Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
net/samba413: back port security fixes from 4.16.11
The security defects addressed in these fixes are described at https://www.samba.org/samba/history/samba-4.16.11.html PR: 273595 Approved by: maintainer timeout
- Loading branch information
Showing
22 changed files
with
2,524 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 67 additions & 0 deletions
67
net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| From d2a03a12c607e00654b21a91d487c3408b394eaf Mon Sep 17 00:00:00 2001 | ||
| From: Samuel Cabrero <scabrero@samba.org> | ||
| Date: Thu, 24 Feb 2022 17:48:27 +0100 | ||
| Subject: [PATCH 01/21] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks | ||
| to parent process | ||
|
|
||
| The winbindd_dual_pam_auth_crap() function will be converted to a local | ||
| RPC call handler and it won't receive a winbindd_cli_state struct. Move | ||
| the checks accessing this struct to the parent. | ||
|
|
||
| Signed-off-by: Samuel Cabrero <scabrero@samba.org> | ||
| Reviewed-by: Jeremy Allison <jra@samba.org> | ||
| (cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374) | ||
| --- | ||
| source3/winbindd/winbindd_pam.c | 12 ------------ | ||
| source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++ | ||
| 2 files changed, 12 insertions(+), 12 deletions(-) | ||
|
|
||
| diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c | ||
| index 59dd18e27b8..9e799b3a191 100644 | ||
| --- a/source3/winbindd/winbindd_pam.c | ||
| +++ b/source3/winbindd/winbindd_pam.c | ||
| @@ -2698,18 +2698,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, | ||
| DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, | ||
| name_domain, name_user)); | ||
|
|
||
| - if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp) | ||
| - || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) { | ||
| - if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) || | ||
| - state->request->extra_len != state->request->data.auth_crap.nt_resp_len) { | ||
| - DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", | ||
| - state->request->data.auth_crap.lm_resp_len, | ||
| - state->request->data.auth_crap.nt_resp_len)); | ||
| - result = NT_STATUS_INVALID_PARAMETER; | ||
| - goto done; | ||
| - } | ||
| - } | ||
| - | ||
| lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp, | ||
| state->request->data.auth_crap.lm_resp_len); | ||
|
|
||
| diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c | ||
| index 40cab81b5ea..310d50fdde2 100644 | ||
| --- a/source3/winbindd/winbindd_pam_auth_crap.c | ||
| +++ b/source3/winbindd/winbindd_pam_auth_crap.c | ||
| @@ -138,6 +138,18 @@ struct tevent_req *winbindd_pam_auth_crap_send( | ||
| fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); | ||
| } | ||
|
|
||
| + if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) | ||
| + || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { | ||
| + if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || | ||
| + request->extra_len != request->data.auth_crap.nt_resp_len) { | ||
| + DBG_ERR("Invalid password length %u/%u\n", | ||
| + request->data.auth_crap.lm_resp_len, | ||
| + request->data.auth_crap.nt_resp_len); | ||
| + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); | ||
| + return tevent_req_post(req, ev); | ||
| + } | ||
| + } | ||
| + | ||
| subreq = wb_domain_request_send(state, global_event_context(), domain, | ||
| request); | ||
| if (tevent_req_nomem(subreq, req)) { | ||
| -- | ||
| 2.41.0 | ||
|
|
71 changes: 71 additions & 0 deletions
71
net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| From 5c6a46d21cc247ed38e70925b2d849d4e807ca0a Mon Sep 17 00:00:00 2001 | ||
| From: Volker Lendecke <vl@samba.org> | ||
| Date: Fri, 20 May 2022 10:55:23 +0200 | ||
| Subject: [PATCH 02/21] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP | ||
| length checks | ||
|
|
||
| With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you | ||
| can crash winbind. We don't independently check lm_resp_len | ||
| sufficiently. | ||
|
|
||
| Discovered via Coverity ID 1504444 Out-of-bounds access | ||
|
|
||
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 | ||
|
|
||
| Signed-off-by: Volker Lendecke <vl@samba.org> | ||
| --- | ||
| source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++-------- | ||
| 1 file changed, 21 insertions(+), 10 deletions(-) | ||
|
|
||
| diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c | ||
| index 310d50fdde2..19e295f50b3 100644 | ||
| --- a/source3/winbindd/winbindd_pam_auth_crap.c | ||
| +++ b/source3/winbindd/winbindd_pam_auth_crap.c | ||
| @@ -40,6 +40,9 @@ struct tevent_req *winbindd_pam_auth_crap_send( | ||
| struct winbindd_pam_auth_crap_state *state; | ||
| struct winbindd_domain *domain; | ||
| const char *auth_domain = NULL; | ||
| + bool lmlength_ok = false; | ||
| + bool ntlength_ok = false; | ||
| + bool pwlength_ok = false; | ||
|
|
||
| req = tevent_req_create(mem_ctx, &state, | ||
| struct winbindd_pam_auth_crap_state); | ||
| @@ -138,16 +141,24 @@ struct tevent_req *winbindd_pam_auth_crap_send( | ||
| fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); | ||
| } | ||
|
|
||
| - if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) | ||
| - || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { | ||
| - if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || | ||
| - request->extra_len != request->data.auth_crap.nt_resp_len) { | ||
| - DBG_ERR("Invalid password length %u/%u\n", | ||
| - request->data.auth_crap.lm_resp_len, | ||
| - request->data.auth_crap.nt_resp_len); | ||
| - tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); | ||
| - return tevent_req_post(req, ev); | ||
| - } | ||
| + lmlength_ok = (request->data.auth_crap.lm_resp_len <= | ||
| + sizeof(request->data.auth_crap.lm_resp)); | ||
| + | ||
| + ntlength_ok = (request->data.auth_crap.nt_resp_len <= | ||
| + sizeof(request->data.auth_crap.nt_resp)); | ||
| + | ||
| + ntlength_ok |= | ||
| + ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && | ||
| + (request->extra_len == request->data.auth_crap.nt_resp_len)); | ||
| + | ||
| + pwlength_ok = lmlength_ok && ntlength_ok; | ||
| + | ||
| + if (!pwlength_ok) { | ||
| + DBG_ERR("Invalid password length %u/%u\n", | ||
| + request->data.auth_crap.lm_resp_len, | ||
| + request->data.auth_crap.nt_resp_len); | ||
| + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); | ||
| + return tevent_req_post(req, ev); | ||
| } | ||
|
|
||
| subreq = wb_domain_request_send(state, global_event_context(), domain, | ||
| -- | ||
| 2.41.0 | ||
|
|
40 changes: 40 additions & 0 deletions
40
net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| From de6bd24d80ec4af9d618911cc42d10e109d1d121 Mon Sep 17 00:00:00 2001 | ||
| From: Ralph Boehme <slow@samba.org> | ||
| Date: Fri, 16 Jun 2023 12:28:47 +0200 | ||
| Subject: [PATCH 03/21] CVE-2022-2127: ntlm_auth: cap lanman response length | ||
| value | ||
|
|
||
| We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the | ||
| lm_resp buffer, but we don't cap the length indicator. | ||
|
|
||
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 | ||
|
|
||
| Signed-off-by: Ralph Boehme <slow@samba.org> | ||
| --- | ||
| source3/utils/ntlm_auth.c | 8 ++++++-- | ||
| 1 file changed, 6 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c | ||
| index 5541c58350b..def8cdef6fa 100644 | ||
| --- a/source3/utils/ntlm_auth.c | ||
| +++ b/source3/utils/ntlm_auth.c | ||
| @@ -573,10 +573,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username, | ||
| memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); | ||
|
|
||
| if (lm_response && lm_response->length) { | ||
| + size_t capped_lm_response_len = MIN( | ||
| + lm_response->length, | ||
| + sizeof(request.data.auth_crap.lm_resp)); | ||
| + | ||
| memcpy(request.data.auth_crap.lm_resp, | ||
| lm_response->data, | ||
| - MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); | ||
| - request.data.auth_crap.lm_resp_len = lm_response->length; | ||
| + capped_lm_response_len); | ||
| + request.data.auth_crap.lm_resp_len = capped_lm_response_len; | ||
| } | ||
|
|
||
| if (nt_response && nt_response->length) { | ||
| -- | ||
| 2.41.0 | ||
|
|
135 changes: 135 additions & 0 deletions
135
net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| From b8a534a3d9b98cc70b2535f3fca31983e3617275 Mon Sep 17 00:00:00 2001 | ||
| From: Ralph Boehme <slow@samba.org> | ||
| Date: Wed, 31 May 2023 15:34:26 +0200 | ||
| Subject: [PATCH 04/21] CVE-2023-34966: CI: test for sl_unpack_loop() | ||
|
|
||
| Send a maliciously crafted packet where a nil type has a subcount of 0. This | ||
| triggers an endless loop in mdssvc sl_unpack_loop(). | ||
|
|
||
| BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 | ||
|
|
||
| Signed-off-by: Ralph Boehme <slow@samba.org> | ||
| --- | ||
| source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++ | ||
| 1 file changed, 100 insertions(+) | ||
|
|
||
| diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c | ||
| index 507a4a1d2e4..f5f59395241 100644 | ||
| --- a/source4/torture/rpc/mdssvc.c | ||
| +++ b/source4/torture/rpc/mdssvc.c | ||
| @@ -570,6 +570,102 @@ done: | ||
| return ok; | ||
| } | ||
|
|
||
| +static uint8_t test_sl_unpack_loop_buf[] = { | ||
| + 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d, | ||
| + 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, | ||
| + 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00, | ||
| + 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74, | ||
| + 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a, | ||
| + 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72, | ||
| + 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74, | ||
| + 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea, | ||
| + 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00, | ||
| + 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, | ||
| + 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00, | ||
| + 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50, | ||
| + 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00, | ||
| + 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00, | ||
| + 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b, | ||
| + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, | ||
| + 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, | ||
| + 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00, | ||
| + 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00, | ||
| + 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00, | ||
| + 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, | ||
| + 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
| + 0x00, 0x00, 0x00, 0x00 | ||
| +}; | ||
| + | ||
| +static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, | ||
| + void *data) | ||
| +{ | ||
| + struct torture_mdsscv_state *state = talloc_get_type_abort( | ||
| + data, struct torture_mdsscv_state); | ||
| + struct dcerpc_binding_handle *b = state->p->binding_handle; | ||
| + struct mdssvc_blob request_blob; | ||
| + struct mdssvc_blob response_blob; | ||
| + uint32_t device_id; | ||
| + uint32_t unkn2; | ||
| + uint32_t unkn9; | ||
| + uint32_t fragment; | ||
| + uint32_t flags; | ||
| + NTSTATUS status; | ||
| + bool ok = true; | ||
| + | ||
| + device_id = UINT32_C(0x2f000045); | ||
| + unkn2 = 23; | ||
| + unkn9 = 0; | ||
| + fragment = 0; | ||
| + flags = UINT32_C(0x6b000001); | ||
| + | ||
| + request_blob.spotlight_blob = test_sl_unpack_loop_buf; | ||
| + request_blob.size = sizeof(test_sl_unpack_loop_buf); | ||
| + request_blob.length = sizeof(test_sl_unpack_loop_buf); | ||
| + | ||
| + response_blob.spotlight_blob = talloc_array(state, | ||
| + uint8_t, | ||
| + 0); | ||
| + torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, | ||
| + ok, done, "dalloc_zero failed\n"); | ||
| + response_blob.size = 0; | ||
| + | ||
| + status = dcerpc_mdssvc_cmd(b, | ||
| + state, | ||
| + &state->ph, | ||
| + 0, | ||
| + device_id, | ||
| + unkn2, | ||
| + 0, | ||
| + flags, | ||
| + request_blob, | ||
| + 0, | ||
| + 64 * 1024, | ||
| + 1, | ||
| + 64 * 1024, | ||
| + 0, | ||
| + 0, | ||
| + &fragment, | ||
| + &response_blob, | ||
| + &unkn9); | ||
| + torture_assert_ntstatus_ok_goto( | ||
| + tctx, status, ok, done, | ||
| + "dcerpc_mdssvc_unknown1 failed\n"); | ||
| + | ||
| +done: | ||
| + return ok; | ||
| +} | ||
| + | ||
| static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, | ||
| void *data) | ||
| { | ||
| @@ -841,5 +937,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) | ||
| "fetch_unknown_cnid", | ||
| test_mdssvc_fetch_attr_unknown_cnid); | ||
|
|
||
| + torture_tcase_add_simple_test(tcase, | ||
| + "mdssvc_sl_unpack_loop", | ||
| + test_mdssvc_sl_unpack_loop); | ||
| + | ||
| return suite; | ||
| } | ||
| -- | ||
| 2.41.0 | ||
|
|
Oops, something went wrong.