Date:      Mon, 2 Oct 2023 13:23:39 GMT
From:      Joseph Mingrone <jrm@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: fe495574527e - main - net/samba413: back port security fixes from 4.16.11
Message-ID:  <202310021323.392DNd9F085250@gitrepo.freebsd.org>

The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fe495574527e3f97cbb57438f8c468fad8842e9d

commit fe495574527e3f97cbb57438f8c468fad8842e9d
Author:     Michael Osipov <michael.osipov@siemens.com>
AuthorDate: 2023-09-06 10:21:59 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2023-10-02 13:15:28 +0000

    net/samba413: back port security fixes from 4.16.11
    
    The security defects addressed in these fixes are described at
    https://www.samba.org/samba/history/samba-4.16.11.html
    
    PR:             273595
    Approved by:    maintainer timeout
---
 net/samba413/Makefile                              |  27 +-
 ...27-s3-winbind-Move-big-NTLMv2-blob-checks.patch |  67 +++
 ...27-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch |  71 +++
 ...27-ntlm_auth-cap-lanman-response-length-v.patch |  40 ++
 ...CVE-2023-34966-CI-test-for-sl_unpack_loop.patch | 135 ++++++
 ...E-2023-34966-mdssvc-harden-sl_unpack_loop.patch |  73 +++
 ...967-CI-add-a-test-for-type-checking-of-da.patch | 172 +++++++
 ...967-mdssvc-add-type-checking-to-dalloc_va.patch | 120 +++++
 ...967-CI-add-a-test-for-type-checking-of-da.patch |  17 +
 ...967-mdssvc-add-type-checking-to-dalloc_va.patch |  16 +
 ...968-lib-Move-subdir_of-to-source3-lib-uti.patch | 101 +++++
 ...968-mdssvc-cache-and-reuse-stat-info-in-s.patch |  93 ++++
 ...968-mdssvc-add-missing-kMDSStoreMetaScope.patch |  34 ++
 ...968-mdscli-use-correct-TALLOC-memory-cont.patch |  60 +++
 ...968-mdscli-remove-response-blob-allocatio.patch |  86 ++++
 ...968-smbtorture-remove-response-blob-alloc.patch |  77 ++++
 ...968-rpcclient-remove-response-blob-alloca.patch |  53 +++
 ...968-mdssvc-remove-response-blob-allocatio.patch |  45 ++
 ...968-mdssvc-switch-to-doing-an-early-retur.patch |  57 +++
 ...968-mdssvc-introduce-an-allocating-wrappe.patch | 456 +++++++++++++++++++
 ...-34968-mdscli-return-share-relative-paths.patch | 504 +++++++++++++++++++++
 ...023-34968-mdssvc-return-a-fake-share-path.patch | 222 +++++++++
 22 files changed, 2524 insertions(+), 2 deletions(-)

diff --git a/net/samba413/Makefile b/net/samba413/Makefile
index 472f19ea389c..7207ba3a7a46 100644
--- a/net/samba413/Makefile
+++ b/net/samba413/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=			${SAMBA4_BASENAME}413
 PORTVERSION=			${SAMBA4_VERSION}
-PORTREVISION=			5
+PORTREVISION=			6
 CATEGORIES?=			net
 MASTER_SITES=			SAMBA/samba/stable SAMBA/samba/rc
 DISTNAME=			${SAMBA4_DISTNAME}
@@ -19,7 +19,30 @@ USES=				cpe
 
 EXTRA_PATCHES+=			${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 \
 				${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \
-				${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1
+				${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 \
+				${PATCHDIR}/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch:-p1 \
+				${PATCHDIR}/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch:-p1 \
+				${PATCHDIR}/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch:-p1 \
+				${PATCHDIR}/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch:-p1 \
+				${PATCHDIR}/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch:-p1 \
+				${PATCHDIR}/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1 \
+				${PATCHDIR}/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1 \
+				${PATCHDIR}/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch:-p1 \
+				${PATCHDIR}/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch:-p1 \
+				${PATCHDIR}/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch:-p1 \
+				${PATCHDIR}/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch:-p1 \
+				${PATCHDIR}/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch:-p1 \
+				${PATCHDIR}/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch:-p1 \
+				${PATCHDIR}/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch:-p1 \
+				${PATCHDIR}/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch:-p1 \
+				${PATCHDIR}/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch:-p1 \
+				${PATCHDIR}/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch:-p1 \
+				${PATCHDIR}/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch:-p1 \
+				${PATCHDIR}/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch:-p1
+
+# These have been removed from EXTRA_PATCHES because they are empty and patch(1) complains about them
+#				${PATCHDIR}/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1
+#				${PATCHDIR}/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1
 
 SAMBA4_BASENAME=		samba
 SAMBA4_PORTNAME=		${SAMBA4_BASENAME}4
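Review bot: leaving the 0008 and 0009 entries commented out with an explanation invites a future maintainer to re-enable them; since they are not applied, the cleaner change is to not add the two files at all and drop the two commented lines, keeping only the explanation in the commit message. The ordering of the added EXTRA_PATCHES is correct and matters: 0001-0003 (CVE-2022-2127), 0004-0005 (CVE-2023-34966), 0006-0007 (CVE-2023-34967) and 0010-0021 (CVE-2023-34968) apply in numeric order, and 0002 in particular corrects the length check that 0001 only relocates, so the two must never be split.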
diff --git a/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch b/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch
new file mode 100644
index 000000000000..a03539adeede
--- /dev/null
+++ b/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch
@@ -0,0 +1,67 @@
+From d2a03a12c607e00654b21a91d487c3408b394eaf Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Thu, 24 Feb 2022 17:48:27 +0100
+Subject: [PATCH 01/21] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks
+ to parent process
+
+The winbindd_dual_pam_auth_crap() function will be converted to a local
+RPC call handler and it won't receive a winbindd_cli_state struct. Move
+the checks accessing this struct to the parent.
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)
+---
+ source3/winbindd/winbindd_pam.c           | 12 ------------
+ source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 59dd18e27b8..9e799b3a191 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -2698,18 +2698,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ 	DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
+ 		  name_domain, name_user));
+ 
+-	if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
+-		|| state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
+-		if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+-		     state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
+-			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
+-				  state->request->data.auth_crap.lm_resp_len,
+-				  state->request->data.auth_crap.nt_resp_len));
+-			result = NT_STATUS_INVALID_PARAMETER;
+-			goto done;
+-		}
+-	}
+-
+ 	lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
+ 					state->request->data.auth_crap.lm_resp_len);
+ 
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index 40cab81b5ea..310d50fdde2 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
++++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -138,6 +138,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ 	}
+ 
++	if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
++		|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
++		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
++		     request->extra_len != request->data.auth_crap.nt_resp_len) {
++			DBG_ERR("Invalid password length %u/%u\n",
++				request->data.auth_crap.lm_resp_len,
++				request->data.auth_crap.nt_resp_len);
++			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++			return tevent_req_post(req, ev);
++		}
++	}
++
+ 	subreq = wb_domain_request_send(state, global_event_context(), domain,
+ 					request);
+ 	if (tevent_req_nomem(subreq, req)) {
+-- 
+2.41.0
+
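Review bot: the relocated check keeps the original logic, which still accepts an oversized lm_resp_len whenever WBFLAG_BIG_NTLMV2_BLOB is set and extra_len equals nt_resp_len, because the inner `if` only rejects when the flag is absent or extra_len differs; the retained context `lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp, ... lm_resp_len)` then reads lm_resp_len bytes out of the fixed lm_resp buffer. That is exactly what the following patch fixes, so this one is only safe when 0002 is applied with it (which the Makefile does).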
diff --git a/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch b/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch
new file mode 100644
index 000000000000..06b7472df4db
--- /dev/null
+++ b/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch
@@ -0,0 +1,71 @@
+From 5c6a46d21cc247ed38e70925b2d849d4e807ca0a Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 20 May 2022 10:55:23 +0200
+Subject: [PATCH 02/21] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
+ length checks
+
+With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
+can crash winbind. We don't independently check lm_resp_len
+sufficiently.
+
+Discovered via Coverity ID 1504444 Out-of-bounds access
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+---
+ source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++--------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index 310d50fdde2..19e295f50b3 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
++++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -40,6 +40,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 	struct winbindd_pam_auth_crap_state *state;
+ 	struct winbindd_domain *domain;
+ 	const char *auth_domain = NULL;
++	bool lmlength_ok = false;
++	bool ntlength_ok = false;
++	bool pwlength_ok = false;
+ 
+ 	req = tevent_req_create(mem_ctx, &state,
+ 				struct winbindd_pam_auth_crap_state);
+@@ -138,16 +141,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ 	}
+ 
+-	if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+-		|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+-		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+-		     request->extra_len != request->data.auth_crap.nt_resp_len) {
+-			DBG_ERR("Invalid password length %u/%u\n",
+-				request->data.auth_crap.lm_resp_len,
+-				request->data.auth_crap.nt_resp_len);
+-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+-			return tevent_req_post(req, ev);
+-		}
++	lmlength_ok = (request->data.auth_crap.lm_resp_len <=
++		       sizeof(request->data.auth_crap.lm_resp));
++
++	ntlength_ok = (request->data.auth_crap.nt_resp_len <=
++		       sizeof(request->data.auth_crap.nt_resp));
++
++	ntlength_ok |=
++		((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
++		 (request->extra_len == request->data.auth_crap.nt_resp_len));
++
++	pwlength_ok = lmlength_ok && ntlength_ok;
++
++	if (!pwlength_ok) {
++		DBG_ERR("Invalid password length %u/%u\n",
++			request->data.auth_crap.lm_resp_len,
++			request->data.auth_crap.nt_resp_len);
++		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		return tevent_req_post(req, ev);
+ 	}
+ 
+ 	subreq = wb_domain_request_send(state, global_event_context(), domain,
+-- 
+2.41.0
+
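Review bot: `ntlength_ok |= ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && ...)` is correct only because the `&&` expression yields 0 or 1, making the bitwise or on a bool safe; `ntlength_ok = ntlength_ok || (...)` states the intent without making the reader think about integer promotion. The logic itself is right: lm_resp_len is now bounded by sizeof(lm_resp) unconditionally and the big-blob escape hatch applies to nt_resp_len only. This patch also carries no `(cherry picked from ...)` line, so the upstream commit it corresponds to is not recorded in the port; adding it would help the next person who rebases these patches.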
diff --git a/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch b/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch
new file mode 100644
index 000000000000..a1f873366172
--- /dev/null
+++ b/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch
@@ -0,0 +1,40 @@
+From de6bd24d80ec4af9d618911cc42d10e109d1d121 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Jun 2023 12:28:47 +0200
+Subject: [PATCH 03/21] CVE-2022-2127: ntlm_auth: cap lanman response length
+ value
+
+We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
+lm_resp buffer, but we don't cap the length indicator.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/utils/ntlm_auth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 5541c58350b..def8cdef6fa 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -573,10 +573,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
+ 	memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
+ 
+ 	if (lm_response && lm_response->length) {
++		size_t capped_lm_response_len = MIN(
++			lm_response->length,
++			sizeof(request.data.auth_crap.lm_resp));
++
+ 		memcpy(request.data.auth_crap.lm_resp,
+ 		       lm_response->data,
+-		       MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
+-		request.data.auth_crap.lm_resp_len = lm_response->length;
++		       capped_lm_response_len);
++		request.data.auth_crap.lm_resp_len = capped_lm_response_len;
+ 	}
+ 
+ 	if (nt_response && nt_response->length) {
+-- 
+2.41.0
+
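Review bot: the cap is applied to the LM response only; the NT branch begins at the trailing context line `if (nt_response && nt_response->length) {` and is outside this hunk, so confirm that nt_resp_len is either clamped the same way or deliberately left uncapped because winbindd accepts a larger NT blob via WBFLAG_BIG_NTLMV2_BLOB and extra_len. Silently truncating an over-long LM response to sizeof(lm_resp) makes the length indicator consistent with the copy (the stated goal) but still sends a mangled LM response rather than rejecting it; with the winbindd side now rejecting inconsistent lengths that is acceptable, but a one-line comment saying so would save the next reader the question.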
diff --git a/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch b/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch
new file mode 100644
index 000000000000..9b96a50e84cc
--- /dev/null
+++ b/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch
@@ -0,0 +1,135 @@
+From b8a534a3d9b98cc70b2535f3fca31983e3617275 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 15:34:26 +0200
+Subject: [PATCH 04/21] CVE-2023-34966: CI: test for sl_unpack_loop()
+
+Send a maliciously crafted packet where a nil type has a subcount of 0. This
+triggers an endless loop in mdssvc sl_unpack_loop().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 100 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 507a4a1d2e4..f5f59395241 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -570,6 +570,102 @@ done:
+ 	return ok;
+ }
+ 
++static uint8_t test_sl_unpack_loop_buf[] = {
++	0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
++	0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
++	0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
++	0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
++	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
++	0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
++	0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
++	0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
++	0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
++	0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
++	0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
++	0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
++	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
++	0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++	0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
++	0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
++	0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
++	0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00
++};
++
++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
++				       void *data)
++{
++	struct torture_mdsscv_state *state = talloc_get_type_abort(
++		data, struct torture_mdsscv_state);
++	struct dcerpc_binding_handle *b = state->p->binding_handle;
++	struct mdssvc_blob request_blob;
++	struct mdssvc_blob response_blob;
++	uint32_t device_id;
++	uint32_t unkn2;
++	uint32_t unkn9;
++	uint32_t fragment;
++	uint32_t flags;
++	NTSTATUS status;
++	bool ok = true;
++
++	device_id = UINT32_C(0x2f000045);
++	unkn2 = 23;
++	unkn9 = 0;
++	fragment = 0;
++	flags = UINT32_C(0x6b000001);
++
++	request_blob.spotlight_blob = test_sl_unpack_loop_buf;
++	request_blob.size = sizeof(test_sl_unpack_loop_buf);
++	request_blob.length = sizeof(test_sl_unpack_loop_buf);
++
++	response_blob.spotlight_blob = talloc_array(state,
++						    uint8_t,
++						    0);
++	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++				     ok, done, "dalloc_zero failed\n");
++	response_blob.size = 0;
++
++	status = dcerpc_mdssvc_cmd(b,
++				   state,
++				   &state->ph,
++				   0,
++				   device_id,
++				   unkn2,
++				   0,
++				   flags,
++				   request_blob,
++				   0,
++				   64 * 1024,
++				   1,
++				   64 * 1024,
++				   0,
++				   0,
++				   &fragment,
++				   &response_blob,
++				   &unkn9);
++	torture_assert_ntstatus_ok_goto(
++		tctx, status, ok, done,
++		"dcerpc_mdssvc_unknown1 failed\n");
++
++done:
++	return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+ 					 void *data)
+ {
+@@ -841,5 +937,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+ 				      "fetch_unknown_cnid",
+ 				      test_mdssvc_fetch_attr_unknown_cnid);
+ 
++	torture_tcase_add_simple_test(tcase,
++				      "mdssvc_sl_unpack_loop",
++				      test_mdssvc_sl_unpack_loop);
++
+ 	return suite;
+ }
+-- 
+2.41.0
+
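Review bot: the failure message `"dcerpc_mdssvc_unknown1 failed\n"` names the wrong call (the test issues dcerpc_mdssvc_cmd), and `"dalloc_zero failed\n"` follows a talloc_array() call; both are copy-paste leftovers that mislead when the test fails. The test also asserts only NT_STATUS_OK on the RPC, so a regression of the busy loop would manifest as the call hanging or timing out rather than as a clean assertion; acceptable for a CI reproducer, but worth a comment next to the assertion.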
diff --git a/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch b/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch
new file mode 100644
index 000000000000..771731aa49fc
--- /dev/null
+++ b/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch
@@ -0,0 +1,73 @@
+From 3bdbf83c365a5bcd339aaa5e894797fe0e610c69 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH 05/21] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+
+    count -= subcount
+=>  count -= 0
+=>  while (count > 0)
+
+loops forever.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 1aa750413cd..441d41160f1 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
++++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 			sl_nil_t nil = 0;
+ 
+ 			subcount = tag.count;
+-			if (subcount > count) {
++			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_INT64:
+ 			subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_UUID:
+ 			subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_FLOAT:
+ 			subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_DATE:
+ 			subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+-- 
+2.41.0
+
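Review bot: the new `subcount < 1` guard rejects the zero case that drives `count -= subcount` into an endless loop and also subsumes the previous `== -1` error check in the int64, uuid, float and date cases, which is fine. The diff touches only five cases of the switch in sl_unpack_loop(), though; any other case that subtracts a client-supplied subcount from `count` needs the same audit, and none of those are visible here, so a note in the commit message that the remaining cases were checked would make this easier to review.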
diff --git a/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
new file mode 100644
index 000000000000..5d488a71cbec
--- /dev/null
+++ b/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
@@ -0,0 +1,172 @@
+From b1a0a1574ae0db083e917c13777abb4b113d6383 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 16:26:14 +0200
+Subject: [PATCH 06/21] CVE-2023-34967: CI: add a test for type checking of
+ dalloc_value_for_key()
+
+Sends a maliciously crafted packet where the value in a key/value style
+dictionary for the "scope" key is a simple string object whereas the server
+expects an array. As the server doesn't perform type validation on the value, it
+crashes when trying to use the "simple" object as a "complex" one.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 134 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index f5f59395241..20b903f93fa 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -666,6 +666,136 @@ done:
+ 	return ok;
+ }
+ 
++static bool test_sl_dict_type_safety(struct torture_context *tctx,
++				     void *data)
++{
++	struct torture_mdsscv_state *state = talloc_get_type_abort(
++		data, struct torture_mdsscv_state);
++	struct dcerpc_binding_handle *b = state->p->binding_handle;
++	struct mdssvc_blob request_blob;
++	struct mdssvc_blob response_blob;
++	uint64_t ctx1 = 0xdeadbeef;
++	uint64_t ctx2 = 0xcafebabe;
++	uint32_t device_id;
++	uint32_t unkn2;
++	uint32_t unkn9;
++	uint32_t fragment;
++	uint32_t flags;
++	DALLOC_CTX *d = NULL;
++	sl_array_t *array1 = NULL, *array2 = NULL;
++	sl_dict_t *arg = NULL;
++	int result;
++	NTSTATUS status;
++	bool ok = true;
++
++	device_id = UINT32_C(0x2f000045);
++	unkn2 = 23;
++	unkn9 = 0;
++	fragment = 0;
++	flags = UINT32_C(0x6b000001);
++
++	d = dalloc_new(tctx);
++	torture_assert_not_null_goto(tctx, d,
++				     ok, done, "dalloc_new failed\n");
++
++	array1 = dalloc_zero(d, sl_array_t);
++	torture_assert_not_null_goto(tctx, array1,
++				     ok, done, "dalloc_zero failed\n");
++
++	array2 = dalloc_zero(d, sl_array_t);
++	torture_assert_not_null_goto(tctx, array2,
++				     ok, done, "dalloc_new failed\n");
++
++	result = dalloc_stradd(array2, "openQueryWithParams:forContext:");
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_add_copy(array2, &ctx1, uint64_t);
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_add_copy(array2, &ctx2, uint64_t);
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	arg = dalloc_zero(array1, sl_dict_t);
++	torture_assert_not_null_goto(tctx, d,
++				     ok, done, "dalloc_zero failed\n");
++
++	result = dalloc_stradd(arg, "kMDQueryString");
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_stradd(arg, "*");
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_stradd(arg, "kMDScopeArray");
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_stradd(arg, "AAAABBBB");
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_stradd failed\n");
++
++	result = dalloc_add(array1, array2, sl_array_t);
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_add failed\n");
++
++	result = dalloc_add(array1, arg, sl_dict_t);
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_add failed\n");
++
++	result = dalloc_add(d, array1, sl_array_t);
++	torture_assert_goto(tctx, result == 0,
++			    ok, done, "dalloc_add failed\n");
++
++	torture_comment(tctx, "%s", dalloc_dump(d, 0));
++
++	request_blob.spotlight_blob = talloc_array(tctx,
++						   uint8_t,
++						   64 * 1024);
++	torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
++				     ok, done, "dalloc_new failed\n");
++	request_blob.size = 64 * 1024;
++
++	request_blob.length = sl_pack(d,
++				      (char *)request_blob.spotlight_blob,
++				      request_blob.size);
++	torture_assert_goto(tctx, request_blob.length > 0,
++			    ok, done, "sl_pack failed\n");
++
++	response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
++	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++				     ok, done, "dalloc_zero failed\n");
++	response_blob.size = 0;
++
++	status = dcerpc_mdssvc_cmd(b,
++				   state,
++				   &state->ph,
++				   0,
++				   device_id,
++				   unkn2,
++				   0,
++				   flags,
++				   request_blob,
++				   0,
++				   64 * 1024,
++				   1,
++				   64 * 1024,
++				   0,
++				   0,
++				   &fragment,
++				   &response_blob,
++				   &unkn9);
++	torture_assert_ntstatus_ok_goto(
++		tctx, status, ok, done,
++		"dcerpc_mdssvc_cmd failed\n");
++
++done:
++	return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+ 					 void *data)
+ {
+@@ -941,5 +1071,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+ 				      "mdssvc_sl_unpack_loop",
+ 				      test_mdssvc_sl_unpack_loop);
+ 
++	torture_tcase_add_simple_test(tcase,
++				      "sl_dict_type_safety",
++				      test_sl_dict_type_safety);
++
+ 	return suite;
+ }
+-- 
+2.41.0
+
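Review bot: the NULL check after `arg = dalloc_zero(array1, sl_dict_t);` tests `d` instead of `arg` (`torture_assert_not_null_goto(tctx, d, ...)`), so an allocation failure of the dict would go unnoticed until `dalloc_stradd(arg, ...)` dereferences it. Several assertion messages are also copy-paste leftovers (`"dalloc_new failed\n"` after dalloc_zero and talloc_array, `"dalloc_stradd failed\n"` after dalloc_add_copy, `"dalloc_zero failed\n"` after talloc_array). None affect the reproducer itself, which correctly places the plain string "AAAABBBB" where the server expects an array under kMDScopeArray.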
diff --git a/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
new file mode 100644
index 000000000000..ec117f36d997
--- /dev/null
+++ b/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
@@ -0,0 +1,120 @@
+From 91350e1dddc2e5418a3aa0caf22e86b193e46610 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH 07/21] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
+ source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
+index 2e13203c4c6..5169c822357 100644
+--- a/source3/rpc_server/mdssvc/dalloc.c
++++ b/source3/rpc_server/mdssvc/dalloc.c
+@@ -164,7 +164,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 	int result = 0;
+ 	void *p = NULL;
+ 	va_list args;
+-	const char *type;
++	const char *type = NULL;
+ 	int elem;
+ 	size_t array_len;
+ 
+@@ -175,7 +175,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 		array_len = talloc_array_length(d->dd_talloc_array);
+ 		elem = va_arg(args, int);
+ 		if (elem >= array_len) {
+-			va_end(args);
+ 			result = -1;
+ 			goto done;
+ 		}
+@@ -183,8 +182,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 		type = va_arg(args, const char *);
+ 	}
+ 
+-	va_end(args);
+-
+ 	array_len = talloc_array_length(d->dd_talloc_array);
+ 
+ 	for (elem = 0; elem + 1 < array_len; elem += 2) {
+@@ -197,8 +194,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 			break;
+ 		}
+ 	}
++	if (p == NULL) {
++		goto done;
++	}
++
++	type = va_arg(args, const char *);
++	if (strcmp(talloc_get_name(p), type) != 0) {
++		p = NULL;
++	}
+ 
+ done:
++	va_end(args);
+ 	if (result != 0) {
+ 		p = NULL;
+ 	}
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 2b243d64e99..b04a80c37ba 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -888,7 +888,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 
+ 	querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+ 					   "DALLOC_CTX", 1,
+-					   "kMDQueryString");
++					   "kMDQueryString",
++					   "char *");
+ 	if (querystring == NULL) {
+ 		DEBUG(1, ("missing kMDQueryString\n"));
+ 		goto error;
+@@ -928,8 +929,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 	slq->ctx2 = *uint64p;
+ 
+ 	path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-					  "DALLOC_CTX", 1, "kMDScopeArray");
++					  "DALLOC_CTX", 1,
++					  "kMDScopeArray",
++					  "sl_array_t");
+ 	if (path_scope == NULL) {
++		DBG_ERR("missing kMDScopeArray\n");
+ 		goto error;
+ 	}
+ 
+@@ -944,8 +948,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 	}
+ 
+ 	reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-				       "DALLOC_CTX", 1, "kMDAttributeArray");
++				       "DALLOC_CTX", 1,
++				       "kMDAttributeArray",
++				       "sl_array_t");
+ 	if (reqinfo == NULL) {
++		DBG_ERR("missing kMDAttributeArray\n");
+ 		goto error;
+ 	}
+ 
+@@ -953,7 +960,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 	DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
+ 
+ 	cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-				     "DALLOC_CTX", 1, "kMDQueryItemArray");
++				     "DALLOC_CTX", 1,
++				     "kMDQueryItemArray",
++				     "sl_array_t");
+ 	if (cnids) {
+ 		ok = sort_cnids(slq, cnids->ca_cnids);
+ 		if (!ok) {
+-- 
+2.41.0
+
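Review bot: dalloc_value_for_key() now unconditionally reads one more `const char *` from the va_list after the key lookup, so every caller must pass the trailing type name; this diff updates the four call sites in slrpc_open_query(), but any other caller in the 4.13 tree (which may differ from the 4.16 tree the fix was written against) would now read an undefined argument and hand it to strcmp(). A grep for dalloc_value_for_key across source3/rpc_server/mdssvc before committing would confirm there are none. Consolidating va_end() under the `done:` label is a good cleanup, and `cnids` keeps its existing `if (cnids)` guard before `cnids->ca_cnids`, so a type mismatch there now fails safe by returning NULL.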
diff --git a/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
new file mode 100644
index 000000000000..5df69c398ccf
--- /dev/null
+++ b/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
@@ -0,0 +1,17 @@
+From 8fe2c97c416d4a53bac971ac6bf20f125563f20f Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 16:26:14 +0200
+Subject: [PATCH 08/21] CVE-2023-34967: CI: add a test for type checking of
+ dalloc_value_for_key()
+
+Sends a maliciously crafted packet where the value in a key/value style
+dictionary for the "scope" key is a simple string object whereas the server
+expects an array. As the server doesn't perform type validation on the value, it
+crashes when trying to use the "simple" object as a "complex" one.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+-- 
+2.41.0
+
diff --git a/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
new file mode 100644
index 000000000000..6a2dcf4db6c2
--- /dev/null
+++ b/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
@@ -0,0 +1,16 @@
+From 388ea72b933b23e043a271288cd58e2d18ab01c8 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH 09/21] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+-- 
+2.41.0
+
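Review bot: like the preceding 0008 file, this one carries only the commit header and message and no hunks. The change it describes, the extra trailing argument naming the expected value type, is what the hunk ending above already does at the call sites (passing "sl_array_t" to dalloc_value_for_key()), so this file duplicates the subject of an earlier, complete patch while adding no code. Suggest keeping a single copy of the patch to avoid a second file that looks like a fix but applies nothing.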
diff --git a/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch b/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch
new file mode 100644
index 000000000000..3486dd12b101
--- /dev/null
+++ b/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch
@@ -0,0 +1,101 @@
+From 617bc2ee68d2213517c32f1c5cd44edc32817e41 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Sat, 15 Oct 2022 13:29:14 +0200
+Subject: [PATCH 10/21] CVE-2023-34968: lib: Move subdir_of() to
+ source3/lib/util_path.c
+
+Make it available for other components
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
+Signed-off-by: Volker Lendecke <vl@samba.org>
+(backported from commit d905dbddf8d2655e6c91752b750cbe9c15837ee5)
+[slow@samba.org: subdir_of() didn't exist yet in 4.16 so this just adds it]
+---
+ source3/lib/util_path.c | 52 +++++++++++++++++++++++++++++++++++++++++
+ source3/lib/util_path.h |  4 ++++
+ 2 files changed, 56 insertions(+)
+
+diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c
+index c34b734384c..e6bed724551 100644
+--- a/source3/lib/util_path.c
++++ b/source3/lib/util_path.c
+@@ -23,6 +23,8 @@
+ 
+ #include "replace.h"
+ #include <talloc.h>
++#include "lib/util/debug.h"
++#include "lib/util/fault.h"
+ #include "lib/util/samba_util.h"
+ #include "lib/util_path.h"
+ 
+@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in)
+ 	*p++ = '\0';
+ 	return pathname;
+ }
++
++/*
++ * Take two absolute paths, figure out if "subdir" is a proper
++ * subdirectory of "parent". Return the component relative to the
++ * "parent" without the potential "/". Take care of "parent"
++ * possibly ending in "/".
++ */
++bool subdir_of(const char *parent,
++	       size_t parent_len,
++	       const char *subdir,
++	       const char **_relative)
++{
++	const char *relative = NULL;
++	bool matched;
++
++	SMB_ASSERT(parent[0] == '/');
++	SMB_ASSERT(subdir[0] == '/');
++
++	if (parent_len == 1) {
++		/*
++		 * Everything is below "/"
++		 */
++		*_relative = subdir+1;
++		return true;
++	}
++
++	if (parent[parent_len-1] == '/') {
++		parent_len -= 1;
++	}
++
++	matched = (strncmp(subdir, parent, parent_len) == 0);
++	if (!matched) {
++		return false;
++	}
++
++	relative = &subdir[parent_len];
++
++	if (relative[0] == '\0') {
++		*_relative = relative; /* nothing left */
++		return true;
++	}
++
++	if (relative[0] == '/') {
++		/* End of parent must match a '/' in subdir. */
++		*_relative = relative+1;
++		return true;
++	}
++
++	return false;
++}
+diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h
+index 3e7d04de550..0ea508bf5bb 100644
+--- a/source3/lib/util_path.h
++++ b/source3/lib/util_path.h
+@@ -31,5 +31,9 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *state_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *cache_path(TALLOC_CTX *mem_ctx, const char *name);
+ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path);
++bool subdir_of(const char *parent,
++	       size_t parent_len,
++	       const char *subdir,
++	       const char **_relative);
+ 
+ #endif
+-- 
+2.41.0
+
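Review bot: subdir_of() in source3/lib/util_path.c has no guard for parent_len == 0. The two SMB_ASSERT()s only check the first byte of each string; a caller passing parent_len of 0 skips the `parent_len == 1` branch and then evaluates `parent[parent_len-1]`, which with a size_t is parent[SIZE_MAX], an out-of-bounds read. Suggest adding `SMB_ASSERT(parent_len > 0);` next to the existing asserts (or returning false). Two smaller points: only one trailing '/' is stripped from parent, so callers must hand in canonicalized paths (the file's own canonicalize_absolute_path() does this), and because the checks are SMB_ASSERT() rather than `return false`, a non-absolute path reaching this confinement check aborts the process instead of failing the check, which is worth stating in the function comment since this helper is what the mdssvc path-containment fixes build on.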
diff --git a/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch b/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch
new file mode 100644
index 000000000000..6408fdcf2402
--- /dev/null
+++ b/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch
@@ -0,0 +1,93 @@
+From e7662921b82d331fa79fa503e3dd3c7ceed25026 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 6 Jun 2023 15:17:26 +0200
+Subject: [PATCH 11/21] CVE-2023-34968: mdssvc: cache and reuse stat info in
+ struct sl_inode_path_map
+
+Prepare for the "path" being a fake path and not the real server-side
+path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
+got stat info for the object in mds_add_result() so we can just pass stat info
+from there.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/mdssvc/mdssvc.c | 26 +++++++-------------------
+ source3/rpc_server/mdssvc/mdssvc.h |  1 +
+ 2 files changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index b04a80c37ba..32380bf904a 100644
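Review bot: the message says the stat info obtained in mds_add_result() is now cached in struct sl_inode_path_map and reused instead of calling vfs_stat_fsp() on a path that may be fake, but neither the message nor the visible diffstat (mdssvc.c, mdssvc.h; 8 insertions, 19 deletions) says for how long the cached struct stat is treated as current. A one-line comment on the new header member stating that it reflects the object at result-collection time, and that consumers must not rely on it for later access decisions, would document the intended lifetime.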
*** 1725 LINES SKIPPED ***


