Bug#967938: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Hi Florian,

On Wed, Aug 5, 2020 at 6:44 PM Florian Weimer wrote:
>
> * Jinpu Wang:
>
> > Dear Maintainer:
> >
> > Sorry, add some missing information below:
> >
> > After updating to Buster, systemd-sysusers is segfaulting every time.
> > After searching around, I found the following bug report in glibc:
> > https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html
> >
> > I backported the fix to 2.28-10, and it fixed the problem.
> >
> > glibc upstream has a different fix for it in 2.32, see
> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >
> > I think it's still easier to backport the fix in msg01015.html to the 2.28
> > version; the patch is attached in the initial report.
>
> The patch from 2016 is incomplete because it does not seek back to the
> original file position, so the next call of fgetsgent_r skips over the
> entry that could not be fully parsed.

Thanks for the quick response. Can you provide a minimal bugfix which can be easily backported to an old version like 2.28, as you also marked bug 20338 as a security hole?

Regards!
Jinpu
Processed: forcibly merging 967938 967940
Processing commands for cont...@bugs.debian.org:

> forcemerge 967938 967940
Bug #967938 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Bug #967940 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Merged 967938 967940
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
967938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967938
967940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967940
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: bug 967938 is forwarded to https://sourceware.org/bugzilla/show_bug.cgi?id=20338
Processing commands for cont...@bugs.debian.org:

> forwarded 967938 https://sourceware.org/bugzilla/show_bug.cgi?id=20338
Bug #967938 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Bug #967940 [libc6] libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=20338'.
Set Bug forwarded-to-address to 'https://sourceware.org/bugzilla/show_bug.cgi?id=20338'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
967938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967938
967940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967940
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#967938: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
* Jinpu Wang:

> Dear Maintainer:
>
> Sorry, add some missing information below:
>
> After updating to Buster, systemd-sysusers is segfaulting every time.
> After searching around, I found the following bug report in glibc:
> https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html
>
> I backported the fix to 2.28-10, and it fixed the problem.
>
> glibc upstream has a different fix for it in 2.32, see
> https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>
> I think it's still easier to backport the fix in msg01015.html to the 2.28
> version; the patch is attached in the initial report.

The patch from 2016 is incomplete because it does not seek back to the
original file position, so the next call of fgetsgent_r skips over the
entry that could not be fully parsed.
Bug#967938: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Dear Maintainer:

Sorry, add some missing information below:

After updating to Buster, systemd-sysusers is segfaulting every time.
After searching around, I found the following bug report in glibc:
https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html

I backported the fix to 2.28-10, and it fixed the problem.

glibc upstream has a different fix for it in 2.32, see
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

I think it's still easier to backport the fix in msg01015.html to the 2.28
version; the patch is attached in the initial report.

--
Jinpu Wang
Linux Kernel Developer
Application Support (IONOS Cloud)

1&1 IONOS SE | Greifswalder Str. 207 | 10405 Berlin | Germany
Phone:
E-mail: jinpu.w...@cloud.ionos.com | Web: www.ionos.de

Headquarters Montabaur, Montabaur District Court, HRB 24498
Management Board: Dr. Christian Böing, Hüseyin Dogan, Dr. Martin Endreß, Hans-Henning Kettler, Arthur Mai, Matthias Steinberg, Achim Weiß
Chairman of the Supervisory Board: Markus Kadelke
Member of United Internet

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient of this e-mail, you are hereby notified that saving, distribution or use of the content of this e-mail in any way is prohibited. If you have received this e-mail in error, please notify the sender and delete the e-mail.
Bug#967940: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Package: libc6
Version: 2.28-10
Severity: normal
Tags: patch upstream

Dear Maintainer:

After updating to Buster, systemd-sysusers is segfaulting every time.
After searching around, I found the following bug report in glibc:
https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html

I backported the fix to 2.28-10, and it fixed the problem.

glibc upstream has a different fix for it in 2.32, see
https://sourceware.org/bugzilla/show_bug.cgi?id=20338

I think it's still easier to backport to the old 2.28 version.

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.56-pserver (SMP w/64 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libc6 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.71
pn  glibc-doc
ii  libc-l10n              2.28-10
ii  locales                2.28-10

-- debconf information:
  glibc/restart-services:
  glibc/kernel-not-supported:
  glibc/disable-screensaver:
  libraries/restart-without-asking: false
  glibc/restart-failed:
  glibc/upgrade: true
  glibc/kernel-too-old:
Bug#967938: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Subject: libc6: systemd-sysusers SEGV due to glibc bug in fgetgsent
Package: libc6
Version: 2.28-10
Severity: normal
Tags: patch upstream

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 10.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.56-pserver (SMP w/64 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libc6 depends on:
ii  libgcc1  1:8.3.0-6

Versions of packages libc6 recommends:
ii  libidn2-0  2.0.5-1+deb10u1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.71
pn  glibc-doc
ii  libc-l10n              2.28-10
ii  locales                2.28-10

-- debconf information:
  glibc/restart-services:
  glibc/kernel-not-supported:
  glibc/disable-screensaver:
  libraries/restart-without-asking: false
  glibc/restart-failed:
  glibc/upgrade: true
  glibc/kernel-too-old:

--
Jinpu Wang
Linux Kernel Developer
Application Support (IONOS Cloud)

From 6a6ac1d51ef9efcc60db0a9fa874fa9539392627 Mon Sep 17 00:00:00 2001
From: Jack Wang
Date: Tue, 4 Aug 2020 15:05:27 +0200
Subject: [PATCH 1/3] gshadow: Handle the parser's full buffer error code

The fgetsgent function isn't handling errors from parse_line. That means it can run out of buffer space when adding pointers to group members and exit early without setting all members of the static result struct. The static result's members will remain pointing at buffer locations from the previous line, which have been overwritten with incompatible data, causing segfaults after it is returned normally.

https://sourceware.org/legacy-ml/libc-alpha/2016-06/msg01015.html

Signed-off-by: Jack Wang
---
 gshadow/fgetsgent_r.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/gshadow/fgetsgent_r.c b/gshadow/fgetsgent_r.c
index 13a5b181cb9b..d41ae98b3595 100644
--- a/gshadow/fgetsgent_r.c
+++ b/gshadow/fgetsgent_r.c
@@ -37,6 +37,7 @@ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, struct sgrp **result) { char *p; + int rc; _IO_flockfile (stream); do
@@ -64,11 +65,18 @@ __fgetsgent_r (FILE *stream, struct sgrp *resbuf, char *buffer, size_t buflen, } while (*p == '\0' || *p == '#' || /* Ignore empty and comment lines. */ /* Parse the line. If it is invalid, loop to get the next line of the file to parse. */ - ! parse_line (buffer, (void *) resbuf, (void *) buffer, buflen, - )); + ! (rc =parse_line (buffer, (void *) resbuf, (void *) buffer, buflen, + ))); _IO_funlockfile (stream); + if (rc < 0) + { + *result = NULL; + __set_errno (ERANGE); + return errno; + } + *result = resbuf; return 0; } -- 2.25.1
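Review bot: `int rc;` in the first hunk (at line 37) is declared without an initializer, and its only assignment sits inside the loop condition of the second hunk; write `int rc = 0;` so the `if (rc < 0)` after the loop can never test an indeterminate value if the loop body is reworked later, and so the compiler does not flag it with -Wmaybe-uninitialized.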
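Review bot: the new `if (rc < 0)` exit in the second hunk returns ERANGE without restoring the stream position, so, as Florian points out in his reply above, a caller that retries with a larger buffer reads the following entry and the one that did not fit is silently skipped. Record the stream offset before the read inside the loop and seek back to it on this path, and do that before `_IO_funlockfile (stream);` while the stream is still locked, so that the retry re-reads the same entry. Minor style point: `! (rc =parse_line (buffer, ...` should read `rc = parse_line` with a space after the `=`.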
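The failure the commit message above describes (parse_line running out of room for the member pointers and the old loop taking its -1 for success, so the result struct keeps pointers into overwritten data) and the caveat Florian raises in his reply (an ERANGE return without seeking back makes the caller's retry skip the entry) are both shown by the following added example. It is not glibc code and not part of this bug report: a self-contained miniature of fgetsgent_r and its line parser run over a constructed three-entry gshadow sample. The names split_list, parse_line_demo, fgetsgent_demo, read_all, the three MODE_* values, the 96-byte starting buffer and the ENOENT end-of-file code are the example's own choices, not glibc's.

```c
/* Added example, not glibc code: a miniature of fgetsgent_r and its parser. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed /etc/gshadow-style sample: name:password:admins:members */
static const char SAMPLE[] = "audio:!::alice,bob\n"
    "video:!::alice,bob,carol,dave,erin,frank,grace,heidi\n" "staff:!::alice\n";
struct sg { char *name; char *passwd; char **adm; char **mem; };
/* IGNORE_RC: unpatched, the parser's -1 is taken as success. ERANGE_NOSEEK: the
   2016 patch. ERANGE_SEEK: additionally seeks back to the entry that did not fit. */
enum mode { MODE_IGNORE_RC, MODE_ERANGE_NOSEEK, MODE_ERANGE_SEEK };
/* Split a comma list in place into a NULL-terminated pointer array carved from
   the buffer space after the line text (as glibc does); -1 if it does not fit. */
static int split_list(char *field, char ***out, char **cursor, char *end)
{
    char **vec = (char **)(((uintptr_t)*cursor + sizeof(char *) - 1) & -(uintptr_t)sizeof(char *));
    size_t n = 0;
    for (char *tok = *field ? field : NULL;; n++) {
        if ((char *)(vec + n + 1) > end) return -1;  /* no room for one more slot */
        if (tok == NULL) break;
        char *comma = strchr(tok, ',');
        if (comma != NULL) *comma++ = '\0';
        vec[n] = tok;
        tok = comma;
    }
    vec[n] = NULL; *out = vec;
    *cursor = (char *)(vec + n + 1);
    return 1;
}

/* 1 = parsed, 0 = malformed (caller skips the line), -1 = buffer too small. */
static int parse_line_demo(char *line, struct sg *res, char *end)
{
    char *f[3], *p = line;
    for (int i = 0; i < 3; i++) {
        f[i] = p;
        if ((p = strchr(p, ':')) == NULL) return 0;
        *p++ = '\0';
    }
    if (strchr(p, ':') != NULL) return 0;            /* too many fields */
    char *cursor = p + strlen(p) + 1;                /* first byte after the text */
    res->name = f[0]; res->passwd = f[1];
    /* Fields are stored in order: on -1 those not reached keep pointers into data
       the new line has overwritten, the dangling state that crashed systemd-sysusers. */
    if (split_list(f[2], &res->adm, &cursor, end) < 0) return -1;
    return split_list(p, &res->mem, &cursor, end);
}

static int fgetsgent_demo(FILE *fp, struct sg *res, char *buf, size_t buflen,
                          struct sg **result, enum mode mode)
{
    int rc = 0; long start;
    do {
        start = ftell(fp);                           /* where this entry begins */
        if (fgets(buf, (int)buflen, fp) == NULL) { *result = NULL; return ENOENT; }
        buf[strcspn(buf, "\n")] = '\0';
    } while (*buf == '\0' || *buf == '#'
             || !(rc = parse_line_demo(buf, res, buf + buflen)));
    if (rc < 0 && mode != MODE_IGNORE_RC) {
        if (mode == MODE_ERANGE_SEEK) fseek(fp, start, SEEK_SET); /* a retry re-reads it */
        *result = NULL; return ERANGE;
    }
    *result = res;                  /* MODE_IGNORE_RC hands back a half-filled struct */
    return 0;
}

/* Caller using the usual *_r idiom (grow the buffer, retry on ERANGE). Returns a
   summary such as "audio(2) video(8) staff(1)"; (STALE) marks an unchanged mem pointer. */
static const char *read_all(enum mode mode)
{
    static char out[128];
    FILE *fp = tmpfile();
    if (fp == NULL || fputs(SAMPLE, fp) == EOF) return NULL;
    rewind(fp);
    size_t buflen = 96;             /* holds every line's text, but not video's pointers */
    char *buf = malloc(buflen);
    struct sg res = {0}, *r;
    char **prev_mem = NULL;
    out[0] = '\0';
    for (;;) {
        int err = fgetsgent_demo(fp, &res, buf, buflen, &r, mode);
        if (err == ERANGE) { buflen *= 2; buf = realloc(buf, buflen); continue; }
        if (err != 0) break;
        size_t used = strlen(out), n = 0;
        if (res.mem == prev_mem)    /* only the demo can tell; a real caller would crash */
            snprintf(out + used, sizeof out - used, "%s%s(STALE)", used ? " " : "", res.name);
        else {
            while (res.mem[n] != NULL) n++;
            snprintf(out + used, sizeof out - used, "%s%s(%zu)", used ? " " : "", res.name, n);
        }
        prev_mem = res.mem;
    }
    free(buf); fclose(fp);
    return out;
}
```

read_all runs the standard retry loop a caller of a *_r function would use and reports what that caller sees in each mode: the unpatched variant returns "audio(2) video(STALE) staff(1)", the video record's mem still being the previous entry's pointer array (dereferencing it is the segfault); the 2016-patch variant returns "audio(2) staff(1)", the video entry having been skipped on retry; the seek-back variant returns "audio(2) video(8) staff(1)". To run it stand-alone, add a main that prints read_all(m) for the three modes.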