Red Hat Bugzilla – Bug 981942
CVE-2013-7424 glibc: ping6 with idn causes crash
Last modified: 2015-09-13 20:23:58 EDT
Description of problem:
When supplying an internationalized domain name to ping6 it causes a crash in ping6.

Version-Release number of selected component (if applicable):
iputils-20071127-17.el6_4.x86_64

How reproducible:
Every time, on both x86_64 and x86.

Steps to Reproduce:
1. Open a terminal.
2. Enter the command `ping6 தளம்.பாராளுமன்றம்.இலங்கை.`

Actual results:
ping6 crashes

Expected results:
ping6 does not crash.

Additional info:
~~~
# ping6 தளம்.பாராளுமன்றம்.இலங்கை.
*** glibc detected *** ping6: munmap_chunk(): invalid pointer: 0xbfb787a6 ***
======= Backtrace: =========
/lib/libc.so.6(+0x390e31)[0xde7e31]
/lib/libc.so.6(+0x3e6c86)[0xe3dc86]
/lib/libc.so.6(getaddrinfo+0x15b)[0xe403db]
ping6(main+0x5da)[0xbb8aba]
/lib/libc.so.6(__libc_start_main+0xe6)[0xd8dce6]
ping6(+0x1551)[0xbb7551]
======= Memory map: ========
[memory map dump omitted]
Aborted (core dumped)
~~~
Created attachment 770465
full backtrace during the crash

The respective code from ping6.c:

~~~
struct addrinfo hints, *ai;
int gai;
...
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_flags = AI_IDN;                       /* let getaddrinfo() convert the IDN via libidn */
gai = getaddrinfo(target, NULL, &hints, &ai);  // <--- crash here
if (gai) {
	fprintf(stderr, "unknown host\n");
	exit(2);
}
~~~
Switching to glibc.
~~~
(gdb) bt
#0  0x00007ff8cc255895 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ff8cc257075 in abort () at abort.c:92
#2  0x00007ff8cc2937a7 in __libc_message (do_abort=2, fmt=0x7ff8cc37af80 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007ff8cc2990d6 in malloc_printerr (action=3, str=0x7ff8cc37afb0 "munmap_chunk(): invalid pointer", ptr=<value optimized out>) at malloc.c:6311
#4  0x00007ff8cc2f3252 in gaih_inet (name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", service=<value optimized out>, req=<value optimized out>, pai=<value optimized out>, naddrs=0x7fff88db1d48) at ../sysdeps/posix/getaddrinfo.c:1250
#5  0x00007ff8cc2f5da0 in getaddrinfo (name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", service=<value optimized out>, hints=0x7fff88db1dc0, pai=0x7fff88db1e18) at ../sysdeps/posix/getaddrinfo.c:2361
#6  0x00007ff8cc7db2f5 in main ()
~~~

The problem is like this:

* In gaih_inet we pass this IDN to __idna_to_ascii_lz to get back a canonicalized name we can use.
* If the output string of __idna_to_ascii_lz (second argument) has a different pointer value from the IDN then we assume a string has been allocated that we need to free.
* Later we free name (the static string).

The disconnect is that we did not assign `name' to the new value `p' which needs to be freed.

The upstream code is this:

~~~
/* In case the output string is the same as the input string
   no new string has been allocated.  */
if (p != name)
  {
    name = p;
    malloc_name = true;
  }
~~~

The rhel-6.5 code is this:

~~~
/* In case the output string is the same as the input string
   no new string has been allocated.  */
if (p != name)
  malloc_name = true;
~~~

The upstream fix is this:

commit 2e96f1c73b06e81da59ef7fffa426dc201875f31
Author: Andreas Schwab <schwab@redhat.com>
Date:   Thu Aug 4 15:42:10 2011 -0400

    Fix encoding name for IDN in getaddrinfo

~~~
diff --git a/ChangeLog b/ChangeLog
index fbacbd5..0392853 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-07-26 Andreas Schwab <schwab@redhat.com>
+
+	* sysdeps/posix/getaddrinfo.c (gaih_inet): Don't discard result of
+	encoding to ACE if AI_IDN.
+
 2011-08-01 Jakub Jelinek <jakub@redhat.com>
 
 	* sysdeps/ieee754/dbl-64/k_rem_pio2.c (__kernel_rem_pio2): Fix up fq
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 6d574c5..a5aafe9 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -432,7 +432,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
       /* In case the output string is the same as the input string
 	 no new string has been allocated.  */
       if (p != name)
-	malloc_name = true;
+	{
+	  name = p;
+	  malloc_name = true;
+	}
     }
 #endif
 
~~~

According to http://sourceware.org/glibc/wiki/Glibc%20Timeline, that fix happened in the 2.15 development cycle, which would not have been in rhel-6.5, which uses 2.12. This fix needs backporting to correct this issue.

Moving to rhel-6.6.
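Review bot: in the ChangeLog hunk the new entry is dated 2011-07-26 but is inserted above the existing 2011-08-01 entry, while the commit itself is dated Aug 4 2011; ChangeLog is kept newest-first, so date the entry to the commit (2011-08-04) so the file stays in order.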
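Review bot: in the getaddrinfo.c hunk, `name = p;` is the right fix, since the later free driven by `malloc_name` was being handed the caller's string instead of the buffer libidn allocated (the munmap_chunk(): invalid pointer abort above); however the comment above the `if` still describes only the no-allocation case. Extend it to say that on the allocating path `name` is replaced by the libidn buffer that `malloc_name` will release, so the next reader sees why a `const char *` parameter is being reassigned here.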
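To make the pointer mismatch concrete, here is an added C model (not glibc's or iputils' code): `to_ascii` is a constructed stand-in for `__idna_to_ascii_lz`, and `frees_correct_pointer` runs either the rhel-6.5 logic or the upstream fix and reports whether the pointer that would reach free() is the buffer that was actually allocated.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libidn's __idna_to_ascii_lz(): an all-ASCII name is
   returned as the same pointer (no allocation); any non-ASCII byte yields a
   malloc'd buffer.  The ACE text is a placeholder, not real Punycode. */
static int to_ascii(const char *in, char **out)
{
    for (const unsigned char *c = (const unsigned char *)in; *c; c++)
        if (*c > 0x7f) {
            static const char ace[] = "xn--placeholder.example";
            if ((*out = malloc(sizeof ace)) == NULL)
                return -1;
            memcpy(*out, ace, sizeof ace);
            return 0;
        }
    *out = (char *)in;
    return 0;
}

/* Models the tail of gaih_inet(): fixed=false is the rhel-6.5 logic (flag set,
   pointer left alone), fixed=true is the upstream commit (name = p).  It reports
   whether the pointer that would reach free(name) is the allocated buffer. */
bool frees_correct_pointer(const char *input, bool fixed)
{
    const char *name = input;
    bool malloc_name = false;
    char *p = NULL;
    if (to_ascii(name, &p) != 0)
        return false;
    if (p != name) {
        if (fixed)
            name = p;                    /* the one-line upstream fix */
        malloc_name = true;
    }
    bool ok = !malloc_name || name == p; /* free(name) is only valid for the heap buffer */
    if (p != input)
        free(p);                         /* release the buffer ourselves, never via name */
    return ok;
}

int main(void)
{
    const char *idn = "\xe0\xae\xa4.example"; /* constructed: one Tamil letter, then ASCII */
    printf("%d %d %d\n", frees_correct_pointer("example.com", false),
           frees_correct_pointer(idn, false), frees_correct_pointer(idn, true));
    return 0;
}
```

On the buggy path `name` still points at the caller's string, so the real glibc would hand a non-heap pointer to free(); the model returns false there instead of aborting.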
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-1391.html