Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 3 Oct 2023 15:47:06 -0400
From: Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-4806, CVE-2023-5156: glibc: potential
 use-after-free in getaddrinfo()

On Tue, Oct 3, 2023 at 3:18 PM Solar Designer <solar@...nwall.com> wrote:
> I wish someone more knowledgeable about this specific issue would post
> this, but since no one did, let me do it.
>
> Current upstream glibc NEWS contains these entries:

We're in the process of setting up a glibc CNA, so we will hopefully
send out upstream advisories more regularly once we've got that in
place.

>
> > CVE-2023-4806: When an NSS plugin only implements the
> > _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
> > memory that was freed during buffer resizing, potentially causing a
> > crash or read or write to arbitrary memory.
> >
> > CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
> > an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
> > AI_ALL and AI_V4MAPPED flags set.
>
> Apparently, CVE-2023-4806 has existed for ages, whereas CVE-2023-5156
> only existed for ~10 days last month.

CVE-2023-5156 was a regression from the fix to CVE-2023-4806; we
requested a separate CVE for the benefit of distributions that may
have already released the fix for the first CVE.

>
> Bug 30843 (CVE-2023-4806) - potential use-after-free in getcanonname:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=30843
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=973fe93a5675c42798b2161c6f29c01b0e243994
>
> Main upstream commit:
>
> > commit 973fe93a5675c42798b2161c6f29c01b0e243994
> > Author: Siddhesh Poyarekar <siddhesh@...rceware.org>
> > Date:   Fri Sep 15 13:51:12 2023 -0400
> >
> >     getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> >
> >     When an NSS plugin only implements the _gethostbyname2_r and
> >     _getcanonname_r callbacks, getaddrinfo could use memory that was freed
> >     during tmpbuf resizing, through h_name in a previous query response.
> >
> >     The backing store for res->at->name when doing a query with
> >     gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
> >     gethosts during the query.  For AF_INET6 lookup with AI_ALL |
> >     AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
> >     for a v4 lookup.  In this case, if the first call reallocates tmpbuf
> >     enough number of times, resulting in a malloc, th->h_name (that
> >     res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
> >     Now if the second call to gethosts also causes the plugin callback to
> >     return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
> >     reference in res->at->name.  This then gets dereferenced in the
> >     getcanonname_r plugin call, resulting in the use after free.
> >
> >     Fix this by copying h_name over and freeing it at the end.  This
> >     resolves BZ #30843, which is assigned CVE-2023-4806.
> >
> >     Signed-off-by: Siddhesh Poyarekar <siddhesh@...rceware.org>
>
> also backported by upstream to branches all the way back to 2.34, but
> apparently even older are affected.

Yes, I've checked back to 2.28 for rhel-8; in fact that was where I
discovered the bug first and had hoped that my refactor had fixed it
like in case of CVE-2023-4813, but unfortunately it wasn't :/

Thanks,
Sid

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.