Arjun Shankar of Red Hat discovered that the nss_dns code does not adjust the buffer length when the buffer start pointer is aligned. As a result, a buffer overflow can occur in the implementation of functions such as gethostbyname_r, and crafted DNS responses might cause application crashes or result in arbitrary code execution.
This can only happen if these functions are called with a misaligned buffer. I looked at quite a bit of source code, and tested applications with a patched glibc that logs misaligned buffers. I did not observe any such misaligned buffers.
Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=18287
Upstream commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
{
/* The buffer is too small. */
too_small: