Bug 163538 - NSCD buffer overflow for large gids
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Blocks: 164815
Reported: 2005-07-18 14:18 EDT by Ivan Gyurdiev
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-07-22 06:52:25 EDT
External Tracker: Sourceware 1113

Description Ivan Gyurdiev 2005-07-18 14:18:32 EDT

Description of problem:
diff -aru glibc-orig/nscd/grpcache.c glibc-nscd-fix/nscd/grpcache.c
--- glibc-orig/nscd/grpcache.c  2005-02-22 17:53:39.000000000 -0500
+++ glibc-nscd-fix/nscd/grpcache.c      2005-07-18 01:36:20.000000000 -0400
@@ -167,7 +167,7 @@
       char *gr_name;
       char *cp;
       const size_t key_len = strlen (key);
-      const size_t buf_len = 3 + sizeof (grp->gr_gid) + key_len + 1;
+      const size_t buf_len = 3 * sizeof (grp->gr_gid) + key_len + 1;
       char *buf = alloca (buf_len);
       ssize_t n;
       size_t cnt;
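Review bot: the fixed `buf_len` on the `+` line is correct but unexplained. `3 * sizeof (grp->gr_gid)` works because three decimal digits per byte bounds the decimal length of any unsigned integer (256^n < 1000^n), so with a 4-byte gid_t it leaves 12 bytes for at most 10 digits, whereas the removed `3 + sizeof (grp->gr_gid)` reserved 7 bytes and therefore held only six-digit gids. A one-line comment stating that bound next to `buf_len` would keep the next reader from repeating the `3 +` misreading. Since the buffer is filled by snprintf (comment 1) and the -DNDEBUG builds drop the assertion that guards it, the snprintf return value should also be compared against `buf_len` explicitly, so a key that does not fit is rejected instead of being stored with bytes that were never written.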


Version-Release number of selected component (if applicable):
glibc-2.3.90-2

How reproducible:
Didn't try


Additional info:
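The arithmetic behind the one-line change, as an added example and not code from the bug report or from glibc's nscd: it compares the buffer size before and after the patch with the space a gid-keyed cache entry actually needs, and builds the key with an explicit bounds check instead of relying on snprintf to stop. The key layout `<gid>\0<name>\0`, the sample key `users` and the sample gids are this example's assumptions; the real nscd key format is not shown on the page.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* buf_len as nscd/grpcache.c computed it before the patch.  "3 +" looks
   like a digit count but reserves only 3 + sizeof (gid_t) bytes for the
   gid text: with a 4-byte gid_t that is six digits plus NUL, so any gid
   above 999999 does not fit.  */
size_t old_buf_len(const char *key)
{
  return 3 + sizeof (gid_t) + strlen (key) + 1;
}

/* buf_len after the patch.  Three decimal digits per byte is an upper
   bound on the decimal length of any unsigned integer (256^n < 1000^n),
   so 3 * sizeof (gid_t) bytes hold the digits of every gid_t value with
   room left for the separating NUL.  */
size_t new_buf_len(const char *key)
{
  return 3 * sizeof (gid_t) + strlen (key) + 1;
}

/* Key layout assumed by this example: "<gid>\0<name>\0".  It stands in
   for nscd's real key format, which the bug report does not show.
   Returns the bytes the key needs, independent of any buffer size.  */
size_t needed_len(gid_t gid, const char *key)
{
  int digits = snprintf (NULL, 0, "%lu", (unsigned long) gid);  /* measure only */
  assert (digits > 0);
  return (size_t) digits + 1 + strlen (key) + 1;
}

/* Build the key into buf (buf_len bytes).  Returns 1 and sets *out_len on
   success, 0 without writing anything if the key would not fit.  Refusing
   is the safe alternative to what comment 1 describes: snprintf stopping
   at buf_len while later code treats unwritten bytes as part of the key.  */
int build_key(char *buf, size_t buf_len, gid_t gid, const char *key, size_t *out_len)
{
  size_t need = needed_len (gid, key);
  if (need > buf_len)
    return 0;
  int digits = snprintf (buf, buf_len, "%lu", (unsigned long) gid);
  assert (digits > 0 && (size_t) digits < buf_len);
  memcpy (buf + digits + 1, key, strlen (key) + 1);   /* after the NUL snprintf wrote */
  *out_len = need;
  return 1;
}

int main(void)
{
  const char *key = "users";                                   /* constructed sample key */
  const gid_t gids[] = { 1000, 999999, 1000000, 4294967295u }; /* constructed sample gids */
  char buf[64];
  size_t len;

  for (size_t i = 0; i < sizeof gids / sizeof gids[0]; i++)
    {
      size_t need = needed_len (gids[i], key);
      int old_ok = build_key (buf, old_buf_len (key), gids[i], key, &len);
      int new_ok = build_key (buf, new_buf_len (key), gids[i], key, &len);
      printf ("gid %10lu: needs %2zu bytes; old buf_len %2zu (%s), new buf_len %2zu (%s)\n",
              (unsigned long) gids[i], need,
              old_buf_len (key), old_ok ? "fits" : "TRUNCATED",
              new_buf_len (key), new_ok ? "fits" : "TRUNCATED");
    }
  return 0;
}
```

Build with `cc -o gidkey gidkey.c && ./gidkey`. With a 4-byte gid_t the pre-patch formula fits gids up to 999999 and fails at 1000000 (14 bytes needed, 13 available), while the patched formula holds 18 bytes for the longest possible gid key, which needs 17.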
Comment 1 Jakub Jelinek 2005-07-18 15:33:52 EDT
This really isn't an overflow, as snprintf is used.  With nscd built without
-DNDEBUG, there would be an assertion failure, but Red Hat/Fedora glibcs are
built with -DNDEBUG, so all that will happen is that uninitialized bytes
will be added as cache entry keys.
Comment 3 Jakub Jelinek 2005-07-22 06:52:25 EDT
Should be fixed in glibc-2.3.90-3 and above.
Comment 6 Rudi Chiarito 2005-08-03 13:59:05 EDT
I am seeing this in the latest FC4 testing glibc/nscd (glibc-2.3.5-10.2):

30677: Reloading "14339447" in password cache!
*** Segmentation fault
Register dump:

 EAX: 00000001   EBX: 00e7aca0   ECX: 0000008c   EDX: 00000005
 ESI: b726b3b8   EDI: 6e54a504   EBP: b7067db4   ESP: b7067bac

 EIP: 00e72836   EFLAGS: 00010a13

 CS: 0073   DS: 007b   ES: 007b   FS: 0000   GS: 0033   SS: 007b

 Trap: 0000000e   Error: 00000004   OldMask: 00000000
 ESP/signal: b7067bac   CR2: 6e54a518

Backtrace:
/lib/libSegFault.so[0x483115]
[0x1ad420]
nscd[0xe6d6a0]
/lib/libpthread.so.0[0xdb7b80]
/lib/libc.so.6(__clone+0x5e)[0x6d99ae]

Is it the same bug or a variant thereof? The patch/report mention GIDs, but in
my case it's a large UID. Should I file this as a separate bug for FC4, not Raw
Hide? I am not sure what the procedure is in such a case.

Any chance that the glibc in testing can be fixed before release, if this patch
fixes the problem I am seeing?
Comment 7 Jakub Jelinek 2005-08-05 17:51:06 EDT
Re #6: That has certainly nothing to do with that: a) the above bug is fixed in
2.3.5-10.2 b) the bug used to be only in group handling code, not uid.
Please file a new bugreport instead, install glibc-debuginfo and get a real
backtrace, the above is not helpful.
