Segfault in __libc_res_nquerydomain

Bug #1062167 reported by Joern Heissler
This bug affects 3 people
Affects: eglibc (Ubuntu) | Status: Triaged | Importance: Medium | Assigned to: Unassigned | Milestone: (none)

Bug Description

Ubuntu 12.04 contains a bug in the eglibc (libc6) package.
It was introduced here:
http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/resolv/res_query.c?r1=13759&r2=14662
glibc commit 28b59fca7ae3cfc2d57e0007aaa3793d4b775e97

And fixed here:
http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/resolv/res_query.c?r1=15869&r2=17385
glibc commit 8fdceb2efda8cf724cfc4444af86b5f135ad3172

Reproduce:
#include <netdb.h>

int main(void)
{
    /* "." + 1 points at the terminating NUL of ".", i.e. an empty
       hostname whose preceding byte is '.' */
    gethostbyname("." + 1);
    return 0;
}

I believe that the patch is correct.
Can you please apply it to 12.04?

$ lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04

$ apt-cache policy libc6
libc6:
  Installed: 2.15-0ubuntu10.2
  Candidate: 2.15-0ubuntu10.2
  Version table:
 *** 2.15-0ubuntu10.2 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.15-0ubuntu10 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

> What you expected to happen
Not a segfault but maybe an error code.

> What happened instead
Segfault.

Tags: patch
Dave Gilbert (ubuntu-treblig) wrote :

Triaged: Trivial test case and pointer to fix
Medium: Reasonable starter; if you can point to it being triggerable in some apps then it might be higher

This triggers in Quantal libc6 2.15-0ubuntu20, and as I understand it, it needs to get fixed in the dev version before being SRUd to 12.04.

Changed in eglibc (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: added: patch
Joern Heissler (joernheissler) wrote :

The real case where I stumbled over it:
* my PHP application calls geoip_record_by_name with NULL as argument (although it expects a string)
* the PHP GeoIP module converts NULL into an allocated empty string
* libGeoIP is called with "" as hostname. Sometimes, the byte directly preceding the empty string is the dot (.). Must be related to how PHP allocates memory.
* libGeoIP calls the gethostbyname_r function or similar which in turn calls the above broken function.
* strncpy overwrites my call stack, making debugging complicated, and then segfaults :-(

I can't think of any common real world example where it might trigger, and my situation is my own fault :-)

It's probably not too easy to trigger it in other situations. One way would be a program which stores the hostname on the stack and e.g. the port number directly before. Or maybe a Big Endian machine using malloc. I think the bytes before the then-empty string are not zeros as on my amd64.
In such a situation, $ program "" 11822 might result in a segfault.
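The following is an added illustration of the defect described in the bug description and in the comment above; it is not code from the report, from eglibc or from glibc. It models the trailing-dot stripping that __libc_res_nquerydomain() performs on a hostname before querying. The shape of the pre-fix logic (n = strlen(name); if (name[--n] == '.') strncpy(nbuf, name, n);), the shape of the fix (an added n > 0 guard) and the size of the scratch buffer are assumptions about the two linked revisions, not quoted from them. The buggy path is only modelled, not executed: with an empty name the decrement wraps the size_t to SIZE_MAX, the check inspects the byte before the string (the '.' in the report's trigger), and strncpy() is then asked to fill SIZE_MAX bytes, which is the stack overwrite the comment describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length the assumed pre-fix logic would hand to strncpy(): with an empty
 * name the decrement wraps to SIZE_MAX (unsigned wrap-around is defined,
 * the later out-of-bounds read and copy are not). */
size_t buggy_copy_len(const char *name)
{
    size_t n = strlen(name);
    --n;                        /* no n > 0 guard in the pre-fix version */
    return n;
}

/* 1 if the pre-fix check name[--n] would look at the byte before name. */
int buggy_reads_before_string(const char *name)
{
    return strlen(name) == 0;
}

/* Fixed logic (assumed shape): strip one trailing '.' into out (capacity
 * outsz) and point *longname at the result; otherwise *longname = name.
 * Returns -1 if the name does not fit, 1 if a dot was stripped, 0 if the
 * name is used unchanged. */
int strip_trailing_dot_fixed(const char *name, char *out, size_t outsz,
                             const char **longname)
{
    size_t n = strlen(name);
    if (n + 1 > outsz)
        return -1;
    if (n > 0 && name[--n] == '.') {   /* the guard that the fix adds */
        memcpy(out, name, n);
        out[n] = '\0';
        *longname = out;
        return 1;
    }
    *longname = name;
    return 0;
}

/* Convenience wrapper with a static scratch buffer (size is an assumption);
 * returns the name the resolver would go on to query, or NULL if too long. */
const char *fixed_query_name(const char *name)
{
    static char nbuf[256];
    const char *longname = NULL;
    if (strip_trailing_dot_fixed(name, nbuf, sizeof nbuf, &longname) < 0)
        return NULL;
    return longname;
}

int main(void)
{
    /* Constructed trigger from the report: an empty string whose
     * preceding byte is '.' ("." + 1 points at the NUL of "."). */
    const char *empty_after_dot = "." + 1;

    printf("pre-fix strncpy length for \"\": %zu (SIZE_MAX is %zu)\n",
           buggy_copy_len(empty_after_dot), (size_t)SIZE_MAX);
    printf("pre-fix reads the byte before the string: %d\n",
           buggy_reads_before_string(empty_after_dot));
    printf("fixed: \"\" -> \"%s\"\n", fixed_query_name(empty_after_dot));
    printf("fixed: \"example.com.\" -> \"%s\"\n", fixed_query_name("example.com."));
    printf("fixed: \".\" -> \"%s\"\n", fixed_query_name("."));
    return 0;
}
```

The guard is the whole fix: once n is known to be at least 1, name[--n] is always inside the string and the copy length can no longer wrap, so an empty hostname simply falls through to the "use name unchanged" branch and the query fails later with an ordinary resolver error instead of a crash.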
