Bug 1437147 - Fix for thread cancellation of IdM functions incorrect in rhel-6.9.
Summary: Fix for thread cancellation of IdM functions incorrect in rhel-6.9.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.9
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Carlos O'Donell
QA Contact: Sergey Kolosov
Vladimír Slávik
URL:
Whiteboard:
: 1394704 1437111
Depends On:
Blocks: 1504312 1437618 1507613
Reported: 2017-03-29 15:51 UTC by Carlos O'Donell
Modified: 2020-07-16 09:21 UTC (History)

Fixed In Version: glibc-2.12-1.210.el6
Doc Type: Bug Fix
Doc Text:
Thread cancellation support for APIs depending on `/etc/hosts.conf`

A defect in thread-cancellation support for the `setmntent()` function could cause the function to fail and return an error where it was expected to succeed. Consequently, programs that rely on `setmntent()` could fail to start. The `setmntent()` function has been fixed, and now works as expected. In addition, the `setttyent()` and `setnetgrent()` functions, and all APIs that rely on the `/etc/hosts.conf` file, have been enhanced to provide improved support for thread cancellation.
Clone Of:
: 1437618
Environment:
Last Closed: 2018-06-19 05:14:29 UTC
Target Upstream Version:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1012343 | 0 | unspecified | CLOSED | Thread issue in glibc can cause the application to not get any identity information | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHSA-2018:1879 | 0 | None | None | None | 2018-06-19 05:15:07 UTC

Internal Links: 1012343

Description Carlos O'Donell 2017-03-29 15:51:43 UTC
The fix for bug 1012343:
https://bugzilla.redhat.com/show_bug.cgi?id=1012343

It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.

--- a/misc/mntent_r.c
+++ b/misc/mntent_r.c
@@ -40,10 +40,10 @@
 __setmntent (const char *file, const char *mode)
 {
   /* Extend the mode parameter with "c" to disable cancellation in the
-     I/O functions.  */
+     I/O functions and "e" to set FD_CLOEXEC.  */
   size_t modelen = strlen (mode);
   char newmode[modelen + 2];
-  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
+  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
   FILE *result = fopen (file, newmode);

   if (result != NULL)
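
Review bot: the memcpy of "ce" still copies only 2 bytes into newmode[modelen + 2], so the terminating NUL is never written and fopen is handed an unterminated mode string. Declare the buffer as modelen + 3 and copy 3 bytes; taking the length from sizeof "ce" would keep the literal and the count from drifting apart again.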

The newmode should be size modelen + 3 and the memcpy should copy 3 bytes.

An audit revealed that also needed are cancellation fixes for:

getttyent.c
files-netgrp.c
res_hconf.c

So we must fix those up also.

The fix for bug 952422 fixed the cancellation issue with getsysstats.c already.
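
An added example, not part of the original report and not glibc code: it reproduces the mode-string construction from the hunk above next to the sizing the report asks for. The function names are hypothetical, and the buffer is pre-filled with a constructed poison byte so the missing terminator can be observed without reading out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stale stack contents behind the copied bytes. */
#define POISON 'X'

/* As patched: "ce" is appended but only 2 bytes are copied, so no NUL is
   written.  Returns -1 unless buf can hold mode + "ce" + NUL. */
static int extend_mode_buggy(char *buf, size_t buflen, const char *mode)
{
    size_t modelen = strlen(mode);
    if (buflen < modelen + 3)
        return -1;
    memset(buf, POISON, buflen);          /* simulate uninitialized memory */
    memcpy(buf, mode, modelen);
    memcpy(buf + modelen, "ce", 2);       /* 'c' and 'e' only */
    return 0;
}

/* As the report asks: room for 3 extra bytes, and copy all 3 (with NUL). */
static int extend_mode_fixed(char *buf, size_t buflen, const char *mode)
{
    size_t modelen = strlen(mode);
    if (buflen < modelen + sizeof "ce")
        return -1;
    memset(buf, POISON, buflen);
    memcpy(buf, mode, modelen);
    memcpy(buf + modelen, "ce", sizeof "ce");
    return 0;
}

/* 1 if a NUL terminator occurs within the first n bytes of buf. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

int main(void)
{
    char buf[8];
    extend_mode_buggy(buf, sizeof buf, "r");
    printf("buggy: terminated=%d\n", is_terminated(buf, sizeof buf));
    extend_mode_fixed(buf, sizeof buf, "r");
    printf("fixed: terminated=%d mode=%s\n", is_terminated(buf, sizeof buf), buf);
    return 0;
}
```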

Comment 2 Carlos O'Donell 2017-03-29 15:55:17 UTC
First reported here: https://blogs.oracle.com/wim/entry/oracle_linux_6_update_9

(Via bug 1012343 comment 21.)

Comment 3 Carlos O'Donell 2017-03-29 15:56:05 UTC
*** Bug 1437111 has been marked as a duplicate of this bug. ***

Comment 5 Carlos O'Donell 2017-03-29 17:44:52 UTC
Fixes complete and undergoing internal review.

Comment 8 Carlos O'Donell 2017-03-30 01:34:09 UTC
(In reply to Carlos O'Donell from comment #0)
> Contains a defect that results in a 1-byte buffer overflow.

This statement is incorrect. It results in an unterminated string being passed as a mode to fopen which results in the potential use of uninitialized data.

Comment 16 Florian Weimer 2017-04-03 08:42:43 UTC
*** Bug 1394704 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2018-06-19 05:14:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1879

