glibc/glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch

From 5a508e0b508c8ad53bd0d2fb48fd71b242626341 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 25 Apr 2024 15:01:07 +0200
Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response
 in addgetnetgrentX (bug 31678)

If we failed to add a not-found response to the cache, the dataset
point can be null, resulting in a null pointer dereference.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)
---
 nscd/netgroupcache.c | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index f227dc7fa2..c18fe111f3 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
       /* No such service.  */
       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
 			       &key_copy);
-      goto writeout;
+      goto maybe_cache_add;
     }
 
   memset (&data, '\0', sizeof (data));
@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
     {
       cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
 			       &key_copy);
-      goto writeout;
+      goto maybe_cache_add;
     }
 
   total = buffilled;
@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
   }
 
   if (he == NULL && fd != -1)
-    {
-      /* We write the dataset before inserting it to the database
-	 since while inserting this thread might block and so would
-	 unnecessarily let the receiver wait.  */
-    writeout:
+    /* We write the dataset before inserting it to the database since
+       while inserting this thread might block and so would
+       unnecessarily let the receiver wait.  */
       writeall (fd, &dataset->resp, dataset->head.recsize);
-    }
 
+ maybe_cache_add:
   if (cacheable)
     {
       /* If necessary, we also propagate the data to disk.  */
-- 
2.45.0
- Update to glibc 2.40 * The <stdbit.h> header type-generic macros have been changed when using GCC 14.1 or later to use __builtin_stdc_bit_ceil etc. built-in functions * The GNU C Library now supports a feature test macro _ISOC23_SOURCE to enable features from the ISO C23 standard * The ISO C23 function families introduced in TS 18661-4:2015 are now supported in <math.h> * A new tunable, glibc.rtld.enable_secure, can be used to run a program as if it were a setuid process * On Linux, the epoll header was updated to include epoll ioctl definitions and the related structure added in Linux kernel 6.9 * The fortify functionality has been significantly enhanced for building programs with clang against the GNU C Library * Many functions have been added to the vector library for aarch64 * On x86, memset can now use non-temporal stores to improve the performance of large writes * Architectures which use a 32-bit seconds-since-epoch field in struct lastlog, struct utmp, struct utmpx (such as i386, powerpc64le, rv32, rv64, x86-64) switched from a signed to an unsigned type for that field * __rseq_size now denotes the size of the active rseq area (20 bytes initially), not the size of struct rseq (32 bytes initially). - arm-dl-start-user.patch, duplocale-global-locale.patch, elf-parse-tunables.patch, glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch, glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch, glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch, glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch, iconv-iso-2022-cn-ext.patch, nscd-netgroup-cache-timeout.patch, s390-clone-error-clobber-r7.patch, sigisemptyset.patch, OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=719 2024-07-30 08:33:46 +00:00			`From 5a508e0b508c8ad53bd0d2fb48fd71b242626341 Mon Sep 17 00:00:00 2001`
			`From: Florian Weimer <fweimer@redhat.com>`
			`Date: Thu, 25 Apr 2024 15:01:07 +0200`
			`Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response`
			`in addgetnetgrentX (bug 31678)`

			`If we failed to add a not-found response to the cache, the dataset`
			`point can be null, resulting in a null pointer dereference.`

			`Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>`
			`(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)`
			`---`
			`nscd/netgroupcache.c \| 14 ++++++--------`
			`1 file changed, 6 insertions(+), 8 deletions(-)`

			`diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c`
			`index f227dc7fa2..c18fe111f3 100644`
			`--- a/nscd/netgroupcache.c`
			`+++ b/nscd/netgroupcache.c`
			`@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn db, int fd, request_header req,`
			`/* No such service. */`
			`cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,`
			`&key_copy);`
			`- goto writeout;`
			`+ goto maybe_cache_add;`
			`}`

			`memset (&data, '\0', sizeof (data));`
			`@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn db, int fd, request_header req,`
			`{`
			`cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,`
			`&key_copy);`
			`- goto writeout;`
			`+ goto maybe_cache_add;`
			`}`

			`total = buffilled;`
			`@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn db, int fd, request_header req,`
			`}`

			`if (he == NULL && fd != -1)`
			`- {`
			`- /* We write the dataset before inserting it to the database`
			`- since while inserting this thread might block and so would`
			`- unnecessarily let the receiver wait. */`
			`- writeout:`
			`+ /* We write the dataset before inserting it to the database since`
			`+ while inserting this thread might block and so would`
			`+ unnecessarily let the receiver wait. */`
			`writeall (fd, &dataset->resp, dataset->head.recsize);`
			`- }`

			`+ maybe_cache_add:`
			`if (cacheable)`
			`{`
			`/* If necessary, we also propagate the data to disk. */`
			`--`
			`2.45.0`