Parsing of /etc/gshadow can return bad pointers causing segfaults in applications

Bug #1890535 reported by Malte Schmidt
This bug affects 3 people
Affects           Status        Importance   Assigned to   Milestone
GLibC             Fix Released  Medium
glibc (Ubuntu)    Fix Released  Undecided    Unassigned
Focal             Confirmed     Undecided    Unassigned

Bug Description

This bug is already solved upstream (https://sourceware.org/bugzilla/show_bug.cgi?id=20338) in 2.32 and has to be backported.

It indirectly causes systemd-sysusers on 20.04/focal to fail (https://github.com/systemd/systemd/issues/6512).

dm0 (fedora-dm0) wrote:

Specifically structured /etc/gshadow entries can cause fgetgsent() to return invalid pointers that cause applications to segfault on dereference.

One line must fit into the character buffer (1024 bytes, unless a previous line was longer) but have enough group members such that

     line length + alignment + sizeof(char *) * (#adm + 1 + #mem + 1) > 1024.

The parser would return early to avoid overflow, leaving the static result struct pointing to pointers from the previous line which are now invalid, causing segfaults when those pointers are dereferenced.

See the following for a test program and a patch:

https://sourceware.org/ml/libc-alpha/2016-06/msg01015.html
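
A defensive way to read such entries, added here as an editor's example (it is not the test program from the bug report and not glibc's own code): use the reentrant fgetsgent_r with a caller-owned buffer that is grown on ERANGE, and refuse any result whose member array was not filled in. It assumes glibc (gshadow.h, fmemopen); the sample line and the function names build_sample_line and parse_first_entry are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <gshadow.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not real system data): one gshadow line
   "devs:!::m0,m1,..." with no administrators and `nmembers` members. */
char *build_sample_line(size_t nmembers) {
    size_t cap = 16 + nmembers * 8;
    char *line = malloc(cap);
    size_t off = snprintf(line, cap, "devs:!::");
    for (size_t i = 0; i < nmembers; i++)
        off += snprintf(line + off, cap - off, "%sm%zu", i ? "," : "", i);
    snprintf(line + off, cap - off, "\n");
    return line;
}

/* Parse the first entry of `text` with fgetsgent_r, doubling the caller-owned
   buffer on ERANGE: the line plus its NULL-terminated adm/mem pointer arrays
   must all fit in it.  The result struct is zeroed before each call and
   sg_mem is checked, so a library that reports success without filling the
   struct is returned as an error rather than dereferenced.  Returns the
   member count, or -1 on error. */
int parse_first_entry(const char *text, size_t initial_buf, size_t *final_buf) {
    FILE *fp = fmemopen((void *)text, strlen(text), "r");
    if (fp == NULL) return -1;
    size_t buflen = initial_buf;
    char *buf = malloc(buflen);
    struct sgrp sg, *res = NULL;
    int rc;
    for (;;) {
        memset(&sg, 0, sizeof sg);
        rewind(fp);                  /* a failed attempt may have consumed input */
        rc = fgetsgent_r(fp, &sg, buf, buflen, &res);
        if (rc != ERANGE) break;
        buflen *= 2;                 /* too small for line + pointer arrays */
        buf = realloc(buf, buflen);
    }
    int count = -1;
    if (rc == 0 && res != NULL && res->sg_mem != NULL) {
        count = 0;
        for (char **m = res->sg_mem; *m != NULL; m++) count++;
    }
    if (final_buf) *final_buf = buflen;
    free(buf);
    fclose(fp);
    return count;
}
```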

dm0 (fedora-dm0) wrote:

Created attachment 9705
gshadow: Sync fgetsgent_r.c with grp/fgetgrent_r.c

dm0 (fedora-dm0) wrote:

Can this be applied to make it into the next release?

Jason Perrin (jvperrin) wrote:

This is affecting us too (specifically this bug, leading to https://github.com/systemd/systemd/issues/6512 in systemd, which then leads to https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1848614 when installing tomcat9 on Ubuntu bionic). Any updates on this, the patch attached, or anything we can do to help get the patch merged?

Thanks for your work on glibc!

Florian Weimer (fweimer) wrote:

Fixed for glibc 2.32 via:

commit 2add4235ef674988948155f9a8f60a8c7b09bcff
Author: Florian Weimer <email address hidden>
Date: Thu Jul 16 17:31:20 2020 +0200

    gshadow: Implement fgetsgent_r using __nss_fgetent_r (bug 20338)

    Tested-by: Carlos O'Donell <email address hidden>
    Reviewed-by: Carlos O'Donell <email address hidden>

Florian Weimer (fweimer) wrote:

I'm flagging this as security- because the affected files contain trusted content.

Changed in glibc:
importance: Unknown → Medium
status: Unknown → Fix Released
Balint Reczey (rbalint)
Changed in glibc (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in glibc (Ubuntu Focal):
status: New → Confirmed
Nicolas KAROLAK (nikaro) wrote:

This bug affects us in Bionic; can the fix be backported for this release?

Michael Hudson-Doyle (mwhudson) wrote:

Do you have a test case for this? I tried the one from the systemd bug report in a focal container and it seemed to work fine.
