From patchwork Tue Sep 12 16:18:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 75769 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 6AE47385843E for ; Tue, 12 Sep 2023 16:18:56 +0000 (GMT) X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 428913858D3C for ; Tue, 12 Sep 2023 16:18:42 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 428913858D3C Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1694535521; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=11F4CluJZvf6EIzZTxTNkOxCRP6alFz31xY1fNEa3xU=; b=dlbTdS1SX384/kE4kx3hofss8UDE4sqYdwS3gkjwZ2GNTkfPS73w417eXJctfGB/bDpYn6 GojQ9z0RgAdxqcX4DHPThL5glKSqpxH4YPUio6oLWQHhsj2tO+PsveuKvFdWAIGZr2dQ1j sSRaI8XZJdpUl4xU6bqZ6pnqoXfkBTo= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-536-V_93djgJN_CbJiB3kiHwXg-1; Tue, 12 Sep 2023 12:18:40 -0400 X-MC-Unique: V_93djgJN_CbJiB3kiHwXg-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1549E3800BBC for ; Tue, 12 Sep 2023 16:18:40 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.2.16.67]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 908F764687 for ; Tue, 12 Sep 2023 16:18:39 +0000 (UTC) From: Florian Weimer To: libc-alpha@sourceware.org Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode Date: Tue, 12 Sep 2023 18:18:38 +0200 Message-ID: <87a5tr5pr5.fsf@oldenburg.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-10.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer. Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842. --- NEWS | 6 +- resolv/Makefile | 2 + resolv/nss_dns/dns-host.c | 2 +- resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 137 insertions(+), 2 deletions(-) base-commit: a43003ebf674f7af8c4b8d6d1b682244f1a28719 diff --git a/NEWS b/NEWS index 60a0371be9..a48c32e76f 100644 --- a/NEWS +++ b/NEWS @@ -42,7 +42,11 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2023-4527: If the system is configured in no-aaaa mode via + /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address + family, and a DNS response is received over TCP that is larger than + 2048 bytes, getaddrinfo may potentially disclose stack contents via + the returned address data, or crash. The following bugs are resolved with this release: diff --git a/resolv/Makefile b/resolv/Makefile index 054b1fa36c..2f99eb3862 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -102,6 +102,7 @@ tests += \ tst-resolv-invalid-cname \ tst-resolv-network \ tst-resolv-noaaaa \ + tst-resolv-noaaaa-vc \ tst-resolv-nondecimal \ tst-resolv-res_init-multi \ tst-resolv-search \ @@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ $(shared-thread-library) $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) +$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index c8b77bbc35..119dc9f00f 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, { n = __res_context_search (ctx, name, C_IN, T_A, dns_packet_buffer, sizeof (dns_packet_buffer), - NULL, NULL, NULL, NULL, NULL); + &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); if (n >= 0) status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, &abuf, pat, errnop, herrnop, ttlp); diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c new file mode 100644 index 0000000000..9f5aebd99f --- /dev/null +++ b/resolv/tst-resolv-noaaaa-vc.c @@ -0,0 +1,129 @@ +/* Test the RES_NOAAAA resolver option with a large response. + Copyright (C) 2022-2023 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* Used to keep track of the number of queries. */ +static volatile unsigned int queries; + +/* If true, add a large TXT record at the start of the answer section. */ +static volatile bool stuff_txt; + +static void +response (const struct resolv_response_context *ctx, + struct resolv_response_builder *b, + const char *qname, uint16_t qclass, uint16_t qtype) +{ + /* If not using TCP, just force its use. */ + if (!ctx->tcp) + { + struct resolv_response_flags flags = {.tc = true}; + resolv_response_init (b, flags); + resolv_response_add_question (b, qname, qclass, qtype); + return; + } + + /* The test needs to send four queries, the first three are used to + grow the NSS buffer via the ERANGE handshake. */ + ++queries; + TEST_VERIFY (queries <= 4); + + /* AAAA queries are supposed to be disabled. */ + TEST_COMPARE (qtype, T_A); + TEST_COMPARE (qclass, C_IN); + TEST_COMPARE_STRING (qname, "example.com"); + + struct resolv_response_flags flags = {}; + resolv_response_init (b, flags); + resolv_response_add_question (b, qname, qclass, qtype); + + resolv_response_section (b, ns_s_an); + + if (stuff_txt) + { + resolv_response_open_record (b, qname, qclass, T_TXT, 60); + int zero = 0; + for (int i = 0; i <= 15000; ++i) + resolv_response_add_data (b, &zero, sizeof (zero)); + resolv_response_close_record (b); + } + + for (int i = 0; i < 200; ++i) + { + resolv_response_open_record (b, qname, qclass, qtype, 60); + char ipv4[4] = {192, 0, 2, i + 1}; + resolv_response_add_data (b, &ipv4, sizeof (ipv4)); + resolv_response_close_record (b); + } +} + +static int +do_test (void) +{ + struct resolv_test *obj = resolv_test_start + ((struct resolv_redirect_config) + { + .response_callback = response + }); + + _res.options |= RES_NOAAAA; + + for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) + { + queries = 0; + stuff_txt = do_stuff_txt; + + struct addrinfo *ai = NULL; + int ret; + ret = getaddrinfo ("example.com", "80", + &(struct addrinfo) + { + .ai_family = AF_UNSPEC, + .ai_socktype = SOCK_STREAM, + }, &ai); + + char *expected_result; + { + struct xmemstream mem; + xopen_memstream (&mem); + for (int i = 0; i < 200; ++i) + fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); + xfclose_memstream (&mem); + expected_result = mem.buffer; + } + + check_addrinfo ("example.com", ai, ret, expected_result); + + free (expected_result); + freeaddrinfo (ai); + } + + resolv_test_end (obj); + return 0; +} + +#include