NetBSD-Bugs archive


lib/37708: getservbyname, getaddrinfo segfaults when user has no rights for reading ``/etc/services''



>Number:         37708
>Category:       lib
>Synopsis:       getservbyname, getaddrinfo segfaults when user has no rights for reading ``/etc/services''
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 06 16:25:00 +0000 2008
>Originator:     A.Leo.
>Release:        NetBSD 4.0
>Organization:
Rhonda, Ltd.
>Environment:
This issue was reproduced on i386 and sparc.

NetBSD xxxxxx 4.0 NetBSD 4.0 (GENERIC) #0: Sun Dec 16 02:09:27 PST 2007  builds@wb29:/home/builds/ab/netbsd-4-0-RELEASE/sparc/200712160005Z-obj/home/builds/ab/netbsd-4-0-RELEASE/src/sys/arch/sparc/compile/GENERIC sparc

NetBSD xxxxxx 4.0 NetBSD 4.0 (GENERIC) #0: Sun Dec 16 00:20:10 PST 2007  builds@wb34:/home/builds/ab/netbsd-4-0-RELEASE/i386/200712160005Z-obj/home/builds/ab/netbsd-4-0-RELEASE/src/sys/arch/i386/compile/GENERIC i386


>Description:
When a user has no rights to read /etc/services and calls either
getservbyname or getaddrinfo, he gets a segfault. I've tested ssh, ftp and
telnet and they all got a segfault.

I guess this issue is caused by rewind'ing a 0 file in the function
_servent_getline(). But adding a check for 0 there is not a good solution...

ss5# uname -srm  
NetBSD 4.0 sparc
ss5# useradd -g guest -G games -m testuser                                     
ss5# chmod 000 /etc/services                                                   
ss5# su - testuser
$ ftp localhost
[1]   Segmentation fault (core dumped) ftp localhost
$ telnet localhost
[1]   Segmentation fault (core dumped) telnet localhost
$ ssh localhost
[1]   Segmentation fault (core dumped) ssh localhost
$ gdb ftp
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc--netbsdelf"...(no debugging symbols found)...
(gdb) r localhost
Starting program: /usr/bin/ftp localhost
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x20173f9c in fseeko () from /usr/lib/libc.so.12
(gdb) bt
#0  0x20173f9c in fseeko () from /usr/lib/libc.so.12
#1  0x20173b70 in rewind () from /usr/lib/libc.so.12
#2  0x2015e584 in _servent_getline () from /usr/lib/libc.so.12
#3  0x2015bba0 in getservbyname_r () from /usr/lib/libc.so.12
#4  0x200fa188 in getservbyname () from /usr/lib/libc.so.12
#5  0x00026a80 in parseport ()
#6  0x00022208 in hookup ()
#7  0x000286d4 in setpeer ()
#8  0x00024298 in main ()
#9  0x00011d80 in ___start ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
$ gdb telnet
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc--netbsdelf"...(no debugging symbols found)...
(gdb) r localhost
Starting program: /usr/bin/telnet localhost
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x20403f9c in fseeko () from /usr/lib/libc.so.12
(gdb) bt
#0  0x20403f9c in fseeko () from /usr/lib/libc.so.12
#1  0x20403b70 in rewind () from /usr/lib/libc.so.12
#2  0x203ee584 in _servent_getline () from /usr/lib/libc.so.12
#3  0x203ebba0 in getservbyname_r () from /usr/lib/libc.so.12
#4  0x203e95fc in gai_strerror () from /usr/lib/libc.so.12
#5  0x203e9d64 in getaddrinfo () from /usr/lib/libc.so.12
#6  0x000153dc in tn ()
#7  0x00016734 in main ()
#8  0x00012098 in ___start ()
$ gdb ssh
GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc--netbsdelf"...(no debugging symbols found)...
r(gdb) r localhost
Starting program: /usr/bin/ssh localhost
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x20433f9c in fseeko () from /usr/lib/libc.so.12
(gdb) bt
#0  0x20433f9c in fseeko () from /usr/lib/libc.so.12
#1  0x20433b70 in rewind () from /usr/lib/libc.so.12
#2  0x2041e584 in _servent_getline () from /usr/lib/libc.so.12
#3  0x2041bba0 in getservbyname_r () from /usr/lib/libc.so.12
#4  0x203ba188 in getservbyname () from /usr/lib/libc.so.12
#5  0x00016ad0 in main ()
#6  0x00014400 in ___start ()

>How-To-Repeat:
1) chmod 000 /etc/services
2) login as non-root user
3) try either "ssh localhost" or "ftp localhost" or "telnet localhost"

>Fix:




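The failure mode in the description (a stream that was never opened reaching rewind()) and one way to stop it at the open step instead of only at the rewind site, as an added example that is not NetBSD's libc code or the reporter's. svc_state, svc_open, svc_getline and svc_lookup_port are hypothetical names, the sample file is constructed, and a nonexistent path stands in for the mode-000 file so the demo behaves the same when run as root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical reader state; not NetBSD's libc structures. */
struct svc_state { FILE *fp; int first; };

/* Open the database. Returns -1 with errno left by fopen() on failure. */
static int svc_open(struct svc_state *st, const char *path)
{
    st->fp = fopen(path, "r");       /* NULL on EACCES, ENOENT, ... */
    return st->fp != NULL ? 0 : -1;
}

/* Read one line, rewinding on first use. The NULL guard is defence in
 * depth; the real protection is that callers check svc_open(). */
static char *svc_getline(struct svc_state *st, char *buf, int len)
{
    if (st->fp == NULL) { errno = EBADF; return NULL; }
    if (st->first) { rewind(st->fp); st->first = 0; }
    return fgets(buf, len, st->fp);
}

/* Port for name/proto, or -1 if absent or the database is unreadable. */
int svc_lookup_port(const char *path, const char *name, const char *proto)
{
    struct svc_state st = { NULL, 1 };
    char line[256], n[64], p[16];
    int port, found = -1;
    if (svc_open(&st, path) == -1) return -1;   /* propagate, never read */
    while (found == -1 && svc_getline(&st, line, (int)sizeof line) != NULL) {
        line[strcspn(line, "#\n")] = '\0';      /* drop comments */
        if (sscanf(line, "%63s %d/%15s", n, &port, p) == 3 &&
            strcmp(n, name) == 0 && strcmp(p, proto) == 0)
            found = port;
    }
    fclose(st.fp);
    return found;
}

int main(void)
{
    FILE *f = fopen("svc_sample.txt", "w");     /* constructed sample data */
    if (f == NULL) return 1;
    fputs("ftp\t21/tcp\nssh\t22/tcp\t# Secure Shell\n", f);
    fclose(f);
    printf("ssh/tcp: %d\n", svc_lookup_port("svc_sample.txt", "ssh", "tcp"));
    printf("unreadable: %d\n", svc_lookup_port("/nonexistent/services", "ssh", "tcp"));
    return remove("svc_sample.txt");
}
```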