Bug 248932 - integer underflow in grp_unmarshal_func triggered by nscd
Summary: integer underflow in grp_unmarshal_func triggered by nscd
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 11.4-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: Alan Somers
URL: https://reviews.freebsd.org/D26204
Keywords:
: 130749 225260 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-08-26 17:01 UTC by Alan Somers
Modified: 2021-06-19 00:17 UTC (History)
4 users (show)

See Also:

Attachments
Fix integer underflow in getgrent.c (749 bytes, patch)
2020-08-26 17:01 UTC, Alan Somers 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alan Somers freebsd_committer freebsd_triage 2020-08-26 17:01:50 UTC 
Created attachment 217545 [details]
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some reason return a 1-byte buffer.  This triggers an underflow from an unsigned integer comparison, causing grp_unmarshal_func to return ERANGE.  That, in turn, may lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in this case is for grp_unmarshall_func to return NS_UNAVAIL.  That's what the attached patch does.

Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873 pkg would ignore ERANGE errors)
* enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have "group: files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large
Comment 1 Alan Somers freebsd_committer freebsd_triage 2020-09-19 18:15:18 UTC 
Code review in progress
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-09-19 19:09:22 UTC 
A commit references this bug:

Author: asomers
Date: Sat Sep 19 19:08:28 UTC 2020
New revision: 365910
URL: https://svnweb.freebsd.org/changeset/base/365910

Log:
  fix integer underflow in getgrnam_r and getpwnam_r

  Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
  triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
  return ERANGE instead of 0.

  Fix the user's buffer size check, and add a correct check for a too-small
  nscd buffer.

  PR:		248932
  Event:		September 2020 Bugathon
  Reviewed by:	markj
  MFC after:	2 weeks
  Sponsored by:	Axcient
  Differential Revision: https://reviews.freebsd.org/D26204

Changes:
  head/lib/libc/gen/getgrent.c
  head/lib/libc/gen/getpwent.c
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2020-11-26 19:50:13 UTC 
Is there any reason not to MFC the change?  If so, can we close this PR?
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-11-26 23:34:20 UTC 
A commit references this bug:

Author: asomers
Date: Thu Nov 26 23:34:03 UTC 2020
New revision: 368085
URL: https://svnweb.freebsd.org/changeset/base/368085

Log:
  MFC r365910:

  fix integer underflow in getgrnam_r and getpwnam_r

  Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
  triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
  return ERANGE instead of 0.

  Fix the user's buffer size check, and add a correct check for a too-small
  nscd buffer.

  PR:		248932
  Event:		September 2020 Bugathon
  Reviewed by:	markj
  Sponsored by:	Axcient
  Differential Revision: https://reviews.freebsd.org/D26204

Changes:
_U  stable/12/
  stable/12/lib/libc/gen/getgrent.c
  stable/12/lib/libc/gen/getpwent.c
Comment 5 Alan Somers freebsd_committer freebsd_triage 2021-06-02 21:26:02 UTC 
*** Bug 225260 has been marked as a duplicate of this bug. ***
Comment 6 Alan Somers freebsd_committer freebsd_triage 2021-06-19 00:17:42 UTC 
*** Bug 130749 has been marked as a duplicate of this bug. ***