Bug 1437147

Summary: Fix for thread cancellation of IdM functions incorrect in rhel-6.9.
Product: Red Hat Enterprise Linux 6 Reporter: Carlos O'Donell <codonell>
Component: glibc Assignee: Carlos O'Donell <codonell>
Status: CLOSED ERRATA QA Contact: Sergey Kolosov <skolosov>
Severity: high Docs Contact: Vladimír Slávik <vslavik>
Priority: urgent    
Version: 6.9 CC: ashankar, bgollahe, fdanapfe, fweimer, jreznik, mcermak, mnewsome, pfrankli, salmy, skolosov, tgummels, thomas.oulevey, vslavik
Target Milestone: rc Keywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: glibc-2.12-1.210.el6 Doc Type: Bug Fix
Doc Text:
Thread cancellation support for APIs depending on `/etc/hosts.conf`

A defect in thread-cancellation support for the `setmntent()` function could cause the function to fail and return an error where it was expected to succeed. Consequently, programs that rely on `setmntent()` could fail to start. The `setmntent()` function has been fixed, and now works as expected. In addition, the `setttyent()` and `setnetgrent()` functions, and all APIs that rely on the `/etc/hosts.conf` file, have been enhanced to provide improved support for thread cancellation.
Story Points: ---
Clone Of:
: 1437618 (view as bug list) Environment:
Last Closed: 2018-06-19 05:14:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1437618, 1504312, 1507613    

Description Carlos O'Donell 2017-03-29 15:51:43 UTC
The fix for bug 1012343:
https://bugzilla.redhat.com/show_bug.cgi?id=1012343

It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.

--- a/misc/mntent_r.c
+++ b/misc/mntent_r.c
@@ -40,10 +40,10 @@
 __setmntent (const char *file, const char *mode)
 {
   /* Extend the mode parameter with "c" to disable cancellation in the
-     I/O functions.  */
+     I/O functions and "e" to set FD_CLOEXEC.  */
   size_t modelen = strlen (mode);
   char newmode[modelen + 2];
-  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
+  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
   FILE *result = fopen (file, newmode);

   if (result != NULL)
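
Review bot: In the `+` memcpy line the length argument is still 2 although the literal grew from "c" to "ce", so only 'c' and 'e' are copied and the terminating NUL is dropped; `newmode` is also still declared as `modelen + 2`, which leaves no room for it. fopen then parses the mode string past the end of the array. Suggest `char newmode[modelen + 3];` together with `memcpy (mempcpy (newmode, mode, modelen), "ce", 3);`, or take the length from `sizeof "ce"` so the literal and the count cannot drift apart again.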

The newmode should be size modelen + 3 and the memcpy should copy 3 bytes.

An audit revealed that also needed are cancellation fixes for:

getttyent.c
files-netgrp.c
res_hconf.c

So we must fix those up also.

The fix for bug 952422 fixed the cancellation issue with getsysstats.c already.
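
The defect described above, as an added example that is not code from glibc or from this report: it builds the mode string both ways into a sentinel-filled buffer so the missing terminator can be observed safely. The helper names, the 16-byte buffer and the 0x5A fill byte are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x5A /* constructed fill byte standing in for uninitialized stack data */

/* Hypothetical helper mirroring the rhel-6.9 hunk: "ce" is appended with a
   length of 2, so the '\0' of the literal is never copied. */
static size_t build_mode_unterminated(char *buf, const char *mode)
{
    size_t modelen = strlen(mode);
    memcpy(buf, mode, modelen);
    memcpy(buf + modelen, "ce", 2);
    return modelen + 2; /* bytes written */
}

/* Hypothetical helper with the correction from the report: 3 bytes copied. */
static size_t build_mode_terminated(char *buf, const char *mode)
{
    size_t modelen = strlen(mode);
    memcpy(buf, mode, modelen);
    memcpy(buf + modelen, "ce", sizeof "ce"); /* sizeof counts the '\0' */
    return modelen + 3; /* bytes written */
}

/* Returns 1 if a NUL byte occurs within the first n bytes of buf. */
static int has_terminator(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Runs a builder on a sentinel-filled buffer and reports whether the result
   is terminated within modelen + 3 bytes, the size the report asks for. */
static int check(size_t (*build)(char *, const char *), const char *mode)
{
    char buf[16];
    memset(buf, SENTINEL, sizeof buf);
    build(buf, mode);
    return has_terminator(buf, strlen(mode) + 3);
}

int main(void)
{
    printf("2-byte copy terminated: %d\n", check(build_mode_unterminated, "r"));
    printf("3-byte copy terminated: %d\n", check(build_mode_terminated, "r"));
    return 0;
}
```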

Comment 2 Carlos O'Donell 2017-03-29 15:55:17 UTC
First reported here: https://blogs.oracle.com/wim/entry/oracle_linux_6_update_9

(Via bug 1012343 comment 21.)

Comment 3 Carlos O'Donell 2017-03-29 15:56:05 UTC
*** Bug 1437111 has been marked as a duplicate of this bug. ***

Comment 5 Carlos O'Donell 2017-03-29 17:44:52 UTC
Fixes complete and undergoing internal review.

Comment 8 Carlos O'Donell 2017-03-30 01:34:09 UTC
(In reply to Carlos O'Donell from comment #0)
> Contains a defect that results in a 1-byte buffer overflow.

This statement is incorrect. It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.

Comment 16 Florian Weimer 2017-04-03 08:42:43 UTC
*** Bug 1394704 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2018-06-19 05:14:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1879