This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug network/19791] Assertion failure in res_query.c with un-connectable name server addresses
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 19 Apr 2016 22:47:10 +0000
- Subject: [Bug network/19791] Assertion failure in res_query.c with un-connectable name server addresses
- Auto-submitted: auto-generated
- References: <bug-19791-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=19791
--- Comment #22 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.18/master has been updated
via 2eb35ebfb291f773c1ba7939601a049acb4f3706 (commit)
via 3ac88d96513b73b69fdc64d9c2f17cc38257a828 (commit)
from eca182fcad77681d5ebe9ab49f91d33ed85d8289 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2eb35ebfb291f773c1ba7939601a049acb4f3706
commit 2eb35ebfb291f773c1ba7939601a049acb4f3706
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Apr 19 17:38:19 2016 -0500
resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
second fallback mode for DNS requests), there is a code path which
returns early, before *resplen2 is initialized. This happens if the
name server address is immediately recognized as invalid (because of
lack of protocol support, or if it is a broadcast address such
255.255.255.255, or another invalid address).
If this happens and *resplen2 was non-zero (which is the case if a
previous query resulted in a failure), __libc_res_nquery would reuse
an existing second answer buffer. This answer has been previously
identified as unusable (for example, it could be an NXDOMAIN
response). Due to the presence of a second answer, no name server
switching will occur. The result is a name resolution failure,
although a successful resolution would have been possible if name
servers have been switched and queries had proceeded along the search
path.
The above paragraph still simplifies the situation. Before glibc
2.23, if the second answer needed malloc, the stub resolver would
still attempt to reuse the second answer, but this is not possible
because __libc_res_nsearch has freed it, after the unsuccessful call
to __libc_res_nquerydomain, and set the buffer pointer to NULL. This
eventually leads to an assertion failure in __libc_res_nquery:
/* Make sure both hp and hp2 are defined */
assert((hp != NULL) && (hp2 != NULL));
If assertions are disabled, the consequence is a NULL pointer
dereference on the next line.
Starting with glibc 2.23, as a result of commit
e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
stack-based buffer overflow (Bug 18665)), the second answer is always
allocated with malloc. This means that the assertion failure happens
with small responses as well because there is no buffer to reuse, as
soon as there is a name resolution failure which triggers a search for
an answer along the search path.
This commit addresses the issue by ensuring that *resplen2 is
initialized before the send_dg function returns.
This commit also addresses a bug where an invalid second reply is
incorrectly returned as a valid to the caller.
(cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ac88d96513b73b69fdc64d9c2f17cc38257a828
commit 3ac88d96513b73b69fdc64d9c2f17cc38257a828
Author: Carlos O'Donell <carlos@systemhalted.org>
Date: Tue Apr 19 17:38:09 2016 -0500
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
(cherry pick from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 24 ++++
NEWS | 14 ++
resolv/nss_dns/dns-host.c | 111 +++++++++++++++-
resolv/res_query.c | 3 +
resolv/res_send.c | 325 +++++++++++++++++++++++++++++++++------------
5 files changed, 391 insertions(+), 86 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.