Parsing of /etc/gshadow can return bad pointers causing segfaults in applications
Bug #1890535 reported by Malte Schmidt
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GLibC | Fix Released | Medium | |
glibc (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Confirmed | Undecided | Unassigned |
Bug Description
This bug is already solved upstream (https:/
It indirectly causes systemd-sysusers on 20.04/focal to fail (https:/
Changed in glibc:
importance: Unknown → Medium
status: Unknown → Fix Released
Changed in glibc (Ubuntu):
status: New → Fix Released
Specifically structured /etc/gshadow entries can cause fgetgsent() to return invalid pointers that cause applications to segfault on dereference.
One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that
line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.
The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced.
See the following for a test program and a patch:
https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
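
An added audit check, not part of the report or of glibc, that applies the inequality above to a single gshadow line so affected entries can be found before an application trips over them. The function names, the rounding used for the alignment term and counting the terminating NUL are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define GSHADOW_BUFLEN 1024 /* initial buffer size given in the report */

/* Members in the comma-separated field [s, end); an empty field has none. */
static size_t count_members(const char *s, const char *end)
{
    size_t n = (s < end);
    while (s < end)
        n += (*s++ == ',');
    return n;
}

/* 1: line fits in buflen but line + padding + both pointer vectors do not
 * (the report's inequality); 0: otherwise; -1: fewer than four fields. */
int gshadow_line_at_risk(const char *line, size_t buflen)
{
    size_t len = strcspn(line, "\n"), used = len + 1; /* assumption: NUL counted */
    const char *end = line + len, *p = line, *field[3];
    for (int i = 0; i < 3; i++) {   /* start of password, adm and mem fields */
        p = memchr(p, ':', (size_t)(end - p));
        if (p == NULL)
            return -1;
        field[i] = ++p;
    }
    /* #adm + 1 + #mem + 1 pointer slots, as in the report */
    size_t ptrs = count_members(field[1], field[2] - 1) + 1 + count_members(field[2], end) + 1;
    if (used > buflen)
        return 0;                   /* line itself does not fit: not this case */
    used = (used + sizeof(char *) - 1) / sizeof(char *) * sizeof(char *);
    return used + sizeof(char *) * ptrs > buflen;
}

/* Constructed sample "g:!::u,u,...", n one-character members; out >= 2*n + 6 bytes. */
void make_sample(char *out, size_t n)
{
    char *w = out + sprintf(out, "g:!::");
    for (size_t i = 0; i < n; i++)
        w += sprintf(w, "%su", i ? "," : "");
}

int main(void)
{
    static char line[4096];
    for (size_t n = 10; n <= 610; n += 200) {   /* 10, 210, 410, 610 members */
        make_sample(line, n);
        printf("%zu members: %d\n", n, gshadow_line_at_risk(line, GSHADOW_BUFLEN));
    }
    return 0;
}
```

To audit a host, call `gshadow_line_at_risk()` on each line of `/etc/gshadow`. Under this model the pointer vectors dominate when member names are short, so a line well under 1024 bytes can still match and line length alone is not a sufficient filter.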