First published: Thu Apr 25 2024 (Updated: )
A stack-based buffer overflow in nscd was reported and assigned <a href="https://access.redhat.com/security/cve/CVE-2024-33599">CVE-2024-33599</a>. Reference: <a href="https://sourceware.org/bugzilla/show_bug.cgi?id=31677">https://sourceware.org/bugzilla/show_bug.cgi?id=31677</a>

The affected code is in nscd/netgroupcache.c (addinnetgrX):

```c
struct indataset
{
  struct datahead head;
  innetgroup_response_header resp;
} *dataset
  = (struct indataset *) mempool_alloc (db,
                                        sizeof (*dataset) + req->key_len,
                                        1);
struct indataset dataset_mem;
bool cacheable = true;
if (__glibc_unlikely (dataset == NULL))
  {
    cacheable = false;
    dataset = &dataset_mem;
  }

datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
                   sizeof (innetgroup_response_header),
                   he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
/* Set the notfound status and timeout based on the result from
   getnetgrent. */
dataset->head.notfound = result->head.notfound;
dataset->head.timeout = timeout;

dataset->resp.version = NSCD_VERSION;
dataset->resp.found = result->resp.found;
/* Until we find a matching entry the result is 0. */
dataset->resp.result = 0;

char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);
```

At the mempool_alloc call: mempool_alloc fails and returns NULL. This is possible if posix_fallocate fails and the retry fails.

At `dataset = &dataset_mem;`: this structure has no room for req->key_len material.

At the memcpy: this copies up to req->key_len material to a structure that has no storage space for it. This was detected by static code analysis. It will only happen in the case the database runs out of memory/storage while expanding the netgroup cache. The group entries overwrite other data on the stack after dataset_mem. The workaround is not to cache the netgroup if this is impacting the use of the application.
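To make the failure mode concrete, here is an added, simplified model of the allocation path described above. It is not glibc's code and not the fix shipped for bug 31677; the types, the `pool_alloc` arena, `add_entry`, `try_add` and `FALLBACK_KEY_MAX` are all hypothetical stand-ins. It shows the hardened shape of the fallback: when the pool allocation fails, the reply is built in a fallback object that carries its own bounded key buffer, and the key is copied only after checking that it fits, so an oversized key is refused rather than written past the object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for nscd's datahead and innetgroup_response_header. */
struct response_header { int version; int found; int result; };
struct entry_head { size_t total_len; size_t data_len; bool notfound; };

/* Cache entry: the key bytes live directly after the struct, which is why
   the pool allocation asks for sizeof (*e) + key_len. */
struct entry {
  struct entry_head head;
  struct response_header resp;
};

/* Toy arena standing in for mempool_alloc: returns NULL when the database
   cannot grow, the condition the advisory describes. */
#define POOL_SIZE 256
static unsigned char pool[POOL_SIZE];
static size_t pool_used;

static void *pool_alloc (size_t n)
{
  if (n > POOL_SIZE - pool_used)
    return NULL;
  void *p = pool + pool_used;
  pool_used += n;
  return p;
}

/* Fallback object with explicit, bounded room for the key, unlike a bare
   struct indataset on the stack. */
#define FALLBACK_KEY_MAX 64
struct entry_fallback {
  struct entry e;
  unsigned char key[FALLBACK_KEY_MAX];
};

enum add_status { ADD_CACHED, ADD_UNCACHED, ADD_REJECTED };

/* Model of the entry construction in addinnetgrX.  The key is copied only
   after the destination is known to have key_len bytes of room. */
static enum add_status add_entry (const char *group, size_t key_len,
                                  struct entry_fallback *fallback)
{
  enum add_status st = ADD_CACHED;
  struct entry *e = pool_alloc (sizeof (*e) + key_len);
  unsigned char *key_dst;

  if (e != NULL)
    key_dst = (unsigned char *) (e + 1);
  else
    {
      /* Pool exhausted: answer without caching.  Refuse rather than
         overflow if the key does not fit the fallback buffer. */
      if (key_len > sizeof (fallback->key))
        return ADD_REJECTED;
      e = &fallback->e;
      key_dst = fallback->key;
      st = ADD_UNCACHED;
    }

  e->head.total_len = sizeof (*e) + key_len;
  e->head.data_len = sizeof (struct response_header);
  e->head.notfound = false;
  e->resp.version = 2;
  e->resp.found = 1;
  e->resp.result = 0;
  memcpy (key_dst, group, key_len);
  return st;
}

/* Drives the model on a constructed key; optionally exhausts the pool
   first to exercise the allocation-failure path. */
enum add_status try_add (bool pool_exhausted, size_t key_len)
{
  static const char group[128] = "constructed-netgroup-key"; /* constructed sample */
  struct entry_fallback fb;
  pool_used = 0;
  if (pool_exhausted)
    (void) pool_alloc (POOL_SIZE);
  if (key_len > sizeof (group))
    return ADD_REJECTED;
  return add_entry (group, key_len, &fb);
}

int main (void)
{
  printf ("pool ok,   24-byte key: %d (expect %d)\n", try_add (false, 24), ADD_CACHED);
  printf ("pool full, 24-byte key: %d (expect %d)\n", try_add (true, 24), ADD_UNCACHED);
  printf ("pool full, 100-byte key: %d (expect %d)\n", try_add (true, 100), ADD_REJECTED);
  return 0;
}
```

The point of the model is the ordering: the capacity of the fallback object is checked before `memcpy`, and the "not cacheable" path never assumes the fallback has the same layout as a pool entry. Any real fix in nscd has to make the same guarantee for `dataset_mem`, either by giving the fallback room for the key or by not copying the key into it at all.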
Credit: 3ff69d7a-14f2-4f67-a097-88dee7810d18
Affected Software | Affected Version | How to fix
---|---|---
IBM QRadar Network Packet Capture | <=7.5.0 - 7.5.0 Update Package 7 |
debian/glibc | 2.31-13+deb11u11, 2.31-13+deb11u10, 2.36-9+deb12u8, 2.36-9+deb12u7, 2.40-2 |