Bug 844309 - (CVE-2013-4357) VUL-0: CVE-2013-4357: glibc: another getaddrinfo stack overflow?
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Andreas Schwab
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp3:57442 maint:...
Depends on:
Blocks:
Reported: 2013-10-07 14:36 UTC by Marcus Meissner
Modified: 2019-05-01 16:09 UTC
CC: 6 users
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: krahmer: needinfo? (skliu)

Attachments:
getaliasbyname.c (1.73 KB, text/plain), 2014-05-06 15:10 UTC, Marcus Meissner
getaliasbyname_r.c (1.51 KB, text/plain), 2014-05-06 15:13 UTC, Marcus Meissner
getaddrinfo.c (1.97 KB, text/plain), 2014-05-06 15:15 UTC, Marcus Meissner
getservbyname.c (1.75 KB, text/plain), 2014-05-06 15:16 UTC, Marcus Meissner
getservbyport.c (1.47 KB, text/plain), 2014-05-06 15:17 UTC, Marcus Meissner
getservbyport_r.c (1.56 KB, text/plain), 2014-05-06 15:18 UTC, Marcus Meissner
glob.c (310 bytes, text/plain), 2014-05-06 15:19 UTC, Marcus Meissner
getaddrinfo.c (2.00 KB, text/x-c++src), 2014-05-13 15:19 UTC, Marcus Meissner
getaliasbyname.c (1.76 KB, text/x-c++src), 2014-05-13 15:20 UTC, Marcus Meissner
getaliasbyname_r.c (1.54 KB, text/x-c++src), 2014-05-13 15:20 UTC, Marcus Meissner
glob.c (339 bytes, text/x-c++src), 2014-05-13 15:21 UTC, Marcus Meissner
getservbyname.c (1.78 KB, text/x-c++src), 2014-05-13 15:23 UTC, Marcus Meissner
getservbyname_r.c (1.06 KB, text/x-c++src), 2014-05-13 15:24 UTC, Marcus Meissner
getservbyport.c (1.50 KB, text/x-c++src), 2014-05-13 15:25 UTC, Marcus Meissner
getservbyport_r.c (1.59 KB, text/x-c++src), 2014-05-13 15:26 UTC, Marcus Meissner
getservbyname.c (1.76 KB, text/plain), 2014-05-13 15:41 UTC, Andreas Schwab
getaddrinfo.c (1.93 KB, text/plain), 2014-05-13 15:44 UTC, Andreas Schwab
getaliasbyname.c (1.74 KB, text/plain), 2014-05-13 15:47 UTC, Andreas Schwab
getaliasbyname_r.c (1.51 KB, text/plain), 2014-05-13 15:50 UTC, Andreas Schwab
glob.c (345 bytes, text/plain), 2014-05-13 15:53 UTC, Andreas Schwab
getservbyname_r.c (1009 bytes, text/plain), 2014-05-13 15:56 UTC, Andreas Schwab
getsrvbyport.c (1.48 KB, text/plain), 2014-05-13 15:58 UTC, Andreas Schwab
getservbyport_r.c (1.53 KB, text/plain), 2014-05-13 16:02 UTC, Andreas Schwab
bnc-844309.c (4.82 KB, text/plain), 2014-05-22 15:25 UTC, Marcus Meissner
getservbyname.c (1.76 KB, text/plain), 2014-05-23 13:52 UTC, Marcus Meissner
getaddrinfo.c (1.93 KB, text/plain), 2014-05-23 13:53 UTC, Marcus Meissner
getaliasbyname.c (1.74 KB, text/plain), 2014-05-23 13:53 UTC, Marcus Meissner
bnc-844309 test cases (3.35 KB, application/gzip), 2014-09-11 07:09 UTC, Liu Shukui

Description Marcus Meissner 2013-10-07 14:36:47 UTC
CVE-2013-4357

from rh bugzilla:

It was reported [1],[2] that there are potential security problems with allocating memory in glibc's getaddrinfo() function.  As noted in the posting to the oss-security mailing list:

"I believe the analysis in this bug report is incorrect.  The security 
implications are unclear.  A straight copy of a long name to a stack 
buffer should trigger a crash because it hits the guard page, but even 
that could be a problem for daemons.

On the other hand, it's impossible to know for sure that no GCC version 
ever lays out the stack in such a way that we end up with a problem. 
Multi-threaded programs linking in script interpreters are more exposed 
to these problems, too."


[1] http://sourceware.org/bugzilla/show_bug.cgi?id=12671
[2] http://www.openwall.com/lists/oss-security/2013/08/22/4


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4357
https://bugzilla.redhat.com/show_bug.cgi?id=1009643
Comment 1 Swamp Workflow Management 2013-10-11 07:41:22 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2014-03-04 16:36:59 UTC
The SWAMPID for this issue is 56533.
This issue was rated as low.
Please submit fixed packages until 2014-04-01.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 6 SMASH SMASH 2014-04-22 14:31:10 UTC
Affected packages:

SLE-11-SP2: glibc.i686, glibc
Comment 7 Marcus Meissner 2014-05-06 15:10:57 UTC
Created attachment 588864 [details]
getaliasbyname.c


gcc -o getaliasbyname getaliasbyname.c

./getaliasbyname 11000000
Comment 8 Marcus Meissner 2014-05-06 15:13:38 UTC
Created attachment 588865 [details]
getaliasbyname_r.c

gcc -o getaliasbyname_r getaliasbyname_r.c
./getaliasbyname_r 11000000
Comment 9 Marcus Meissner 2014-05-06 15:15:13 UTC
Created attachment 588866 [details]
getaddrinfo.c

gcc -o getaddrinfo getaddrinfo.c
./getaddrinfo 150000000
Comment 10 Marcus Meissner 2014-05-06 15:16:22 UTC
Created attachment 588867 [details]
getservbyname.c

gcc -g -o getservbyname getservbyname.c && ./getservbyname 150000000
Comment 11 Marcus Meissner 2014-05-06 15:17:35 UTC
Created attachment 588868 [details]
getservbyport.c

gcc -g -o getservbyport getservbyport.c && ./getservbyport 150000000
Comment 12 Marcus Meissner 2014-05-06 15:18:52 UTC
Created attachment 588869 [details]
getservbyport_r.c

gcc -g -o getservbyport_r getservbyport_r.c && ./getservbyport_r 15000000
Comment 13 Marcus Meissner 2014-05-06 15:19:50 UTC
Created attachment 588870 [details]
glob.c

gcc -o glob glob.c -g && ./glob 150000000
Comment 14 Marcus Meissner 2014-05-07 09:35:36 UTC
Hi Marcus,
Thank you so much.
I have executed the attached programs and there are still Segmentation faults after update.

for getaddrinfo.c (from comment 9):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b73c79 in nscd_getserv_r () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b73c79 in nscd_getserv_r () from /lib64/libc.so.6
#1  0x00007ffff7b7433b in __nscd_getservbyname_r () from /lib64/libc.so.6
#2  0x00007ffff7b5a44b in getservbyname_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#3  0x00007ffff7b2823a in gaih_inet_serv () from /lib64/libc.so.6
#4  0x00007ffff7b28c68 in gaih_inet () from /lib64/libc.so.6
#5  0x00007ffff7b2bfc6 in getaddrinfo () from /lib64/libc.so.6
#6  0x000000000040077b in main ()


Bug is not in a resolved state so no need to reopen it.
But we should reject the patch I think.
Comment 15 Marcus Meissner 2014-05-07 11:47:52 UTC
(last comment was copy and paste from a mail from the QAler)
Comment 16 Andreas Schwab 2014-05-07 13:12:00 UTC
#c9 is INVALID.
Comment 17 Marcus Meissner 2014-05-07 13:17:49 UTC
What is invalid? Just the missing \0?
Comment 18 Marcus Meissner 2014-05-08 10:00:03 UTC
getaddrinfo comes into this codepath:


273       size_t keylen = strlen (name) + (protocol ? 1 + strlen (protocol) : 0);
274       char key[keylen + 1];

#1  0x00007fffee709d69 in _nss_nis_getservbyname_r (name=0x7fffeeb1f010 'A' <repeats 200 times>..., protocol=0x7ffff7b92d72 <gaih_inet_typeproto+50> "udp", serv=0x7fffffffd6e0, 
    buffer=0x7fffffffd2b0 "# \n", buflen=1024, errnop=0x7ffff7fd06a8) at nss_nis/nis-service.c:277
277       char *cp = stpcpy (key, name);


=> dynamic stack allocation without bounds checking.
Comment 19 Marcus Meissner 2014-05-08 10:04:17 UTC
getservbyname 150000000 runs into this codepath:

nscd/nscd_getserv_r.c

static int
nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
                request_type type, struct servent *resultbuf,
                char *buf, size_t buflen, struct servent **result)
..
  size_t protolen = proto == NULL ? 0 : strlen (proto);
  size_t keylen = critlen + 1 + protolen + 1;
  char *key = alloca (keylen);

unbound alloca
Comment 20 Marcus Meissner 2014-05-13 15:19:37 UTC
Created attachment 589738 [details]
getaddrinfo.c

added \0 terminator
Comment 21 Marcus Meissner 2014-05-13 15:20:37 UTC
Created attachment 589739 [details]
getaliasbyname.c
Comment 22 Marcus Meissner 2014-05-13 15:20:59 UTC
Created attachment 589740 [details]
getaliasbyname_r.c
Comment 23 Marcus Meissner 2014-05-13 15:21:27 UTC
Created attachment 589741 [details]
glob.c
Comment 24 Marcus Meissner 2014-05-13 15:23:39 UTC
Created attachment 589742 [details]
getservbyname.c
Comment 25 Marcus Meissner 2014-05-13 15:24:13 UTC
Created attachment 589743 [details]
getservbyname_r.c
Comment 26 Marcus Meissner 2014-05-13 15:25:27 UTC
Created attachment 589744 [details]
getservbyport.c
Comment 27 Marcus Meissner 2014-05-13 15:26:44 UTC
Created attachment 589745 [details]
getservbyport_r.c
Comment 28 Andreas Schwab 2014-05-13 15:41:09 UTC
Created attachment 589748 [details]
getservbyname.c

Remove stupidity.
Comment 29 Andreas Schwab 2014-05-13 15:44:16 UTC
Created attachment 589750 [details]
getaddrinfo.c

Remove stupidity.
Comment 30 Andreas Schwab 2014-05-13 15:47:09 UTC
Created attachment 589751 [details]
getaliasbyname.c

Remove stupidity.
Comment 31 Andreas Schwab 2014-05-13 15:50:53 UTC
Created attachment 589753 [details]
getaliasbyname_r.c

Remove stupidity.
Comment 32 Andreas Schwab 2014-05-13 15:53:09 UTC
Created attachment 589754 [details]
glob.c
Comment 33 Andreas Schwab 2014-05-13 15:56:30 UTC
Created attachment 589755 [details]
getservbyname_r.c
Comment 34 Andreas Schwab 2014-05-13 15:58:53 UTC
Created attachment 589756 [details]
getsrvbyport.c
Comment 35 Andreas Schwab 2014-05-13 16:02:47 UTC
Created attachment 589757 [details]
getservbyport_r.c
Comment 36 Viktor Kijasev 2014-05-14 12:05:29 UTC
(In reply to comment #29)
> Created an attachment (id=589750) [details]
> getaddrinfo.c
> 
> Remove stupidity.

I have tried and I am receiving this:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ae9577 in mempcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7ae9577 in mempcpy () from /lib64/libc.so.6
#1  0x00007ffff7b73c4e in nscd_getserv_r () from /lib64/libc.so.6
#2  0x00007ffff7b7430b in __nscd_getservbyname_r () from /lib64/libc.so.6
#3  0x00007ffff7b5a41b in getservbyname_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#4  0x00007ffff7b2821a in gaih_inet_serv () from /lib64/libc.so.6
#5  0x00007ffff7b28c48 in gaih_inet () from /lib64/libc.so.6
#6  0x00007ffff7b2bfa6 in getaddrinfo () from /lib64/libc.so.6
#7  0x000000000040073e in main ()
(gdb) q

~/tmpglibc # rpm -qa|grep nscd
nscd-2.11.3-17.60.1
libnscd-32bit-2.0.2-73.18
libnscd-2.0.2-73.18
:~/tmpglibc # rpm -qa|grep glibc
glibc-profile-2.11.3-17.60.1
glibc-i18ndata-2.11.3-17.60.1
glibc-info-2.11.3-17.60.1
glibc-2.11.3-17.60.1
glibc-profile-32bit-2.11.3-17.60.1
glibc-devel-32bit-2.11.3-17.60.1
glibc-devel-2.11.3-17.60.1
glibc-html-2.11.3-17.60.1
glibc-32bit-2.11.3-17.60.1
glibc-locale-2.11.3-17.60.1
glibc-locale-32bit-2.11.3-17.60.1
Comment 37 Marcus Meissner 2014-05-14 12:58:56 UTC
nscd/nscd_getserv_r.c

static int
nscd_getserv_r 

still has an unbound alloca():

  size_t protolen = proto == NULL ? 0 : strlen (proto);
  size_t keylen = critlen + 1 + protolen + 1;
  char *key = alloca (keylen);
  memcpy (__mempcpy (__mempcpy (key, crit, critlen),
                     "/", 1), proto ?: "", protolen + 1);
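The fragments quoted in comments 18, 19 and 37 share one defect: the size of a stack allocation (a VLA in _nss_nis_getservbyname_r, an alloca() in nscd_getserv_r) is derived directly from a caller-supplied name, so a long enough name moves the stack pointer past the guard page before the copy happens. The following is an added example, not code from this bug or from glibc: it rebuilds the same "crit/proto" key layout as the nscd_getserv_r fragment above, but only places the key on the stack when it is below a fixed bound and falls back to the heap otherwise. STACK_KEY_MAX, struct serv_key, fnv1a, build_serv_key and build_long_name_key are names chosen for this example and are not glibc identifiers.

```c
/* Added example: bounded stack allocation for a caller-sized lookup key.
 * Not glibc code; names below are assumptions made for this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest key we are willing to place on the stack; anything bigger goes
 * to the heap so a long caller-supplied name cannot carry the stack pointer
 * past the guard page. (Assumed constant for this example.) */
#define STACK_KEY_MAX 1024

struct serv_key {
    size_t   keylen;   /* bytes in the key, terminating NUL included */
    bool     on_heap;  /* which allocation path was taken */
    uint64_t digest;   /* FNV-1a of the key, standing in for "use the key" */
};

/* FNV-1a 64-bit hash, used only so the key is consumed before it is freed. */
static uint64_t fnv1a(const char *s, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Build "crit/proto\0" with the same layout as the quoted nscd_getserv_r
 * code, but choose the buffer by size instead of alloca(keylen).
 * Returns false on length overflow or allocation failure. */
static bool build_serv_key(const char *crit, size_t critlen, const char *proto,
                           struct serv_key *out)
{
    size_t protolen = proto == NULL ? 0 : strlen(proto);

    /* critlen + 1 + protolen + 1 must not wrap around. */
    if (critlen > SIZE_MAX - 2 - protolen)
        return false;
    size_t keylen = critlen + 1 + protolen + 1;

    char stackbuf[STACK_KEY_MAX];
    char *key;
    if (keylen <= sizeof stackbuf) {
        key = stackbuf;          /* small key: the stack is fine */
        out->on_heap = false;
    } else {
        key = malloc(keylen);    /* large key: never alloca() caller-sized data */
        if (key == NULL)
            return false;
        out->on_heap = true;
    }

    /* Same layout as the glibc fragment: crit, '/', proto, NUL. */
    memcpy(key, crit, critlen);
    key[critlen] = '/';
    memcpy(key + critlen + 1, proto != NULL ? proto : "", protolen + 1);

    out->keylen = keylen;
    out->digest = fnv1a(key, keylen - 1);

    if (out->on_heap)
        free(key);
    return true;
}

/* Constructed oversized name (n bytes of 'A'), standing in for the huge
 * argument the attached reproducers pass. Returns false on allocation failure. */
static bool build_long_name_key(size_t n, const char *proto, struct serv_key *out)
{
    char *big = malloc(n);
    if (big == NULL)
        return false;
    memset(big, 'A', n);
    bool ok = build_serv_key(big, n, proto, out);
    free(big);
    return ok;
}

int main(void)
{
    struct serv_key k;

    /* Ordinary lookup: fits on the stack. */
    if (build_serv_key("http", 4, "tcp", &k))
        printf("http/tcp: keylen=%zu on_heap=%d\n", k.keylen, k.on_heap);

    /* 1 MiB name: goes to the heap instead of the stack. */
    if (build_long_name_key((size_t)1 << 20, "udp", &k))
        printf("long name: keylen=%zu on_heap=%d\n", k.keylen, k.on_heap);
    return 0;
}
```

The threshold is the whole point: a bounded alloca() or VLA is fine, an unbounded one is a stack pointer controlled by the caller. The heap path also returns a clean failure on allocation error, which is the "Memory allocation failure" behaviour the later comments in this bug treat as the correct outcome.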
Comment 38 Viktor Kijasev 2014-05-14 13:41:56 UTC
(In reply to comment #35)
> Created an attachment (id=589757) [details]
> getservbyport_r.c

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b73c49 in nscd_getserv_r () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b73c49 in nscd_getserv_r () from /lib64/libc.so.6
#1  0x00007ffff7b74284 in __nscd_getservbyport_r () from /lib64/libc.so.6
#2  0x00007ffff7b5a822 in getservbyport_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#3  0x0000000000400721 in main (argc=2, argv=0x7fffffffe2e8) at bnc-844309-getservbyport_r2.c:46
(gdb) q
Comment 39 Viktor Kijasev 2014-05-14 13:43:26 UTC
(In reply to comment #34)
> Created an attachment (id=589756) [details]
> getsrvbyport.c

:~/tmpglibc # gdb --args ./getservbyport 150000000
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ae9d22 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7ae9d22 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7b73c60 in nscd_getserv_r () from /lib64/libc.so.6
#2  0x00007ffff7b74284 in __nscd_getservbyport_r () from /lib64/libc.so.6
#3  0x00007ffff7b5a822 in getservbyport_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#4  0x00007ffff7b5a5a2 in getservbyport () from /lib64/libc.so.6
#5  0x00000000004006ed in main (argc=2, argv=0x7fffffffe2e8) at bnc-844309-getservbyport2.c:45
(gdb) q
Comment 40 Viktor Kijasev 2014-05-14 13:44:35 UTC
(In reply to comment #33)
> Created an attachment (id=589755) [details]
> getservbyname_r.c

~/tmpglibc # gdb --args ./getservbyname_r 15000000
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b73c49 in nscd_getserv_r () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7b73c49 in nscd_getserv_r () from /lib64/libc.so.6
#1  0x00007ffff7b7430b in __nscd_getservbyname_r () from /lib64/libc.so.6
#2  0x00007ffff7b5a41b in getservbyname_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#3  0x0000000000400721 in main (argc=2, argv=0x7fffffffe2e8) at bnc-844309-getservbyname_r2.c:36
(gdb) q
Comment 41 Viktor Kijasev 2014-05-14 13:47:33 UTC
(In reply to comment #32)
> Created an attachment (id=589754) [details]
> glob.c

fletcher:~/tmpglibc # gdb --args ./glob 150000000
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ae9d56 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7ae9d56 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7b102b9 in glob_in_dir () from /lib64/libc.so.6
#2  0x00007ffff7b10ef9 in glob64 () from /lib64/libc.so.6
#3  0x000000000040069f in main (argc=2, argv=0x7fffffffe2f8) at bnc-844309-glob2.c:19
(gdb) q

This was OK on sled11sp3-i386 with the previous version
packages on rivers.qam.suse.de (sled11sp3-i386):
glibc                         : 2.11.3-17.56.2  update needed
Comment 42 Viktor Kijasev 2014-05-14 13:50:44 UTC
(In reply to comment #30)
> Created an attachment (id=589751) [details]
> getaliasbyname.c
> 
> Remove stupidity.

OK, was OK with the older version as well.
Comment 43 Viktor Kijasev 2014-05-14 13:52:23 UTC
(In reply to comment #28)
> Created an attachment (id=589748) [details]
> getservbyname.c
> 
> Remove stupidity.

fletcher:~/tmpglibc # gdb --args ./getservbyname 150000000
...

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ae9d13 in memcpy () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff7ae9d13 in memcpy () from /lib64/libc.so.6
#1  0x00007ffff7b73c60 in nscd_getserv_r () from /lib64/libc.so.6
#2  0x00007ffff7b7430b in __nscd_getservbyname_r () from /lib64/libc.so.6
#3  0x00007ffff7b5a41b in getservbyname_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#4  0x00007ffff7b5a18b in getservbyname () from /lib64/libc.so.6
#5  0x00000000004006eb in main (argc=2, argv=0x7fffffffe2e8) at bnc-844309-getservbyname2.c:57
(gdb) q
Comment 44 SMASH SMASH 2014-05-15 12:31:41 UTC
Affected packages:

SLE-11-SP2: glibc, glibc.i686
Comment 45 Viktor Kijasev 2014-05-20 08:31:21 UTC
(In reply to comment #2)
> See also <http://sourceware.org/bugzilla/show_bug.cgi?id=16071> and
> <http://sourceware.org/bugzilla/show_bug.cgi?id=16072>.

Hi, do you have a reproducer for this one as well?
I have prepared something (according to http://sourceware.org/bugzilla/show_bug.cgi?id=16072), and there are still problems with AF_INET and AF_INET6 (AF_UNSPEC is OK).

getaddrinfo: Memory allocation failure
*** glibc detected *** ./bnc-844309: free(): invalid pointer: 0x0000000000652828 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x76808)[0x7f77d4bbc808]
/lib64/libc.so.6(cfree+0x6c)[0x7f77d4bc184c]
/lib64/libc.so.6(freeaddrinfo+0x20)[0x7f77d4c098d0]
./bnc-844309[0x4008b4]
./bnc-844309[0x400b5f]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f77d4b64c16]
./bnc-844309[0x400709]
======= Memory map: ========
00400000-00402000 r-xp 00000000 fd:02 715530                             /root/tmpglibc/bnc-844309
00601000-00602000 r--p 00001000 fd:02 715530                             /root/tmpglibc/bnc-844309
00602000-00603000 rw-p 00002000 fd:02 715530                             /root/tmpglibc/bnc-844309
00603000-013e0000 rw-p 00000000 00:00 0                                  [heap]
7f7650000000-7f7650021000 rw-p 00000000 00:00 0 
7f7650021000-7f7654000000 ---p 00000000 00:00 0 
7f77d4723000-7f77d4738000 r-xp 00000000 fd:02 237654                     /lib64/libgcc_s.so.1
7f77d4738000-7f77d4937000 ---p 00015000 fd:02 237654                     /lib64/libgcc_s.so.1
7f77d4937000-7f77d4938000 r--p 00014000 fd:02 237654                     /lib64/libgcc_s.so.1
7f77d4938000-7f77d4939000 rw-p 00015000 fd:02 237654                     /lib64/libgcc_s.so.1
7f77d4939000-7f77d4945000 r-xp 00000000 fd:02 238020                     /lib64/libnss_files-2.11.3.so
7f77d4945000-7f77d4b44000 ---p 0000c000 fd:02 238020                     /lib64/libnss_files-2.11.3.so
7f77d4b44000-7f77d4b45000 r--p 0000b000 fd:02 238020                     /lib64/libnss_files-2.11.3.so
7f77d4b45000-7f77d4b46000 rw-p 0000c000 fd:02 238020                     /lib64/libnss_files-2.11.3.so
7f77d4b46000-7f77d4cb6000 r-xp 00000000 fd:02 237573                     /lib64/libc-2.11.3.so
7f77d4cb6000-7f77d4eb5000 ---p 00170000 fd:02 237573                     /lib64/libc-2.11.3.so
7f77d4eb5000-7f77d4eb9000 r--p 0016f000 fd:02 237573                     /lib64/libc-2.11.3.so
7f77d4eb9000-7f77d4eba000 rw-p 00173000 fd:02 237573                     /lib64/libc-2.11.3.so
7f77d4eba000-7f77d4ebf000 rw-p 00000000 00:00 0 
7f77d4ebf000-7f77d4ede000 r-xp 00000000 fd:02 238075                     /lib64/ld-2.11.3.so
7f77d509d000-7f77d50a0000 rw-p 00000000 00:00 0 
7f77d50db000-7f77d50dd000 rw-p 00000000 00:00 0 
7f77d50dd000-7f77d50de000 r--p 0001e000 fd:02 238075                     /lib64/ld-2.11.3.so
7f77d50de000-7f77d50df000 rw-p 0001f000 fd:02 238075                     /lib64/ld-2.11.3.so
7f77d50df000-7f77d50e0000 rw-p 00000000 00:00 0 
7fff9e3db000-7fff9e3fc000 rw-p 00000000 00:00 0                          [stack]
7fff9e3ff000-7fff9e400000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Comment 46 Andreas Schwab 2014-05-20 13:57:44 UTC
Worksforme.
Comment 47 Viktor Kijasev 2014-05-20 14:54:56 UTC
(In reply to comment #46)
> Worksforme.

Hi Andreas, so it is good.
And it means you have a reproducer; could you be so kind as to attach it here?
Comment 48 Andreas Schwab 2014-05-20 15:22:22 UTC
Reproducer for what??
Comment 49 Viktor Kijasev 2014-05-20 15:36:51 UTC
(In reply to comment #48)
> Reproducer for what??

https://sourceware.org/bugzilla/show_bug.cgi?id=16072

Adding a large number of IPv6 entries for a host in /etc/hosts and then querying it results in a segmentation fault.

How reproducible:

Always

Steps to Reproduce:
  1. Create 50K '127.0.0.1 host-fubar' entries, and 50K '::1 host-fubar' entries in '/etc/hosts'.
  2. Call getaddrinfo for 'node' = "host-fubar", no 'flags' set, and AF_INET in 'hints->ai_family'.

Which in my case looks like:
    hints.ai_family = AF_INET;

      error = getaddrinfo(hostname, NULL, &hints, &res);
      if (error) 
      {
         fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));	  
      } 
    freeaddrinfo(res); 

How did you test it?
Comment 50 Andreas Schwab 2014-05-20 15:47:39 UTC
Exactly like that, except omitting the obvious bug.
Comment 51 Viktor Kijasev 2014-05-20 17:08:17 UTC
(In reply to comment #50)
> Exactly like that, except omitting the ovious bug.

Which is ...
Comment 52 Sebastian Krahmer 2014-05-21 06:06:54 UTC
Viktor, which of the attached reproducers are you using? If that's
a different one, can you attach it here? I'll check the reproducer for
mistakes.
Comment 53 Andreas Schwab 2014-05-22 09:33:30 UTC
(In reply to comment #51)
> Which is ...

The missing else.
Comment 54 Marcus Meissner 2014-05-22 15:25:59 UTC
Created attachment 591713 [details]
bnc-844309.c

adjusted testcase.

the bad pattern:
      error = getaddrinfo(hostname, NULL, &hints, &res);
      if (error) 
              fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));          
      freeaddrinfo(res); 

was changed to:
      if (error) 
              fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));          
      else
              freeaddrinfo(res); 

as "res" is invalid in the errorcase.
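The "missing else" from comments 49 to 54 is a general getaddrinfo() contract issue, not something specific to this reproducer: on failure the contents of res are unspecified, so freeaddrinfo(res) on the error path frees whatever happened to be in that variable, which is what the "free(): invalid pointer" abort in comment 45 shows. The following is an added example, not code from this bug's attachments: a small wrapper that frees only on the success path, using AI_NUMERICHOST so it runs without DNS or /etc/hosts. resolve_numeric and struct lookup are names chosen for this example.

```c
/* Added example: getaddrinfo()/freeaddrinfo() with freeing confined to the
 * success path. Not from the bug's attachments; names are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Outcome of one lookup: gai error code and the first address as text. */
struct lookup {
    int  error;
    char first[INET6_ADDRSTRLEN];
};

/* Numeric-only lookup so the example is self-contained offline.
 * Returns true when an address was produced. */
static bool resolve_numeric(const char *host, int family, struct lookup *out)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;

    memset(out, 0, sizeof *out);
    out->error = getaddrinfo(host, NULL, &hints, &res);
    if (out->error != 0) {
        /* Error path: res is unspecified here, so it must not be passed to
         * freeaddrinfo(). This early return is the "else" that the bad
         * pattern quoted above lacked. Pre-setting res = NULL would only
         * hide the mistake, not make the pattern correct. */
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(out->error));
        return false;
    }

    /* Success path: res is a valid list; render the first entry, then free. */
    const void *addr;
    if (res->ai_family == AF_INET)
        addr = &((const struct sockaddr_in *)res->ai_addr)->sin_addr;
    else
        addr = &((const struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    inet_ntop(res->ai_family, addr, out->first, sizeof out->first);

    freeaddrinfo(res);
    return true;
}

int main(void)
{
    /* Constructed probes: one numeric v4, one numeric v6, one non-numeric
     * name that AI_NUMERICHOST rejects without touching the resolver. */
    const char *probes[] = { "127.0.0.1", "::1", "localhost" };
    struct lookup l;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (resolve_numeric(probes[i], AF_UNSPEC, &l))
            printf("%s -> %s\n", probes[i], l.first);
        else
            printf("%s -> error %d (no freeaddrinfo on this path)\n",
                   probes[i], l.error);
    }
    return 0;
}
```

Asking for "::1" with ai_family = AF_INET exercises the failure path without any network: the address parses but does not match the requested family, so getaddrinfo() returns an error and the wrapper returns without freeing.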
Comment 55 Marcus Meissner 2014-05-23 13:52:31 UTC
Created attachment 591861 [details]
getservbyname.c

replace by fixed version
Comment 56 Marcus Meissner 2014-05-23 13:53:04 UTC
Created attachment 591862 [details]
getaddrinfo.c

replace by actual working version
Comment 57 Marcus Meissner 2014-05-23 13:53:44 UTC
Created attachment 591863 [details]
getaliasbyname.c

replace by working version
Comment 58 Viktor Kijasev 2014-06-03 06:52:40 UTC
(In reply to comment #54)

Thanks a lot.

Last confirmation is needed:
The issue referred to 
"Create 50K '127.0.0.1 host-fubar' entries, and 50K '::1 host-fubar'
entries in '/etc/hosts'."

With patch there is No SIGSEGV, no other problems.
I am just not able to process 50K ... entries, at most 45K (for both) on a machine with 8GB RAM; usually there is an error: getaddrinfo: Memory allocation failure

The case uses a huge amount of memory.
With valgrind I have not found any leak.

Is this expected?
Comment 59 Marcus Meissner 2014-06-03 07:34:05 UTC
running out of memory is expected, as there is no crash -> GOOD
Comment 60 SMASH SMASH 2014-06-04 07:31:52 UTC
Affected packages:

SLE-11-SP2: glibc, glibc.i686
Comment 61 Swamp Workflow Management 2014-06-05 19:56:51 UTC
Update released for: glibc, glibc-64bit, glibc-debuginfo, glibc-debuginfo-64bit, glibc-debugsource, glibc-devel, glibc-devel-64bit, glibc-html, glibc-i18ndata, glibc-info, glibc-locale, glibc-locale-64bit, glibc-obsolete, glibc-profile, glibc-profile-64bit, nscd
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 62 Swamp Workflow Management 2014-06-05 23:04:44 UTC
SUSE-SU-2014:0760-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (low)
Bug References: 836746,844309,847227,854445,863499,872832
CVE References: CVE-2013-4357,CVE-2013-4458
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    glibc-2.11.3-17.62.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    glibc-2.11.3-17.62.1
SUSE Linux Enterprise Server 11 SP3 (src):    glibc-2.11.3-17.62.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    glibc-2.11.3-17.62.1
Comment 65 Andreas Schwab 2014-07-28 10:07:25 UTC
Looks like all updates are released.
Comment 67 SMASH SMASH 2014-09-02 23:36:04 UTC
Affected packages:

SLE-11-SP2: glibc.i686
Comment 74 SMASH SMASH 2014-09-11 07:41:44 UTC
Affected packages:

SLE-11-SP2: glibc.i686, glibc
Comment 75 Andreas Schwab 2014-09-11 08:44:28 UTC
Which testcase is failing?
Comment 78 Swamp Workflow Management 2014-09-15 17:07:06 UTC
SUSE-SU-2014:1129-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 836746,844309,892073,894553,894556
CVE References: CVE-2012-6656,CVE-2013-4357,CVE-2014-5119,CVE-2014-6040
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    glibc-2.11.3-17.45.53.1
Comment 81 Swamp Workflow Management 2015-01-29 00:05:04 UTC
SUSE-SU-2015:0164-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 844309,888860,894553,894556,909053
CVE References: CVE-2012-6656,CVE-2013-4357,CVE-2014-6040
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    glibc-2.11.1-0.62.1
Comment 82 Swamp Workflow Management 2015-01-29 05:05:05 UTC
SUSE-SU-2015:0170-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 844309,882600,894553,894556
CVE References: CVE-2012-6656,CVE-2013-4357,CVE-2014-6040
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    glibc-2.4-31.115.2
Comment 83 Marcus Meissner 2015-01-29 07:06:04 UTC
I think we released all of them now.