Bug 248932 - integer underflow in grp_unmarshal_func triggered by nscd
Summary: integer underflow in grp_unmarshal_func triggered by nscd
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 11.4-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: Alan Somers
URL: https://reviews.freebsd.org/D26204
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-26 17:01 UTC by Alan Somers
Modified: 2020-09-19 19:09 UTC (History)
1 user (show)

See Also:


Attachments
Fix integer underflow in getgrent.c (749 bytes, patch)
2020-08-26 17:01 UTC, Alan Somers
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alan Somers freebsd_committer 2020-08-26 17:01:50 UTC
Created attachment 217545 [details]
Fix integer underflow in getgrent.c

When calling getgrnam_r for nonexistent group "root", nscd will for some reason return a 1-byte buffer.  This triggers an underflow from an unsigned integer comparison, causing grp_unmarshal_func to return ERANGE.  That, in turn, may lead applications to repeat the call with ever-larger buffers.

I haven't tried to debug nscd yet, but I think the correct thing to do in this case is for grp_unmarshall_func to return NS_UNAVAIL.  That's what the attached patch does.

Steps to Reproduce:
* Install pkg from git head (prior to https://github.com/freebsd/pkg/pull/1873 pkg would ignore ERANGE errors)
* enable nscd.  I'm using it with LDAP, and in my nsswitch.conf I have "group: files cache ldap", but I don't think the order matters.
* Try to install a package that sets the group ownership of one or more files to "root" (which does not exist).

It will print errors like:
pkg: getgrnam_r: Result too large
Comment 1 Alan Somers freebsd_committer 2020-09-19 18:15:18 UTC
Code review in progress
Comment 2 commit-hook freebsd_committer 2020-09-19 19:09:22 UTC
A commit references this bug:

Author: asomers
Date: Sat Sep 19 19:08:28 UTC 2020
New revision: 365910
URL: https://svnweb.freebsd.org/changeset/base/365910

Log:
  fix integer underflow in getgrnam_r and getpwnam_r

  Sometimes nscd(8) will return a 1-byte buffer for a nonexistent entry. This
  triggered an integer underflow in grp_unmarshal_func, causing getgrnam_r to
  return ERANGE instead of 0.

  Fix the user's buffer size check, and add a correct check for a too-small
  nscd buffer.

  PR:		248932
  Event:		September 2020 Bugathon
  Reviewed by:	markj
  MFC after:	2 weeks
  Sponsored by:	Axcient
  Differential Revision: https://reviews.freebsd.org/D26204

Changes:
  head/lib/libc/gen/getgrent.c
  head/lib/libc/gen/getpwent.c