From nobody Tue Oct 11 05:37:12 2022 X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Mml0T225Wz4dwfv; Tue, 11 Oct 2022 05:37:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Mml0T1cq0z449t; Tue, 11 Oct 2022 05:37:13 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665466633; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3ZcJ2efkTUxO1ZOthVqm1bJgu7uuM3X1UevTHqmIPvY=; b=AiR8UVsYqgWGpEXTAHghK41wNu4K3+8LRrBQRWbEVz3IObW87fQcMMAKr77O4T5M7u9Fa7 CQevt5LAukD9D79dYfYIYnTQHMO/gYkIpolYL8Wm2MKzfSj9rdOwpKqL16CmVKAHjdG/zw wclfRcmvj9TLM23q+VG/T0tF/J41tBXogDZPKt1wlJGsjnd6ZWqGO1BilCTSw01tC/HAlW RgfM8lftl63ReKyQJPm2dErISCq8/3mfyBmMb4QiRkS+HMGKIhlmx1eBQ1C5BC/Qbbd2Ur B98bHprWNp2UA2ehPCo+YyVHRlqMhuoRfad8EUNGNLlqnldd6rJ8JnqbQUn5Zg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Mml0T0h2Hzs29; Tue, 11 Oct 2022 05:37:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 29B5bDTm080700; Tue, 11 Oct 2022 05:37:13 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 29B5bCXX080699; Tue, 11 Oct 2022 05:37:12 GMT (envelope-from git) Date: Tue, 11 Oct 2022 05:37:12 GMT Message-Id: <202210110537.29B5bCXX080699@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: Yasuhiro Kimura Subject: git: e9e5495de10d - 2022Q4 - net/samba413: Backport security fix from 4.14.14 List-Id: Commits to the quarterly branches of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-branches@freebsd.org X-BeenThere: dev-commits-ports-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: yasu X-Git-Repository: ports X-Git-Refname: refs/heads/2022Q4 X-Git-Reftype: branch X-Git-Commit: e9e5495de10d87602e6e1386c20333754bb0e879 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665466633; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3ZcJ2efkTUxO1ZOthVqm1bJgu7uuM3X1UevTHqmIPvY=; b=hlI4vgZPFLavj0GUB8RItz7bUR6ip8/vstVcVnsTkmw2XlhACPvXcoSPi2AiNR1Bdpt6C1 jt4+pvmHnNcPpVghIy26cgkpQAB/yZynhVKXvA0zbtYSoQuf82BvYY5b1qPEbw6GiC1jC2 /WiXtgSydNU2XtYaK5/UcUPtMB86z+geQQcU+tLE/khGGp9tCTS88p3BF8WqL7/XTXIrzY lCk3TwJ7NPXiO6QcocKfLJ9dlpV9JUDEeLOyxKh5xzctuRpJVompUxQk92ycWDvkCf6qrN 7yxulf4YLbLEw9lQCYKdtVwWWNVO2moxsg24xrRxIxmbmhut4qie4hiWf97pfg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1665466633; a=rsa-sha256; cv=none; b=R16OXFUTWmeK62JA+Jo9vWlDUM5JpVp6JdUK5zJLQAnE4gesMMfLJ8zh0yTkcq69a0gG58 dtEhBg62ab4QE8MWmar9TGjFHNIknj0blAJZ/sOOonyigWzkRyXo/6C6xhhVfZ5Lv6Ht+x /UM/S4tcZc1LrobUJ81Ic+92ydaqXTD8pd11jc17OCLP2AjVlOH1HJ9N9sIT3I2EQjbk0S LBzIPJnXS1cX2tyPVeNcZLYS/KPZ7tM9uvKQ3hx+Ww78VaIn/86oEVZBhYFGZgoC1lSckm UvwXIbpQKq1mtf/NKAB/+qOJ2DRYydAfhfmsGbTradnLkrxMxZ7qLTbzKMJcWw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch 2022Q4 has been updated by yasu: URL: https://cgit.FreeBSD.org/ports/commit/?id=e9e5495de10d87602e6e1386c20333754bb0e879 commit e9e5495de10d87602e6e1386c20333754bb0e879 Author: Yasuhiro Kimura AuthorDate: 2022-09-26 23:47:17 +0000 Commit: Yasuhiro Kimura CommitDate: 2022-10-11 05:36:47 +0000 net/samba413: Backport security fix from 4.14.14 * Add upstream patch to fix configure error with Python 3.11. * Fix plist error when AD_DC option is off and PYTHON3 option is on. * Replace BIND911 option with BIND918 as dns/bind911 is removed from ports tree and dns/bind918 is added instead. PR: 266641 Approved by: maintainer timeout MFH: 2022Q4 Security: f9140ad4-4920-11ed-a07e-080027f5fec9 (cherry picked from commit dfaa714fc960fb4d0a5bc6983d3882a974857f12) --- net/samba413/Makefile | 8 +- net/samba413/files/patch-samba-4.14.14 | 13366 +++++++++++++++++++++++++++++++ net/samba413/files/patch-waf-2.0.20 | 1663 ++++ net/samba413/files/patch-waf-2.0.21 | 703 ++ net/samba413/files/patch-waf-2.0.22 | 596 ++ net/samba413/files/patch-waf-2.0.23 | 877 ++ net/samba413/files/patch-waf-2.0.24 | 164 + net/samba413/pkg-plist.ad_dc | 2 - net/samba413/pkg-plist.python | 3 + 9 files changed, 17376 insertions(+), 6 deletions(-) diff --git a/net/samba413/Makefile b/net/samba413/Makefile index f1dea1c15f3d..ccbb438ecb6a 100644 --- a/net/samba413/Makefile +++ b/net/samba413/Makefile @@ -1,6 +1,6 @@ PORTNAME= ${SAMBA4_BASENAME}413 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} @@ -96,7 +96,7 @@ OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT OPTIONS_SINGLE_ZEROCONF= ZEROCONF_NONE AVAHI MDNSRESPONDER OPTIONS_RADIO= DNS -OPTIONS_RADIO_DNS= NSUPDATE BIND911 BIND916 +OPTIONS_RADIO_DNS= NSUPDATE BIND916 BIND918 # Make those default options OPTIONS_DEFAULT= AD_DC ADS DOCS FAM LDAP \ PROFILE PYTHON3 QUOTAS SYSLOG UTMP \ @@ -129,8 +129,8 @@ ZEROCONF_DESC= Zero configuration networking ZEROCONF_NONE_DESC= Zeroconf support is absent DNS_DESC= DNS frontend -BIND911_DESC= Use Bind 9.11 as AD DC DNS server frontend BIND916_DESC= Use Bind 9.16 as AD DC DNS server frontend +BIND918_DESC= Use Bind 9.18 as AD DC DNS server frontend NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC ############################################################################## # XXX: Unconditional dependencies which can't be switched off(if present in @@ -299,8 +299,8 @@ MDNSRESPONDER_CONFIGURE_ENABLE= dnssd MDNSRESPONDER_LIB_DEPENDS= libdns_sd.so:net/mDNSResponder MDNSRESPONDER_VARS= SAMBA4_SERVICES+=mdnsd ############################################################################## -BIND911_RUN_DEPENDS= bind911>=9.11.0.0:dns/bind911 BIND916_RUN_DEPENDS= bind916>=9.16.0.0:dns/bind916 +BIND918_RUN_DEPENDS= bind918>=9.18.0.0:dns/bind918 NSUPDATE_RUN_DEPENDS= samba-nsupdate:dns/samba-nsupdate ############################################################################## MEMORY_DEBUG_IMPLIES= DEBUG diff --git a/net/samba413/files/patch-samba-4.14.14 b/net/samba413/files/patch-samba-4.14.14 new file mode 100644 index 000000000000..4127ab67308e --- /dev/null +++ b/net/samba413/files/patch-samba-4.14.14 @@ -0,0 +1,13366 @@ +From 5d958156c7e5d6c1da61d18fe4fd105b22639b56 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 14 Jun 2022 21:09:53 +1200 +Subject: [PATCH 01/99] CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git source4/dsdb/samdb/ldb_modules/objectclass_attrs.c source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +index 6ab46a729a2..2a77353cdfc 100644 +--- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c ++++ source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +@@ -263,7 +263,7 @@ static int attr_handler(struct oc_context *ac) + LDB_CONTROL_AS_SYSTEM_OID); + if (!dsdb_module_am_system(ac->module) && !as_system) { + ldb_asprintf_errstring(ldb, +- "objectclass_attrs: attribute '%s' on entry '%s' must can only be modified as system", ++ "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system", + msg->elements[i].name, + ldb_dn_get_linearized(msg->dn)); + return LDB_ERR_CONSTRAINT_VIOLATION; +-- +2.25.1 + + +From 51cbeff886fe01db463448f8655a43d10040dc8b Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 21 Jun 2022 15:37:15 +1200 +Subject: [PATCH 02/99] CVE-2022-32746 s4:dsdb:tests: Add test for deleting a + disallowed SPN + +If an account has an SPN that requires Write Property to set, we should +still be able to delete it with just Validated Write. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + selftest/knownfail.d/acl-spn-delete | 1 + + source4/dsdb/tests/python/acl.py | 26 ++++++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + create mode 100644 selftest/knownfail.d/acl-spn-delete + +diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete +new file mode 100644 +index 00000000000..32018413c49 +--- /dev/null ++++ selftest/knownfail.d/acl-spn-delete +@@ -0,0 +1 @@ ++^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( +diff --git source4/dsdb/tests/python/acl.py source4/dsdb/tests/python/acl.py +index df0fe12bf29..d90d3b3923f 100755 +--- source4/dsdb/tests/python/acl.py ++++ source4/dsdb/tests/python/acl.py +@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests): + else: + self.fail(f'able to add disallowed SPN {not_allowed_spn}') + ++ def test_delete_disallowed_spn(self): ++ # Grant Validated-SPN property. ++ mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})' ++ self.sd_utils.dacl_add_ace(self.computerdn, mod) ++ ++ spn_base = f'HOST/{self.computername}' ++ ++ not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}' ++ ++ # Add a disallowed SPN as admin. ++ msg = Message(Dn(self.ldb_admin, self.computerdn)) ++ msg['servicePrincipalName'] = MessageElement(not_allowed_spn, ++ FLAG_MOD_ADD, ++ 'servicePrincipalName') ++ self.ldb_admin.modify(msg) ++ ++ # Ensure we are able to delete a disallowed SPN. ++ msg = Message(Dn(self.ldb_user1, self.computerdn)) ++ msg['servicePrincipalName'] = MessageElement(not_allowed_spn, ++ FLAG_MOD_DELETE, ++ 'servicePrincipalName') ++ try: ++ self.ldb_user1.modify(msg) ++ except LdbError: ++ self.fail(f'unable to delete disallowed SPN {not_allowed_spn}') ++ + + # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT + @DynamicTestCase +-- +2.25.1 + + +From a68553792a8512a2d266bbb86f064f78b5482a65 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 21 Jun 2022 14:41:02 +1200 +Subject: [PATCH 03/99] CVE-2022-32746 s4/dsdb/partition: Fix LDB flags + comparison + +LDB_FLAG_MOD_* values are not actually flags, and the previous +comparison was equivalent to + +(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0 + +which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct +the expression to what it was probably intended to be. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/dsdb/samdb/ldb_modules/partition.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git source4/dsdb/samdb/ldb_modules/partition.c source4/dsdb/samdb/ldb_modules/partition.c +index 2544a106d13..2d90ca5d1b3 100644 +--- source4/dsdb/samdb/ldb_modules/partition.c ++++ source4/dsdb/samdb/ldb_modules/partition.c +@@ -493,8 +493,8 @@ static int partition_copy_all_callback_action( + * them here too + */ + for (el_idx=0; el_idx < req_msg->num_elements; el_idx++) { +- if (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_DELETE +- || ((req_msg->elements[el_idx].flags & LDB_FLAG_MOD_REPLACE) && ++ if (LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_DELETE ++ || ((LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_REPLACE) && + req_msg->elements[el_idx].num_values == 0)) { + if (ldb_msg_find_element(modify_msg, + req_msg->elements[el_idx].name) != NULL) { +-- +2.25.1 + + +From 582ac171364f0c28f54eaf4f21b5bfa7569b5233 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 21 Jun 2022 14:49:51 +1200 +Subject: [PATCH 04/99] CVE-2022-32746 s4:torture: Fix LDB flags comparison + +LDB_FLAG_MOD_* values are not actually flags, and the previous +comparison was equivalent to + +(el->flags & LDB_FLAG_MOD_MASK) == 0 + +which is only true if none of the LDB_FLAG_MOD_* values are set. Correct +the expression to what it was probably intended to be. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/torture/drs/rpc/dssync.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git source4/torture/drs/rpc/dssync.c source4/torture/drs/rpc/dssync.c +index cde9f78692b..ff7ce2d9074 100644 +--- source4/torture/drs/rpc/dssync.c ++++ source4/torture/drs/rpc/dssync.c +@@ -527,7 +527,9 @@ static bool test_analyse_objects(struct torture_context *tctx, + el = &new_msg->elements[idx]; + a = dsdb_attribute_by_lDAPDisplayName(ldap_schema, + el->name); +- if (!(el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE))) { ++ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && ++ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) ++ { + /* DRS only value */ + is_warning = false; + } else if (a->linkID & 1) { +-- +2.25.1 + + +From 0526d27e9eddd9c2a54434cf0dcdb136a6c659e4 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 21 Jun 2022 15:22:47 +1200 +Subject: [PATCH 05/99] CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison + +LDB_FLAG_MOD_* values are not actually flags, and the previous +comparison was equivalent to + +(el->flags & LDB_FLAG_MOD_MASK) == 0 + +which is only true if none of the LDB_FLAG_MOD_* values are set, so we +would not successfully return if the element was a DELETE. Correct the +expression to what it was intended to be. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + selftest/knownfail.d/acl-spn-delete | 1 - + source4/dsdb/samdb/ldb_modules/acl.c | 5 +++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/acl-spn-delete + +diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete +deleted file mode 100644 +index 32018413c49..00000000000 +--- selftest/knownfail.d/acl-spn-delete ++++ /dev/null +@@ -1 +0,0 @@ +-^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\( +diff --git source4/dsdb/samdb/ldb_modules/acl.c source4/dsdb/samdb/ldb_modules/acl.c +index 21e83276bfd..8016a2d4bd0 100644 +--- source4/dsdb/samdb/ldb_modules/acl.c ++++ source4/dsdb/samdb/ldb_modules/acl.c +@@ -734,8 +734,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx, + * If not add or replace (eg delete), + * return success + */ +- if ((el->flags +- & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) { ++ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD && ++ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE) ++ { + talloc_free(tmp_ctx); + return LDB_SUCCESS; + } +-- +2.25.1 + + +From 2869b5aa3148869edf0d079266542aef6e64608e Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 12:43:52 +1300 +Subject: [PATCH 06/99] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() + for flags equality check + +Now unrelated flags will no longer affect the result. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + lib/ldb/modules/rdn_name.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git lib/ldb/modules/rdn_name.c lib/ldb/modules/rdn_name.c +index e69ad9315ae..25cffe07591 100644 +--- lib/ldb/modules/rdn_name.c ++++ lib/ldb/modules/rdn_name.c +@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req) + if (e != NULL) { + ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead", + ldb_dn_get_linearized(req->op.mod.message->dn)); +- if (e->flags == LDB_FLAG_MOD_REPLACE) { ++ if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } else { + return LDB_ERR_UNWILLING_TO_PERFORM; +-- +2.25.1 + + +From 535b5a366a2ad054f729e57e282e402cf13b2efc Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 14 Jun 2022 19:49:19 +1200 +Subject: [PATCH 07/99] CVE-2022-32746 s4/dsdb/repl_meta_data: Use + LDB_FLAG_MOD_TYPE() for flags equality check + +Now unrelated flags will no longer affect the result. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git source4/dsdb/samdb/ldb_modules/repl_meta_data.c source4/dsdb/samdb/ldb_modules/repl_meta_data.c +index ab506cec488..29ffda75c87 100644 +--- source4/dsdb/samdb/ldb_modules/repl_meta_data.c ++++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c +@@ -3525,7 +3525,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) + return ldb_module_operr(module); + } + +- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_REPLACE) { ++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_REPLACE) { + return ldb_module_operr(module); + } + +@@ -3558,11 +3558,11 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) + return ldb_module_operr(module); + } + +- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_DELETE) { ++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_DELETE) { + return ldb_module_operr(module); + } + +- if (req->op.mod.message->elements[1].flags != LDB_FLAG_MOD_ADD) { ++ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[1].flags) != LDB_FLAG_MOD_ADD) { + return ldb_module_operr(module); + } + +@@ -3645,7 +3645,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req) + return ldb_module_operr(module); + } + +- if (msg->elements[0].flags != LDB_FLAG_MOD_ADD) { ++ if (LDB_FLAG_MOD_TYPE(msg->elements[0].flags) != LDB_FLAG_MOD_ADD) { + talloc_free(ac); + return ldb_module_operr(module); + } +-- +2.25.1 + + +From bedd0b768c3f92645af033399aefd7ee971d9150 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 14 Jun 2022 21:11:33 +1200 +Subject: [PATCH 08/99] CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use + LDB_FLAG_MOD_TYPE() for flags equality check + +Now unrelated flags will no longer affect the result. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c +index 64e05195798..5f8911c66be 100644 +--- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c ++++ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c +@@ -104,7 +104,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, + if (el_dn == NULL) { + return false; + } +- if (el_dn->flags != LDB_FLAG_MOD_REPLACE) { ++ if (LDB_FLAG_MOD_TYPE(el_dn->flags) != LDB_FLAG_MOD_REPLACE) { + return false; + } + if (el_dn->num_values != 1) { +@@ -117,7 +117,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req, + return false; + } + +- if (el_deleted->flags != LDB_FLAG_MOD_DELETE) { ++ if (LDB_FLAG_MOD_TYPE(el_deleted->flags) != LDB_FLAG_MOD_DELETE) { + return false; + } + +-- +2.25.1 + + +From 49dd9042f4ee380fa1dafcebcb54d0e1f0852463 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Tue, 14 Jun 2022 21:12:39 +1200 +Subject: [PATCH 09/99] CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for + flags equality check + +Now unrelated flags will no longer affect the result. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + source4/lib/registry/ldb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git source4/lib/registry/ldb.c source4/lib/registry/ldb.c +index e089355975b..db383a560da 100644 +--- source4/lib/registry/ldb.c ++++ source4/lib/registry/ldb.c +@@ -859,7 +859,7 @@ static WERROR ldb_set_value(struct hive_key *parent, + + /* Try first a "modify" and if this doesn't work do try an "add" */ + for (i = 0; i < msg->num_elements; i++) { +- if (msg->elements[i].flags != LDB_FLAG_MOD_DELETE) { ++ if (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) != LDB_FLAG_MOD_DELETE) { + msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; + } + } +-- +2.25.1 + + +From faa61ab3053d077ac9d0aa67e955217e85b660f4 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Mon, 21 Feb 2022 16:10:32 +1300 +Subject: [PATCH 10/99] CVE-2022-32746 ldb: Add flag to mark message element + values as shared + +When making a shallow copy of an ldb message, mark the message elements +of the copy as sharing their values with the message elements in the +original message. + +This flag value will be heeded in the next commit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + lib/ldb/common/ldb_msg.c | 43 +++++++++++++++++++++++++++++++----- + lib/ldb/include/ldb_module.h | 6 +++++ + 2 files changed, 43 insertions(+), 6 deletions(-) + +diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c +index 57dfc5a04c2..2a9ce384bb9 100644 +--- lib/ldb/common/ldb_msg.c ++++ lib/ldb/common/ldb_msg.c +@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg) + ldb_msg_element_compare_name); + } + +-/* +- shallow copy a message - copying only the elements array so that the caller +- can safely add new elements without changing the message +-*/ +-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, ++static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx, + const struct ldb_message *msg) + { + struct ldb_message *msg2; +@@ -863,6 +859,35 @@ failed: + return NULL; + } + ++/* ++ shallow copy a message - copying only the elements array so that the caller ++ can safely add new elements without changing the message ++*/ ++struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, ++ const struct ldb_message *msg) ++{ ++ struct ldb_message *msg2; ++ unsigned int i; ++ ++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); ++ if (msg2 == NULL) { ++ return NULL; ++ } ++ ++ for (i = 0; i < msg2->num_elements; ++i) { ++ /* ++ * Mark this message's elements as sharing their values with the ++ * original message, so that we don't inadvertently modify or ++ * free them. We don't mark the original message element as ++ * shared, so the original message element should not be ++ * modified or freed while the shallow copy lives. ++ */ ++ struct ldb_message_element *el = &msg2->elements[i]; ++ el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; ++ } ++ ++ return msg2; ++} + + /* + copy a message, allocating new memory for all parts +@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, + struct ldb_message *msg2; + unsigned int i, j; + +- msg2 = ldb_msg_copy_shallow(mem_ctx, msg); ++ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); + if (msg2 == NULL) return NULL; + + if (msg2->dn != NULL) { +@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, + goto failed; + } + } ++ ++ /* ++ * Since we copied this element's values, we can mark them as ++ * not shared. ++ */ ++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; + } + + return msg2; +diff --git lib/ldb/include/ldb_module.h lib/ldb/include/ldb_module.h +index 8c1e5ee7936..4c7c85a17f0 100644 +--- lib/ldb/include/ldb_module.h ++++ lib/ldb/include/ldb_module.h +@@ -96,6 +96,12 @@ struct ldb_module; + */ + #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100 + ++/* ++ * indicates that this element's values are shared with another element (for ++ * example, in a shallow copy of an ldb_message) and should not be freed ++ */ ++#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200 ++ + /* an extended match rule that always fails to match */ + #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1" + +-- +2.25.1 + + +From 4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 12:35:13 +1300 +Subject: [PATCH 11/99] CVE-2022-32746 ldb: Ensure shallow copy modifications + do not affect original message + +Using the newly added ldb flag, we can now detect when a message has +been shallow-copied so that its elements share their values with the +original message elements. Then when adding values to the copied +message, we now make a copy of the shared values array first. + +This should prevent a use-after-free that occurred in LDB modules when +new values were added to a shallow copy of a message by calling +talloc_realloc() on the original values array, invalidating the 'values' +pointer in the original message element. The original values pointer can +later be used in the database audit logging module which logs database +requests, and potentially cause a crash. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + lib/ldb/common/ldb_msg.c | 52 ++++++++++++++++++++++++++++++++------ + lib/ldb/include/ldb.h | 6 +++++ + source4/dsdb/common/util.c | 20 +++++---------- + 3 files changed, 56 insertions(+), 22 deletions(-) + +diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c +index 2a9ce384bb9..44d3b29e9a7 100644 +--- lib/ldb/common/ldb_msg.c ++++ lib/ldb/common/ldb_msg.c +@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg, + return LDB_SUCCESS; + } + ++/* ++ * add a value to a message element ++ */ ++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, ++ struct ldb_message_element *el, ++ const struct ldb_val *val) ++{ ++ struct ldb_val *vals; ++ ++ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { ++ /* ++ * Another message is using this message element's values array, ++ * so we don't want to make any modifications to the original ++ * message, or potentially invalidate its own values by calling ++ * talloc_realloc(). Make a copy instead. ++ */ ++ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; ++ ++ vals = talloc_array(mem_ctx, struct ldb_val, ++ el->num_values + 1); ++ if (vals == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ ++ if (el->values != NULL) { ++ memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val)); ++ } ++ } else { ++ vals = talloc_realloc(mem_ctx, el->values, struct ldb_val, ++ el->num_values + 1); ++ if (vals == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ } ++ el->values = vals; ++ el->values[el->num_values] = *val; ++ el->num_values++; ++ ++ return LDB_SUCCESS; ++} ++ + /* + add a value to a message + */ +@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg, + struct ldb_message_element **return_el) + { + struct ldb_message_element *el; +- struct ldb_val *vals; + int ret; + + el = ldb_msg_find_element(msg, attr_name); +@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg, + } + } + +- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, +- el->num_values+1); +- if (!vals) { +- return LDB_ERR_OPERATIONS_ERROR; ++ ret = ldb_msg_element_add_value(msg->elements, el, val); ++ if (ret != LDB_SUCCESS) { ++ return ret; + } +- el->values = vals; +- el->values[el->num_values] = *val; +- el->num_values++; + + if (return_el) { + *return_el = el; +diff --git lib/ldb/include/ldb.h lib/ldb/include/ldb.h +index bc44157eaf4..129beefeaf5 100644 +--- lib/ldb/include/ldb.h ++++ lib/ldb/include/ldb.h +@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg, + int flags, + struct ldb_message_element **return_el); + ++/** ++ add a value to a message element ++*/ ++int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, ++ struct ldb_message_element *el, ++ const struct ldb_val *val); + /** + add a element to a ldb_message + */ +diff --git source4/dsdb/common/util.c source4/dsdb/common/util.c +index 5ce4c0a5e33..577b2a33873 100644 +--- source4/dsdb/common/util.c ++++ source4/dsdb/common/util.c +@@ -816,7 +816,7 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, + const char *value) + { + struct ldb_message_element *el; +- struct ldb_val val, *vals; ++ struct ldb_val val; + char *v; + unsigned int i; + bool found = false; +@@ -851,14 +851,10 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, + } + } + +- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, +- el->num_values + 1); +- if (vals == NULL) { ++ ret = ldb_msg_element_add_value(msg->elements, el, &val); ++ if (ret != LDB_SUCCESS) { + return ldb_oom(sam_ldb); + } +- el->values = vals; +- el->values[el->num_values] = val; +- ++(el->num_values); + + return LDB_SUCCESS; + } +@@ -872,7 +868,7 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, + const char *value) + { + struct ldb_message_element *el; +- struct ldb_val val, *vals; ++ struct ldb_val val; + char *v; + unsigned int i; + bool found = false; +@@ -907,14 +903,10 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, + } + } + +- vals = talloc_realloc(msg->elements, el->values, struct ldb_val, +- el->num_values + 1); +- if (vals == NULL) { ++ ret = ldb_msg_element_add_value(msg->elements, el, &val); ++ if (ret != LDB_SUCCESS) { + return ldb_oom(sam_ldb); + } +- el->values = vals; +- el->values[el->num_values] = val; +- ++(el->num_values); + + return LDB_SUCCESS; + } +-- +2.25.1 + + +From 512a2617b1593bdc16caeeeda4312a581cbb34e9 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton +Date: Wed, 16 Feb 2022 16:30:03 +1300 +Subject: [PATCH 12/99] CVE-2022-32746 ldb: Add functions for appending to an + ldb_message + +Currently, there are many places where we use ldb_msg_add_empty() to add +an empty element to a message, and then call ldb_msg_add_value() or +similar to add values to that element. However, this performs an +unnecessary search of the message's elements to locate the new element. +Moreover, if an element with the same attribute name already exists +earlier in the message, the values will be added to that element, +instead of to the intended newly added element. + +A similar pattern exists where we add values to a message, and then call +ldb_msg_find_element() to locate that message element and sets its flags +to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary +search, and may locate the wrong message element for setting the flags. + +To avoid these problems, add functions for appending a value to a +message, so that a particular value can be added to the end of a message +in a single operation. + +For ADD requests, it is important that no two message elements share the +same attribute name, otherwise things will break. (Normally, +ldb_msg_normalize() is called before processing the request to help +ensure this.) Thus, we must be careful not to append an attribute to an +ADD message, unless we are sure (e.g. through ldb_msg_find_element()) +that an existing element for that attribute is not present. + +These functions will be used in the next commit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009 + +Signed-off-by: Joseph Sutton +--- + lib/ldb/common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++- + lib/ldb/include/ldb.h | 24 ++++++ + 2 files changed, 185 insertions(+), 4 deletions(-) + +diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c +index 44d3b29e9a7..9cd7998e21c 100644 +--- lib/ldb/common/ldb_msg.c ++++ lib/ldb/common/ldb_msg.c +@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, + + + /* +- add a string element to a message ++ add a string element to a message, specifying flags + */ +-int ldb_msg_add_string(struct ldb_message *msg, +- const char *attr_name, const char *str) ++int ldb_msg_add_string_flags(struct ldb_message *msg, ++ const char *attr_name, const char *str, ++ int flags) + { + struct ldb_val val; ++ int ret; ++ struct ldb_message_element *el = NULL; + + val.data = discard_const_p(uint8_t, str); + val.length = strlen(str); +@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg, + return LDB_SUCCESS; + } + +- return ldb_msg_add_value(msg, attr_name, &val, NULL); ++ ret = ldb_msg_add_value(msg, attr_name, &val, &el); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ if (flags != 0) { ++ el->flags = flags; ++ } ++ ++ return LDB_SUCCESS; ++} ++ ++/* ++ add a string element to a message ++*/ ++int ldb_msg_add_string(struct ldb_message *msg, ++ const char *attr_name, const char *str) ++{ ++ return ldb_msg_add_string_flags(msg, attr_name, str, 0); + } + + /* +@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg, + return ldb_msg_add_steal_value(msg, attr_name, &val); + } + ++static int ldb_msg_append_value_impl(struct ldb_message *msg, ++ const char *attr_name, ++ const struct ldb_val *val, ++ int flags, ++ struct ldb_message_element **return_el) ++{ ++ struct ldb_message_element *el = NULL; ++ int ret; ++ ++ ret = ldb_msg_add_empty(msg, attr_name, flags, &el); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ ret = ldb_msg_element_add_value(msg->elements, el, val); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ++ if (return_el != NULL) { ++ *return_el = el; ++ } ++ ++ return LDB_SUCCESS; ++} ++ ++/* ++ append a value to a message ++*/ ++int ldb_msg_append_value(struct ldb_message *msg, ++ const char *attr_name, ++ const struct ldb_val *val, ++ int flags) ++{ ++ return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL); ++} ++ ++/* ++ append a value to a message, stealing it into the 'right' place ++*/ ++int ldb_msg_append_steal_value(struct ldb_message *msg, ++ const char *attr_name, ++ struct ldb_val *val, ++ int flags) ++{ ++ int ret; ++ struct ldb_message_element *el = NULL; ++ ++ ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el); ++ if (ret == LDB_SUCCESS) { ++ talloc_steal(el->values, val->data); ++ } ++ return ret; ++} ++ ++/* ++ append a string element to a message, stealing it into the 'right' place ++*/ ++int ldb_msg_append_steal_string(struct ldb_message *msg, ++ const char *attr_name, char *str, ++ int flags) ++{ ++ struct ldb_val val; ++ ++ val.data = (uint8_t *)str; ++ val.length = strlen(str); ++ ++ if (val.length == 0) { ++ /* allow empty strings as non-existent attributes */ ++ return LDB_SUCCESS; ++ } ++ ++ return ldb_msg_append_steal_value(msg, attr_name, &val, flags); ++} ++ ++/* ++ append a string element to a message ++*/ ++int ldb_msg_append_string(struct ldb_message *msg, ++ const char *attr_name, const char *str, int flags) ++{ ++ struct ldb_val val; ++ ++ val.data = discard_const_p(uint8_t, str); ++ val.length = strlen(str); ++ ++ if (val.length == 0) { ++ /* allow empty strings as non-existent attributes */ ++ return LDB_SUCCESS; ++ } ++ ++ return ldb_msg_append_value(msg, attr_name, &val, flags); ++} ++ ++/* ++ append a DN element to a message ++ WARNING: this uses the linearized string from the dn, and does not ++ copy the string. ++*/ ++int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, ++ struct ldb_dn *dn, int flags) ++{ ++ char *str = ldb_dn_alloc_linearized(msg, dn); ++ ++ if (str == NULL) { ++ /* we don't want to have unknown DNs added */ ++ return LDB_ERR_OPERATIONS_ERROR; ++ } ++ ++ return ldb_msg_append_steal_string(msg, attr_name, str, flags); ++} ++ ++/* ++ append a printf formatted element to a message ++*/ ++int ldb_msg_append_fmt(struct ldb_message *msg, int flags, ++ const char *attr_name, const char *fmt, ...) ++{ ++ struct ldb_val val; ++ va_list ap; ++ char *str = NULL; ++ ++ va_start(ap, fmt); ++ str = talloc_vasprintf(msg, fmt, ap); ++ va_end(ap); ++ ++ if (str == NULL) { ++ return LDB_ERR_OPERATIONS_ERROR; ++ } *** 16531 LINES SKIPPED ***