
ad-gpo: use hash to store intermediate results (fixes CVE-2023-3758) #7302

Closed

Conversation

sumit-bose (Contributor)

Currently, after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of whether access is granted or rejected.

If there are two or more access-control requests running in parallel, one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will make this decision based on intermediate data.

To avoid this, the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
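The race the PR description explains, as an added illustration that is not SSSD's code: a deterministic two-request scheduler stands in for tevent interleaving SSSD's asynchronous access-control requests, a policy result is simplified to allow and deny SID lists merged across the host's GPO chain, and the names (`gpo_chain`, `advance`, `run_schedule`, `bob_granted`) as well as the assumed old-code behaviour of resetting the shared entry when a request evaluates its first GPO and merging on each later one are choices made for this example. On the shared-cache path, the second request's first intermediate write erases the deny that the first request already evaluated, so the first request grants `bob`; the per-request table reaches the right decision under the same interleaving.

```c
/* Added illustration of the CVE-2023-3758 race, not SSSD code.
 * Assumptions: a policy result is an allow list plus a deny list of
 * SIDs merged across the GPO chain; the "cache" is one shared entry;
 * a scheduler advances two requests one step at a time, standing in
 * for tevent interleaving SSSD's async access-control requests. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 8
#define N_GPOS   2

struct policy {
    const char *allow[MAX_SIDS];
    const char *deny[MAX_SIDS];
    int n_allow, n_deny;
};

/* Constructed GPO chain; every request on the host evaluates it in order. */
static const struct policy gpo_chain[N_GPOS] = {
    { .allow = { "alice", "bob" }, .n_allow = 2 },   /* GPO 1: allow both */
    { .deny  = { "bob" },          .n_deny  = 1 },   /* GPO 2: deny bob   */
};

static bool contains(const char *const *list, int n, const char *sid)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], sid) == 0) return true;
    return false;
}

/* Set-union one GPO's settings into an accumulated result. */
static void merge(struct policy *dst, const struct policy *src)
{
    for (int i = 0; i < src->n_allow && dst->n_allow < MAX_SIDS; i++)
        if (!contains(dst->allow, dst->n_allow, src->allow[i]))
            dst->allow[dst->n_allow++] = src->allow[i];
    for (int i = 0; i < src->n_deny && dst->n_deny < MAX_SIDS; i++)
        if (!contains(dst->deny, dst->n_deny, src->deny[i]))
            dst->deny[dst->n_deny++] = src->deny[i];
}

/* Deny wins over allow; a SID in neither list is rejected. */
static bool decide(const struct policy *p, const char *sid)
{
    if (contains(p->deny, p->n_deny, sid)) return false;
    return contains(p->allow, p->n_allow, sid);
}

struct request {
    const char *sid;
    int next_gpo;          /* index of the next GPO to evaluate */
    struct policy local;   /* per-request table (the fixed design) */
    bool decision;
};

/* One step of a request: evaluate its next GPO, or take the decision.
 * per_request == false models the old code: intermediate results go
 * straight into the shared entry (assumed reset on a request's first
 * GPO) and the decision is read back from it. per_request == true
 * models the fix: accumulate locally, decide from the local table,
 * and write only the final result to the cache. */
static void advance(struct request *r, struct policy *cache, bool per_request)
{
    if (r->next_gpo < N_GPOS) {
        const struct policy *g = &gpo_chain[r->next_gpo++];
        if (per_request) {
            merge(&r->local, g);
        } else {
            if (r->next_gpo == 1) memset(cache, 0, sizeof *cache);
            merge(cache, g);
        }
        return;
    }
    if (per_request) {
        r->decision = decide(&r->local, r->sid);
        *cache = r->local;   /* final result only, kept for offline auth */
    } else {
        r->decision = decide(cache, r->sid);
    }
}

/* Request 0 is for bob, request 1 for alice; each needs N_GPOS + 1 steps.
 * sched[i] names the request that advances at step i. Returns bob's decision. */
bool bob_granted(const int *sched, bool per_request)
{
    struct policy cache = {0};
    struct request req[2] = { { .sid = "bob" }, { .sid = "alice" } };
    for (int i = 0; i < N_GPOS * 2 + 2; i++)
        advance(&req[sched[i]], &cache, per_request);
    return req[0].decision;
}

/* Racy: bob's request evaluates both GPOs, alice's request then evaluates
 * its first GPO (overwriting the shared entry) before bob's request decides. */
const int racy_schedule[N_GPOS * 2 + 2]   = { 0, 0, 1, 0, 1, 1 };
const int serial_schedule[N_GPOS * 2 + 2] = { 0, 0, 0, 1, 1, 1 };

int main(void)
{
    printf("shared cache, serial:      bob %s\n", bob_granted(serial_schedule, false) ? "GRANTED" : "rejected");
    printf("shared cache, interleaved: bob %s\n", bob_granted(racy_schedule, false)   ? "GRANTED" : "rejected");
    printf("per-request, interleaved:  bob %s\n", bob_granted(racy_schedule, true)    ? "GRANTED" : "rejected");
    return 0;
}
```

Build and run with `cc -std=c11 -Wall gpo_race.c && ./a.out`; only the shared-cache interleaved run grants `bob`. The interleaving is written out explicitly rather than produced by threads because SSSD's back end is single-threaded and the overlap comes from async requests yielding to each other, which is exactly what a fixed step order reproduces.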

Review comment on src/providers/ad/ad_gpo.c (resolved)
thalman (Contributor) left a comment

Thanks, ACK

alexey-tikhonov added the labels backport-to-stable (Targets also latest stable branch), branch: sssd-2-8 and Ready to push on Apr 18, 2024
alexey-tikhonov (Member)

Pushed PR: #7302

  • master
    • d7db797 - ad-gpo: use hash to store intermediate results
  • sssd-2-8
    • f4ebe14 - ad-gpo: use hash to store intermediate results
  • sssd-2-9
    • e1bfbc2 - ad-gpo: use hash to store intermediate results

carnil commented Apr 19, 2024

CVE-2023-3758 seems to be assigned to this issue.

alexey-tikhonov (Member)

CVE-2023-3758 seems to be assigned to this issue.

That's correct.

alexey-tikhonov changed the title from "ad-gpo: use hash to store intermediate results" to "ad-gpo: use hash to store intermediate results (fixes CVE-2023-3758)" on Apr 19, 2024
gerrit-photon pushed a commit to vmware/photon that referenced this pull request Apr 25, 2024
Ref: SSSD/sssd#7302

Change-Id: I3fe67b4a7092bdc332e2ecf590b7d8f48b81207f
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23799
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
gerrit-photon pushed a commit to vmware/photon that referenced this pull request Apr 25, 2024
Ref: SSSD/sssd#7302

Change-Id: I601639776d99c490554036a73888a4a4f0b6a0d5
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23801
Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
Tested-by: gerrit-photon <photon-checkins@vmware.com>
gerrit-photon pushed a commit to vmware/photon that referenced this pull request Apr 26, 2024
Ref: SSSD/sssd#7302

Change-Id: I4064c58cda61b9ef703b81d610582dd52e35a51c
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23800
Tested-by: Michelle Wang <michelle.wang@broadcom.com>
Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com>
Labels: backport-to-stable (Targets also latest stable branch), branch: sssd-2-8, Pushed