Cost Management: COST-4985

CVE-2024-33599 glibc: stack-based buffer overflow in netgroup cache [services-cost-management-default]


      Security Tracking Issue

      Do not make this issue public.

      Impact: Important
      Reported Date: 25-Apr-2024
      Resolve Bug By: 24-Jun-2024

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:


      CVE-2024-33599 glibc: stack-based buffer overflow in netgroup cache
      https://bugzilla.redhat.com/show_bug.cgi?id=2277202

      A stack-based buffer overflow in nscd was reported and assigned CVE-2024-33599.

      Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=31677

      nscd/netgroupcache.c (addinnetgrX):

        struct indataset
        {
          struct datahead head;
          innetgroup_response_header resp;
        } *dataset
          = (struct indataset *) mempool_alloc (db,
                                                sizeof (*dataset) + req->key_len,
                                                1);

      mempool_alloc can fail and return NULL. This happens when posix_fallocate fails and the retry also fails.

        struct indataset dataset_mem;
        bool cacheable = true;
        if (__glibc_unlikely (dataset == NULL))
          {
            cacheable = false;
            dataset = &dataset_mem;   /* no room here for req->key_len bytes of key */
          }

        datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                           sizeof (innetgroup_response_header),
                           he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
        /* Set the notfound status and timeout based on the result from
           getnetgrent. */
        dataset->head.notfound = result->head.notfound;
        dataset->head.timeout = timeout;

        dataset->resp.version = NSCD_VERSION;
        dataset->resp.found = result->resp.found;
        /* Until we find a matching entry the result is 0. */
        dataset->resp.result = 0;

        char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);

      The memcpy writes req->key_len bytes immediately after the dataset. When dataset points at dataset_mem, that is a bare struct indataset on the stack with no storage reserved for the key, so the copy runs past the end of the object.

      This was detected by static code analysis.

      It is only reachable when the nscd database runs out of memory or storage while expanding the netgroup cache, i.e. when mempool_alloc returns NULL and the code falls back to dataset_mem.

      In that case the netgroup key bytes overwrite whatever other data lies on the stack after dataset_mem, up to req->key_len bytes.

      The workaround is to disable caching of the netgroup database in nscd (enable-cache netgroup no in /etc/nscd.conf) on systems where this path could be hit.
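      The following C program is an added model of the allocation path above; it is not the ticket's or glibc's code. The structs are simplified stand-ins for nscd's types, mempool_alloc is simulated with a flag that forces the NULL return, and FALLBACK_KEY_MAX, fallback_buf, build_innetgroup_dataset and the scenario functions are names assumed for this example. It places the hardened fallback (a stack object with an explicit key reserve and a bounds check before the copy) next to a function that states how far the original fallback, dataset = &dataset_mem, would write past that object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for nscd's types, constructed for this example: the field
   layout is simplified and is not glibc's. */
struct datahead { size_t allocsize; size_t recsize; bool notfound; };
struct innetgroup_response_header { int version; int found; int result; };
struct indataset { struct datahead head; struct innetgroup_response_header resp; };

/* Simulated mempool_alloc.  nscd's returns NULL when the database file
   cannot be grown (posix_fallocate fails and the retry fails); the flag
   lets the example force that path. */
static bool pool_exhausted;
static void *mempool_alloc(size_t len) { return pool_exhausted ? NULL : malloc(len); }

/* Stack fallback with an explicit reserve for the key (assumed size).  The
   original dataset_mem was a bare struct indataset with no reserve at all. */
#define FALLBACK_KEY_MAX 64
struct fallback_buf { struct indataset ds; char key[FALLBACK_KEY_MAX]; };

/* Builds the response for a key of key_len bytes.  Returns the dataset
   (pool-backed or the caller's fallback) or NULL when it cannot be built
   without overrunning the fallback; *cacheable reports whether the dataset
   lives in the pool and may be inserted into the cache. */
static struct indataset *
build_innetgroup_dataset(const char *key, size_t key_len, int found,
                         struct fallback_buf *fb, bool *cacheable)
{
  size_t total = sizeof(struct indataset) + key_len;
  struct indataset *dataset = mempool_alloc(total);
  *cacheable = true;
  if (dataset == NULL)
    {
      /* Hardened fallback: use the stack object only if the key fits the
         reserve behind it; otherwise refuse instead of overflowing. */
      if (key_len > sizeof fb->key)
        return NULL;
      *cacheable = false;
      dataset = &fb->ds;
    }
  dataset->head.allocsize = total;
  dataset->head.recsize = sizeof(struct innetgroup_response_header);
  dataset->head.notfound = !found;
  dataset->resp.version = 2;
  dataset->resp.found = found;
  dataset->resp.result = 0;
  /* Same copy as the original: the key goes right after the header. */
  memcpy((char *)(dataset + 1), key, key_len);
  return dataset;
}

/* Bytes the original fallback (dataset = &dataset_mem) writes past the end
   of that stack object for a key of key_len bytes: every one of them. */
size_t original_fallback_overrun(size_t key_len) { return key_len; }

static bool key_matches(const struct indataset *ds, const char *key, size_t key_len)
{
  return ds != NULL && memcmp((const char *)(ds + 1), key, key_len) == 0;
}

/* Constructed netgroup key: group, host, user, domain, NUL-separated. */
static const char sample_key[] = "admins\0host1\0alice\0example.org";

/* Scenario 1: pool allocation succeeds; dataset is cacheable.  Returns 1 on
   the expected outcome. */
int scenario_pool_ok(void)
{
  struct fallback_buf fb; bool cacheable;
  pool_exhausted = false;
  struct indataset *ds = build_innetgroup_dataset(sample_key, sizeof sample_key, 1, &fb, &cacheable);
  int ok = cacheable && ds != &fb.ds && key_matches(ds, sample_key, sizeof sample_key);
  free(ds);
  return ok;
}

/* Scenario 2: pool exhausted, key fits the reserve; fallback used, not cached. */
int scenario_pool_exhausted_small_key(void)
{
  struct fallback_buf fb; bool cacheable;
  pool_exhausted = true;
  struct indataset *ds = build_innetgroup_dataset(sample_key, sizeof sample_key, 1, &fb, &cacheable);
  return !cacheable && ds == &fb.ds && key_matches(ds, sample_key, sizeof sample_key);
}

/* Scenario 3: pool exhausted, 200-byte key larger than the reserve; refused.
   The original code would have written all 200 bytes past dataset_mem. */
int scenario_pool_exhausted_big_key(void)
{
  char key[200]; struct fallback_buf fb; bool cacheable;
  memset(key, 'A', sizeof key);
  pool_exhausted = true;
  struct indataset *ds = build_innetgroup_dataset(key, sizeof key, 0, &fb, &cacheable);
  return ds == NULL && original_fallback_overrun(sizeof key) == 200;
}

int main(void)
{
  printf("pool ok: %d, fallback small key: %d, fallback big key refused: %d\n",
         scenario_pool_ok(), scenario_pool_exhausted_small_key(),
         scenario_pool_exhausted_big_key());
  return 0;
}
```

      The point of the bounds check is that the decision to fall back onto the stack must take req->key_len into account; the original code only checked whether mempool_alloc had failed, and then copied a request-sized key into a fixed-size object regardless.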

            mskarbek Michael Skarbek
            rh-ee-rgatica Robb Gatica
            Kent Aycoth, Kevan Holdaway
            Votes: 0
            Watchers: 9
