diff options
-rw-r--r-- | meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch | 219 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.38.bb | 1 |
2 files changed, 220 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch new file mode 100644 index 0000000000..7d9adf6a66 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch | |||
@@ -0,0 +1,219 @@ | |||
1 | From 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f Mon Sep 17 00:00:00 2001 | ||
2 | From: Florian Weimer <fweimer@redhat.com> | ||
3 | Date: Wed, 13 Sep 2023 14:10:56 +0200 | ||
4 | Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses | ||
5 | in no-aaaa mode | ||
6 | |||
7 | Without passing alt_dns_packet_buffer, __res_context_search can only | ||
8 | store 2048 bytes (what fits into dns_packet_buffer). However, | ||
9 | the function returns the total packet size, and the subsequent | ||
10 | DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end | ||
11 | of the stack-allocated buffer. | ||
12 | |||
13 | Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa | ||
14 | stub resolver option") and bug 30842. | ||
15 | |||
16 | (cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d) | ||
17 | |||
18 | Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f] | ||
19 | CVE: CVE-2023-4527 | ||
20 | |||
21 | Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> | ||
22 | |||
23 | --- | ||
24 | NEWS | 7 ++ | ||
25 | resolv/Makefile | 2 + | ||
26 | resolv/nss_dns/dns-host.c | 2 +- | ||
27 | resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ | ||
28 | 4 files changed, 139 insertions(+), 1 deletion(-) | ||
29 | create mode 100644 resolv/tst-resolv-noaaaa-vc.c | ||
30 | |||
31 | diff --git a/NEWS b/NEWS | ||
32 | --- a/NEWS | ||
33 | +++ b/NEWS | ||
34 | @@ -126,6 +126,7 @@ | ||
35 | [30477] libc: [RISCV]: time64 does not work on riscv32 | ||
36 | [30515] dynamic-link: _dl_find_object incorrectly returns 1 during | ||
37 | early startup | ||
38 | + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) | ||
39 | [30527] network: resolv_conf lock not unlocked on allocation failure | ||
40 | [30550] math: powerpc64le: GCC-specific code for isinf() is being used | ||
41 | on clang | ||
42 | @@ -157,6 +158,12 @@ | ||
43 | heap and prints it to the target log file, potentially revealing a | ||
44 | portion of the contents of the heap. | ||
45 | |||
46 | + CVE-2023-4527: If the system is configured in no-aaaa mode via | ||
47 | + /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address | ||
48 | + family, and a DNS response is received over TCP that is larger than | ||
49 | + 2048 bytes, getaddrinfo may potentially disclose stack contents via | ||
50 | + the returned address data, or crash. | ||
51 | + | ||
52 | The following bugs are resolved with this release: | ||
53 | |||
54 | [12154] network: Cannot resolve hosts which have wildcard aliases | ||
55 | diff --git a/resolv/Makefile b/resolv/Makefile | ||
56 | --- a/resolv/Makefile | ||
57 | +++ b/resolv/Makefile | ||
58 | @@ -102,6 +102,7 @@ | ||
59 | tst-resolv-invalid-cname \ | ||
60 | tst-resolv-network \ | ||
61 | tst-resolv-noaaaa \ | ||
62 | + tst-resolv-noaaaa-vc \ | ||
63 | tst-resolv-nondecimal \ | ||
64 | tst-resolv-res_init-multi \ | ||
65 | tst-resolv-search \ | ||
66 | @@ -293,6 +294,7 @@ | ||
67 | $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ | ||
68 | $(shared-thread-library) | ||
69 | $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) | ||
70 | +$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) | ||
71 | $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) | ||
72 | $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) | ||
73 | $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) | ||
74 | diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c | ||
75 | --- a/resolv/nss_dns/dns-host.c | ||
76 | +++ b/resolv/nss_dns/dns-host.c | ||
77 | @@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, | ||
78 | { | ||
79 | n = __res_context_search (ctx, name, C_IN, T_A, | ||
80 | dns_packet_buffer, sizeof (dns_packet_buffer), | ||
81 | - NULL, NULL, NULL, NULL, NULL); | ||
82 | + &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); | ||
83 | if (n >= 0) | ||
84 | status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, | ||
85 | &abuf, pat, errnop, herrnop, ttlp); | ||
86 | diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c | ||
87 | new file mode 100644 | ||
88 | --- /dev/null | ||
89 | +++ b/resolv/tst-resolv-noaaaa-vc.c | ||
90 | @@ -0,0 +1,129 @@ | ||
91 | +/* Test the RES_NOAAAA resolver option with a large response. | ||
92 | + Copyright (C) 2022-2023 Free Software Foundation, Inc. | ||
93 | + This file is part of the GNU C Library. | ||
94 | + | ||
95 | + The GNU C Library is free software; you can redistribute it and/or | ||
96 | + modify it under the terms of the GNU Lesser General Public | ||
97 | + License as published by the Free Software Foundation; either | ||
98 | + version 2.1 of the License, or (at your option) any later version. | ||
99 | + | ||
100 | + The GNU C Library is distributed in the hope that it will be useful, | ||
101 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
102 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
103 | + Lesser General Public License for more details. | ||
104 | + | ||
105 | + You should have received a copy of the GNU Lesser General Public | ||
106 | + License along with the GNU C Library; if not, see | ||
107 | + <https://www.gnu.org/licenses/>. */ | ||
108 | + | ||
109 | +#include <errno.h> | ||
110 | +#include <netdb.h> | ||
111 | +#include <resolv.h> | ||
112 | +#include <stdbool.h> | ||
113 | +#include <stdlib.h> | ||
114 | +#include <support/check.h> | ||
115 | +#include <support/check_nss.h> | ||
116 | +#include <support/resolv_test.h> | ||
117 | +#include <support/support.h> | ||
118 | +#include <support/xmemstream.h> | ||
119 | + | ||
120 | +/* Used to keep track of the number of queries. */ | ||
121 | +static volatile unsigned int queries; | ||
122 | + | ||
123 | +/* If true, add a large TXT record at the start of the answer section. */ | ||
124 | +static volatile bool stuff_txt; | ||
125 | + | ||
126 | +static void | ||
127 | +response (const struct resolv_response_context *ctx, | ||
128 | + struct resolv_response_builder *b, | ||
129 | + const char *qname, uint16_t qclass, uint16_t qtype) | ||
130 | +{ | ||
131 | + /* If not using TCP, just force its use. */ | ||
132 | + if (!ctx->tcp) | ||
133 | + { | ||
134 | + struct resolv_response_flags flags = {.tc = true}; | ||
135 | + resolv_response_init (b, flags); | ||
136 | + resolv_response_add_question (b, qname, qclass, qtype); | ||
137 | + return; | ||
138 | + } | ||
139 | + | ||
140 | + /* The test needs to send four queries, the first three are used to | ||
141 | + grow the NSS buffer via the ERANGE handshake. */ | ||
142 | + ++queries; | ||
143 | + TEST_VERIFY (queries <= 4); | ||
144 | + | ||
145 | + /* AAAA queries are supposed to be disabled. */ | ||
146 | + TEST_COMPARE (qtype, T_A); | ||
147 | + TEST_COMPARE (qclass, C_IN); | ||
148 | + TEST_COMPARE_STRING (qname, "example.com"); | ||
149 | + | ||
150 | + struct resolv_response_flags flags = {}; | ||
151 | + resolv_response_init (b, flags); | ||
152 | + resolv_response_add_question (b, qname, qclass, qtype); | ||
153 | + | ||
154 | + resolv_response_section (b, ns_s_an); | ||
155 | + | ||
156 | + if (stuff_txt) | ||
157 | + { | ||
158 | + resolv_response_open_record (b, qname, qclass, T_TXT, 60); | ||
159 | + int zero = 0; | ||
160 | + for (int i = 0; i <= 15000; ++i) | ||
161 | + resolv_response_add_data (b, &zero, sizeof (zero)); | ||
162 | + resolv_response_close_record (b); | ||
163 | + } | ||
164 | + | ||
165 | + for (int i = 0; i < 200; ++i) | ||
166 | + { | ||
167 | + resolv_response_open_record (b, qname, qclass, qtype, 60); | ||
168 | + char ipv4[4] = {192, 0, 2, i + 1}; | ||
169 | + resolv_response_add_data (b, &ipv4, sizeof (ipv4)); | ||
170 | + resolv_response_close_record (b); | ||
171 | + } | ||
172 | +} | ||
173 | + | ||
174 | +static int | ||
175 | +do_test (void) | ||
176 | +{ | ||
177 | + struct resolv_test *obj = resolv_test_start | ||
178 | + ((struct resolv_redirect_config) | ||
179 | + { | ||
180 | + .response_callback = response | ||
181 | + }); | ||
182 | + | ||
183 | + _res.options |= RES_NOAAAA; | ||
184 | + | ||
185 | + for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) | ||
186 | + { | ||
187 | + queries = 0; | ||
188 | + stuff_txt = do_stuff_txt; | ||
189 | + | ||
190 | + struct addrinfo *ai = NULL; | ||
191 | + int ret; | ||
192 | + ret = getaddrinfo ("example.com", "80", | ||
193 | + &(struct addrinfo) | ||
194 | + { | ||
195 | + .ai_family = AF_UNSPEC, | ||
196 | + .ai_socktype = SOCK_STREAM, | ||
197 | + }, &ai); | ||
198 | + | ||
199 | + char *expected_result; | ||
200 | + { | ||
201 | + struct xmemstream mem; | ||
202 | + xopen_memstream (&mem); | ||
203 | + for (int i = 0; i < 200; ++i) | ||
204 | + fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); | ||
205 | + xfclose_memstream (&mem); | ||
206 | + expected_result = mem.buffer; | ||
207 | + } | ||
208 | + | ||
209 | + check_addrinfo ("example.com", ai, ret, expected_result); | ||
210 | + | ||
211 | + free (expected_result); | ||
212 | + freeaddrinfo (ai); | ||
213 | + } | ||
214 | + | ||
215 | + resolv_test_end (obj); | ||
216 | + return 0; | ||
217 | +} | ||
218 | + | ||
219 | +#include <support/test-driver.c> | ||
diff --git a/meta/recipes-core/glibc/glibc_2.38.bb b/meta/recipes-core/glibc/glibc_2.38.bb index 32ccb888f0..237458d066 100644 --- a/meta/recipes-core/glibc/glibc_2.38.bb +++ b/meta/recipes-core/glibc/glibc_2.38.bb | |||
@@ -51,6 +51,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
51 | file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ | 51 | file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ |
52 | file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ | 52 | file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \ |
53 | file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \ | 53 | file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \ |
54 | file://0024-CVE-2023-4527.patch \ | ||
54 | " | 55 | " |
55 | S = "${WORKDIR}/git" | 56 | S = "${WORKDIR}/git" |
56 | B = "${WORKDIR}/build-${TARGET_SYS}" | 57 | B = "${WORKDIR}/build-${TARGET_SYS}" |