Bug 163538

Summary: NSCD buffer overflow for large gids
Product: Fedora
Component: glibc
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Ivan Gyurdiev <ivg231>
Assignee: Jakub Jelinek <jakub>
QA Contact: Brian Brock <bbrock>
CC: drepper, nutello, roland
Doc Type: Bug Fix
Last Closed: 2005-07-22 10:52:25 UTC
Bug Blocks: 164815

Description Ivan Gyurdiev 2005-07-18 18:18:32 UTC

Description of problem:
diff -aru glibc-orig/nscd/grpcache.c glibc-nscd-fix/nscd/grpcache.c
--- glibc-orig/nscd/grpcache.c  2005-02-22 17:53:39.000000000 -0500
+++ glibc-nscd-fix/nscd/grpcache.c      2005-07-18 01:36:20.000000000 -0400
@@ -167,7 +167,7 @@
       char *gr_name;
       char *cp;
       const size_t key_len = strlen (key);
-      const size_t buf_len = 3 + sizeof (grp->gr_gid) + key_len + 1;
+      const size_t buf_len = 3 * sizeof (grp->gr_gid) + key_len + 1;
       char *buf = alloca (buf_len);
       ssize_t n;
       size_t cnt;
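Review bot: The bound `3 * sizeof (grp->gr_gid)` is the line to check in this hunk. The buffer has to hold the gid as decimal text, and a 32-bit gid needs up to 10 digits, so the old `3 + sizeof (grp->gr_gid)` (7 bytes) only left room for about six digits, while 12 bytes covers the whole range; a comment spelling out that reasoning (three decimal digits per byte of the integer, plus separator and NUL) would let the next reader verify the size without redoing the arithmetic. Comment 1 says the key is built with snprintf, so the `n` declared here is the natural place to compare the returned length against `buf_len` and fail loudly when the buffer is still too small, instead of silently storing a truncated key.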


Version-Release number of selected component (if applicable):
glibc-2.3.90-2

How reproducible:
Didn't try

Comment 1 Jakub Jelinek 2005-07-18 19:33:52 UTC
This really isn't an overflow, as snprintf is used.  With nscd built without
-DNDEBUG, there would be an assertion failure, but Red Hat/Fedora glibcs are
built with -DNDEBUG, so all that will happen is that uninitialized bytes
will be added as cache entry keys.
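
To make the distinction in comment 1 concrete (snprintf truncates, it does not write past the buffer), here is an added C example that is not glibc's code: it feeds the two sizing formulas from the patch into a snprintf-built key and reports which gids fit. The key layout (decimal gid, NUL, group name, NUL) and the group name "users" are assumptions of this example; 14339447 is the large id quoted in comment 6.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Scratch-buffer size for a group cache key: gid as decimal text, a NUL,
   the group name, a NUL.  The key layout is an assumption for this example.
   3 * sizeof covers the 10 digits of a 32-bit gid (about 3 digits per byte). */
static size_t buf_len_before (size_t key_len)   /* formula the patch removes */
{ return 3 + sizeof (gid_t) + key_len + 1; }
static size_t buf_len_after (size_t key_len)    /* formula the patch adds */
{ return 3 * sizeof (gid_t) + key_len + 1; }

/* Format the key into buf[buf_len].  Returns the size the key really needs;
   when that exceeds buf_len, snprintf stopped early and the key is truncated
   rather than the buffer overflowed.  The name is only copied when it fits. */
static size_t build_key (char *buf, size_t buf_len, gid_t gid, const char *name)
{
  size_t name_len = strlen (name);
  int n = snprintf (buf, buf_len, "%u", (unsigned int) gid);
  size_t need = (size_t) n + 1 + name_len + 1;
  if (need <= buf_len)
    memcpy (buf + n + 1, name, name_len + 1);
  return need;
}

/* 1 if the given sizing formula leaves room for this gid and name, else 0. */
static int key_fits (size_t (*formula) (size_t), gid_t gid, const char *name)
{
  size_t buf_len = formula (strlen (name));
  char *buf = malloc (buf_len);
  if (buf == NULL)
    return 0;
  size_t need = build_key (buf, buf_len, gid, name);
  free (buf);
  return need <= buf_len;
}

int main (void)
{
  /* 14339447 is the id from comment 6; "users" is a constructed group name. */
  gid_t gids[] = { 1000, 999999, 1000000, 14339447, 4294967295u };
  for (size_t i = 0; i < sizeof gids / sizeof gids[0]; i++)
    printf ("gid %10u: before=%s after=%s\n", (unsigned int) gids[i],
            key_fits (buf_len_before, gids[i], "users") ? "fits" : "TRUNCATED",
            key_fits (buf_len_after, gids[i], "users") ? "fits" : "TRUNCATED");
  return 0;
}
```

With the old formula every gid of seven or more digits is truncated, which matches the patch's motivation; with the new one even the largest 32-bit gid fits.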


Comment 3 Jakub Jelinek 2005-07-22 10:52:25 UTC
Should be fixed in glibc-2.3.90-3 and above.

Comment 6 Rudi Chiarito 2005-08-03 17:59:05 UTC
I am seeing this in the latest FC4 testing glibc/nscd (glibc-2.3.5-10.2):

30677: Reloading "14339447" in password cache!
*** Segmentation fault
Register dump:

 EAX: 00000001   EBX: 00e7aca0   ECX: 0000008c   EDX: 00000005
 ESI: b726b3b8   EDI: 6e54a504   EBP: b7067db4   ESP: b7067bac

 EIP: 00e72836   EFLAGS: 00010a13

 CS: 0073   DS: 007b   ES: 007b   FS: 0000   GS: 0033   SS: 007b

 Trap: 0000000e   Error: 00000004   OldMask: 00000000
 ESP/signal: b7067bac   CR2: 6e54a518

Backtrace:
/lib/libSegFault.so[0x483115]
[0x1ad420]
nscd[0xe6d6a0]
/lib/libpthread.so.0[0xdb7b80]
/lib/libc.so.6(__clone+0x5e)[0x6d99ae]

Is it the same bug or a variant thereof? The patch/report mention GIDs, but in
my case it's a large UID. Should I file this as a separate bug for FC4, not Raw
Hide? I am not sure what the procedure is in such a case.

Any chance that the glibc in testing can be fixed before release, if this patch
fixes the problem I am seeing?

Comment 7 Jakub Jelinek 2005-08-05 21:51:06 UTC
Re #6: That has certainly nothing to do with that: a) the above bug is fixed in
2.3.5-10.2 b) the bug used to be only in group handling code, not uid.
Please file a new bug report instead, install glibc-debuginfo and get a real
backtrace, the above is not helpful.