Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo()

[Siddhesh Poyarekar <siddhesh.poyarekar () gmail com>]

On Tue, Oct 3, 2023 at 3:18 PM Solar Designer <solar () openwall com> wrote:
> I wish someone more knowledgeable about this specific issue would post
> this, but since no one did, let me do it.
>
> Current upstream glibc NEWS contains these entries:

We're in the process of setting up a glibc CNA, so we will hopefully
send out upstream advisories more regularly once we've got that in
place.

> > CVE-2023-4806: When an NSS plugin only implements the
> > _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
> > memory that was freed during buffer resizing, potentially causing a
> > crash or read or write to arbitrary memory.
> >
> > CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
> > an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
> > AI_ALL and AI_V4MAPPED flags set.
>
> Apparently, CVE-2023-4806 has existed for ages, whereas CVE-2023-5156
> only existed for ~10 days last month.

CVE-2023-5156 was a regression from the fix to CVE-2023-4806; we
requested a separate CVE for the benefit of distributions that may
have already released the fix for the first CVE.

> Bug 30843 (CVE-2023-4806) - potential use-after-free in getcanonname:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=30843
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=973fe93a5675c42798b2161c6f29c01b0e243994
>
> Main upstream commit:
>
> > commit 973fe93a5675c42798b2161c6f29c01b0e243994
> > Author: Siddhesh Poyarekar <siddhesh () sourceware org>
> > Date:   Fri Sep 15 13:51:12 2023 -0400
> >
> >     getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> >
> >     When an NSS plugin only implements the _gethostbyname2_r and
> >     _getcanonname_r callbacks, getaddrinfo could use memory that was freed
> >     during tmpbuf resizing, through h_name in a previous query response.
> >
> >     The backing store for res->at->name when doing a query with
> >     gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in
> >     gethosts during the query.  For AF_INET6 lookup with AI_ALL |
> >     AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second
> >     for a v4 lookup.  In this case, if the first call reallocates tmpbuf
> >     enough number of times, resulting in a malloc, th->h_name (that
> >     res->at->name refers to) ends up on a heap allocated storage in tmpbuf.
> >     Now if the second call to gethosts also causes the plugin callback to
> >     return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF
> >     reference in res->at->name.  This then gets dereferenced in the
> >     getcanonname_r plugin call, resulting in the use after free.
> >
> >     Fix this by copying h_name over and freeing it at the end.  This
> >     resolves BZ #30843, which is assigned CVE-2023-4806.
> >
> >     Signed-off-by: Siddhesh Poyarekar <siddhesh () sourceware org>
>
> also backported by upstream to branches all the way back to 2.34, but
> apparently even older are affected.

Yes, I've checked back to 2.28 for rhel-8; in fact that was where I
discovered the bug first and had hoped that my refactor had fixed it
like in case of CVE-2023-4813, but unfortunately it wasn't :/

Thanks,
Sid