Date: Thu, 24 Nov 2022 18:29:58 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267972] kadmind can use uninitialized ent.tl_data...tl_data_contents and tl_data_length
Message-ID: <bug-267972-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267972

            Bug ID: 267972
           Summary: kadmind can use uninitialized ent.tl_data...tl_data_contents and tl_data_length
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #238312 text/plain
         mime type:

Created attachment 238312
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238312&action=edit
crash kadmind with a short kadm_modify message

If a client kadm_modify message ends unexpectedly early during KADM5_TL_DATA,
krb5_ret_data() can return (due to error) before setting data->size or
data->length. But the call from kadm5_ret_tl_data() doesn't check for an
error, and the surrounding call from ret_principal_ent() for KADM5_TL_DATA
doesn't check for an error either. So list elements in ent.tl_data
(princ->tl_data) may contain uninitialized junk.

I've attached a demo. It expects to be run with tickets. Maybe some previous
bugs have to be fixed in order for kadmind to get as far as this one.
# cc kadmind16a.c -lkrb5
# ./a.out

A backtrace from kadmin:

#0  memset (xdst=0x17e4ffb480, c=0, len=18446744073709541600)
#1  0x00000017d6b6bff2 in kadm5_free_principal_ent (server_handle=<optimized out>, princ=0x17d5c2f420)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/free.c:73
#2  0x0000001754e3c340 in kadmind_dispatch (kadm_handlep=0x17e4fd44c0, initial=0, in=<optimized out>, out=0x17d5c2f5f8)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:161
#3  0x0000001754e3bf9e in v5_loop (contextp=<optimized out>, ac=<optimized out>, initial=<optimized out>, kadm_handlep=<optimized out>, fd=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:459
#4  0x0000001754e3be72 in handle_v5 (contextp=0x17e4f8ee10, keytab=<optimized out>, fd=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:551
#5  0x0000001754e3bd7a in kadmind_loop (contextp=0x17e4f8ee10, keytab=0x17e4fad330, sock=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:579
#6  0x0000001754e3ccb2 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/kadmind.c:202
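The failure mode the report describes, as an added example that is neither Heimdal's code nor the reporter's attachment: a reduced model of the KADM5_TL_DATA unmarshalling in which the length-prefixed read bails out on a short message before writing its output, with the return value ignored (the reported shape) beside a version that zeroes the output and propagates the error, plus the free-path size conversion that turns a garbage signed 16-bit length into the near-2^64 memset length in frame #0. The types stream_t, kdata_t and tl_t, the functions ret_data, ret_tl_data_unchecked, ret_tl_data_checked, free_len, free_tl_data and parse_tl, the error codes, and the two message byte strings are all constructed for this illustration; the 0xAA fill stands in for whatever happened to be on the stack.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for krb5_storage, krb5_data and a tl_data element (not Heimdal's). */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } stream_t;
typedef struct { size_t length; uint8_t *data; } kdata_t;
typedef struct { int16_t tl_data_length; uint8_t *tl_data_contents; } tl_t; /* 16-bit, signed length */

enum { ERR_EOF = -1, ERR_TOOBIG = -2, ERR_NOMEM = -3 };

/* Length-prefixed blob (4-byte big-endian length, then bytes).  As the report
 * describes for krb5_ret_data(), a short read returns an error before
 * d->length or d->data is written. */
static int ret_data(stream_t *s, kdata_t *d)
{
    uint32_t n;
    if (s->len - s->pos < 4) return ERR_EOF;            /* length field cut short */
    n = ((uint32_t)s->buf[s->pos] << 24) | ((uint32_t)s->buf[s->pos + 1] << 16) |
        ((uint32_t)s->buf[s->pos + 2] << 8) | (uint32_t)s->buf[s->pos + 3];
    s->pos += 4;
    if (s->len - s->pos < n) return ERR_EOF;            /* payload cut short */
    d->data = malloc(n ? n : 1);
    if (d->data == NULL) return ERR_NOMEM;
    memcpy(d->data, s->buf + s->pos, n);
    s->pos += n;
    d->length = n;
    return 0;
}

/* Reported shape: the ret_data() error is ignored and tl is filled from a
 * kdata_t that was never written.  The 0xAA fill stands in for stack garbage
 * so the outcome is deterministic here instead of undefined. */
static int ret_tl_data_unchecked(stream_t *s, tl_t *tl)
{
    kdata_t c;
    memset(&c, 0xAA, sizeof c);
    (void)ret_data(s, &c);
    tl->tl_data_length = (int16_t)(uint16_t)c.length;  /* 0xAAAA -> -21846 */
    tl->tl_data_contents = c.data;                      /* junk pointer */
    return 0;                                           /* caller sees success */
}

/* Fixed shape: zero the output first, propagate every error, and refuse
 * lengths that do not fit the signed 16-bit field. */
static int ret_tl_data_checked(stream_t *s, tl_t *tl)
{
    kdata_t c = { 0, NULL };
    int ret;
    tl->tl_data_length = 0;
    tl->tl_data_contents = NULL;
    if ((ret = ret_data(s, &c)) != 0) return ret;
    if (c.length > INT16_MAX) { free(c.data); return ERR_TOOBIG; }
    tl->tl_data_length = (int16_t)c.length;
    tl->tl_data_contents = c.data;
    return 0;
}

/* Size memset() receives on the free path: a negative int16_t widens to a
 * size_t just below 2^64, like len=18446744073709541600 in frame #0. */
static size_t free_len(const tl_t *tl)
{
    return (size_t)tl->tl_data_length;
}

/* Free path modelled on the backtrace (wipe, then free); only safe on
 * output of the checked decoder. */
static void free_tl_data(tl_t *tl)
{
    if (tl->tl_data_contents != NULL) {
        memset(tl->tl_data_contents, 0, free_len(tl));
        free(tl->tl_data_contents);
    }
    tl->tl_data_contents = NULL;
    tl->tl_data_length = 0;
}

/* Constructed messages, not captures of real kadm_modify traffic. */
static const uint8_t SHORT_MSG[] = { 0x00, 0x00 };                         /* length field truncated */
static const uint8_t GOOD_MSG[]  = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };

static int parse_tl(const uint8_t *msg, size_t n, int checked, tl_t *tl)
{
    stream_t s = { msg, n, 0 };
    return checked ? ret_tl_data_checked(&s, tl) : ret_tl_data_unchecked(&s, tl);
}

int main(void)
{
    tl_t tl;
    int ret = parse_tl(SHORT_MSG, sizeof SHORT_MSG, 0, &tl);
    printf("unchecked: ret=%d length=%d memset len=%zu\n", ret, tl.tl_data_length, free_len(&tl));
    ret = parse_tl(SHORT_MSG, sizeof SHORT_MSG, 1, &tl);
    printf("checked:   ret=%d length=%d contents=%p\n", ret, tl.tl_data_length, (void *)tl.tl_data_contents);
    ret = parse_tl(GOOD_MSG, sizeof GOOD_MSG, 1, &tl);
    printf("good:      ret=%d length=%d\n", ret, tl.tl_data_length);
    free_tl_data(&tl);
    return 0;
}
```

The checked decoder does two things the report asks for: it never lets a failed inner read reach the caller as success, and it gives the output a defined (empty) state before the first read so a later free of a partially built entry is harmless. The INT16_MAX guard is the extra check a 16-bit signed length field needs even on well-formed input, since a blob longer than that would otherwise wrap to a negative length and produce the same oversized memset on the free path.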