Date: Fri, 25 Nov 2022 12:12:31 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 267987] kadmind's kadm5_ret_key_data() can leave pointers uninitialized, causing crash Message-ID: <bug-267987-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D267987 Bug ID: 267987 Summary: kadmind's kadm5_ret_key_data() can leave pointers uninitialized, causing crash Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Attachment #238335 text/plain mime type: Created attachment 238335 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D238335&action= =3Dedit cause kadmind's kadm5_ret_key_data() to yield an uninitialized pointer For a client kadm_chpass_with_key request, kadmind_dispatch() calls kadm5_ret_key_data() to fill key_data[] elements. kadm5_ret_key_data() ignores any errors it may encounter: kadm5_ret_t kadm5_ret_key_data(krb5_storage *sp, krb5_key_data *key) { krb5_data c; int32_t tmp; krb5_ret_int32(sp, &tmp); key->key_data_ver =3D tmp; krb5_ret_int32(sp, &tmp); key->key_data_kvno =3D tmp; krb5_ret_int32(sp, &tmp); key->key_data_type[0] =3D tmp; krb5_ret_data(sp, &c); key->key_data_length[0] =3D c.length; key->key_data_contents[0] =3D c.data; krb5_ret_int32(sp, &tmp); key->key_data_type[1] =3D tmp; krb5_ret_data(sp, &c); key->key_data_length[1] =3D c.length; key->key_data_contents[1] =3D c.data; return 0; } In particular, if krb5_ret_data() encounters the end of a too-short client message, it leaves c.data with its uninitialized value, and thus kadm5_ret_key_data() can set an element of the caller's key_data[] with invalid pointer contents, without returning an error. Later, if kadmind_dispatch() calls kadm5_free_key_data() due to some error (e.g. client message too short), the latter ends up trying to free() invalid pointers. I've attached a demo; it expects the user to have run kinit. # valgrind /usr/libexec/kadmind --debug & # cc kadmind17a.c -lkrb5 # ./a.out 2022-11-25T06:50:53 root@EXAMPLE.ORG: CHPASS_WITH_KEY @ =3D=3D11284=3D=3D Invalid free() / delete / delete[] / realloc() =3D=3D11284=3D=3D at 0x484E83C: free (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so) =3D=3D11284=3D=3D by 0x48631BB: kadm5_free_key_data (in /usr/lib/libkadm= 5srv.so.11) =3D=3D11284=3D=3D by 0x112569: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x1129A8: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x10D1DC: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x4823007: ??? =3D=3D11284=3D=3D Address 0x5b77340 is 0 bytes after a block of size 0 fre= e'd =3D=3D11284=3D=3D at 0x484E83C: free (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so) =3D=3D11284=3D=3D by 0x48631AE: kadm5_free_key_data (in /usr/lib/libkadm= 5srv.so.11) =3D=3D11284=3D=3D by 0x112569: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x1129A8: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x10D1DC: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x4823007: ??? =3D=3D11284=3D=3D Block was alloc'd at =3D=3D11284=3D=3D at 0x484CBC4: malloc (in /usr/local/libexec/valgrind/vgpreload_memcheck-amd64-freebsd.so) =3D=3D11284=3D=3D by 0x48E1B74: krb5_data_alloc (in /usr/lib/libkrb5.so.= 11) =3D=3D11284=3D=3D by 0x490B231: krb5_ret_data (in /usr/lib/libkrb5.so.11) =3D=3D11284=3D=3D by 0x4865C6D: kadm5_ret_key_data (in /usr/lib/libkadm5= srv.so.11) =3D=3D11284=3D=3D by 0x1123D7: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x1129A8: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x10D1DC: ??? (in /usr/libexec/kadmind) =3D=3D11284=3D=3D by 0x4823007: ??? --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-267987-227>