From 560b4b0b148eb484045465433ba623fe261104f3 Mon Sep 17 00:00:00 2001
From: Geoffrey Thomas
Date: Mon, 27 Sep 2021 13:49:30 -0400
Subject: [PATCH 1/6] nix::unistd::getgrouplist buffer overflow

---
 crates/nix/RUSTSEC-0000-0000.md | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 crates/nix/RUSTSEC-0000-0000.md

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..cff43fb89
--- /dev/null
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "nix"
+date = "2021-09-27"
+url = "https://github.com/nix-rust/nix/issues/1541"
+categories = ["memory-corruption"]
+keywords = ["nss"]
+
+[versions]
+patched = []
+
+[affected]
+
+functions = { "nix::unistd::getgrouplist" = [">= 0.16.0"] }
+```
+
+# Out-of-bounds write in nix::unistd::getgrouplist
+
+On certain platforms, if a user has more than 16 groups, the
+`nix::unistd::getgrouplist` function will call the libc `getgrouplist`
+function with a length parameter greater than the size of the buffer it
+provides, resulting in an out-of-bounds write and memory corruption.
+
+The libc `getgrouplist` function takes an in/out parameter `ngroups`
+specifying the size of the group buffer. When the buffer is too small to
+hold all of the reqested user's group memberships, some libc
+implementations, including glibc and Solaris libc, will modify `ngroups`
+to indicate the actual number of groups for the user, in addition to
+returning an error. The version of `nix::unistd::getgrouplist` in nix
+0.16.0 and up will resize the buffer to twice its size, but will not
+read or modify the `ngroups` variable. Thus, if the user has more than
+twice as many groups as the initial buffer size of 8, the next call to
+`getgrouplist` will then write past the end of the buffer.
From af5c57bb241121b8465bff4fa7f8d3a894dee2bc Mon Sep 17 00:00:00 2001
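Review bot: The description paragraph misspells `reqested`; it should read `requested`. The mechanism is also easier to follow if the two numbers in the text (8 and 16) are tied together explicitly, since the reader currently has to infer that one doubling happens between the two calls; a sentence such as `After the first call fails with a buffer of 8, nix doubles the buffer to 16 but passes the stale, libc-updated ngroups value (the real group count) to the second call, so any user with more than 16 groups overruns the 16-entry buffer.` would state that directly. Both points are wording only; the TOML front matter in this hunk is fine as written.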
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 27 Sep 2021 20:28:53 +0200
Subject: [PATCH 2/6] add `unaffected`

---
 crates/nix/RUSTSEC-0000-0000.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
index cff43fb89..4653fcedc 100644
--- a/crates/nix/RUSTSEC-0000-0000.md
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -9,6 +9,7 @@ keywords = ["nss"]
 
 [versions]
 patched = []
+unaffected = ["< 0.16.0"]
 
 [affected]
 
From 1773a4a8a699ff6842709a5154c4859a76c972cf Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Wed, 29 Sep 2021 21:41:18 +0200
Subject: [PATCH 3/6] add patched versions

---
 crates/nix/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
index 4653fcedc..c2a5fb6db 100644
--- a/crates/nix/RUSTSEC-0000-0000.md
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -8,7 +8,7 @@ categories = ["memory-corruption"]
 keywords = ["nss"]
 
 [versions]
-patched = []
+patched = ["^0.20.2", "^0.21.2", "^0.22.2", ">= 0.23.0",]
 unaffected = ["< 0.16.0"]
 
 [affected]
From d89cb62c32010eaf951c54c5b42bd4be07a8435a Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Thu, 30 Sep 2021 18:59:39 +0200
Subject: [PATCH 4/6] add affected OSs

---
 crates/nix/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
index c2a5fb6db..65e984213 100644
--- a/crates/nix/RUSTSEC-0000-0000.md
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -12,7 +12,7 @@ patched = ["^0.20.2", "^0.21.2", "^0.22.2", ">= 0.23.0",]
 unaffected = ["< 0.16.0"]
 
 [affected]
-
+os = ["linux", "freebsd", "android", "netbsd", "dragonfly", "openbsd", "fuchsia"]
 functions = { "nix::unistd::getgrouplist" = [">= 0.16.0"] }
 ```
From d9b86f85917aed02d91e3a063856abe715cc94b3 Mon Sep 17 00:00:00 2001
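Review bot: The `os` list added in the PATCH 4/6 hunk does not line up with the description, which names Solaris libc as one of the implementations that rewrite `ngroups` and therefore trigger the overflow, yet no Solaris/illumos target appears in the list. If the crate builds for such a target, the list looks incomplete; if it does not, the description's mention of Solaris libc is a distraction and could be dropped or qualified. The same hunk's description opens with "On certain platforms", which could now point at this `os` list so the two stay in sync, e.g. `On the platforms listed under [affected].os, if a user has more than 16 groups, …`. I cannot tell from the diff alone which BSD libcs actually modify `ngroups` on failure, so the non-Linux entries are worth a quick confirmation before merge.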
From: "Sergey \"Shnatsel\" Davidoff"
Date: Thu, 30 Sep 2021 19:00:49 +0200
Subject: [PATCH 5/6] drop severity down to a warning

---
 crates/nix/RUSTSEC-0000-0000.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
index 65e984213..b2cc4eb33 100644
--- a/crates/nix/RUSTSEC-0000-0000.md
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -6,6 +6,7 @@ date = "2021-09-27"
 url = "https://github.com/nix-rust/nix/issues/1541"
 categories = ["memory-corruption"]
 keywords = ["nss"]
+informational = "unsound"
 
 [versions]
 patched = ["^0.20.2", "^0.21.2", "^0.22.2", ">= 0.23.0",]
From d249d66a04e5f0a633c5cde9dca537489596c669 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Thu, 30 Sep 2021 19:02:50 +0200
Subject: [PATCH 6/6] note that this requires root to exploit

---
 crates/nix/RUSTSEC-0000-0000.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crates/nix/RUSTSEC-0000-0000.md b/crates/nix/RUSTSEC-0000-0000.md
index b2cc4eb33..67f1acd95 100644
--- a/crates/nix/RUSTSEC-0000-0000.md
+++ b/crates/nix/RUSTSEC-0000-0000.md
@@ -34,3 +34,6 @@ returning an error. The version of `nix::unistd::getgrouplist` in nix
 read or modify the `ngroups` variable. Thus, if the user has more than
 twice as many groups as the initial buffer size of 8, the next call to
 `getgrouplist` will then write past the end of the buffer.
+
+The issue would require editing /etc/groups to exploit, which is usually
+only editable by the root user.
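Review bot: The added paragraph in the PATCH 6/6 hunk names `/etc/groups`; the local group database file is `/etc/group`. More importantly, the precondition is narrower than the advisory's own metadata supports: the file is tagged `keywords = ["nss"]` and the description says the count comes from "the requested user's group memberships", so on systems whose group membership is served by a non-file NSS source the trigger is simply a looked-up user having more than 16 groups, which is an ordinary deployment state rather than something only root can bring about. A wording such as `The overflow is triggered whenever the looked-up user has more than 16 group memberships. With local files that normally means /etc/group, which only root can edit, but membership may also come from other NSS sources.` keeps the mitigating observation without overstating it. Since the `informational = "unsound"` downgrade in the PATCH 5/6 hunk appears to rest on this root-only reasoning, it is worth re-checking that classification once the paragraph is corrected.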