glibc: fix CVE-2023-4527

Upstream-Status: Backport[https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f] (From OE-Core rev: 66b6133b5e623f39d9c26dae3097035dafd41f60) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yash Shinde <Yash.Shinde@windriver.com> 2023-09-24 08:22:21 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-09-26 10:35:28 +0100
commit: 82dfa7b8ac5661134da21307d07d9ea2ed3ac6ea (patch)
tree: b0cdff4c10d87c4f779b54e8dbd0e8e0f4336c82 /meta/recipes-core/glibc
parent: fc6b2a989b6c4fabca2bfb7ee5e9727cf950994f (diff)
download: poky-82dfa7b8ac5661134da21307d07d9ea2ed3ac6ea.tar.gz
2 files changed, 220 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch
new file mode 100644
index 0000000000..7d9adf6a66
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch
@@ -0,0 +1,219 @@
+From 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 13 Sep 2023 14:10:56 +0200
+Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses
+ in no-aaaa mode
+Without passing alt_dns_packet_buffer, __res_context_search can only
+store 2048 bytes (what fits into dns_packet_buffer).  However,
+the function returns the total packet size, and the subsequent
+DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
+of the stack-allocated buffer.
+Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
+stub resolver option") and bug 30842.
+(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f]
+CVE: CVE-2023-4527
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+---
+ NEWS                          |   7 ++
+ resolv/Makefile               |   2 +
+ resolv/nss_dns/dns-host.c     |   2 +-
+ resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++
+ 4 files changed, 139 insertions(+), 1 deletion(-)
+ create mode 100644 resolv/tst-resolv-noaaaa-vc.c
+diff --git a/NEWS b/NEWS
+--- a/NEWS
+++ b/NEWS
+@@ -126,6 +126,7 @@
+   [30477] libc: [RISCV]: time64 does not work on riscv32
+   [30515] dynamic-link: _dl_find_object incorrectly returns 1 during
+     early startup
+  [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
+   [30527] network: resolv_conf lock not unlocked on allocation failure
+   [30550] math: powerpc64le: GCC-specific code for isinf() is being used
+     on clang
+@@ -157,6 +158,12 @@
+   heap and prints it to the target log file, potentially revealing a
+   portion of the contents of the heap.
+  CVE-2023-4527: If the system is configured in no-aaaa mode via
+  /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
+  family, and a DNS response is received over TCP that is larger than
+  2048 bytes, getaddrinfo may potentially disclose stack contents via
+  the returned address data, or crash.
+
+ The following bugs are resolved with this release:
+   [12154] network: Cannot resolve hosts which have wildcard aliases
+diff --git a/resolv/Makefile b/resolv/Makefile
+--- a/resolv/Makefile
+++ b/resolv/Makefile
+@@ -102,6 +102,7 @@
+   tst-resolv-invalid-cname \
+   tst-resolv-network \
+   tst-resolv-noaaaa \
+  tst-resolv-noaaaa-vc \
+   tst-resolv-nondecimal \
+   tst-resolv-res_init-multi \
+   tst-resolv-search \
+@@ -293,6 +294,7 @@
+ $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \
+   $(shared-thread-library)
+ $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+     {
+       n = __res_context_search (ctx, name, C_IN, T_A,
+                                dns_packet_buffer, sizeof (dns_packet_buffer),
+-                               NULL, NULL, NULL, NULL, NULL);
+                               &alt_dns_packet_buffer, NULL, NULL, NULL, NULL);
+       if (n >= 0)
+        status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n,
+                                        &abuf, pat, errnop, herrnop, ttlp);
+diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
+new file mode 100644
+--- /dev/null
+++ b/resolv/tst-resolv-noaaaa-vc.c
+@@ -0,0 +1,129 @@
+/* Test the RES_NOAAAA resolver option with a large response.
+   Copyright (C) 2022-2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+#include <support/xmemstream.h>
+
+/* Used to keep track of the number of queries.  */
+static volatile unsigned int queries;
+
+/* If true, add a large TXT record at the start of the answer section.  */
+static volatile bool stuff_txt;
+
+static void
+response (const struct resolv_response_context *ctx,
+          struct resolv_response_builder *b,
+          const char *qname, uint16_t qclass, uint16_t qtype)
+{
+  /* If not using TCP, just force its use.  */
+  if (!ctx->tcp)
+    {
+      struct resolv_response_flags flags = {.tc = true};
+      resolv_response_init (b, flags);
+      resolv_response_add_question (b, qname, qclass, qtype);
+      return;
+    }
+
+  /* The test needs to send four queries, the first three are used to
+     grow the NSS buffer via the ERANGE handshake.  */
+  ++queries;
+  TEST_VERIFY (queries <= 4);
+
+  /* AAAA queries are supposed to be disabled.  */
+  TEST_COMPARE (qtype, T_A);
+  TEST_COMPARE (qclass, C_IN);
+  TEST_COMPARE_STRING (qname, "example.com");
+
+  struct resolv_response_flags flags = {};
+  resolv_response_init (b, flags);
+  resolv_response_add_question (b, qname, qclass, qtype);
+
+  resolv_response_section (b, ns_s_an);
+
+  if (stuff_txt)
+    {
+      resolv_response_open_record (b, qname, qclass, T_TXT, 60);
+      int zero = 0;
+      for (int i = 0; i <= 15000; ++i)
+        resolv_response_add_data (b, &zero, sizeof (zero));
+      resolv_response_close_record (b);
+    }
+
+  for (int i = 0; i < 200; ++i)
+    {
+      resolv_response_open_record (b, qname, qclass, qtype, 60);
+      char ipv4[4] = {192, 0, 2, i + 1};
+      resolv_response_add_data (b, &ipv4, sizeof (ipv4));
+      resolv_response_close_record (b);
+    }
+}
+
+static int
+do_test (void)
+{
+  struct resolv_test *obj = resolv_test_start
+    ((struct resolv_redirect_config)
+     {
+       .response_callback = response
+     });
+
+  _res.options |= RES_NOAAAA;
+
+  for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
+    {
+      queries = 0;
+      stuff_txt = do_stuff_txt;
+
+      struct addrinfo *ai = NULL;
+      int ret;
+      ret = getaddrinfo ("example.com", "80",
+                         &(struct addrinfo)
+                         {
+                           .ai_family = AF_UNSPEC,
+                           .ai_socktype = SOCK_STREAM,
+                         }, &ai);
+
+      char *expected_result;
+      {
+        struct xmemstream mem;
+        xopen_memstream (&mem);
+        for (int i = 0; i < 200; ++i)
+          fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
+        xfclose_memstream (&mem);
+        expected_result = mem.buffer;
+      }
+
+      check_addrinfo ("example.com", ai, ret, expected_result);
+
+      free (expected_result);
+      freeaddrinfo (ai);
+    }
+
+  resolv_test_end (obj);
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc_2.38.bb b/meta/recipes-core/glibc/glibc_2.38.bb
index 32ccb888f0..237458d066 100644
--- a/meta/recipes-core/glibc/glibc_2.38.bb
+++ b/meta/recipes-core/glibc/glibc_2.38.bb
@@ -51,6 +51,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
           file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
           file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \
+           file://0024-CVE-2023-4527.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Yash Shinde <Yash.Shinde@windriver.com>	2023-09-24 08:22:21 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-09-26 10:35:28 +0100
commit	82dfa7b8ac5661134da21307d07d9ea2ed3ac6ea (patch)
tree	b0cdff4c10d87c4f779b54e8dbd0e8e0f4336c82 /meta/recipes-core/glibc
parent	fc6b2a989b6c4fabca2bfb7ee5e9727cf950994f (diff)
download	poky-82dfa7b8ac5661134da21307d07d9ea2ed3ac6ea.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch new file mode 100644 index 0000000000..7d9adf6a66 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch
@@ -0,0 +1,219 @@
		1	From 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Wed, 13 Sep 2023 14:10:56 +0200
		4	Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses
		5	in no-aaaa mode
		6
		7	Without passing alt_dns_packet_buffer, __res_context_search can only
		8	store 2048 bytes (what fits into dns_packet_buffer). However,
		9	the function returns the total packet size, and the subsequent
		10	DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
		11	of the stack-allocated buffer.
		12
		13	Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
		14	stub resolver option") and bug 30842.
		15
		16	(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
		17
		18	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f]
		19	CVE: CVE-2023-4527
		20
		21	Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
		22
		23	---
		24	NEWS \| 7 ++
		25	resolv/Makefile \| 2 +
		26	resolv/nss_dns/dns-host.c \| 2 +-
		27	resolv/tst-resolv-noaaaa-vc.c \| 129 ++++++++++++++++++++++++++++++++++
		28	4 files changed, 139 insertions(+), 1 deletion(-)
		29	create mode 100644 resolv/tst-resolv-noaaaa-vc.c
		30
		31	diff --git a/NEWS b/NEWS
		32	--- a/NEWS
		33	+++ b/NEWS
		34	@@ -126,6 +126,7 @@
		35	[30477] libc: [RISCV]: time64 does not work on riscv32
		36	[30515] dynamic-link: _dl_find_object incorrectly returns 1 during
		37	early startup
		38	+ [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
		39	[30527] network: resolv_conf lock not unlocked on allocation failure
		40	[30550] math: powerpc64le: GCC-specific code for isinf() is being used
		41	on clang
		42	@@ -157,6 +158,12 @@
		43	heap and prints it to the target log file, potentially revealing a
		44	portion of the contents of the heap.
		45
		46	+ CVE-2023-4527: If the system is configured in no-aaaa mode via
		47	+ /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
		48	+ family, and a DNS response is received over TCP that is larger than
		49	+ 2048 bytes, getaddrinfo may potentially disclose stack contents via
		50	+ the returned address data, or crash.
		51	+
		52	The following bugs are resolved with this release:
		53
		54	[12154] network: Cannot resolve hosts which have wildcard aliases
		55	diff --git a/resolv/Makefile b/resolv/Makefile
		56	--- a/resolv/Makefile
		57	+++ b/resolv/Makefile
		58	@@ -102,6 +102,7 @@
		59	tst-resolv-invalid-cname \
		60	tst-resolv-network \
		61	tst-resolv-noaaaa \
		62	+ tst-resolv-noaaaa-vc \
		63	tst-resolv-nondecimal \
		64	tst-resolv-res_init-multi \
		65	tst-resolv-search \
		66	@@ -293,6 +294,7 @@
		67	$(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \
		68	$(shared-thread-library)
		69	$(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
		70	+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
		71	$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
		72	$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
		73	$(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
		74	diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
		75	--- a/resolv/nss_dns/dns-host.c
		76	+++ b/resolv/nss_dns/dns-host.c
		77	@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char name, struct gaih_addrtuple *pat,
		78	{
		79	n = __res_context_search (ctx, name, C_IN, T_A,
		80	dns_packet_buffer, sizeof (dns_packet_buffer),
		81	- NULL, NULL, NULL, NULL, NULL);
		82	+ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL);
		83	if (n >= 0)
		84	status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n,
		85	&abuf, pat, errnop, herrnop, ttlp);
		86	diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
		87	new file mode 100644
		88	--- /dev/null
		89	+++ b/resolv/tst-resolv-noaaaa-vc.c
		90	@@ -0,0 +1,129 @@
		91	+/* Test the RES_NOAAAA resolver option with a large response.
		92	+ Copyright (C) 2022-2023 Free Software Foundation, Inc.
		93	+ This file is part of the GNU C Library.
		94	+
		95	+ The GNU C Library is free software; you can redistribute it and/or
		96	+ modify it under the terms of the GNU Lesser General Public
		97	+ License as published by the Free Software Foundation; either
		98	+ version 2.1 of the License, or (at your option) any later version.
		99	+
		100	+ The GNU C Library is distributed in the hope that it will be useful,
		101	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		102	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		103	+ Lesser General Public License for more details.
		104	+
		105	+ You should have received a copy of the GNU Lesser General Public
		106	+ License along with the GNU C Library; if not, see
		107	+ <https://www.gnu.org/licenses/>. */
		108	+
		109	+#include <errno.h>
		110	+#include <netdb.h>
		111	+#include <resolv.h>
		112	+#include <stdbool.h>
		113	+#include <stdlib.h>
		114	+#include <support/check.h>
		115	+#include <support/check_nss.h>
		116	+#include <support/resolv_test.h>
		117	+#include <support/support.h>
		118	+#include <support/xmemstream.h>
		119	+
		120	+/* Used to keep track of the number of queries. */
		121	+static volatile unsigned int queries;
		122	+
		123	+/* If true, add a large TXT record at the start of the answer section. */
		124	+static volatile bool stuff_txt;
		125	+
		126	+static void
		127	+response (const struct resolv_response_context *ctx,
		128	+ struct resolv_response_builder *b,
		129	+ const char *qname, uint16_t qclass, uint16_t qtype)
		130	+{
		131	+ /* If not using TCP, just force its use. */
		132	+ if (!ctx->tcp)
		133	+ {
		134	+ struct resolv_response_flags flags = {.tc = true};
		135	+ resolv_response_init (b, flags);
		136	+ resolv_response_add_question (b, qname, qclass, qtype);
		137	+ return;
		138	+ }
		139	+
		140	+ /* The test needs to send four queries, the first three are used to
		141	+ grow the NSS buffer via the ERANGE handshake. */
		142	+ ++queries;
		143	+ TEST_VERIFY (queries <= 4);
		144	+
		145	+ /* AAAA queries are supposed to be disabled. */
		146	+ TEST_COMPARE (qtype, T_A);
		147	+ TEST_COMPARE (qclass, C_IN);
		148	+ TEST_COMPARE_STRING (qname, "example.com");
		149	+
		150	+ struct resolv_response_flags flags = {};
		151	+ resolv_response_init (b, flags);
		152	+ resolv_response_add_question (b, qname, qclass, qtype);
		153	+
		154	+ resolv_response_section (b, ns_s_an);
		155	+
		156	+ if (stuff_txt)
		157	+ {
		158	+ resolv_response_open_record (b, qname, qclass, T_TXT, 60);
		159	+ int zero = 0;
		160	+ for (int i = 0; i <= 15000; ++i)
		161	+ resolv_response_add_data (b, &zero, sizeof (zero));
		162	+ resolv_response_close_record (b);
		163	+ }
		164	+
		165	+ for (int i = 0; i < 200; ++i)
		166	+ {
		167	+ resolv_response_open_record (b, qname, qclass, qtype, 60);
		168	+ char ipv4[4] = {192, 0, 2, i + 1};
		169	+ resolv_response_add_data (b, &ipv4, sizeof (ipv4));
		170	+ resolv_response_close_record (b);
		171	+ }
		172	+}
		173	+
		174	+static int
		175	+do_test (void)
		176	+{
		177	+ struct resolv_test *obj = resolv_test_start
		178	+ ((struct resolv_redirect_config)
		179	+ {
		180	+ .response_callback = response
		181	+ });
		182	+
		183	+ _res.options \|= RES_NOAAAA;
		184	+
		185	+ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
		186	+ {
		187	+ queries = 0;
		188	+ stuff_txt = do_stuff_txt;
		189	+
		190	+ struct addrinfo *ai = NULL;
		191	+ int ret;
		192	+ ret = getaddrinfo ("example.com", "80",
		193	+ &(struct addrinfo)
		194	+ {
		195	+ .ai_family = AF_UNSPEC,
		196	+ .ai_socktype = SOCK_STREAM,
		197	+ }, &ai);
		198	+
		199	+ char *expected_result;
		200	+ {
		201	+ struct xmemstream mem;
		202	+ xopen_memstream (&mem);
		203	+ for (int i = 0; i < 200; ++i)
		204	+ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
		205	+ xfclose_memstream (&mem);
		206	+ expected_result = mem.buffer;
		207	+ }
		208	+
		209	+ check_addrinfo ("example.com", ai, ret, expected_result);
		210	+
		211	+ free (expected_result);
		212	+ freeaddrinfo (ai);
		213	+ }
		214	+
		215	+ resolv_test_end (obj);
		216	+ return 0;
		217	+}
		218	+
		219	+#include <support/test-driver.c>


diff --git a/meta/recipes-core/glibc/glibc_2.38.bb b/meta/recipes-core/glibc/glibc_2.38.bb index 32ccb888f0..237458d066 100644 --- a/meta/recipes-core/glibc/glibc_2.38.bb +++ b/meta/recipes-core/glibc/glibc_2.38.bb
@@ -51,6 +51,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
51	file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \	51	file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
52	file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \	52	file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
53	file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \	53	file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \
		54	file://0024-CVE-2023-4527.patch \
54	"	55	"
55	S = "${WORKDIR}/git"	56	S = "${WORKDIR}/git"
56	B = "${WORKDIR}/build-${TARGET_SYS}"	57	B = "${WORKDIR}/build-${TARGET_SYS}"