!691 fix CVE-2023-4527

From: @liqingqing_1229 Reviewed-by: @yang_yanchao Signed-off-by: @yang_yanchao
2023-09-16 03:47:23 +00:00 · 2023-09-16 03:47:23 +00:00 · f21fe5b5e6
commit f21fe5b5e6
parent 4af1e2df23 34bca268b0
2 changed files with 226 additions and 1 deletions
--- a/CVE-2023-4527-Stack-read-overflow-with-large-TCP-res.patch
+++ b/CVE-2023-4527-Stack-read-overflow-with-large-TCP-res.patch
@ -0,0 +1,221 @@
+From b25508dd774b617f99419bdc3cf2ace4560cd2d6 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 13 Sep 2023 14:10:56 +0200
+Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses
+ in no-aaaa mode
+
+Without passing alt_dns_packet_buffer, __res_context_search can only
+store 2048 bytes (what fits into dns_packet_buffer).  However,
+the function returns the total packet size, and the subsequent
+DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
+of the stack-allocated buffer.
+
+Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
+stub resolver option") and bug 30842.
+
+(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
+---
+ NEWS                          |   9 +++
+ resolv/Makefile               |   2 +
+ resolv/nss_dns/dns-host.c     |   2 +-
+ resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++
+ 4 files changed, 141 insertions(+), 1 deletion(-)
+ create mode 100644 resolv/tst-resolv-noaaaa-vc.c
+
+diff --git a/NEWS b/NEWS
+index 64596d5d09..dfee278a9c 100644
+--- a/NEWS
+++ b/NEWS
+@@ -7,12 +7,21 @@ using `glibc' in the "product" field.
+ 
+ Version 2.38.1
+ 
+Security related changes:
+
+  CVE-2023-4527: If the system is configured in no-aaaa mode via
+  /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
+  family, and a DNS response is received over TCP that is larger than
+  2048 bytes, getaddrinfo may potentially disclose stack contents via
+  the returned address data, or crash.
+
+ The following bugs are resolved with this release:
+ 
+   [30723] posix_memalign repeatedly scans long bin lists
+   [30785] Always call destructors in reverse constructor order
+   [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with
+     -D_FILE_OFFSET_BITS=64
+  [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
+ 
+ 
+ Version 2.38
+diff --git a/resolv/Makefile b/resolv/Makefile
+index 054b1fa36c..2f99eb3862 100644
+--- a/resolv/Makefile
+++ b/resolv/Makefile
+@@ -102,6 +102,7 @@ tests += \
+   tst-resolv-invalid-cname \
+   tst-resolv-network \
+   tst-resolv-noaaaa \
+  tst-resolv-noaaaa-vc \
+   tst-resolv-nondecimal \
+   tst-resolv-res_init-multi \
+   tst-resolv-search \
+@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \
+ $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \
+   $(shared-thread-library)
+ $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 1d60c51f5e..5d0ab30de6 100644
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+     {
+       n = __res_context_search (ctx, name, C_IN, T_A,
+ 				dns_packet_buffer, sizeof (dns_packet_buffer),
+-				NULL, NULL, NULL, NULL, NULL);
+				&alt_dns_packet_buffer, NULL, NULL, NULL, NULL);
+       if (n >= 0)
+ 	status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n,
+ 					&abuf, pat, errnop, herrnop, ttlp);
+diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c
+new file mode 100644
+index 0000000000..9f5aebd99f
+--- /dev/null
+++ b/resolv/tst-resolv-noaaaa-vc.c
+@@ -0,0 +1,129 @@
+/* Test the RES_NOAAAA resolver option with a large response.
+   Copyright (C) 2022-2023 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+#include <support/xmemstream.h>
+
+/* Used to keep track of the number of queries.  */
+static volatile unsigned int queries;
+
+/* If true, add a large TXT record at the start of the answer section.  */
+static volatile bool stuff_txt;
+
+static void
+response (const struct resolv_response_context *ctx,
+          struct resolv_response_builder *b,
+          const char *qname, uint16_t qclass, uint16_t qtype)
+{
+  /* If not using TCP, just force its use.  */
+  if (!ctx->tcp)
+    {
+      struct resolv_response_flags flags = {.tc = true};
+      resolv_response_init (b, flags);
+      resolv_response_add_question (b, qname, qclass, qtype);
+      return;
+    }
+
+  /* The test needs to send four queries, the first three are used to
+     grow the NSS buffer via the ERANGE handshake.  */
+  ++queries;
+  TEST_VERIFY (queries <= 4);
+
+  /* AAAA queries are supposed to be disabled.  */
+  TEST_COMPARE (qtype, T_A);
+  TEST_COMPARE (qclass, C_IN);
+  TEST_COMPARE_STRING (qname, "example.com");
+
+  struct resolv_response_flags flags = {};
+  resolv_response_init (b, flags);
+  resolv_response_add_question (b, qname, qclass, qtype);
+
+  resolv_response_section (b, ns_s_an);
+
+  if (stuff_txt)
+    {
+      resolv_response_open_record (b, qname, qclass, T_TXT, 60);
+      int zero = 0;
+      for (int i = 0; i <= 15000; ++i)
+        resolv_response_add_data (b, &zero, sizeof (zero));
+      resolv_response_close_record (b);
+    }
+
+  for (int i = 0; i < 200; ++i)
+    {
+      resolv_response_open_record (b, qname, qclass, qtype, 60);
+      char ipv4[4] = {192, 0, 2, i + 1};
+      resolv_response_add_data (b, &ipv4, sizeof (ipv4));
+      resolv_response_close_record (b);
+    }
+}
+
+static int
+do_test (void)
+{
+  struct resolv_test *obj = resolv_test_start
+    ((struct resolv_redirect_config)
+     {
+       .response_callback = response
+     });
+
+  _res.options |= RES_NOAAAA;
+
+  for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt)
+    {
+      queries = 0;
+      stuff_txt = do_stuff_txt;
+
+      struct addrinfo *ai = NULL;
+      int ret;
+      ret = getaddrinfo ("example.com", "80",
+                         &(struct addrinfo)
+                         {
+                           .ai_family = AF_UNSPEC,
+                           .ai_socktype = SOCK_STREAM,
+                         }, &ai);
+
+      char *expected_result;
+      {
+        struct xmemstream mem;
+        xopen_memstream (&mem);
+        for (int i = 0; i < 200; ++i)
+          fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1);
+        xfclose_memstream (&mem);
+        expected_result = mem.buffer;
+      }
+
+      check_addrinfo ("example.com", ai, ret, expected_result);
+
+      free (expected_result);
+      freeaddrinfo (ai);
+    }
+
+  resolv_test_end (obj);
+  return 0;
+}
+
+#include <support/test-driver.c>
+-- 
+2.33.0
+
--- a/glibc.spec
+++ b/glibc.spec
@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	8
+Release: 	9
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -105,6 +105,7 @@ Patch16: elf-Fix-_dl_close_worker-compile-error-with-Werror-a.patch
 Patch17: 0003-elf-Remove-unused-l_text_end-field-from-struct-link_.patch
 Patch18: 0004-elf-Move-l_init_called_next-to-old-place-of-l_text_e.patch
 Patch19: 0005-NEWS-Add-the-2.38.1-bug-list.patch
+Patch20: CVE-2023-4527-Stack-read-overflow-with-large-TCP-res.patch

 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch 
@ -1319,6 +1320,9 @@ fi
 %endif

 %changelog
+* Fri Sep 15 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-9
+- fix CVE-2023-4527
+
 * Mon Sep 11 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-8
 - backport patches from glibc upstream 2.38 branch