From 2aad087ddc0d14214f3d8fd1731a9b2e15f75091 Mon Sep 17 00:00:00 2001 From: Arjun Shankar <arjun.is@lostca.se> Date: Tue, 21 Apr 2015 14:06:31 +0200 Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287] Conflicts: NEWS --- ChangeLog | 6 ++++++ NEWS | 9 ++++++++- resolv/nss_dns/dns-host.c | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) diff -Nurp glibc-2.20.orig/ChangeLog glibc-2.20/ChangeLog --- glibc-2.20.orig/ChangeLog 2015-05-01 23:03:43.445700552 +0300 +++ glibc-2.20/ChangeLog 2015-05-01 23:09:41.736465950 +0300 @@ -1,3 +1,9 @@ +2015-04-21 Arjun Shankar <arjun.is@lostca.se> + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + 2015-02-26 Andreas Schwab <schwab@suse.de> [BZ #18032] diff -Nurp glibc-2.20.orig/NEWS glibc-2.20/NEWS --- glibc-2.20.orig/NEWS 2015-05-01 23:03:43.445700552 +0300 +++ glibc-2.20/NEWS 2015-05-01 23:14:58.331996997 +0300 @@ -10,7 +10,14 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032. + 17625, 17630, 17801, 18032, 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) * CVE-2015-1472 Under certain conditions wscanf can allocate too little memory for the to-be-scanned arguments and overflow the allocated diff -Nurp glibc-2.20.orig/resolv/nss_dns/dns-host.c glibc-2.20/resolv/nss_dns/dns-host.c --- glibc-2.20.orig/resolv/nss_dns/dns-host.c 2014-09-07 11:09:09.000000000 +0300 +++ glibc-2.20/resolv/nss_dns/dns-host.c 2015-05-01 23:09:02.916279320 +0300 @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) + buflen = buflen > pad ? buflen - pad : 0; + if (__glibc_unlikely (buflen < sizeof (struct host_data))) { /* The buffer is too small. */ too_small: