From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/6879
Path: news.gmane.org!not-for-mail
From: =?UTF-8?Q?Daniel_Cegie=C5=82ka?= <daniel.cegielka@gmail.com>
Newsgroups: gmane.linux.lib.musl.general
Subject: gethostbyname buffer overflow (glibc)
Date: Tue, 27 Jan 2015 17:59:36 +0100
Message-ID: <CAPLrYES9oEF5XB32Q8tDxYuDJ8wOZ6iiZEQz3vxbun2vtqrYuQ@mail.gmail.com>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Trace: ger.gmane.org 1422378015 10169 80.91.229.3 (27 Jan 2015 17:00:15 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Tue, 27 Jan 2015 17:00:15 +0000 (UTC)
To: musl@lists.openwall.com
Original-X-From: musl-return-6892-gllmg-musl=m.gmane.org@lists.openwall.com Tue Jan 27 18:00:15 2015
Return-path: <musl-return-6892-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by plane.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-6892-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1YG9Up-0005Au-Kt
	for gllmg-musl@m.gmane.org; Tue, 27 Jan 2015 18:00:11 +0100
Original-Received: (qmail 23922 invoked by uid 550); 27 Jan 2015 17:00:09 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
Original-Received: (qmail 23913 invoked from network); 27 Jan 2015 17:00:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:from:date:message-id:subject:to:content-type;
        bh=JoMUH3LNR9BQpKkxlrWp2XMec5EdvXF2uRsbSrBWZ+g=;
        b=q8+ZRfbeAAyF3e7YodCRnXgweeZaatr7ROqqVmulBqA9I+8CGCOpNVsIQOGtQIion8
         8FOJ4sq/HH2B7jLCxpCm7LDu/UHTD2UfkuGLPdIx07orM2m1TAL0JPCpa+12Y7cxeeYK
         t1jbFNgoQsJ8eSb1do79Ta5JVHHmXmCBqMoCuYvXDlhqi5IaI7GwHsYw3mh/Pfv1rQtK
         Lhk0UhvjPJbCWlPTGBIfaetHcwISPhEviV+D5c530wabrqkHCeQvUftRSgYgODtn1Msf
         82xgd1yZjLRMmyLVTXe7gj7uRUZL/y1az3lTQNPVzZZUdBjeyH0xuJ6qyD44f6QGZRk+
         7qlw==
X-Received: by 10.202.228.9 with SMTP id b9mr1383124oih.40.1422377997044; Tue,
 27 Jan 2015 08:59:57 -0800 (PST)
Xref: news.gmane.org gmane.linux.lib.musl.general:6879
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/6879>

eg from:

http://www.openwall.com/lists/oss-security/2015/01/27/9

# gcc ghost.c && ./a.out
should not happen


  retval = gethostbyname_r(name, &resbuf, temp.buffer,
sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);

Double exit. Is something wrong with gethostbyname_r() in musl?

Daniel