!704 [sync] PR-701: fix:CVE-2023-4086 CVE-2023-5156

From: @openeuler-sync-bot Reviewed-by: @liqingqing_1229 Signed-off-by: @liqingqing_1229
2023-09-26 08:46:49 +00:00 · 2023-09-26 08:46:49 +00:00 · 3ac148a4ad
commit 3ac148a4ad
parent 3382c2c8dd c07b6a456a
2 changed files with 154 additions and 1 deletions
--- a/backport-CVE-2023-4806.patch
+++ b/backport-CVE-2023-4806.patch
@ -0,0 +1,149 @@
+From 973fe93a5675c42798b2161c6f29c01b0e243994 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Fri, 15 Sep 2023 13:51:12 -0400
+Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname
+ (CVE-2023-4806)
+
+When an NSS plugin only implements the _gethostbyname2_r and
+_getcanonname_r callbacks, getaddrinfo could use memory that was freed
+during tmpbuf resizing, through h_name in a previous query response.
+
+The backing store for res->at->name when doing a query with
+gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
+gethosts during the query.  For AF_INET6 lookup with AI_ALL |
+AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
+for a v4 lookup.  In this case, if the first call reallocates tmpbuf
+enough number of times, resulting in a malloc, th->h_name (that
+res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
+Now if the second call to gethosts also causes the plugin callback to
+return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
+reference in res->at->name.  This then gets dereferenced in the
+getcanonname_r plugin call, resulting in the use after free.
+
+Fix this by copying h_name over and freeing it at the end.  This
+resolves BZ #30843, which is assigned CVE-2023-4806.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+---
+ sysdeps/posix/getaddrinfo.c | 36 +++++++++++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 7 deletions(-)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 9f1cde27..07fbf441 100644
+--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
+@@ -106,6 +106,12 @@ struct gaih_servtuple
+     int port;
+   };
+ 
+struct gaih_result
+{
+	char *h_name;
+	bool malloc_h_name;
+};
+
+ static const struct gaih_servtuple nullserv;
+ 
+ 
+@@ -197,7 +203,8 @@ static bool
+ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+ 				   int family,
+ 				   struct hostent *h,
+-				   struct gaih_addrtuple **result)
+				   struct gaih_addrtuple **result,
+				   struct gaih_result *res)
+ {
+   while (*result)
+     result = &(*result)->next;
+@@ -216,6 +223,16 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+   if (array == NULL)
+     return false;
+ 
+  /* Duplicate h_name because it may get reclaimed when the underlying storage
+     is freed.  */
+  if (res->h_name == NULL)
+    {
+      res->h_name = __strdup (h->h_name);
+      res->malloc_h_name = true;
+      if (res->h_name == NULL)
+        return false;
+    }
+
+   for (size_t i = 0; i < count; ++i)
+     {
+       if (family == AF_INET && req->ai_family == AF_INET6)
+@@ -232,7 +249,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+ 	}
+       array[i].next = array + i + 1;
+     }
+-  array[0].name = h->h_name;
+   array[count - 1].next = NULL;
+ 
+   *result = array;
+@@ -275,7 +291,7 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+     }									      \
+   else if (status == NSS_STATUS_SUCCESS)				      \
+     {									      \
+-      if (!convert_hostent_to_gaih_addrtuple (req, _family, &th, &addrmem))   \
+      if (!convert_hostent_to_gaih_addrtuple (req, _family, &th, &addrmem, &res))   \
+ 	{								      \
+ 	  __resolv_context_put (res_ctx);				      \
+ 	  result = -EAI_SYSTEM;						      \
+@@ -307,14 +323,14 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
+    memory allocation failure.  The returned string is allocated on the
+    heap; the caller has to free it.  */
+ static char *
+-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name)
+getcanonname (nss_action_list nip, const char *hname, const char *name)
+ {
+   nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r");
+   char *s = (char *) name;
+   if (cfct != NULL)
+     {
+       char buf[256];
+-      if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf),
+      if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf),
+ 			      &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS)
+ 	/* If the canonical name cannot be determined, use the passed
+ 	   string.  */
+@@ -335,6 +351,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+   const char *canon = NULL;
+   const char *orig_name = name;
+ 
+  struct gaih_result res = {0};
+
+   /* Reserve stack memory for the scratch buffer in the getaddrinfo
+      function.  */
+   size_t alloca_used = sizeof (struct scratch_buffer);
+@@ -574,7 +592,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 		    {
+ 		      /* We found data, convert it.  */
+ 		      if (!convert_hostent_to_gaih_addrtuple
+-			  (req, AF_INET, h, &addrmem))
+			  (req, AF_INET, h, &addrmem, &res))
+ 			{
+ 			  result = -EAI_MEMORY;
+ 			  goto free_and_return;
+@@ -858,7 +876,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ 			  if ((req->ai_flags & AI_CANONNAME) != 0
+ 			      && canon == NULL)
+ 			    {
+-			      canonbuf = getcanonname (nip, at, name);
+			      canonbuf = getcanonname (nip, res.h_name, name);
+ 			      if (canonbuf == NULL)
+ 				{
+ 				  __resolv_context_put (res_ctx);
+@@ -1101,6 +1119,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
+   free (addrmem);
+   free (canonbuf);
+ 
+  if (res.malloc_h_name){
+    free (res.h_name);
+  }
+
+   return result;
+ }
+ 
+-- 
+2.33.0
+
--- a/glibc.spec
+++ b/glibc.spec
@ -70,7 +70,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	134
+Release: 	135
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -275,6 +275,7 @@ Patch184: time-Fix-use-after-free-in-getdate.patch
 Patch185: time-strftime_l-Avoid-an-unbounded-alloca.patch
 Patch186: backport-string-strerror-must-not-return-NULL-bug-30555.patch
 Patch187: backport-CVE-2023-4813.patch
+Patch188: backport-CVE-2023-4806.patch

 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@ -1498,6 +1499,9 @@ fi
 %endif

 %changelog
+* Mon Sep 25 2023 zhanghao<zhanghao383@huawei.com> - 2.34-135
+- fix CVE-2023-4806 CVE-2023-5156
+
 * Sat Sep 23 2023 zhanghao<zhanghao383@huawei.com> - 2.34-134
 - fix CVE-2023-4813