978e96
commit 2eecc8afd02d8c65cf098cbae4de87f332dc21bd
978e96
Author: Florian Weimer <fweimer@redhat.com>
978e96
Date:   Mon Nov 9 12:48:41 2015 +0100
978e96
978e96
    Terminate process on invalid netlink response from kernel [BZ #12926]
978e96
    
978e96
    The recvmsg system calls for netlink sockets have been particularly
978e96
    prone to picking up unrelated data after a file descriptor race
978e96
    (where the descriptor is closed and reopened concurrently in a
978e96
    multi-threaded process, as the result of a file descriptor
978e96
    management issue elsewhere).  This commit adds additional error
978e96
    checking and aborts the process if a datagram of unexpected length
978e96
    (without the netlink header) is received, or an error code which
978e96
    cannot happen due to the way the netlink socket is used.
978e96
    
978e96
            [BZ #12926]
978e96
            Terminate process on invalid netlink response.
978e96
            * sysdeps/unix/sysv/linux/netlinkaccess.h
978e96
            (__netlink_assert_response): Declare.
978e96
            * sysdeps/unix/sysv/linux/netlink_assert_response.c: New file.
978e96
            * sysdeps/unix/sysv/linux/Makefile [$(subdir) == inet]
978e96
            (sysdep_routines): Add netlink_assert_response.
978e96
            * sysdeps/unix/sysv/linux/check_native.c (__check_native): Call
978e96
            __netlink_assert_response.
978e96
            * sysdeps/unix/sysv/linux/check_pf.c (make_request): Likewise.
978e96
            * sysdeps/unix/sysv/linux/ifaddrs.c (__netlink_request): Likewise.
978e96
            * sysdeps/unix/sysv/linux/Versions (GLIBC_PRIVATE): Add
978e96
            __netlink_assert_response.
978e96
978e96
Conflicts:
978e96
	sysdeps/unix/sysv/linux/check_pf.c
978e96
	  Upstream commit fda389c8f0311dd5786be91a7b54b9f935fcafa1
978e96
          ("Fix infinite loop in check_pf (BZ #12926)") was not backported
978e96
	  before and is superseded by the upstream commit backported here.
978e96
	sysdeps/unix/sysv/linux/netlinkaccess.h
978e96
          Missing backport of e054f494306530720114b321b3d97ca2f397cbbb
978e96
          ("Add #include <stdint.h> for uint[32|64]_t usage (except
978e96
	  installed headers)").
978e96
978e96
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
978e96
index 95cff0ef651e74a9..bb69b985e6df7fb1 100644
978e96
--- a/sysdeps/unix/sysv/linux/Makefile
978e96
+++ b/sysdeps/unix/sysv/linux/Makefile
978e96
@@ -114,6 +114,7 @@ sysdep_headers += netinet/if_fddi.h netinet/if_tr.h \
978e96
 		  netipx/ipx.h netash/ash.h netax25/ax25.h netatalk/at.h \
978e96
 		  netrom/netrom.h netpacket/packet.h netrose/rose.h \
978e96
 		  neteconet/ec.h netiucv/iucv.h
978e96
+sysdep_routines += netlink_assert_response
978e96
 endif
978e96
 
978e96
 # Don't compile the ctype glue code, since there is no old non-GNU C library.
978e96
diff --git a/sysdeps/unix/sysv/linux/Versions b/sysdeps/unix/sysv/linux/Versions
978e96
index 16bb28159099c5fa..202ffccc2908ddcc 100644
978e96
--- a/sysdeps/unix/sysv/linux/Versions
978e96
+++ b/sysdeps/unix/sysv/linux/Versions
978e96
@@ -169,5 +169,7 @@ libc {
978e96
   GLIBC_PRIVATE {
978e96
     # functions used in other libraries
978e96
     __syscall_rt_sigqueueinfo;
978e96
+    # functions used by nscd
978e96
+    __netlink_assert_response;
978e96
   }
978e96
 }
978e96
diff --git a/sysdeps/unix/sysv/linux/check_native.c b/sysdeps/unix/sysv/linux/check_native.c
978e96
index 4968a07a0f8c7932..319b46762aeaf3b6 100644
978e96
--- a/sysdeps/unix/sysv/linux/check_native.c
978e96
+++ b/sysdeps/unix/sysv/linux/check_native.c
978e96
@@ -35,6 +35,7 @@
978e96
 
978e96
 #include <not-cancel.h>
978e96
 
978e96
+#include "netlinkaccess.h"
978e96
 
978e96
 void
978e96
 __check_native (uint32_t a1_index, int *a1_native,
978e96
@@ -117,6 +118,7 @@ __check_native (uint32_t a1_index, int *a1_native,
978e96
 	};
978e96
 
978e96
       ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
978e96
+      __netlink_assert_response (fd, read_len);
978e96
       if (read_len < 0)
978e96
 	goto out_fail;
978e96
 
978e96
diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c
978e96
index d33e1b497d8ba9c7..6b28a735a14f1498 100644
978e96
--- a/sysdeps/unix/sysv/linux/check_pf.c
978e96
+++ b/sysdeps/unix/sysv/linux/check_pf.c
978e96
@@ -36,6 +36,7 @@
978e96
 #include <atomic.h>
978e96
 #include <nscd/nscd-client.h>
978e96
 
978e96
+#include "netlinkaccess.h"
978e96
 
978e96
 #ifndef IFA_F_HOMEADDRESS
978e96
 # define IFA_F_HOMEADDRESS 0
978e96
@@ -178,6 +179,7 @@ make_request (int fd, pid_t pid)
978e96
 	};
978e96
 
978e96
       ssize_t read_len = TEMP_FAILURE_RETRY (__recvmsg (fd, &msg, 0));
978e96
+      __netlink_assert_response (fd, read_len);
978e96
       if (read_len < 0)
978e96
 	goto out_fail;
978e96
 
978e96
diff --git a/sysdeps/unix/sysv/linux/ifaddrs.c b/sysdeps/unix/sysv/linux/ifaddrs.c
978e96
index 179653103e057b79..c87e594e30a314fe 100644
978e96
--- a/sysdeps/unix/sysv/linux/ifaddrs.c
978e96
+++ b/sysdeps/unix/sysv/linux/ifaddrs.c
978e96
@@ -169,6 +169,7 @@ __netlink_request (struct netlink_handle *h, int type)
978e96
 	};
978e96
 
978e96
       read_len = TEMP_FAILURE_RETRY (__recvmsg (h->fd, &msg, 0));
978e96
+      __netlink_assert_response (h->fd, read_len);
978e96
       if (read_len < 0)
978e96
 	goto out_fail;
978e96
 
978e96
diff --git a/sysdeps/unix/sysv/linux/netlink_assert_response.c b/sysdeps/unix/sysv/linux/netlink_assert_response.c
978e96
new file mode 100644
978e96
index 0000000000000000..b570e93db840fec1
978e96
--- /dev/null
978e96
+++ b/sysdeps/unix/sysv/linux/netlink_assert_response.c
978e96
@@ -0,0 +1,106 @@
978e96
+/* Check recvmsg results for netlink sockets.
978e96
+   Copyright (C) 2015 Free Software Foundation, Inc.
978e96
+   This file is part of the GNU C Library.
978e96
+
978e96
+   The GNU C Library is free software; you can redistribute it and/or
978e96
+   modify it under the terms of the GNU Lesser General Public
978e96
+   License as published by the Free Software Foundation; either
978e96
+   version 2.1 of the License, or (at your option) any later version.
978e96
+
978e96
+   The GNU C Library is distributed in the hope that it will be useful,
978e96
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
978e96
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
978e96
+   Lesser General Public License for more details.
978e96
+
978e96
+   You should have received a copy of the GNU Lesser General Public
978e96
+   License along with the GNU C Library; if not, see
978e96
+   <http://www.gnu.org/licenses/>.  */
978e96
+
978e96
+#include <errno.h>
978e96
+#include <fcntl.h>
978e96
+#include <stdio.h>
978e96
+#include <sys/socket.h>
978e96
+
978e96
+#include "netlinkaccess.h"
978e96
+
978e96
+static int
978e96
+get_address_family (int fd)
978e96
+{
978e96
+  struct sockaddr_storage sa;
978e96
+  socklen_t sa_len = sizeof (sa);
978e96
+  if (__getsockname (fd, (struct sockaddr *) &sa, &sa_len) < 0)
978e96
+    return -1;
978e96
+  /* Check that the socket family number is preserved despite in-band
978e96
+     signaling.  */
978e96
+  _Static_assert (sizeof (sa.ss_family) < sizeof (int), "address family size");
978e96
+  _Static_assert (0 < (__typeof__ (sa.ss_family)) -1,
978e96
+                  "address family unsigned");
978e96
+  return sa.ss_family;
978e96
+}
978e96
+
978e96
+void
978e96
+internal_function
978e96
+__netlink_assert_response (int fd, ssize_t result)
978e96
+{
978e96
+  if (result < 0)
978e96
+    {
978e96
+      /* Check if the error is unexpected.  */
978e96
+      bool terminate = false;
978e96
+      int error_code = errno;
978e96
+      int family = get_address_family (fd);
978e96
+      if (family != AF_NETLINK)
978e96
+        /* If the address family does not match (or getsockname
978e96
+           failed), report the original error.  */
978e96
+        terminate = true;
978e96
+      else if (error_code == EBADF
978e96
+          || error_code == ENOTCONN
978e96
+          || error_code == ENOTSOCK
978e96
+          || error_code == ECONNREFUSED)
978e96
+        /* These errors indicate that the descriptor is not a
978e96
+           connected socket.  */
978e96
+        terminate = true;
978e96
+      else if (error_code == EAGAIN || error_code == EWOULDBLOCK)
978e96
+        {
978e96
+          /* The kernel might return EAGAIN for other reasons than a
978e96
+             non-blocking socket.  But if the socket is not blocking,
978e96
+             it is not ours, so report the error.  */
978e96
+          int mode = __fcntl (fd, F_GETFL, 0);
978e96
+          if (mode < 0 || (mode & O_NONBLOCK) != 0)
978e96
+            terminate = true;
978e96
+        }
978e96
+      if (terminate)
978e96
+        {
978e96
+          char message[200];
978e96
+          if (family < 0)
978e96
+            __snprintf (message, sizeof (message),
978e96
+                        "Unexpected error %d on netlink descriptor %d",
978e96
+                        error_code, fd);
978e96
+          else
978e96
+            __snprintf (message, sizeof (message),
978e96
+                        "Unexpected error %d on netlink descriptor %d"
978e96
+                        " (address family %d)",
978e96
+                        error_code, fd, family);
978e96
+          __libc_fatal (message);
978e96
+        }
978e96
+      else
978e96
+        /* Restore orignal errno value.  */
978e96
+        __set_errno (error_code);
978e96
+    }
978e96
+  else if (result < sizeof (struct nlmsghdr))
978e96
+    {
978e96
+      char message[200];
978e96
+      int family = get_address_family (fd);
978e96
+      if (family < 0)
978e96
+          __snprintf (message, sizeof (message),
978e96
+                      "Unexpected netlink response of size %zd"
978e96
+                      " on descriptor %d",
978e96
+                      result, fd);
978e96
+      else
978e96
+          __snprintf (message, sizeof (message),
978e96
+                      "Unexpected netlink response of size %zd"
978e96
+                      " on descriptor %d (address family %d)",
978e96
+                      result, fd, family);
978e96
+      __libc_fatal (message);
978e96
+    }
978e96
+}
978e96
+libc_hidden_def (__netlink_assert_response)
978e96
diff --git a/sysdeps/unix/sysv/linux/netlinkaccess.h b/sysdeps/unix/sysv/linux/netlinkaccess.h
978e96
index 6cd8a882640d2486..33dc4e12cd464681 100644
978e96
--- a/sysdeps/unix/sysv/linux/netlinkaccess.h
978e96
+++ b/sysdeps/unix/sysv/linux/netlinkaccess.h
978e96
@@ -18,6 +18,7 @@
978e96
 #ifndef _NETLINKACCESS_H
978e96
 #define _NETLINKACCESS_H 1
978e96
 
978e96
+#include <sys/types.h>
978e96
 #include <asm/types.h>
978e96
 #include <linux/netlink.h>
978e96
 #include <linux/rtnetlink.h>
978e96
@@ -49,5 +50,10 @@ extern void __netlink_close (struct netlink_handle *h);
978e96
 extern void __netlink_free_handle (struct netlink_handle *h);
978e96
 extern int __netlink_request (struct netlink_handle *h, int type);
978e96
 
978e96
+/* Terminate the process if RESULT is an invalid recvmsg result for
978e96
+   the netlink socket FD.  */
978e96
+void __netlink_assert_response (int fd, ssize_t result)
978e96
+  internal_function;
978e96
+libc_hidden_proto (__netlink_assert_response)
978e96
 
978e96
 #endif /* netlinkaccess.h */