2063142 – glibc: NSS framework can report incorrect lookup result if function lookup clobbers errno

Bug 2063142 - glibc: NSS framework can report incorrect lookup result if function lookup clobbers errno

Summary: glibc: NSS framework can report incorrect lookup result if function lookup cl...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	glibc
Sub Component:
Version:	9.0
Hardware:	All
OS:	All
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	9.1
Assignee:	Florian Weimer
QA Contact:	Sergey Kolosov
Docs Contact:	Jacob Taylor Valdez
URL:
Whiteboard:
Depends On:	2063230
Blocks:	2061727
TreeView+	depends on / blocked

Reported:	2022-03-11 11:07 UTC by Florian Weimer
Modified:	2023-07-18 14:29 UTC (History)
CC List:	8 users (show)
Fixed In Version:	glibc-2.34-29.el9
Doc Type:	Bug Fix
Doc Text:	.`glibc` now restores errno after loading an NSS module Previously, the Name Service Switch (NSS) implementation in `glibc` set errno incorrectly during database enumeration using functions such as `getpwent()` if the last NSS module did not provide any data. As a result, applications using these enumeration functions incorrectly observed errors and failed. `glibc` now restores errno after loading an NSS module and, as a result, applications using these functions no longer fail.
Clone Of:	2061727
Environment:
Last Closed:	2022-11-15 11:11:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-115330	None	None	None	2022-03-11 11:11:31 UTC
Red Hat Product Errata	RHBA-2022:8272	None	None	None	2022-11-15 11:12:06 UTC
Sourceware	28953	P2	RESOLVED	NSS lookup result can be incorrect if function lookup clobbers errno	2022-03-11 11:07:41 UTC

Description Florian Weimer 2022-03-11 11:07:41 UTC

+++ This bug was initially created as a clone of Bug #2061727 +++

From the upstream bug report:

This originated in a downstream bug report. The slightly incorrect reproducer looks like this:

#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;
    errno = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        errno = 0;
        printf("%d: %s\n", pw->pw_uid, pw->pw_name);
    }
    printf("getpwent errno = %d (%m)\n", errno);
    endpwent();
    return 0;
}

(The upstream commit includes a proper test.)

And the last NSS module has an ELF constructor that clobbers errno, but its lookup function does not return any data. The errno value from the ELF constructor then leaks into the getpwent result.

Upstream commit (already backported to 2.34):

commit 9bdf92c79d63b42f931101bb6df87129c408b0c4
Author: Florian Weimer <fweimer>
Date:   Fri Mar 11 08:23:56 2022 +0100

    nss: Protect against errno changes in function lookup (bug 28953)
    
    dlopen may clobber errno.  The nss_test_errno module uses an ELF
    constructor to achieve that, but there could be internal errors
    during dlopen that cause this, too.  Therefore, the NSS framework
    has to guard against such errno clobbers.
    
    __nss_module_get_function is currently the only function that calls
    __nss_module_load, so it is sufficient to save and restore errno
    around this call.
    
    Reviewed-by: Carlos O'Donell <carlos>

Comment 6 errata-xmlrpc 2022-11-15 11:11:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (glibc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8272

Note You need to log in before you can comment on or make changes to this bug.