Bug 981942 - CVE-2013-7424 glibc: ping6 with idn causes crash
Summary: CVE-2013-7424 glibc: ping6 with idn causes crash
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Siddhesh Poyarekar
QA Contact: Arjun Shankar
Depends On:
Blocks: CVE-2013-7424
TreeView+ depends on / blocked
Reported: 2013-07-07 08:04 UTC by Chris Hills
Modified: 2015-09-14 00:23 UTC (History)
6 users (show)

Fixed In Version: glibc-2.12-1.135.el6
Doc Type: Bug Fix
Doc Text:
Name lookup of internationalized domain names using getaddrinfo could result in the calling program crashing with an abort. This update fixes the getaddrinfo code to resolve the crash.
Clone Of:
Last Closed: 2014-10-14 04:41:48 UTC
Target Upstream Version:

Attachments (Terms of Use)
full backtrace during the crash (4.02 KB, text/plain)
2013-07-08 12:45 UTC, Jan Synacek
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1391 normal SHIPPED_LIVE Moderate: glibc security, bug fix, and enhancement update 2014-10-14 01:11:04 UTC

Description Chris Hills 2013-07-07 08:04:57 UTC
Description of problem:
When supplying an internationalized domain name to ping6 it causes a crash in ping6.

Version-Release number of selected component (if applicable):

How reproducible:
Every time, on both x86_64 and x86.

Steps to Reproduce:
1. Open a terminal.
2. Enter the command `ping6 தளம்.பாராளுமன்றம்.இலங்கை.`

Actual results:
ping6 crashes

Expected results:
ping6 does not crash.

Additional info:
# ping6 தளம்.பாராளுமன்றம்.இலங்கை.
*** glibc detected *** ping6: munmap_chunk(): invalid pointer: 0xbfb787a6 ***
======= Backtrace: =========
======= Memory map: ========
001fa000-00217000 r-xp 00000000 fd:01 16845      /lib/libgcc_s-4.4.7-20120601.so.1
00217000-00218000 rw-p 0001d000 fd:01 16845      /lib/libgcc_s-4.4.7-20120601.so.1
002c8000-002dd000 r-xp 00000000 fd:01 19806      /lib/libresolv-2.12.so
002dd000-002de000 ---p 00015000 fd:01 19806      /lib/libresolv-2.12.so
002de000-002df000 r--p 00015000 fd:01 19806      /lib/libresolv-2.12.so
002df000-002e0000 rw-p 00016000 fd:01 19806      /lib/libresolv-2.12.so
002e0000-002e2000 rw-p 00000000 00:00 0
00676000-00694000 r-xp 00000000 fd:01 30540      /lib/ld-2.12.so
00694000-00695000 r--p 0001d000 fd:01 30540      /lib/ld-2.12.so
00695000-00696000 rw-p 0001e000 fd:01 30540      /lib/ld-2.12.so
006d1000-006d6000 r-xp 00000000 fd:01 8399       /lib/libnss_dns-2.12.so
006d6000-006d7000 r--p 00004000 fd:01 8399       /lib/libnss_dns-2.12.so
006d7000-006d8000 rw-p 00005000 fd:01 8399       /lib/libnss_dns-2.12.so
007a9000-007d6000 r-xp 00000000 fd:01 8387       /lib/libcidn-2.12.so
007d6000-007d7000 r--p 0002c000 fd:01 8387       /lib/libcidn-2.12.so
007d7000-007d8000 rw-p 0002d000 fd:01 8387       /lib/libcidn-2.12.so
00bb6000-00bbe000 r-xp 00000000 fd:01 18000      /bin/ping6
00bbe000-00bbf000 rw-p 00007000 fd:01 18000      /bin/ping6
00bbf000-00be1000 rw-p 00000000 00:00 0
00caa000-00cb6000 r-xp 00000000 fd:01 8401       /lib/libnss_files-2.12.so
00cb6000-00cb7000 r--p 0000b000 fd:01 8401       /lib/libnss_files-2.12.so
00cb7000-00cb8000 rw-p 0000c000 fd:01 8401       /lib/libnss_files-2.12.so
00d77000-00f07000 r-xp 00000000 fd:01 30541      /lib/libc-2.12.so
00f07000-00f08000 ---p 00190000 fd:01 30541      /lib/libc-2.12.so
00f08000-00f0a000 r--p 00190000 fd:01 30541      /lib/libc-2.12.so
00f0a000-00f0b000 rw-p 00192000 fd:01 30541      /lib/libc-2.12.so
00f0b000-00f0e000 rw-p 00000000 00:00 0
00fcf000-00fd0000 r-xp 00000000 00:00 0          [vdso]
02860000-02881000 rw-p 00000000 00:00 0          [heap]
b75b2000-b77b2000 r--p 00000000 fd:01 8359       /usr/lib/locale/locale-archive
b77b2000-b77b3000 rw-p 00000000 00:00 0
b77b8000-b77ba000 rw-p 00000000 00:00 0
bfb64000-bfb79000 rw-p 00000000 00:00 0          [stack]
Aborted (core dumped)

Comment 2 Jan Synacek 2013-07-08 12:45:10 UTC
Created attachment 770465 [details]
full backtrace during the crash

The respective code from ping6.c:

struct addrinfo hints, *ai;
int gai;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET6;
hints.ai_flags = AI_IDN;
gai = getaddrinfo(target, NULL, &hints, &ai); // <--- crash here
if (gai) {
	fprintf(stderr, "unknown host\n");

Comment 3 Jan Synacek 2013-07-08 12:48:40 UTC
Switching to glibc.

Comment 4 Carlos O'Donell 2013-07-08 13:54:18 UTC
(gdb) bt
#0  0x00007ff8cc255895 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ff8cc257075 in abort () at abort.c:92
#2  0x00007ff8cc2937a7 in __libc_message (do_abort=2, fmt=0x7ff8cc37af80 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007ff8cc2990d6 in malloc_printerr (action=3, str=0x7ff8cc37afb0 "munmap_chunk(): invalid pointer", 
    ptr=<value optimized out>) at malloc.c:6311
#4  0x00007ff8cc2f3252 in gaih_inet (
    name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", 
    service=<value optimized out>, req=<value optimized out>, pai=<value optimized out>, naddrs=0x7fff88db1d48)
    at ../sysdeps/posix/getaddrinfo.c:1250
#5  0x00007ff8cc2f5da0 in getaddrinfo (
    name=0x7fff88db2536 "தளம்.பாராளுமன்றம்.இலங்கை.", 
    service=<value optimized out>, hints=0x7fff88db1dc0, pai=0x7fff88db1e18) at ../sysdeps/posix/getaddrinfo.c:2361
#6  0x00007ff8cc7db2f5 in main ()

The problem is like this:

* In gaih_inet we pass this IDN to __idna_to_ascii_lz to get back a canonicalized name we can use.
* If the output string of __idna_to_ascii_lz (second argument) has a different pointer value from the IDN then we assume a string has been allocated that we need to free.
* Later we free name (the static string).

The disconnect is that we did not assign `name' to the new value `p' which needs to be freed.

The upstream code is this:
          /* In case the output string is the same as the input string
             no new string has been allocated.  */
          if (p != name)
              name = p;
              malloc_name = true;

The rhel-6.5 code is this:
 432           /* In case the output string is the same as the input string
 433              no new string has been allocated.  */
 434           if (p != name)
 435             malloc_name = true;

The upstream fix is this:

commit 2e96f1c73b06e81da59ef7fffa426dc201875f31
Author: Andreas Schwab <schwab@redhat.com>
Date:   Thu Aug 4 15:42:10 2011 -0400

    Fix encoding name for IDN in getaddrinfo

diff --git a/ChangeLog b/ChangeLog
index fbacbd5..0392853 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2011-07-26  Andreas Schwab  <schwab@redhat.com>
+       * sysdeps/posix/getaddrinfo.c (gaih_inet): Don't discard result of
+       encoding to ACE if AI_IDN.
 2011-08-01  Jakub Jelinek  <jakub@redhat.com>
        * sysdeps/ieee754/dbl-64/k_rem_pio2.c (__kernel_rem_pio2): Fix up fq
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 6d574c5..a5aafe9 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -432,7 +432,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
          /* In case the output string is the same as the input string
             no new string has been allocated.  */
          if (p != name)
-           malloc_name = true;
+           {
+             name = p;
+             malloc_name = true;
+           }

According to http://sourceware.org/glibc/wiki/Glibc%20Timeline, that fixed happened in the 2.15 development cycle which would not have been in rhel-6.5 which uses 2.12.

This fix needs backporting to correct this issue.

Moving to rhel-6.6.

Comment 7 errata-xmlrpc 2014-10-14 04:41:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.