Bug 981942

Field | Value
---|---
Summary | CVE-2013-7424 glibc: ping6 with idn causes crash
Product | Red Hat Enterprise Linux 6
Reporter | Chris Hills <chaz>
Component | glibc
Assignee | Siddhesh Poyarekar <spoyarek>
Status | CLOSED ERRATA
QA Contact | Arjun Shankar <ashankar>
Severity | medium
Priority | unspecified
Version | 6.4
CC | ashankar, fweimer, mfranc, mnewsome, pfrankli, spoyarek
Target Milestone | rc
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | glibc-2.12-1.135.el6
Doc Type | Bug Fix
Doc Text | Name lookup of internationalized domain names using getaddrinfo could result in the calling program crashing with an abort. This update fixes the getaddrinfo code to resolve the crash.
Story Points | ---
Last Closed | 2014-10-14 04:41:48 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Blocks | 1186614
Description

Chris Hills, 2013-07-07 08:04:57 UTC

Created attachment 770465: full backtrace during the crash
The respective code from ping6.c:
~~~
struct addrinfo hints, *ai;
int gai;
...
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_flags = AI_IDN;   /* ask glibc to IDN-encode the target itself */
gai = getaddrinfo(target, NULL, &hints, &ai); // <--- crash here
if (gai) {
    fprintf(stderr, "unknown host\n");
    exit(2);
}
~~~
Switching to glibc.

~~~
(gdb) bt
#0  0x00007ff8cc255895 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ff8cc257075 in abort () at abort.c:92
#2  0x00007ff8cc2937a7 in __libc_message (do_abort=2, fmt=0x7ff8cc37af80 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007ff8cc2990d6 in malloc_printerr (action=3, str=0x7ff8cc37afb0 "munmap_chunk(): invalid pointer", ptr=<value optimized out>) at malloc.c:6311
#4  0x00007ff8cc2f3252 in gaih_inet (name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", service=<value optimized out>, req=<value optimized out>, pai=<value optimized out>, naddrs=0x7fff88db1d48) at ../sysdeps/posix/getaddrinfo.c:1250
#5  0x00007ff8cc2f5da0 in getaddrinfo (name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", service=<value optimized out>, hints=0x7fff88db1dc0, pai=0x7fff88db1e18) at ../sysdeps/posix/getaddrinfo.c:2361
#6  0x00007ff8cc7db2f5 in main ()
~~~

The problem is like this:

* In gaih_inet we pass this IDN to __idna_to_ascii_lz to get back a canonicalized name we can use.
* If the output string of __idna_to_ascii_lz (second argument) has a different pointer value from the IDN then we assume a string has been allocated that we need to free.
* Later we free name (the static string).

The disconnect is that we did not assign `name' to the new value `p' which needs to be freed.

The upstream code is this:

~~~
/* In case the output string is the same as the input string
   no new string has been allocated.  */
if (p != name)
  {
    name = p;
    malloc_name = true;
  }
~~~

The rhel-6.5 code is this:

~~~
432       /* In case the output string is the same as the input string
433          no new string has been allocated.  */
434       if (p != name)
435         malloc_name = true;
~~~

The upstream fix is this:

commit 2e96f1c73b06e81da59ef7fffa426dc201875f31
Author: Andreas Schwab <schwab>
Date:   Thu Aug 4 15:42:10 2011 -0400

    Fix encoding name for IDN in getaddrinfo

~~~
diff --git a/ChangeLog b/ChangeLog
index fbacbd5..0392853 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-07-26  Andreas Schwab  <schwab>
+
+	* sysdeps/posix/getaddrinfo.c (gaih_inet): Don't discard result of
+	encoding to ACE if AI_IDN.
+
 2011-08-01  Jakub Jelinek  <jakub>
 
 	* sysdeps/ieee754/dbl-64/k_rem_pio2.c (__kernel_rem_pio2): Fix up fq
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 6d574c5..a5aafe9 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -432,7 +432,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
 	  /* In case the output string is the same as the input string
 	     no new string has been allocated.  */
 	  if (p != name)
-	    malloc_name = true;
+	    {
+	      name = p;
+	      malloc_name = true;
+	    }
 	}
 #endif
~~~

According to http://sourceware.org/glibc/wiki/Glibc%20Timeline, that fix happened in the 2.15 development cycle, which would not have been in rhel-6.5, which uses 2.12. This fix needs backporting to correct this issue.

Moving to rhel-6.6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1391.html
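Review bot: in the getaddrinfo.c hunk, rebinding `name = p` before setting `malloc_name` means everything after this point in gaih_inet, including the free(name) that this bug's backtrace shows aborting in munmap_chunk, now sees the ACE-encoded buffer rather than the caller's pointer, which is the intended fix; the hunk only shows the `}` and `#endif` that close the block, so when backporting to the 2.12 tree confirm that no later use of `name` inside that conditional block (for example an error path or retry) still expects the caller's original, un-encoded string, since the ChangeLog entry does not call out that behaviour change.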
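As an added illustration of the root cause described in the comments above (this is not code from glibc, ping6 or this bug report): a model of the `p` / `name` / `malloc_name` logic of the rhel-6.5 gaih_inet beside the upstream fix. `idna_to_ascii_stub` is a constructed stand-in for `__idna_to_ascii_lz`, and instead of calling free() the two lookup functions report which pointer the cleanup path would hand to free(), so the wrong-pointer free can be checked without aborting the process.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for __idna_to_ascii_lz: returns the input pointer
   itself for pure-ASCII names, otherwise a malloc'd copy (an "xn--" prefix
   stands in for real Punycode). */
static char *idna_to_ascii_stub(const char *in) {
    for (const unsigned char *c = (const unsigned char *)in; *c; c++)
        if (*c >= 0x80) {
            char *out = malloc(strlen(in) + 5);
            if (!out) return NULL;
            strcpy(out, "xn--");
            return strcat(out, in);
        }
    return (char *)in;
}

/* What the cleanup path would hand to free() vs. what was actually allocated. */
struct outcome {
    const char *freed;      /* pointer the later free(name) receives */
    const char *allocated;  /* buffer the stub allocated, or NULL */
    bool malloc_name;
};

/* Models the rhel-6.5 gaih_inet: the flag is set but `name' is never
   rebound to `p', so free(name) later targets the caller's string. */
struct outcome lookup_rhel65(const char *name) {
    struct outcome o = { NULL, NULL, false };
    char *p = idna_to_ascii_stub(name);
    if (p != name)
        o.malloc_name = true;               /* BUG: name not updated */
    o.allocated = o.malloc_name ? p : NULL;
    o.freed = o.malloc_name ? name : NULL;  /* still the caller's pointer */
    return o;
}

/* Models the upstream fix: rebind `name' to `p' before setting the flag,
   so the same free(name) releases the allocated buffer. */
struct outcome lookup_upstream(const char *name) {
    struct outcome o = { NULL, NULL, false };
    char *p = idna_to_ascii_stub(name);
    if (p != name) {
        name = p;
        o.malloc_name = true;
    }
    o.allocated = o.malloc_name ? p : NULL;
    o.freed = o.malloc_name ? name : NULL;  /* now the same pointer as p */
    return o;
}
```

The constructed input below carries one non-ASCII UTF-8 sequence, which is enough to take the allocating path that the Tamil hostname in the backtrace took.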