Bug 1195729 (CVE-2015-0283)
| Summary: | CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> | ||||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | unspecified | CC: | abokovoy, dpal, mkosek, mprpic, nalin, rcritten, sbose, security-response-team | ||||||||
| Target Milestone: | --- | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: |
It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time.
|
Story Points: | --- | ||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2019-06-08 02:39:02 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | 1202995, 1202996, 1206049 | ||||||||||
| Bug Blocks: | 1195735 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Martin Prpič
2015-02-24 13:26:13 UTC
Created attachment 994786 [details]
patch 1 makes use of libnss_sss.so.2 directly
First patch in a series to fix the issue. We have two separate problems that cause deadlock: one is resizing issue (coming in patch 2) and another is traversing of NSS stack for all requests for user/group names (patch 1). The latter is amplifying the issue with realloc() because nss_files.so.2 is always in the NSS stack and will always lock up access to /etc/group or /etc/passwd for other threads.
Created attachment 994788 [details]
patch 2 store the length of reallocated chunk
Patch 2 makes sure we remember new size of the reallocated memory.
Created attachment 995077 [details]
patch 3 make default nss buffer larger
Patch 3 makes sure the default buffer size is of reasonable size -- initial buffer size for getgrnam/getgrgid in glibc is about 1KiB while for typical AD environments group information may occupy a larger space. Use 16KiB by default.
Comment on attachment 995077 [details]
patch 3 make default nss buffer larger
wrong MIME type
Splitting IPA memory corruption issue when using get_user_grouplist() to separate bug 1205200 with the CVE-2015-1827 assigned. Created slapi-nis tracking bugs for this issue: Affects: fedora-all [bug 1206049] This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0728 https://rhn.redhat.com/errata/RHSA-2015-0728.html freeipa-4.1.4-1.fc22, slapi-nis-0.54.2-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. freeipa-4.1.4-1.fc21, slapi-nis-0.54.2-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. |