = internal_getent (result, buffer, buflen, errnop	      \
    					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
    	     == NSS_STATUS_SUCCESS)					      \
    	{ break_if_match }						      \
    									      \
          if (! keep_stream)						      \
    	internal_endent ();						      \
        }									      \
    
    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:
    
      status = internal_setent (stayopen);
    
    However, for non-host database, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.
    
    Thus, the fix is this:
    
    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
    
    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.
    
    Conflicts:
    	NEWS

diff --git a/ChangeLog b/ChangeLog
index f006275..a12d0b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-04-29  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18007]
+	* nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
+	(CVE-2014-8121)
+	* nss/tst-nss-getpwent.c: New file.
+	* nss/Makefile (tests): Add new test.
+
 2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
 
 	[BZ #18287]
diff --git a/NEWS b/NEWS
index 48bd9ed..47ca8e6 100644
--- a/NEWS
+++ b/NEWS
@@ -13,7 +13,12 @@ Version 2.18.1
   15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946,
   15996, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617,
   16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17325, 17625,
-  17630, 18104, 18287.
+  17630, 18007, 18104, 18287.
+
+* CVE-2014-8121 The NSS files backend would reset the file pointer used by
+  the get*ent functions if any of the query functions for the same database
+  are used during the iteration, causing a denial-of-service condition in
+  some applications.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
diff --git a/nss/Makefile b/nss/Makefile
index ae2e5f6..914b460 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -37,7 +37,7 @@ install-bin             := getent makedb
 makedb-modules = xmalloc hash-string
 extra-objs		+= $(makedb-modules:=.o)
 
-tests			= test-netdb tst-nss-test1 test-digits-dots
+tests			= test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent
 xtests			= bug-erange
 
 include ../Makeconfig
diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
index 082d1ea..b3207e2 100644
--- a/nss/nss_files/files-XXX.c
+++ b/nss/nss_files/files-XXX.c
@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
 
   __libc_lock_lock (lock);
 
-  status = internal_setent (stayopen);
+  status = internal_setent (1);
 
   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
     {
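Review bot: `internal_setent (1)` silently ignores the `stayopen` parameter of `CONCAT(_nss_files_set,ENTNAME)`, and the reasoning lives only in the commit message, so the hard-coded 1 will look like a mistake to the next reader. Suggest a comment on the call: `/* Always keep the stream open: STAYOPEN is 0 for every non-host database (see nss/getXXent_r.c), and closing the shared stream during an enumeration resets the iteration (BZ #18007, CVE-2014-8121).  */`. With this change the parameter is unused in this function, which may need `(void) stayopen;` depending on the warning flags in use. The function body continues outside this hunk.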
diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c
new file mode 100644
index 0000000..f2e8abc
--- /dev/null
+++ b/nss/tst-nss-getpwent.c
@@ -0,0 +1,118 @@
+/* Copyright (C) 2015 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+do_test (void)
+{
+  /* Count the number of entries in the password database, and fetch
+     data from the first and last entries.  */
+  size_t count = 0;
+  struct passwd * pw;
+  char *first_name = NULL;
+  uid_t first_uid = 0;
+  char *last_name = NULL;
+  uid_t last_uid = 0;
+  setpwent ();
+  while ((pw  = getpwent ()) != NULL)
+    {
+      if (first_name == NULL)
+	{
+	  first_name = strdup (pw->pw_name);
+	  if (first_name == NULL)
+	    {
+	      printf ("strdup: %m\n");
+	      return 1;
+	    }
+	  first_uid = pw->pw_uid;
+	}
+
+      free (last_name);
+      last_name = strdup (pw->pw_name);
+      if (last_name == NULL)
+	{
+	  printf ("strdup: %m\n");
+	  return 1;
+	}
+      last_uid = pw->pw_uid;
+      ++count;
+    }
+  endpwent ();
+
+  if (count == 0)
+    {
+      printf ("No entries in the password database.\n");
+      return 0;
+    }
+
+  /* Try again, this time interleaving with name-based and UID-based
+     lookup operations.  The counts do not match if the interleaved
+     lookups affected the enumeration.  */
+  size_t new_count = 0;
+  setpwent ();
+  while ((pw  = getpwent ()) != NULL)
+    {
+      if (new_count == count)
+	{
+	  printf ("Additional entry in the password database.\n");
+	  return 1;
+	}
+      ++new_count;
+      struct passwd *pw2 = getpwnam (first_name);
+      if (pw2 == NULL)
+	{
+	  printf ("getpwnam (%s) failed: %m\n", first_name);
+	  return 1;
+	}
+      pw2 = getpwnam (last_name);
+      if (pw2 == NULL)
+	{
+	  printf ("getpwnam (%s) failed: %m\n", last_name);
+	  return 1;
+	}
+      pw2 = getpwuid (first_uid);
+      if (pw2 == NULL)
+	{
+	  printf ("getpwuid (%llu) failed: %m\n",
+		  (unsigned long long) first_uid);
+	  return 1;
+	}
+      pw2 = getpwuid (last_uid);
+      if (pw2 == NULL)
+	{
+	  printf ("getpwuid (%llu) failed: %m\n",
+		  (unsigned long long) last_uid);
+	  return 1;
+	}
+    }
+  endpwent ();
+  if (new_count < count)
+    {
+      printf ("Missing entry in the password database.\n");
+      return 1;
+    }
+
+  return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
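Review bot: The second pass only checks that the number of entries matches, so an interleaved lookup that rewinds or skips within the enumeration is caught only when it happens to change the count; comparing content would make the test sharper. For example, before `++new_count;`: `if (new_count == 0 && strcmp (pw->pw_name, first_name) != 0) { printf ("First entry changed to %s\n", pw->pw_name); return 1; }`, and a matching check of the final entry against `last_name` after the loop. The `pw2` results are only NULL-checked, so the variable could be dropped in favour of `if (getpwnam (first_name) == NULL)`. `first_name` and `last_name` are never freed; harmless in a test, but a `free` of both before the final `return 0` keeps leak checkers quiet.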

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   44 +++++----------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 255 insertions(+), 188 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c


hooks/post-receive
-- 
GNU C Library master sources

