From: GNU Libc Maintainers
Date: Tue, 30 Apr 2024 21:57:11 +0000 (+0200)
Subject: local-CVE-2024-33600-nscd
X-Git-Tag: archive/raspbian/2.31-13+rpi1+deb11u10^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0ada9539a315524aad30b45f7323579db0b8f0d5;p=glibc.git

local-CVE-2024-33600-nscd

commit 69c58d5ef9f584ea198bd00f7964d364d0e6b921
Author: Florian Weimer
Date: Thu Apr 25 15:00:45 2024 +0200

CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)

Using alloca matches what other caches do. The request length is bounded by MAXKEYLEN.

Reviewed-by: Carlos O'Donell
(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)

commit 304ce5fe466c4762b21b36c26926a4657b59b53e
Author: Florian Weimer
Date: Thu Apr 25 15:01:07 2024 +0200

CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)

If we failed to add a not-found response to the cache, the dataset point can be null, resulting in a null pointer dereference.

Reviewed-by: Siddhesh Poyarekar
(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)

Gbp-Pq: Topic any
Gbp-Pq: Name local-CVE-2024-33600-nscd.patch
---
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index a833ef039..e936b698c 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -148,7 +148,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
           /* No such service. */
           cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
                                    &key_copy);
-          goto writeout;
+          goto maybe_cache_add;
         }
 
       memset (&data, '\0', sizeof (data));
@@ -349,7 +349,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     {
       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
                                &key_copy);
-      goto writeout;
+      goto maybe_cache_add;
     }
 
   total = buffilled;
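Review bot: The new `goto maybe_cache_add;` here (and the identical jump in the second hunk at old line 349) leaves `dataset` possibly NULL when do_notfound could not allocate the cache entry, so everything after the label must avoid touching `dataset` except under `if (cacheable)`; a comment at the jump would make that invariant explicit, e.g. `/* do_notfound has already sent the response; dataset may be NULL here, in which case cacheable is false.  */`. The body of do_notfound is outside this patch, so the coupling between its return value and `*datasetp` is inferred from the commit message rather than visible in the hunk. addgetnetgrentX continues past both hunks.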
@@ -411,14 +411,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     }
 
   if (he == NULL && fd != -1)
-    {
-      /* We write the dataset before inserting it to the database
-         since while inserting this thread might block and so would
-         unnecessarily let the receiver wait. */
-    writeout:
+    /* We write the dataset before inserting it to the database since
+       while inserting this thread might block and so would
+       unnecessarily let the receiver wait. */
       writeall (fd, &dataset->resp, dataset->head.recsize);
-    }
 
+ maybe_cache_add:
   if (cacheable)
     {
       /* If necessary, we also propagate the data to disk. */
@@ -514,14 +512,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
 
   datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                      sizeof (innetgroup_response_header),
-                     he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
+                     he == NULL ? 0 : dh->nreloads + 1,
+                     result == NULL ? db->negtimeout : result->head.ttl);
   /* Set the notfound status and timeout based on the result from
      getnetgrent. */
-  dataset->head.notfound = result->head.notfound;
+  dataset->head.notfound = result == NULL || result->head.notfound;
   dataset->head.timeout = timeout;
 
   dataset->resp.version = NSCD_VERSION;
-  dataset->resp.found = result->resp.found;
+  dataset->resp.found = result != NULL && result->resp.found;
   /* Until we find a matching entry the result is 0. */
   dataset->resp.result = 0;
 
@@ -569,7 +568,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
       goto out;
     }
 
-  if (he == NULL)
+  /* addgetnetgrentX may have already sent a notfound response. Do
+     not send another one. */
+  if (he == NULL && dataset->resp.found)
     {
       /* We write the dataset before inserting it to the database since
          while inserting this thread might block and so would
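Review bot: Dropping the braces leaves `writeall (fd, &dataset->resp, dataset->head.recsize);` as a bare `if` body separated from its condition by a three-line comment, which is exactly the shape in which a later edit adds a second statement and silently changes control flow; keeping `{ ... }` around the comment and the call while still moving `maybe_cache_add:` out of the block would be the safer form. The label now lands directly on `if (cacheable)`, so on the not-found path only the `cacheable` branch may dereference `dataset`. The rest of addgetnetgrentX after that `if` is outside this hunk.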
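Review bot: The three `result == NULL` guards added around `datahead_init_pos`, `head.notfound` and `resp.found` all encode the same case, but nothing in addinnetgrX says when `result` can be NULL; a comment above the `datahead_init_pos` call would help, e.g. `/* result is NULL if addgetnetgrentX could not cache its not-found response; treat that as a negative result with the negative TTL.  */`. Whether the `timeout` stored into `dataset->head.timeout` is initialised on that path depends on code before this hunk, so worth confirming. addinnetgrX starts before and ends after this hunk.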
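Review bot: Using `dataset->resp.found` as the signal that a not-found response was already written couples two different facts: whether addgetnetgrentX ran on this `fd`, and whether the group exists. If `result` can also be obtained from a cache lookup earlier in addinnetgrX (outside this hunk) and a cached entry can carry `found == 0`, the new condition suppresses the reply in a case where nothing has been sent, leaving the client waiting. A local flag set only where addgetnetgrentX is actually invoked with `fd`, tested here as `if (he == NULL && !response_sent)`, would state the intent directly; confirm against the lookup code above the hunk. The `if` body continues past the end of the hunk.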