Page MenuHomeFreeBSD
Differential D26204

fix integer underflow in getgrnam_r and getpwnam_r
ClosedPublic
Actions

Authored by asomers on Aug 26 2020, 7:30 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, May 3, 9:54 AM
Unknown Object (File)
Wed, May 1, 6:41 AM
Unknown Object (File)
Mar 29 2024, 9:18 AM
Unknown Object (File)
Mar 15 2024, 6:43 PM
Unknown Object (File)
Mar 8 2024, 3:27 AM
Unknown Object (File)
Mar 8 2024, 3:27 AM
Unknown Object (File)
Mar 8 2024, 3:27 AM
Unknown Object (File)
Feb 4 2024, 4:42 PM
View All 48 Files
Subscribers
imp
markj

Details

Reviewers
pi
trasz
markj
Commits
rS368085: MFC r365910:
rS365910: fix integer underflow in getgrnam_r and getpwnam_r
Summary

fix integer underflow in getgrnam_r and getpwnam_r

Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
return ERANGE instead of 0.

Fix the user's buffer size check, and add a correct check for a too-small
nscd buffer.

PR: 248932

Test Plan

Tested on 11.4-RELEASE with nscd and ldap. Could not reproduce
on head.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

asomers created this revision.Aug 26 2020, 7:30 PM
Herald added a subscriber: imp. · View Herald TranscriptAug 26 2020, 7:30 PM
asomers requested review of this revision.Aug 26 2020, 7:30 PM
Harbormaster completed remote builds in B33180: Diff 76261.Aug 26 2020, 7:30 PM
asomers added a comment.Sep 11 2020, 10:57 PM

ping @pi @trasz . Are either of you able to review this change?

trasz added inline comments.Sep 15 2020, 8:32 PM
lib/libc/gen/getgrent.c
338 ↗(On Diff #76261)

I don't quite understand this code, but... what's 'p', and aren't you using its uninitialized value?

asomers added inline comments.Sep 19 2020, 5:40 PM
lib/libc/gen/getgrent.c
338 ↗(On Diff #76261)

You're right. I copied the _ALIGN(p) - (size_t)p from a few lines below, but p isn't initialized yet. Surprising that the compiler didn't warn about it.

asomers updated this revision to Diff 77225.Sep 19 2020, 6:04 PM

Fix uninitialized value read in the first version of the diff

Harbormaster completed remote builds in B33651: Diff 77225.Sep 19 2020, 6:04 PM
markj added a subscriber: markj.Sep 19 2020, 6:27 PM
markj added inline comments.
lib/libc/gen/getgrent.c
337 ↗(On Diff #77225)

Just for my understanding: orig_buf_size is the size of the buffer to which we're copying results, and buffer_size is the size of the cached data returned by nscd?

344 ↗(On Diff #77225)

In nscd's on_read_request_process() I see that if the agent's lookup function returns NS_NOTFOUND, nscd seemingly writes negative_data, which is a single nul byte. Is that the source of these short reads? Doesn't getpwent() have the same problem?

344 ↗(On Diff #77225)

Sorry, I missed that you also modified getpwent().

355 ↗(On Diff #77225)

This brace should be on the preceding line. There are several instances of this in the diff.

markj added inline comments.Sep 19 2020, 6:33 PM
lib/libc/gen/getgrent.c
347 ↗(On Diff #77225)

Should this be NS_NOTFOUND? Hard to say unless we know exactly why nscd sends small buffers.

asomers marked 4 inline comments as done.Sep 19 2020, 6:34 PM
asomers added inline comments.
lib/libc/gen/getgrent.c
337 ↗(On Diff #77225)

Yes.

355 ↗(On Diff #77225)

Fixed. Note that the brace on line 338 needs its own line; otherwise it overflows 80 columns.

asomers updated this revision to Diff 77227.Sep 19 2020, 6:34 PM
asomers marked 2 inline comments as done.

Style changes

Harbormaster completed remote builds in B33652: Diff 77227.Sep 19 2020, 6:34 PM
asomers updated this revision to Diff 77228.Sep 19 2020, 6:52 PM

return NS_NOTFOUND instead of NS_UNAVAIL if nscd returns 1 byte

Harbormaster completed remote builds in B33653: Diff 77228.Sep 19 2020, 6:52 PM
markj accepted this revision.Sep 19 2020, 7:04 PM

Seems reasonable to me.

lib/libc/gen/getgrent.c
355 ↗(On Diff #77225)

The usual way to handle that is to break the conditional, as is done in getpwent.c:392.

This revision is now accepted and ready to land.Sep 19 2020, 7:04 PM
asomers added inline comments.Sep 19 2020, 7:06 PM
lib/libc/gen/getgrent.c
347 ↗(On Diff #77225)

Probably so. At the very least, it's no more wrong than NS_UNAVAIL. I'll change it.

Closed by commit rS365910: fix integer underflow in getgrnam_r and getpwnam_r (authored by asomers). · Explain WhySep 19 2020, 7:08 PM
This revision was automatically updated to reflect the committed changes.
asomers added a commit: rS365910: fix integer underflow in getgrnam_r and getpwnam_r.
asomers added a commit: rS368085: MFC r365910:.Nov 26 2020, 11:34 PM

Revision Contents
Changeset List

PathSize
head/
lib/
libc/
gen/
17 lines
11 lines

Diff 77229

View Options

head/lib/libc/gen/getgrent.c

Loading...
View Options

head/lib/libc/gen/getpwent.c

Loading...