Bug 248932

Summary: integer underflow in grp_unmarshal_func triggered by nscd
Product: Base System Reporter: Alan Somers <asomers>
Component: binAssignee: Alan Somers <asomers>
Status: Closed FIXED    
Severity: Affects Only Me CC: andrey.zonov, markj, matthias.pfaller, pi
Priority: ---    
Version: 11.4-RELEASE   
Hardware: Any   
OS: Any   
URL: https://reviews.freebsd.org/D26204
Attachments:
Description Flags
Fix integer underflow in getgrent.c none

Description Alan Somers freebsd_committer freebsd_triage 2020-08-26 17:01:50 UTC 
Created attachment 217545 [details]
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some reason return a 1-byte buffer.  This triggers an underflow from an unsigned integer comparison, causing grp_unmarshal_func to return ERANGE.  That, in turn, may lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in this case is for grp_unmarshall_func to return NS_UNAVAIL.  That's what the attached patch does.

Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873 pkg would ignore ERANGE errors)
* enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have "group: files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large
Comment 1 Alan Somers freebsd_committer freebsd_triage 2020-09-19 18:15:18 UTC 
Code review in progress
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-09-19 19:09:22 UTC 
A commit references this bug:

Author: asomers
Date: Sat Sep 19 19:08:28 UTC 2020
New revision: 365910
URL: https://svnweb.freebsd.org/changeset/base/365910

Log:
  fix integer underflow in getgrnam_r and getpwnam_r

  Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
  triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
  return ERANGE instead of 0.

  Fix the user's buffer size check, and add a correct check for a too-small
  nscd buffer.

  PR:		248932
  Event:		September 2020 Bugathon
  Reviewed by:	markj
  MFC after:	2 weeks
  Sponsored by:	Axcient
  Differential Revision: https://reviews.freebsd.org/D26204

Changes:
  head/lib/libc/gen/getgrent.c
  head/lib/libc/gen/getpwent.c
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2020-11-26 19:50:13 UTC 
Is there any reason not to MFC the change?  If so, can we close this PR?
Comment 4 commit-hook freebsd_committer freebsd_triage 2020-11-26 23:34:20 UTC 
A commit references this bug:

Author: asomers
Date: Thu Nov 26 23:34:03 UTC 2020
New revision: 368085
URL: https://svnweb.freebsd.org/changeset/base/368085

Log:
  MFC r365910:

  fix integer underflow in getgrnam_r and getpwnam_r

  Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
  triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
  return ERANGE instead of 0.

  Fix the user's buffer size check, and add a correct check for a too-small
  nscd buffer.

  PR:		248932
  Event:		September 2020 Bugathon
  Reviewed by:	markj
  Sponsored by:	Axcient
  Differential Revision: https://reviews.freebsd.org/D26204

Changes:
_U  stable/12/
  stable/12/lib/libc/gen/getgrent.c
  stable/12/lib/libc/gen/getpwent.c
Comment 5 Alan Somers freebsd_committer freebsd_triage 2021-06-02 21:26:02 UTC 
*** Bug 225260 has been marked as a duplicate of this bug. ***
Comment 6 Alan Somers freebsd_committer freebsd_triage 2021-06-19 00:17:42 UTC 
*** Bug 130749 has been marked as a duplicate of this bug. ***