[Bug 1062167] Re: Segfault in __libc_res_nquerydomain

Joern Heissler percona at joern.heissler.de
Sun Oct 7 16:34:52 UTC 2012


The real case in which I stumbled over it:
* my PHP application calls geoip_record_by_name with NULL as its argument (although it expects a string)
* the PHP GeoIP module converts NULL into an allocated empty string
* libGeoIP is called with "" as the hostname. Sometimes, the byte directly preceding the empty string is the dot (.). Must be related to how PHP allocates memory.
* libGeoIP calls the gethostbyname_r function or similar, which in turn calls the broken function above.
* strncpy overwrites my call stack, making debugging complicated, and then segfaults :-(

I can't think of any common real world example where it might trigger,
and my situation is my own fault :-)

It's probably not too easy to trigger it in other situations. One way would be a program which stores the hostname on the stack and e.g. the port number directly before it. Or maybe a Big Endian machine using malloc. I think the bytes before the then-empty string are not zeros, as they are on my amd64.
In such a situation, $ program "" 11822 might result in a segfault.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/1062167

Title:
  Segfault in __libc_res_nquerydomain

Status in “eglibc” package in Ubuntu:
  Triaged

Bug description:
  Ubuntu 12.04 contains a bug in the eglibc (libc6) package.
  It was introduced here:
  http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/resolv/res_query.c?r1=13759&r2=14662
  glibc commit 28b59fca7ae3cfc2d57e0007aaa3793d4b775e97

  And fixed here:
  http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/resolv/res_query.c?r1=15869&r2=17385
  glibc commit 8fdceb2efda8cf724cfc4444af86b5f135ad3172

  Reproduce:
  #include <netdb.h>

  int main(void)
  {
      /* "." + 1 points at the NUL terminator of ".": an empty hostname
         whose preceding byte is '.', which is what triggers the bug. */
      gethostbyname("." + 1);
      return 0;
  }

  I believe that the patch is correct.
  Can you please apply it to 12.04?

  $ lsb_release -rd
  Description:	Ubuntu 12.04 LTS
  Release:	12.04

  $ apt-cache policy libc6
  libc6:
    Installed: 2.15-0ubuntu10.2
    Candidate: 2.15-0ubuntu10.2
    Version table:
   *** 2.15-0ubuntu10.2 0
          500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
          100 /var/lib/dpkg/status
       2.15-0ubuntu10 0
          500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

  > What you expected to happen
  Not a segfault but maybe an error code.

  > What happened instead
  Segfault.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1062167/+subscriptions
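The mechanism the report describes (an unsigned length that wraps on an empty name, a read of the byte before the string, and a huge strncpy length) can be shown without smashing a stack. The code below is an added example by the editor, not glibc's res_query.c and not code from the bug report; it is a simplified reconstruction of that pattern. The function names buggy_copy_len, fixed_strip_trailing_dot, fixed_result_is and empty_after_dot are hypothetical, and MAXDNAME is set to 1025, the value glibc's resolver headers use. The buggy variant only computes the length such code would hand to strncpy() and never copies, so it can be run safely; the fixed variant decrements before the bounds check, which is the shape of the guard the fix needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Resolver limit on a DNS name (glibc's MAXDNAME value). */
#define MAXDNAME 1025

/* Simplified reconstruction (not glibc's source) of the unguarded
 * trailing-dot check.  With n of type size_t, "n--" on an empty name
 * wraps to SIZE_MAX, and name[n] then reads the byte that precedes the
 * string.  If that byte is '.', the resolver would go on to strncpy()
 * SIZE_MAX bytes into a fixed-size stack buffer.  This helper returns
 * the length such code would pass to strncpy(); it never copies. */
size_t buggy_copy_len(const char *name)
{
    size_t n = strlen(name);
    if (n >= MAXDNAME)
        return 0;             /* error path; irrelevant to the bug */
    n--;                      /* n == 0 wraps to SIZE_MAX */
    if (name[n] == '.')       /* reads name[-1] once n has wrapped */
        return n;             /* SIZE_MAX: the stack-smashing length */
    return n + 1;             /* no trailing dot: copy the whole name */
}

/* Guarded variant: decrement before the bounds check, so an empty name
 * (n wrapped to SIZE_MAX) fails "n >= MAXDNAME" and is rejected instead
 * of being read one byte before its start.  Copies the name minus one
 * trailing '.' into out.  Returns the length written, or -1 on error. */
int fixed_strip_trailing_dot(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    n--;                              /* wraps for "" */
    if (n >= MAXDNAME || n + 1 >= outsz)
        return -1;
    if (name[n] == '.') {             /* drop one trailing '.' */
        memcpy(out, name, n);
        out[n] = '\0';
    } else {
        memcpy(out, name, n + 1);
        out[n + 1] = '\0';
    }
    return (int)strlen(out);
}

/* Helper: run the fixed variant into a local buffer.  With expected ==
 * NULL, returns 1 if the name was rejected; otherwise returns 1 if the
 * result equals expected and the returned length matches. */
int fixed_result_is(const char *name, const char *expected)
{
    char out[MAXDNAME];
    int len = fixed_strip_trailing_dot(name, out, sizeof out);
    if (expected == NULL)
        return len == -1;
    return len == (int)strlen(expected) && strcmp(out, expected) == 0;
}

/* Constructed input: a '.' immediately followed by the NUL of an empty
 * string, the same layout the report's "." + 1 produces. */
static const char dot_then_empty[] = ".";
const char *empty_after_dot(void) { return dot_then_empty + 1; }

int main(void)
{
    printf("buggy length for \"\" preceded by '.': %zu (SIZE_MAX = %zu)\n",
           buggy_copy_len(empty_after_dot()), (size_t)SIZE_MAX);
    printf("fixed variant rejects it: %s\n",
           fixed_result_is(empty_after_dot(), NULL) ? "yes" : "no");
    printf("fixed(\"example.com.\") -> \"example.com\": %s\n",
           fixed_result_is("example.com.", "example.com") ? "yes" : "no");
    return 0;
}
```

The ordering of the decrement and the MAXDNAME comparison is the whole point: checking `n >= MAXDNAME` before `n--` passes n == 0 through and lets the wrapped index reach the preceding byte, which is why the report's "." + 1 input and a stack layout with a '.' just before the hostname both end in a strncpy of effectively unbounded length.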