[PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[Haris Okanovic]

Backport Arjun Shankar's patch for CVE-2015-1781:

A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
other related functions computed the size of a buffer when passed a
misaligned buffer as input. An attacker able to make an application call
any of these functions with a misaligned buffer could use this flaw to
crash the application or, potentially, execute arbitrary code with the
permissions of the user running the application.

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Signed-off-by: Ken Sharp <ken.sharp@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
---
Natinst-CAR-ID: 525428
Natinst-ReviewBoard-ID: 96712
---
 ...81-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.20.bb              |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
new file mode 100644
index 0000000..c02fa12
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
@@ -0,0 +1,43 @@
+From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun.is@lostca.se>
+Date: Tue, 21 Apr 2015 14:06:31 +0200
+Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
+ [BZ#18287]
+
+Upstream-Status: Backport
+https://sourceware.org/bugzilla/show_bug.cgi?id=18287
+---
+ resolv/nss_dns/dns-host.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int n, ancount, qdcount;
+   int haveanswer, had_error;
+   char *bp, **ap, **hap;
+   char tbuf[MAXDNAME];
+   const char *tname;
+   int (*name_ok) (const char *);
+   u_char packtmp[NS_MAXCDNAME];
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+     {
+       /* The buffer is too small.  */
+     too_small:
+       *errnop = ERANGE;
+       *h_errnop = NETDB_INTERNAL;
+       return NSS_STATUS_TRYAGAIN;
+     }
+   host_data = (struct host_data *) buffer;
+   linebuflen = buflen - sizeof (struct host_data);
+   if (buflen - sizeof (struct host_data) != linebuflen)
+-- 
+2.2.2
+
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index e3427dd..ba62fc3 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -47,6 +47,7 @@ CVEPATCHES = "\
         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
         file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
         file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
+        file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
     "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
2.2.2

Re: [PATCH 1/2] glibc: CVE-2015-1472: wscanf allocates too little memory

[Haris Okanovic]

On 05/07/2015 06:19 PM, Haris Okanovic wrote:
> Backport Paul Pluzhnikov's glibc patch for CVE-2015-1472:
>
> Under certain conditions wscanf can allocate too little memory for the
> to-be-scanned arguments and overflow the allocated buffer.  The
> implementation now correctly computes the required buffer size when
> using malloc.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=16618
>
> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
> Signed-off-by: Ken Sharp <ken.sharp@ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
> ---

Note that this patch is to apply to the Dizzy branch of 
openembedded-core (glibc 2.20). It might cleanly apply to other branches 
also using glibc 2.20, but I've only tested with Dizzy.

CVE-2015-1472 is fixed in glibc 2.21 and later.

Thanks,
Haris

Re: [PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[Haris Okanovic]

On 05/07/2015 06:19 PM, Haris Okanovic wrote:
> Backport Arjun Shankar's patch for CVE-2015-1781:
>
> A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
> other related functions computed the size of a buffer when passed a
> misaligned buffer as input. An attacker able to make an application call
> any of these functions with a misaligned buffer could use this flaw to
> crash the application or, potentially, execute arbitrary code with the
> permissions of the user running the application.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=18287
>
> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
> Signed-off-by: Ken Sharp <ken.sharp@ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
> ---

Note that this patch is to apply to the Dizzy branch of 
openembedded-core (glibc 2.20). It might cleanly apply to other branches 
also using glibc 2.20, but I've only tested with Dizzy.

CVE-2015-1781 is fixed in glibc 2.22 and later.

Thanks,
Haris

Re: [PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 4197 bytes --]

this is ok

> On May 8, 2015, at 7:28 AM, Haris Okanovic <haris.okanovic@ni.com> wrote:
> 
> Backport Arjun Shankar's patch for CVE-2015-1781:
> 
> A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
> other related functions computed the size of a buffer when passed a
> misaligned buffer as input. An attacker able to make an application call
> any of these functions with a misaligned buffer could use this flaw to
> crash the application or, potentially, execute arbitrary code with the
> permissions of the user running the application.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=18287
> 
> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
> Signed-off-by: Ken Sharp <ken.sharp@ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
> ---
> Natinst-CAR-ID: 525428
> Natinst-ReviewBoard-ID: 96712
> ---
> ...81-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 ++++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb              |  1 +
> 2 files changed, 44 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> 
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> new file mode 100644
> index 0000000..c02fa12
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> @@ -0,0 +1,43 @@
> +From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
> +From: Arjun Shankar <arjun.is@lostca.se>
> +Date: Tue, 21 Apr 2015 14:06:31 +0200
> +Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
> + [BZ#18287]
> +
> +Upstream-Status: Backport
> +https://sourceware.org/bugzilla/show_bug.cgi?id=18287
> +---
> + resolv/nss_dns/dns-host.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
> +index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
> +--- a/resolv/nss_dns/dns-host.c
> ++++ b/resolv/nss_dns/dns-host.c
> +@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
> +   int n, ancount, qdcount;
> +   int haveanswer, had_error;
> +   char *bp, **ap, **hap;
> +   char tbuf[MAXDNAME];
> +   const char *tname;
> +   int (*name_ok) (const char *);
> +   u_char packtmp[NS_MAXCDNAME];
> +   int have_to_map = 0;
> +   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
> +   buffer += pad;
> +-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
> ++  buflen = buflen > pad ? buflen - pad : 0;
> ++  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
> +     {
> +       /* The buffer is too small.  */
> +     too_small:
> +       *errnop = ERANGE;
> +       *h_errnop = NETDB_INTERNAL;
> +       return NSS_STATUS_TRYAGAIN;
> +     }
> +   host_data = (struct host_data *) buffer;
> +   linebuflen = buflen - sizeof (struct host_data);
> +   if (buflen - sizeof (struct host_data) != linebuflen)
> +--
> +2.2.2
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
> index e3427dd..ba62fc3 100644
> --- a/meta/recipes-core/glibc/glibc_2.20.bb
> +++ b/meta/recipes-core/glibc/glibc_2.20.bb
> @@ -47,6 +47,7 @@ CVEPATCHES = "\
>         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
>         file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
>         file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
> +        file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
>     "
> LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
>       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> --
> 2.2.2
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 211 bytes --]

Re: [PATCH 1/2] glibc: CVE-2015-1472: wscanf allocates too little memory

[akuster808]

Haris,

thanks. I will stage this on my dizzy next branch.

please include [Dizzy/fido] in the subject line if a patch meant for a 
specific release. it will help route patches.
regards,
Armin

On 05/08/2015 08:47 AM, Haris Okanovic wrote:
> On 05/07/2015 06:19 PM, Haris Okanovic wrote:
>> Backport Paul Pluzhnikov's glibc patch for CVE-2015-1472:
>>
>> Under certain conditions wscanf can allocate too little memory for the
>> to-be-scanned arguments and overflow the allocated buffer.  The
>> implementation now correctly computes the required buffer size when
>> using malloc.
>>
>> https://sourceware.org/bugzilla/show_bug.cgi?id=16618
>>
>> Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
>> Signed-off-by: Ken Sharp <ken.sharp@ni.com>
>> Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
>> ---
>
> Note that this patch is to apply to the Dizzy branch of
> openembedded-core (glibc 2.20). It might cleanly apply to other branches
> also using glibc 2.20, but I've only tested with Dizzy.
>
> CVE-2015-1472 is fixed in glibc 2.21 and later.
>
> Thanks,
> Haris

Re: [PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 407 bytes --]

On 8 May 2015 at 16:50, Haris Okanovic <haris.okanovic@ni.com> wrote:

> Note that this patch is to apply to the Dizzy branch of openembedded-core (
> glibc 2.20). It might cleanly apply to other branches also using glibc
> 2.20, but I've only tested with Dizzy.
>
> CVE-2015-1781 is fixed in glibc 2.22 and later.
>

Will you be able to port this to master which is currently glibc 2.21?

Ross

[-- Attachment #2: Type: text/html, Size: 889 bytes --]

Re: [PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

[Haris Okanovic]

On 05/14/2015 03:39 PM, Burton, Ross wrote:
> Will you be able to port this to master which is currently glibc 2.21?

Sure. I'll post a second patch to oe-core for master (glibc 2.21) once I 
test it out. It'll be the same .patch file for glibc's source, but a 
different change in the bb recipe.

The original patch I sent earlier still applies to other branches that 
use glibc 2.20. E.g. Dizzy.

Haris