Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 21 Oct 2022 01:25:50 +0800
From: Tom Shen <sjiagc.dev@...il.com>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: gethostbyname2_r returns invalid IPv6 address if DNS
 server replies IPv4 address

I tested the fix in your earlier email locally with my own test code and
getent in Alpine Linux 3.16.2. They both crashed. After debugging, I found
in gethostbyname2_r we should return non-zero if no address is returned.
Then gethostbyname2 will return NULL. I also check the Linux doc, it says:

> Return Value
> The gethostbyname() and gethostbyaddr() functions return the hostent
structure or *a NULL pointer if an error occurs*. On error, the h_errno
variable holds an error number. When non-NULL, the return value may point
at static data, see the notes below.

Based on your patch (except the "for (i=nq-1; i>=0; i--)"), I made a minor
change to address it. Tested with command getent hosts, it works well with
my CoreDNS. Although the h_errno is better to be NO_DATA rather than
HOST_NOT_FOUND, I think it's not a big issue.

The diff file attached.

Tom Shen

On Thu, Oct 20, 2022 at 8:52 AM Rich Felker <dalias@...c.org> wrote:

> On Thu, Oct 20, 2022 at 12:00:46AM +0800, Tom Shen wrote:
> > > Right. I'm saying the maintainers of this version of getent should be
> > > informed that they're using a backwards nonstandard function here and
> > > that it would work better with getaddrinfo.
> >
> > The getent Linux manual states that when using database hosts,
> > gethostbyname2 would be called.
> > https://man7.org/linux/man-pages/man1/getent.1.html . Maybe we can
> persuade
> > the third party service to use getent ahosts.
>
> Uhg, lovely that it's specified like that... But really, it only needs
> to behave "as if" it did that, which can be done better using
> getaddrinfo with the right options to get the behavior the legacy APIs
> would have given, but in a better way. So I think it's still worth
> pursuing this kind of improvement too. Orthogonal to your problem
> report, though.
>
> > > I inquired about this and got the response that there might not be an
> > > explicit rule against it, "much like no RFC prohibits you from eating
> > > glass". :-) I don't see how the behavior makes any sense though. There
> > > is a risk that strict stub resolvers could consider these packets
> > > non-answers and timeout/fail rather than returning a response, and
> > > like you found, a chance that buggy stub resolvers not doing
> > > sufficient validation could misinterpret the answers. I'm not clear
> > > where these wrong-type answers could give useful results, especially
> > > not anything more-useful than just returning NODATA in place of the v6
> > > result you want to suppress.
> >
> > True. Maybe we should not use this "rewrite type AAAA A" feature in
> > CoreDNS. Just on Internet there are some posts suggested it to fix the
> name
> > resolution issues caused by unexpected IPv6 logic. We already removed it
> > from our system since an incident. I am not an expert in DNS though, so
> > cannot comment more about the standards.
> >
> > Anyway, although rewriting the DNS request type may make no sense, we
> > should either return correct IPv6 address (e.g. ::ffff:10.96.36.74) or
> IPv4
> > address (10.96.36.74) or NODATA, rather than an invalid IPv6 address
> > (a60:244a::) :-). I got your point in last email, and I also have the
> same
> > idea, returning NODATA is a good (or only) solution. In getent hosts
> > command, when getting empty result for AF_INET6, it will call
> > gethostbyname2 with AF_INET (this is also the behavior of glibc's getent
> > https://codebrowser.dev/glibc/glibc/nss/getent.c.html), then we will get
> > correct IPv4 address.
> >
> > > But I have a proposed fix here.
> >
> > Thank you so much, Rich! Your change looks better than what I would do. I
> > will try it out. If tested good, would we merge the fix into later
> releases?
>
> Yes, I'm getting it merged now. Thanks for the report. In some sense
> this was a long-known issue (that "malicious" nameservers could give
> wrong-RR-type answers -- see CVE-2017-15650) and it's nice to finally
> have good reason to put in the attention to fixing it.
>
> Rich
>

Content of type "text/html" skipped

Download attachment "gethostbyname2_r.diff" of type "application/octet-stream" (410 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.