| Message ID | 20230922171157.65-1-romain.geissler@amadeus.com |
|---|---|
| State | Superseded |
| Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 778BD38582A9 for <patchwork@sourceware.org>; Fri, 22 Sep 2023 17:13:14 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2054.outbound.protection.outlook.com [40.107.104.54]) by sourceware.org (Postfix) with ESMTPS id 532453858D28 for <libc-alpha@sourceware.org>; Fri, 22 Sep 2023 17:12:47 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 532453858D28 Authentication-Results: sourceware.org; dmarc=pass (p=reject dis=none) header.from=amadeus.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=amadeus.com ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZbnPXnRmq9g4xPxgFb3UNpNfFNHv7Byh5PXAMjJ4RCBG3ntLrELHj0Ni1p3bm2hf/ynAlhrZeUiKybGcr5//AtFi2aS+YzO1MEZg+kSmdJ0TiCacKgAV+Ab2PlGPN4UeXaxZ0yEG2vuWgSNuks9DILn3vLteOk3K2En0vtNmbkVKQPQ2GdOyLtNL/uxK8shTCU4KMkZmWP/SmVI/VY+w60IJ9OyYHZuHkcAI81IjmJjPZHV2Sw4+WPLj6HYO9+zEVGfZLeCpqxUGm3+mDSnjY+tutmoGBHFjCtdgE+NdoeDR4KeMC9+bzHAt2iGtZH5lc2XAwiW3XZnk7IDRA35aYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dQpaVYe0hSsCmeKiAHcEagTz3d3MldkKSjUE3YlmiCE=; b=KDfoWiQVZ0AL98VTF7nBmoWh74FXzMqPgEk/jEii3dAxQacAvFcbMPu8nS4uH5/oZaXsj+BWTUmIPghti4ply1+AXdpe/cl6LTzDm353iMUWGhSXAK3T681R5plI/VwJ32KVhz8vrimQMAxcqzI9OluYshN05G3L9YE2jNFUyGAoRvy63DiX+l6GUxcw+BaWT30mKFlhpoatWFNTodlW3klu9MQYBFVtRxeORq15lklcKzrptaTq2C0iN80wq8C8RKxS1dz3jlMf0VXz5HRkfExLMiTTdxvkpjtzkEQowxS8xRhoGclwT7oIDK3jpOD7A45GEcc2G0VFY+l20pWV6A== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 171.17.131.35) smtp.rcpttodomain=sourceware.org smtp.mailfrom=amadeus.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=amadeus.com; dkim=none (message not signed); arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amadeus.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dQpaVYe0hSsCmeKiAHcEagTz3d3MldkKSjUE3YlmiCE=; b=b5XX2VTtVsoBegI3zTA1WEsgD0WzdZ0Y5HuWXV2CTDx+Z/FKq+UnzHxrFbwgB6UO+ancfIOjyickcSlNDAaFuSRBrpBwg0u/kinxkTzIPYQEI+TlUD2fMBBEJG+PunJU4FAHNipAB69pcWwjteycdabCZRMmwfhwGQ81WcLtUwRvzEKwk2AFJnmU2eF5BrPVjnL9wonnHoeaZ7dHlVTbvrAYk7FSmHNUFBl4fMK5i2qmesbKWE4GZez0ucoSPs24wM75G+MJBo6NfrVWHQwvwBdPo5yKjB1XSEZejY80QIjH/sgdbL4YzUhImhR0ZCSga2kFMc02X5SNhhefhHMWUw== Received: from AM6P195CA0001.EURP195.PROD.OUTLOOK.COM (2603:10a6:209:81::14) by GV2PR10MB7558.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:dc::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6813.23; Fri, 22 Sep 2023 17:12:44 +0000 Received: from AM2PEPF0001C70E.eurprd05.prod.outlook.com (2603:10a6:209:81:cafe::e8) by AM6P195CA0001.outlook.office365.com (2603:10a6:209:81::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6792.32 via Frontend Transport; Fri, 22 Sep 2023 17:12:44 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 171.17.131.35) smtp.mailfrom=amadeus.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=amadeus.com; Received-SPF: Pass (protection.outlook.com: domain of amadeus.com designates 171.17.131.35 as permitted sender) receiver=protection.outlook.com; client-ip=171.17.131.35; helo=smtpexch.amadeus.com; pr=C Received: from smtpexch.amadeus.com (171.17.131.35) by AM2PEPF0001C70E.mail.protection.outlook.com (10.167.16.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6792.20 via Frontend Transport; Fri, 22 Sep 2023 17:12:44 +0000 Received: from MUCEX20MBX001.iis.amadeus.net (172.19.131.74) by smtpexch.amadeus.com (172.19.134.54) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.25; Fri, 22 Sep 2023 17:11:43 +0000 Received: from b2c0fece6092.rnd.amadeus.net (10.64.176.26) by MUCEX20MBX001.iis.amadeus.net (172.19.131.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.25; Fri, 22 Sep 2023 17:12:43 +0000 From: Romain Geissler <romain.geissler@amadeus.com> To: <libc-alpha@sourceware.org> CC: <romain.geissler@amadeus.com> Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806. Date: Fri, 22 Sep 2023 17:11:58 +0000 Message-ID: <20230922171157.65-1-romain.geissler@amadeus.com> X-Mailer: git-send-email 2.39.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: MUCEXHYBP02.iis.amadeus.net (172.19.131.108) To MUCEX20MBX001.iis.amadeus.net (172.19.131.74) X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AM2PEPF0001C70E:EE_|GV2PR10MB7558:EE_ X-MS-Office365-Filtering-Correlation-Id: ed0f356b-47bc-40da-b079-08dbbb8f230f X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: Jf7WotLwdtAWqmSbKGZOSok8KDy9Bl+sSDGP5STumKMFl4kzH/CSmD5yecR0zVwoeFeWP42OMzAmTEM8wOr29NTMv5jsj3bsviODWr3yJ09xS7Sbjjo9/LT5/L73dWMMd116cOu2OVFfens4vkgrdcMoGNb4erb5XN2kj9V9kZ8GD7013U1tGMb7Li5YFUnEOvqmgvP6A1ANOrOnrCch0lqH0tkrqbJlODiGzP3IFB1oIxZYk9AYiRWwQ9vRy71Xam7qFXMrprJU2ehGT28z3DcTelEWGsYpZk2r02dkbMXtiTm/C5hG73I7drFJhQ4oEZY64hvwVVDKT4aOhYkRQOoTNSkB0/YsogTgYQmiUDX3SaO8Py0UHAgklTDjmqRrcA4v9WzfWTfC0jSDT3Y28+RLGvbxwWdHtKN3eiqeMKk+O+Vtfhc/ryVQeKonEeqwVjrqY7qFfZNZz8RquyC1N0gZDkJPe44+TMgc3iTmYOfT/+F5n7hDFN/Rgv8rFkfB5DrYbi/csZfTHT1tMwYv02Ist+eIyLafuGRlKWd+g6CBxiLatC5ErCSmeZBqoIF++2+0L+IFR5eU5NVQKsZ+Bjb3MI/Wd/RsA1x3Cy2MgHXss4bndSPxxPKdNifqmmwSXrwhOqypTajQiRLAC66tEWk6PAiQ88Nl+3O0QS+/nrE5SEqOv5pJBl9JMkjWq9p1WIVQaaUpi6ePj3s4E7nfD+RMair0ZAhROD9ze6jDpIgkCVz6YsJIABG7yFY11qNw9pVUV/7U0QLDULPYr+h84xGaJnAMSrOTLca+HB1GYuSZRG9uuBJ+0muZIG1y9BSy X-Forefront-Antispam-Report: CIP:171.17.131.35; CTRY:DE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:smtpexch.amadeus.com; PTR:InfoDomainNonexistent; CAT:NONE; SFS:(13230031)(4636009)(396003)(136003)(346002)(376002)(39860400002)(1800799009)(186009)(230921699003)(451199024)(82310400011)(46966006)(36840700001)(40470700004)(36756003)(40480700001)(40460700003)(107886003)(2616005)(26005)(1076003)(336012)(82960400001)(5660300002)(2906002)(86362001)(44832011)(6916009)(8936002)(8676002)(82740400003)(81166007)(36860700001)(356005)(41300700001)(70206006)(70586007)(316002)(47076005)(478600001)(83380400001)(4326008)(6666004)(36900700001); DIR:OUT; SFP:1101; X-OriginatorOrg: amadeus.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Sep 2023 17:12:44.5224 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: ed0f356b-47bc-40da-b079-08dbbb8f230f X-MS-Exchange-CrossTenant-Id: b3f4f7c2-72ce-4192-aba4-d6c7719b5766 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=b3f4f7c2-72ce-4192-aba4-d6c7719b5766; Ip=[171.17.131.35]; Helo=[smtpexch.amadeus.com] X-MS-Exchange-CrossTenant-AuthSource: AM2PEPF0001C70E.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV2PR10MB7558 X-Spam-Status: No, score=-11.0 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org |
| Series |
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806.
|
|
Checks
| Context | Check | Description |
|---|---|---|
| redhat-pt-bot/TryBot-apply_patch | success | Patch applied to master at the time it was sent |
| redhat-pt-bot/TryBot-32bit | success | Build for i686 |
| linaro-tcwg-bot/tcwg_glibc_build--master-arm | fail | Patch failed to apply |
| linaro-tcwg-bot/tcwg_glibc_check--master-arm | fail | Patch failed to apply |
| linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 | fail | Patch failed to apply |
| linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 | fail | Patch failed to apply |
Commit Message
Romain Geissler
Sept. 22, 2023, 5:11 p.m. UTC
This patch fixes a very recently added leak in getaddrinfo (which was backported on release branches too). I didn't spend much more than 5 minutes on investigating the code to end up with this patch, so it may be wrong. Quickly testing it on my side, it seems to work for me, but it definitely needs review from people who actually know this part of the code ;) Running a stripped down version of the newly added test nss/nss_test_gai_hv2_canonname.c with valgrind results in exposure of the leak: > cat test.c int main() { char aHostName[256]; gethostname(aHostName,255); struct addrinfo hints = {}; struct addrinfo *result = NULL; hints.ai_family = AF_INET6; hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; int ret = getaddrinfo(aHostName, NULL, &hints, &result); if (ret != 0) return 1; freeaddrinfo(result); return 0; } > /opt/1A/toolchain/x86_64-v19/bin/gcc -g -o test test.c > /opt/1A/toolchain/x86_64-v19/build-pack/default/bin/valgrind --leak-check=full ./test ... (snapped) ==68017== 37 bytes in 1 blocks are definitely lost in loss record 1 of 1 ==68017== at 0x4840745: malloc (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/build-pack/19.0.81.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==68017== by 0x48E7CDA: strdup (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) ==68017== by 0x4936582: convert_hostent_to_gaih_addrtuple.isra.0 (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) ==68017== by 0x4936787: gethosts (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) ==68017== by 0x4938F37: getaddrinfo (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) ==68017== by 0x4011A5: main (test.c:17) ... (snapped) --- sysdeps/posix/getaddrinfo.c | 1 + 1 file changed, 1 insertion(+)
Comments
I think it may need an "if != NULL" check on it, in case we're exiting due to error. The only time h_name is set is via __strdup but that __strdup may fail.
> Le 22 sept. 2023 à 22:26, DJ Delorie <dj@redhat.com> a écrit : > > > I think it may need an "if != NULL" check on it, in case we're exiting > due to error. The only time h_name is set is via __strdup but that > __strdup may fail. > Isn’t it fine to call free(NULL) (which should normally be a no-op) ? Or you suggest this to save a jump to a function for optimization reasons ?
Romain GEISSLER <romain.geissler@amadeus.com> writes: > Isn’t it fine to call free(NULL) (which should normally be a no-op) ? > Or you suggest this to save a jump to a function for optimization > reasons ? Nope, I'm just showing my age again. Of course it's fine to free(NULL) these days ;-) There's a bunch of conditionals around that code, but they're checking some other flag variable. LGTM Reviewed-by: DJ Delorie <dj@redhat.com>
On 2023-09-22 18:11, Romain Geissler wrote: > This patch fixes a very recently added leak in getaddrinfo (which was > backported on release branches too). > > I didn't spend much more than 5 minutes on investigating the code to end > up with this patch, so it may be wrong. Quickly testing it on my side, > it seems to work for me, but it definitely needs review from people who > actually know this part of the code ;) > Nice catch, thank you for noticing. > Running a stripped down version of the newly added test > nss/nss_test_gai_hv2_canonname.c with valgrind results in exposure of > the leak: > >> cat test.c > > int main() > { > char aHostName[256]; > gethostname(aHostName,255); > > struct addrinfo hints = {}; > struct addrinfo *result = NULL; > > hints.ai_family = AF_INET6; > hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; > > int ret = getaddrinfo(aHostName, NULL, &hints, &result); > > if (ret != 0) > return 1; > freeaddrinfo(result); > return 0; > } > >> /opt/1A/toolchain/x86_64-v19/bin/gcc -g -o test test.c >> /opt/1A/toolchain/x86_64-v19/build-pack/default/bin/valgrind --leak-check=full ./test > ... (snapped) > ==68017== 37 bytes in 1 blocks are definitely lost in loss record 1 of 1 > ==68017== at 0x4840745: malloc (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/build-pack/19.0.81.0/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) > ==68017== by 0x48E7CDA: strdup (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) > ==68017== by 0x4936582: convert_hostent_to_gaih_addrtuple.isra.0 (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) > ==68017== by 0x4936787: gethosts (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) > ==68017== by 0x4938F37: getaddrinfo (in /remote/tools/Linux/2.6/1A/toolchain/x86_64-v19.0.81/lib/libc.so.6) > ==68017== by 0x4011A5: main (test.c:17) > ... (snapped) > --- > sysdeps/posix/getaddrinfo.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c > index b4e8ea3880a..5f5bc3fd51f 100644 > --- a/sysdeps/posix/getaddrinfo.c > +++ b/sysdeps/posix/getaddrinfo.c > @@ -1199,6 +1199,7 @@ free_and_return: > if (res.free_at) > free (res.at); > free (res.canon); > + free (res.h_name); Could you please consolidate all of this into a gaih_result_reset (&res) call? There's an additional memset, but that should be negligible overhead for a cleaner abstraction. Thanks, Sid
On 2023-09-22 23:21, Siddhesh Poyarekar wrote: >> diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c >> index b4e8ea3880a..5f5bc3fd51f 100644 >> --- a/sysdeps/posix/getaddrinfo.c >> +++ b/sysdeps/posix/getaddrinfo.c >> @@ -1199,6 +1199,7 @@ free_and_return: >> if (res.free_at) >> free (res.at); >> free (res.canon); >> + free (res.h_name); > > Could you please consolidate all of this into a gaih_result_reset (&res) > call? There's an additional memset, but that should be negligible > overhead for a cleaner abstraction. > Oh, and it would be fabulous if you could quote the original bug number (BZ #30843) in the v2 and add a leak check test case (see resolv/tst-leaks* for an example) but I won't block the fix on that. Thanks! Sid
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index b4e8ea3880a..5f5bc3fd51f 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -1199,6 +1199,7 @@ free_and_return: if (res.free_at) free (res.at); free (res.canon); + free (res.h_name); return result; }