diff --git a/net/samba413/Makefile b/net/samba413/Makefile index 472f19ea389c4..7207ba3a7a46c 100644 --- a/net/samba413/Makefile +++ b/net/samba413/Makefile @@ -1,6 +1,6 @@ PORTNAME= ${SAMBA4_BASENAME}413 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} @@ -19,7 +19,30 @@ USES= cpe EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 \ ${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \ - ${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 + ${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 \ + ${PATCHDIR}/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch:-p1 \ + ${PATCHDIR}/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch:-p1 \ + ${PATCHDIR}/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch:-p1 \ + ${PATCHDIR}/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch:-p1 \ + ${PATCHDIR}/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch:-p1 \ + ${PATCHDIR}/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1 \ + ${PATCHDIR}/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1 \ + ${PATCHDIR}/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch:-p1 \ + ${PATCHDIR}/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch:-p1 \ + ${PATCHDIR}/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch:-p1 \ + ${PATCHDIR}/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch:-p1 \ + ${PATCHDIR}/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch:-p1 \ + ${PATCHDIR}/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch:-p1 \ + ${PATCHDIR}/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch:-p1 \ + ${PATCHDIR}/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch:-p1 \ + ${PATCHDIR}/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch:-p1 \ + ${PATCHDIR}/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch:-p1 \ + ${PATCHDIR}/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch:-p1 \ + ${PATCHDIR}/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch:-p1 + +# These have been removed from EXTRA_PATCHES because they are empty and patch(1) complains about them +# ${PATCHDIR}/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1 +# ${PATCHDIR}/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 diff --git a/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch b/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch new file mode 100644 index 0000000000000..a03539adeedeb --- /dev/null +++ b/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch @@ -0,0 +1,67 @@ +From d2a03a12c607e00654b21a91d487c3408b394eaf Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 24 Feb 2022 17:48:27 +0100 +Subject: [PATCH 01/21] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks + to parent process + +The winbindd_dual_pam_auth_crap() function will be converted to a local +RPC call handler and it won't receive a winbindd_cli_state struct. Move +the checks accessing this struct to the parent. + +Signed-off-by: Samuel Cabrero +Reviewed-by: Jeremy Allison +(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374) +--- + source3/winbindd/winbindd_pam.c | 12 ------------ + source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 59dd18e27b8..9e799b3a191 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -2698,18 +2698,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, + DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, + name_domain, name_user)); + +- if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp) +- || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) { +- if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) || +- state->request->extra_len != state->request->data.auth_crap.nt_resp_len) { +- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", +- state->request->data.auth_crap.lm_resp_len, +- state->request->data.auth_crap.nt_resp_len)); +- result = NT_STATUS_INVALID_PARAMETER; +- goto done; +- } +- } +- + lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp, + state->request->data.auth_crap.lm_resp_len); + +diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c +index 40cab81b5ea..310d50fdde2 100644 +--- a/source3/winbindd/winbindd_pam_auth_crap.c ++++ b/source3/winbindd/winbindd_pam_auth_crap.c +@@ -138,6 +138,18 @@ struct tevent_req *winbindd_pam_auth_crap_send( + fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); + } + ++ if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) ++ || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { ++ if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || ++ request->extra_len != request->data.auth_crap.nt_resp_len) { ++ DBG_ERR("Invalid password length %u/%u\n", ++ request->data.auth_crap.lm_resp_len, ++ request->data.auth_crap.nt_resp_len); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return tevent_req_post(req, ev); ++ } ++ } ++ + subreq = wb_domain_request_send(state, global_event_context(), domain, + request); + if (tevent_req_nomem(subreq, req)) { +-- +2.41.0 + diff --git a/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch b/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch new file mode 100644 index 0000000000000..06b7472df4dbb --- /dev/null +++ b/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch @@ -0,0 +1,71 @@ +From 5c6a46d21cc247ed38e70925b2d849d4e807ca0a Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Fri, 20 May 2022 10:55:23 +0200 +Subject: [PATCH 02/21] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP + length checks + +With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you +can crash winbind. We don't independently check lm_resp_len +sufficiently. + +Discovered via Coverity ID 1504444 Out-of-bounds access + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 + +Signed-off-by: Volker Lendecke +--- + source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++-------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c +index 310d50fdde2..19e295f50b3 100644 +--- a/source3/winbindd/winbindd_pam_auth_crap.c ++++ b/source3/winbindd/winbindd_pam_auth_crap.c +@@ -40,6 +40,9 @@ struct tevent_req *winbindd_pam_auth_crap_send( + struct winbindd_pam_auth_crap_state *state; + struct winbindd_domain *domain; + const char *auth_domain = NULL; ++ bool lmlength_ok = false; ++ bool ntlength_ok = false; ++ bool pwlength_ok = false; + + req = tevent_req_create(mem_ctx, &state, + struct winbindd_pam_auth_crap_state); +@@ -138,16 +141,24 @@ struct tevent_req *winbindd_pam_auth_crap_send( + fstrcpy(request->data.auth_crap.workstation, lp_netbios_name()); + } + +- if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp) +- || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) { +- if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) || +- request->extra_len != request->data.auth_crap.nt_resp_len) { +- DBG_ERR("Invalid password length %u/%u\n", +- request->data.auth_crap.lm_resp_len, +- request->data.auth_crap.nt_resp_len); +- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); +- return tevent_req_post(req, ev); +- } ++ lmlength_ok = (request->data.auth_crap.lm_resp_len <= ++ sizeof(request->data.auth_crap.lm_resp)); ++ ++ ntlength_ok = (request->data.auth_crap.nt_resp_len <= ++ sizeof(request->data.auth_crap.nt_resp)); ++ ++ ntlength_ok |= ++ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) && ++ (request->extra_len == request->data.auth_crap.nt_resp_len)); ++ ++ pwlength_ok = lmlength_ok && ntlength_ok; ++ ++ if (!pwlength_ok) { ++ DBG_ERR("Invalid password length %u/%u\n", ++ request->data.auth_crap.lm_resp_len, ++ request->data.auth_crap.nt_resp_len); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return tevent_req_post(req, ev); + } + + subreq = wb_domain_request_send(state, global_event_context(), domain, +-- +2.41.0 + diff --git a/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch b/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch new file mode 100644 index 0000000000000..a1f8733661723 --- /dev/null +++ b/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch @@ -0,0 +1,40 @@ +From de6bd24d80ec4af9d618911cc42d10e109d1d121 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 16 Jun 2023 12:28:47 +0200 +Subject: [PATCH 03/21] CVE-2022-2127: ntlm_auth: cap lanman response length + value + +We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the +lm_resp buffer, but we don't cap the length indicator. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 + +Signed-off-by: Ralph Boehme +--- + source3/utils/ntlm_auth.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 5541c58350b..def8cdef6fa 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -573,10 +573,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username, + memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); + + if (lm_response && lm_response->length) { ++ size_t capped_lm_response_len = MIN( ++ lm_response->length, ++ sizeof(request.data.auth_crap.lm_resp)); ++ + memcpy(request.data.auth_crap.lm_resp, + lm_response->data, +- MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); +- request.data.auth_crap.lm_resp_len = lm_response->length; ++ capped_lm_response_len); ++ request.data.auth_crap.lm_resp_len = capped_lm_response_len; + } + + if (nt_response && nt_response->length) { +-- +2.41.0 + diff --git a/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch b/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch new file mode 100644 index 0000000000000..9b96a50e84cca --- /dev/null +++ b/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch @@ -0,0 +1,135 @@ +From b8a534a3d9b98cc70b2535f3fca31983e3617275 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 31 May 2023 15:34:26 +0200 +Subject: [PATCH 04/21] CVE-2023-34966: CI: test for sl_unpack_loop() + +Send a maliciously crafted packet where a nil type has a subcount of 0. This +triggers an endless loop in mdssvc sl_unpack_loop(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme +--- + source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++ + 1 file changed, 100 insertions(+) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 507a4a1d2e4..f5f59395241 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -570,6 +570,102 @@ done: + return ok; + } + ++static uint8_t test_sl_unpack_loop_buf[] = { ++ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d, ++ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, ++ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00, ++ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74, ++ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a, ++ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72, ++ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74, ++ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea, ++ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00, ++ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00, ++ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50, ++ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b, ++ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, ++ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00, ++ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00, ++ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00, ++ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00 ++}; ++ ++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, ++ void *data) ++{ ++ struct torture_mdsscv_state *state = talloc_get_type_abort( ++ data, struct torture_mdsscv_state); ++ struct dcerpc_binding_handle *b = state->p->binding_handle; ++ struct mdssvc_blob request_blob; ++ struct mdssvc_blob response_blob; ++ uint32_t device_id; ++ uint32_t unkn2; ++ uint32_t unkn9; ++ uint32_t fragment; ++ uint32_t flags; ++ NTSTATUS status; ++ bool ok = true; ++ ++ device_id = UINT32_C(0x2f000045); ++ unkn2 = 23; ++ unkn9 = 0; ++ fragment = 0; ++ flags = UINT32_C(0x6b000001); ++ ++ request_blob.spotlight_blob = test_sl_unpack_loop_buf; ++ request_blob.size = sizeof(test_sl_unpack_loop_buf); ++ request_blob.length = sizeof(test_sl_unpack_loop_buf); ++ ++ response_blob.spotlight_blob = talloc_array(state, ++ uint8_t, ++ 0); ++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, ++ ok, done, "dalloc_zero failed\n"); ++ response_blob.size = 0; ++ ++ status = dcerpc_mdssvc_cmd(b, ++ state, ++ &state->ph, ++ 0, ++ device_id, ++ unkn2, ++ 0, ++ flags, ++ request_blob, ++ 0, ++ 64 * 1024, ++ 1, ++ 64 * 1024, ++ 0, ++ 0, ++ &fragment, ++ &response_blob, ++ &unkn9); ++ torture_assert_ntstatus_ok_goto( ++ tctx, status, ok, done, ++ "dcerpc_mdssvc_unknown1 failed\n"); ++ ++done: ++ return ok; ++} ++ + static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, + void *data) + { +@@ -841,5 +937,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) + "fetch_unknown_cnid", + test_mdssvc_fetch_attr_unknown_cnid); + ++ torture_tcase_add_simple_test(tcase, ++ "mdssvc_sl_unpack_loop", ++ test_mdssvc_sl_unpack_loop); ++ + return suite; + } +-- +2.41.0 + diff --git a/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch b/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch new file mode 100644 index 0000000000000..771731aa49fc4 --- /dev/null +++ b/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch @@ -0,0 +1,73 @@ +From 3bdbf83c365a5bcd339aaa5e894797fe0e610c69 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 26 May 2023 13:06:19 +0200 +Subject: [PATCH 05/21] CVE-2023-34966: mdssvc: harden sl_unpack_loop() + +A malicious client could send a packet where subcount is zero, leading to a busy +loop because + + count -= subcount +=> count -= 0 +=> while (count > 0) + +loops forever. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme +--- + source3/rpc_server/mdssvc/marshalling.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c +index 1aa750413cd..441d41160f1 100644 +--- a/source3/rpc_server/mdssvc/marshalling.c ++++ b/source3/rpc_server/mdssvc/marshalling.c +@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + sl_nil_t nil = 0; + + subcount = tag.count; +- if (subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + for (i = 0; i < subcount; i++) { +@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_INT64: + subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_UUID: + subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_FLOAT: + subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_DATE: + subcount = sl_unpack_date(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +-- +2.41.0 + diff --git a/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch new file mode 100644 index 0000000000000..5d488a71cbec4 --- /dev/null +++ b/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch @@ -0,0 +1,172 @@ +From b1a0a1574ae0db083e917c13777abb4b113d6383 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 31 May 2023 16:26:14 +0200 +Subject: [PATCH 06/21] CVE-2023-34967: CI: add a test for type checking of + dalloc_value_for_key() + +Sends a maliciously crafted packet where the value in a key/value style +dictionary for the "scope" key is a simple string object whereas the server +expects an array. As the server doesn't perform type validation on the value, it +crashes when trying to use the "simple" object as a "complex" one. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme +--- + source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++ + 1 file changed, 134 insertions(+) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index f5f59395241..20b903f93fa 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -666,6 +666,136 @@ done: + return ok; + } + ++static bool test_sl_dict_type_safety(struct torture_context *tctx, ++ void *data) ++{ ++ struct torture_mdsscv_state *state = talloc_get_type_abort( ++ data, struct torture_mdsscv_state); ++ struct dcerpc_binding_handle *b = state->p->binding_handle; ++ struct mdssvc_blob request_blob; ++ struct mdssvc_blob response_blob; ++ uint64_t ctx1 = 0xdeadbeef; ++ uint64_t ctx2 = 0xcafebabe; ++ uint32_t device_id; ++ uint32_t unkn2; ++ uint32_t unkn9; ++ uint32_t fragment; ++ uint32_t flags; ++ DALLOC_CTX *d = NULL; ++ sl_array_t *array1 = NULL, *array2 = NULL; ++ sl_dict_t *arg = NULL; ++ int result; ++ NTSTATUS status; ++ bool ok = true; ++ ++ device_id = UINT32_C(0x2f000045); ++ unkn2 = 23; ++ unkn9 = 0; ++ fragment = 0; ++ flags = UINT32_C(0x6b000001); ++ ++ d = dalloc_new(tctx); ++ torture_assert_not_null_goto(tctx, d, ++ ok, done, "dalloc_new failed\n"); ++ ++ array1 = dalloc_zero(d, sl_array_t); ++ torture_assert_not_null_goto(tctx, array1, ++ ok, done, "dalloc_zero failed\n"); ++ ++ array2 = dalloc_zero(d, sl_array_t); ++ torture_assert_not_null_goto(tctx, array2, ++ ok, done, "dalloc_new failed\n"); ++ ++ result = dalloc_stradd(array2, "openQueryWithParams:forContext:"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add_copy(array2, &ctx1, uint64_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add_copy(array2, &ctx2, uint64_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ arg = dalloc_zero(array1, sl_dict_t); ++ torture_assert_not_null_goto(tctx, d, ++ ok, done, "dalloc_zero failed\n"); ++ ++ result = dalloc_stradd(arg, "kMDQueryString"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "*"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "kMDScopeArray"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "AAAABBBB"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add(array1, array2, sl_array_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ result = dalloc_add(array1, arg, sl_dict_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ result = dalloc_add(d, array1, sl_array_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ torture_comment(tctx, "%s", dalloc_dump(d, 0)); ++ ++ request_blob.spotlight_blob = talloc_array(tctx, ++ uint8_t, ++ 64 * 1024); ++ torture_assert_not_null_goto(tctx, request_blob.spotlight_blob, ++ ok, done, "dalloc_new failed\n"); ++ request_blob.size = 64 * 1024; ++ ++ request_blob.length = sl_pack(d, ++ (char *)request_blob.spotlight_blob, ++ request_blob.size); ++ torture_assert_goto(tctx, request_blob.length > 0, ++ ok, done, "sl_pack failed\n"); ++ ++ response_blob.spotlight_blob = talloc_array(state, uint8_t, 0); ++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, ++ ok, done, "dalloc_zero failed\n"); ++ response_blob.size = 0; ++ ++ status = dcerpc_mdssvc_cmd(b, ++ state, ++ &state->ph, ++ 0, ++ device_id, ++ unkn2, ++ 0, ++ flags, ++ request_blob, ++ 0, ++ 64 * 1024, ++ 1, ++ 64 * 1024, ++ 0, ++ 0, ++ &fragment, ++ &response_blob, ++ &unkn9); ++ torture_assert_ntstatus_ok_goto( ++ tctx, status, ok, done, ++ "dcerpc_mdssvc_cmd failed\n"); ++ ++done: ++ return ok; ++} ++ + static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, + void *data) + { +@@ -941,5 +1071,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) + "mdssvc_sl_unpack_loop", + test_mdssvc_sl_unpack_loop); + ++ torture_tcase_add_simple_test(tcase, ++ "sl_dict_type_safety", ++ test_sl_dict_type_safety); ++ + return suite; + } +-- +2.41.0 + diff --git a/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch new file mode 100644 index 0000000000000..ec117f36d9977 --- /dev/null +++ b/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch @@ -0,0 +1,120 @@ +From 91350e1dddc2e5418a3aa0caf22e86b193e46610 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 26 May 2023 15:06:38 +0200 +Subject: [PATCH 07/21] CVE-2023-34967: mdssvc: add type checking to + dalloc_value_for_key() + +Change the dalloc_value_for_key() function to require an additional final +argument which denotes the expected type of the value associated with a key. If +the types don't match, return NULL. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme +--- + source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++---- + source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++---- + 2 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c +index 2e13203c4c6..5169c822357 100644 +--- a/source3/rpc_server/mdssvc/dalloc.c ++++ b/source3/rpc_server/mdssvc/dalloc.c +@@ -164,7 +164,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + int result = 0; + void *p = NULL; + va_list args; +- const char *type; ++ const char *type = NULL; + int elem; + size_t array_len; + +@@ -175,7 +175,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + array_len = talloc_array_length(d->dd_talloc_array); + elem = va_arg(args, int); + if (elem >= array_len) { +- va_end(args); + result = -1; + goto done; + } +@@ -183,8 +182,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + type = va_arg(args, const char *); + } + +- va_end(args); +- + array_len = talloc_array_length(d->dd_talloc_array); + + for (elem = 0; elem + 1 < array_len; elem += 2) { +@@ -197,8 +194,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + break; + } + } ++ if (p == NULL) { ++ goto done; ++ } ++ ++ type = va_arg(args, const char *); ++ if (strcmp(talloc_get_name(p), type) != 0) { ++ p = NULL; ++ } + + done: ++ va_end(args); + if (result != 0) { + p = NULL; + } +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 2b243d64e99..b04a80c37ba 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -888,7 +888,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + + querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0, + "DALLOC_CTX", 1, +- "kMDQueryString"); ++ "kMDQueryString", ++ "char *"); + if (querystring == NULL) { + DEBUG(1, ("missing kMDQueryString\n")); + goto error; +@@ -928,8 +929,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + slq->ctx2 = *uint64p; + + path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDScopeArray"); ++ "DALLOC_CTX", 1, ++ "kMDScopeArray", ++ "sl_array_t"); + if (path_scope == NULL) { ++ DBG_ERR("missing kMDScopeArray\n"); + goto error; + } + +@@ -944,8 +948,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + } + + reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDAttributeArray"); ++ "DALLOC_CTX", 1, ++ "kMDAttributeArray", ++ "sl_array_t"); + if (reqinfo == NULL) { ++ DBG_ERR("missing kMDAttributeArray\n"); + goto error; + } + +@@ -953,7 +960,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0))); + + cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDQueryItemArray"); ++ "DALLOC_CTX", 1, ++ "kMDQueryItemArray", ++ "sl_array_t"); + if (cnids) { + ok = sort_cnids(slq, cnids->ca_cnids); + if (!ok) { +-- +2.41.0 + diff --git a/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch new file mode 100644 index 0000000000000..5df69c398ccf2 --- /dev/null +++ b/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch @@ -0,0 +1,17 @@ +From 8fe2c97c416d4a53bac971ac6bf20f125563f20f Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 31 May 2023 16:26:14 +0200 +Subject: [PATCH 08/21] CVE-2023-34967: CI: add a test for type checking of + dalloc_value_for_key() + +Sends a maliciously crafted packet where the value in a key/value style +dictionary for the "scope" key is a simple string object whereas the server +expects an array. As the server doesn't perform type validation on the value, it +crashes when trying to use the "simple" object as a "complex" one. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme +-- +2.41.0 + diff --git a/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch new file mode 100644 index 0000000000000..6a2dcf4db6c22 --- /dev/null +++ b/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch @@ -0,0 +1,16 @@ +From 388ea72b933b23e043a271288cd58e2d18ab01c8 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 26 May 2023 15:06:38 +0200 +Subject: [PATCH 09/21] CVE-2023-34967: mdssvc: add type checking to + dalloc_value_for_key() + +Change the dalloc_value_for_key() function to require an additional final +argument which denotes the expected type of the value associated with a key. If +the types don't match, return NULL. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme +-- +2.41.0 + diff --git a/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch b/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch new file mode 100644 index 0000000000000..3486dd12b1013 --- /dev/null +++ b/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch @@ -0,0 +1,101 @@ +From 617bc2ee68d2213517c32f1c5cd44edc32817e41 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 15 Oct 2022 13:29:14 +0200 +Subject: [PATCH 10/21] CVE-2023-34968: lib: Move subdir_of() to + source3/lib/util_path.c + +Make it available for other components + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207 +Signed-off-by: Volker Lendecke +(backported from commit d905dbddf8d2655e6c91752b750cbe9c15837ee5) +[slow@samba.org: subdir_of() didn't exist yet in 4.16 so this just adds it] +--- + source3/lib/util_path.c | 52 +++++++++++++++++++++++++++++++++++++++++ + source3/lib/util_path.h | 4 ++++ + 2 files changed, 56 insertions(+) + +diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c +index c34b734384c..e6bed724551 100644 +--- a/source3/lib/util_path.c ++++ b/source3/lib/util_path.c +@@ -23,6 +23,8 @@ + + #include "replace.h" + #include ++#include "lib/util/debug.h" ++#include "lib/util/fault.h" + #include "lib/util/samba_util.h" + #include "lib/util_path.h" + +@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in) + *p++ = '\0'; + return pathname; + } ++ ++/* ++ * Take two absolute paths, figure out if "subdir" is a proper ++ * subdirectory of "parent". Return the component relative to the ++ * "parent" without the potential "/". Take care of "parent" ++ * possibly ending in "/". ++ */ ++bool subdir_of(const char *parent, ++ size_t parent_len, ++ const char *subdir, ++ const char **_relative) ++{ ++ const char *relative = NULL; ++ bool matched; ++ ++ SMB_ASSERT(parent[0] == '/'); ++ SMB_ASSERT(subdir[0] == '/'); ++ ++ if (parent_len == 1) { ++ /* ++ * Everything is below "/" ++ */ ++ *_relative = subdir+1; ++ return true; ++ } ++ ++ if (parent[parent_len-1] == '/') { ++ parent_len -= 1; ++ } ++ ++ matched = (strncmp(subdir, parent, parent_len) == 0); ++ if (!matched) { ++ return false; ++ } ++ ++ relative = &subdir[parent_len]; ++ ++ if (relative[0] == '\0') { ++ *_relative = relative; /* nothing left */ ++ return true; ++ } ++ ++ if (relative[0] == '/') { ++ /* End of parent must match a '/' in subdir. */ ++ *_relative = relative+1; ++ return true; ++ } ++ ++ return false; ++} +diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h +index 3e7d04de550..0ea508bf5bb 100644 +--- a/source3/lib/util_path.h ++++ b/source3/lib/util_path.h +@@ -31,5 +31,9 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name); + char *state_path(TALLOC_CTX *mem_ctx, const char *name); + char *cache_path(TALLOC_CTX *mem_ctx, const char *name); + char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path); ++bool subdir_of(const char *parent, ++ size_t parent_len, ++ const char *subdir, ++ const char **_relative); + + #endif +-- +2.41.0 + diff --git a/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch b/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch new file mode 100644 index 0000000000000..6408fdcf24021 --- /dev/null +++ b/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch @@ -0,0 +1,93 @@ +From e7662921b82d331fa79fa503e3dd3c7ceed25026 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 6 Jun 2023 15:17:26 +0200 +Subject: [PATCH 11/21] CVE-2023-34968: mdssvc: cache and reuse stat info in + struct sl_inode_path_map + +Prepare for the "path" being a fake path and not the real server-side +path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already +got stat info for the object in mds_add_result() so we can just pass stat info +from there. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/mdssvc/mdssvc.c | 26 +++++++------------------- + source3/rpc_server/mdssvc/mdssvc.h | 1 + + 2 files changed, 8 insertions(+), 19 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index b04a80c37ba..32380bf904a 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -445,7 +445,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry) + * entries by calling talloc_free() on the query slq handles. + **/ + +-static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path) ++static bool inode_map_add(struct sl_query *slq, ++ uint64_t ino, ++ const char *path, ++ struct stat_ex *st) + { + NTSTATUS status; + struct sl_inode_path_map *entry; +@@ -492,6 +495,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path) + + entry->ino = ino; + entry->mds_ctx = slq->mds_ctx; ++ entry->st = *st; + entry->path = talloc_strdup(entry, path); + if (entry->path == NULL) { + DEBUG(1, ("talloc failed\n")); +@@ -633,7 +637,7 @@ bool mds_add_result(struct sl_query *slq, const char *path) + return false; + } + +- ok = inode_map_add(slq, ino64, path); ++ ok = inode_map_add(slq, ino64, path, &sb); + if (!ok) { + DEBUG(1, ("inode_map_add error\n")); + slq->state = SLQ_STATE_ERROR; +@@ -1350,23 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx, + elem = talloc_get_type_abort(p, struct sl_inode_path_map); + path = elem->path; + +- smb_fname = synthetic_smb_fname(talloc_tos(), +- path, +- NULL, +- NULL, +- 0, +- 0); +- if (smb_fname == NULL) { +- DBG_ERR("synthetic_smb_fname() failed\n"); +- goto error; +- } +- +- result = SMB_VFS_STAT(mds_ctx->conn, smb_fname); +- if (result != 0) { +- goto error; +- } +- +- sp = &smb_fname->st; ++ sp = &elem->st; + } + + ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp); +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index 392482767dd..a09799130f5 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -105,6 +105,7 @@ struct sl_inode_path_map { + struct mds_ctx *mds_ctx; + uint64_t ino; + char *path; ++ struct stat_ex st; + }; + + /* Per process state */ +-- +2.41.0 + diff --git a/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch b/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch new file mode 100644 index 0000000000000..d2a97f6bab61d --- /dev/null +++ b/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch @@ -0,0 +1,34 @@ +From 93c02d8987828dea902888229fc8a4693c1daba7 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sat, 17 Jun 2023 13:39:55 +0200 +Subject: [PATCH 12/21] CVE-2023-34968: mdssvc: add missing + "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties() + +We were adding the value, but not the key. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/mdssvc/mdssvc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 32380bf904a..199a1d5a89a 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -746,6 +746,10 @@ static bool slrpc_fetch_properties(struct mds_ctx *mds_ctx, + } + + /* kMDSStoreMetaScopes array */ ++ result = dalloc_stradd(dict, "kMDSStoreMetaScopes"); ++ if (result != 0) { ++ return false; ++ } + array = dalloc_zero(dict, sl_array_t); + if (array == NULL) { + return NULL; +-- +2.41.0 + diff --git a/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch b/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch new file mode 100644 index 0000000000000..fc820d0bdec44 --- /dev/null +++ b/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch @@ -0,0 +1,60 @@ +From 78131d2a8e5c9cfd054bcaa5754df11875d5b331 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 19 Jun 2023 17:14:38 +0200 +Subject: [PATCH 13/21] CVE-2023-34968: mdscli: use correct TALLOC memory + context when allocating spotlight_blob + +d is talloc_free()d at the end of the functions and the buffer was later used +after beeing freed in the DCERPC layer when sending the packet. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_client/cli_mdssvc_util.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index fe5092c3790..892a844e71a 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +-- +2.41.0 + diff --git a/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch b/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch new file mode 100644 index 0000000000000..d3fca1c92d72a --- /dev/null +++ b/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch @@ -0,0 +1,86 @@ +From 842c888b48b3244d30410b7f7df16e2356b0f5a2 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 19 Jun 2023 18:28:41 +0200 +Subject: [PATCH 14/21] CVE-2023-34968: mdscli: remove response blob allocation + +This is handled by the NDR code transparently. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_client/cli_mdssvc.c | 36 --------------------------------- + 1 file changed, 36 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c +index 82d14372fe4..07c19b51dd4 100644 +--- a/source3/rpc_client/cli_mdssvc.c ++++ b/source3/rpc_client/cli_mdssvc.c +@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send( + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +-- +2.41.0 + diff --git a/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch b/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch new file mode 100644 index 0000000000000..d253d8436d5e1 --- /dev/null +++ b/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch @@ -0,0 +1,77 @@ +From d4ba49e029be14287661d4c7a6899b50d3881f7b Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 11:28:47 +0200 +Subject: [PATCH 15/21] CVE-2023-34968: smbtorture: remove response blob + allocation in mdssvc.c + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source4/torture/rpc/mdssvc.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 20b903f93fa..76a740c41db 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -537,13 +537,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx, + request_blob.length = 0; + request_blob.size = 0; + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &ph, +@@ -633,13 +626,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, + request_blob.size = sizeof(test_sl_unpack_loop_buf); + request_blob.length = sizeof(test_sl_unpack_loop_buf); + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &state->ph, +@@ -765,11 +751,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx, + torture_assert_goto(tctx, request_blob.length > 0, + ok, done, "sl_pack failed\n"); + +- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &state->ph, +@@ -927,13 +908,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + ret, done, "dalloc_zero failed\n"); + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- max_fragment_size); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ret, done, "dalloc_zero failed\n"); +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n"); + +-- +2.41.0 + diff --git a/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch b/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch new file mode 100644 index 0000000000000..1d33496d35b0a --- /dev/null +++ b/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch @@ -0,0 +1,53 @@ +From 041ee143748bad9117112bcdd0200e1da9127034 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 11:35:41 +0200 +Subject: [PATCH 16/21] CVE-2023-34968: rpcclient: remove response blob + allocation + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpcclient/cmd_spotlight.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c +index 661ada7efb8..a0a1d10c45f 100644 +--- a/source3/rpcclient/cmd_spotlight.c ++++ b/source3/rpcclient/cmd_spotlight.c +@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + } + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size); +- if (response_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + if (len == -1) { + status = NT_STATUS_INTERNAL_ERROR; +@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + } + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- max_fragment_size); +- if (response_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + if (len == -1) { + status = NT_STATUS_INTERNAL_ERROR; +-- +2.41.0 + diff --git a/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch b/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch new file mode 100644 index 0000000000000..881a76c66c551 --- /dev/null +++ b/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch @@ -0,0 +1,45 @@ +From 88aff628e6ec80622e960796073775651f602134 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 11:42:10 +0200 +Subject: [PATCH 17/21] CVE-2023-34968: mdssvc: remove response blob allocation + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index 40e37cb3b85..f89a187bd3f 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -208,7 +208,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r) + void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + { + bool ok; +- char *rbuf; + struct mds_ctx *mds_ctx; + NTSTATUS status; + +@@ -265,14 +264,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + return; + } + +- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1); +- if (rbuf == NULL) { +- p->fault_state = DCERPC_FAULT_CANT_PERFORM; +- return; +- } +- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf; +- r->out.response_blob->size = r->in.max_fragment_size1; +- + /* We currently don't use fragmentation at the mdssvc RPC layer */ + *r->out.fragment = 0; + +-- +2.41.0 + diff --git a/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch b/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch new file mode 100644 index 0000000000000..7a53487492910 --- /dev/null +++ b/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch @@ -0,0 +1,57 @@ +From 60f6d69f42818c5c49c35390db9a88d79ff10d8b Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 11:05:22 +0200 +Subject: [PATCH 18/21] CVE-2023-34968: mdssvc: switch to doing an early return + +Just reduce indentation of the code handling the success case. No change in +behaviour. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/mdssvc/mdssvc.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 199a1d5a89a..82d46987e40 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -1797,19 +1797,21 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + } + + ok = slcmd->function(mds_ctx, query, reply); +- if (ok) { +- DBG_DEBUG("%s", dalloc_dump(reply, 0)); +- +- len = sl_pack(reply, +- (char *)response_blob->spotlight_blob, +- response_blob->size); +- if (len == -1) { +- DBG_ERR("error packing Spotlight RPC reply\n"); +- ok = false; +- goto cleanup; +- } +- response_blob->length = len; ++ if (!ok) { ++ goto cleanup; ++ } ++ ++ DBG_DEBUG("%s", dalloc_dump(reply, 0)); ++ ++ len = sl_pack(reply, ++ (char *)response_blob->spotlight_blob, ++ response_blob->size); ++ if (len == -1) { ++ DBG_ERR("error packing Spotlight RPC reply\n"); ++ ok = false; ++ goto cleanup; + } ++ response_blob->length = len; + + cleanup: + talloc_free(query); +-- +2.41.0 + diff --git a/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch b/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch new file mode 100644 index 0000000000000..deeddcd15eb6c --- /dev/null +++ b/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch @@ -0,0 +1,456 @@ +From 731763209a35e3c410ab8a1ff40fa88140f6519a Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 19 Jun 2023 18:16:57 +0200 +Subject: [PATCH 19/21] CVE-2023-34968: mdssvc: introduce an allocating wrapper + to sl_pack() + +sl_pack_alloc() does the buffer allocation that previously all callers of +sl_pack() did themselves. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_client/cli_mdssvc_util.c | 80 +++++------------------ + source3/rpc_server/mdssvc/marshalling.c | 35 ++++++++-- + source3/rpc_server/mdssvc/marshalling.h | 9 ++- + source3/rpc_server/mdssvc/mdssvc.c | 18 ++--- + source3/rpc_server/mdssvc/mdssvc.h | 3 +- + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 5 +- + source3/rpcclient/cmd_spotlight.c | 32 ++------- + source4/torture/rpc/mdssvc.c | 24 ++----- + 8 files changed, 79 insertions(+), 127 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index 892a844e71a..a39202d0c99 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -42,7 +42,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + sl_array_t *scope_array = NULL; + double dval; + uint64_t uint64val; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -209,23 +209,11 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -238,7 +226,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + uint64_t *uint64p = NULL; + sl_array_t *array = NULL; + sl_array_t *cmd_array = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -293,23 +281,11 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -325,7 +301,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + sl_array_t *cmd_array = NULL; + sl_array_t *attr_array = NULL; + sl_cnids_t *cnids = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -426,23 +402,11 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -455,7 +419,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + uint64_t *uint64p = NULL; + sl_array_t *array = NULL; + sl_array_t *cmd_array = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -510,22 +474,10 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } +diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c +index 441d41160f1..34bfda5eca6 100644 +--- a/source3/rpc_server/mdssvc/marshalling.c ++++ b/source3/rpc_server/mdssvc/marshalling.c +@@ -78,6 +78,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, const char *buf, + ssize_t offset, size_t bufsize, + int count, ssize_t toc_offset, + int encoding); ++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize); + + /****************************************************************************** + * Wrapper functions for the *VAL macros with bound checking +@@ -1190,11 +1191,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + return offset; + } + +-/****************************************************************************** +- * Global functions for packing und unpacking +- ******************************************************************************/ +- +-ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) ++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) + { + ssize_t result; + char *toc_buf; +@@ -1274,6 +1271,34 @@ ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) + return len; + } + ++/****************************************************************************** ++ * Global functions for packing und unpacking ++ ******************************************************************************/ ++ ++NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx, ++ DALLOC_CTX *d, ++ struct mdssvc_blob *b, ++ size_t max_fragment_size) ++{ ++ ssize_t len; ++ ++ b->spotlight_blob = talloc_zero_array(mem_ctx, ++ uint8_t, ++ max_fragment_size); ++ if (b->spotlight_blob == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ len = sl_pack(d, (char *)b->spotlight_blob, max_fragment_size); ++ if (len == -1) { ++ return NT_STATUS_DATA_ERROR; ++ } ++ ++ b->length = len; ++ b->size = len; ++ return NT_STATUS_OK; ++} ++ + bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize) + { + ssize_t result; +diff --git a/source3/rpc_server/mdssvc/marshalling.h b/source3/rpc_server/mdssvc/marshalling.h +index 086ca740604..2cc1b44712c 100644 +--- a/source3/rpc_server/mdssvc/marshalling.h ++++ b/source3/rpc_server/mdssvc/marshalling.h +@@ -22,6 +22,9 @@ + #define _MDSSVC_MARSHALLING_H + + #include "dalloc.h" ++#include "libcli/util/ntstatus.h" ++#include "lib/util/data_blob.h" ++#include "librpc/gen_ndr/mdssvc.h" + + #define MAX_SL_FRAGMENT_SIZE 0xFFFFF + +@@ -49,7 +52,11 @@ typedef struct { + * Function declarations + ******************************************************************************/ + +-extern ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize); ++extern NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx, ++ DALLOC_CTX *d, ++ struct mdssvc_blob *b, ++ size_t max_fragment_size); ++ + extern bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize); + + #endif +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 82d46987e40..b75fb7812ed 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -1725,11 +1725,11 @@ error: + **/ + bool mds_dispatch(struct mds_ctx *mds_ctx, + struct mdssvc_blob *request_blob, +- struct mdssvc_blob *response_blob) ++ struct mdssvc_blob *response_blob, ++ size_t max_fragment_size) + { + bool ok; + int ret; +- ssize_t len; + DALLOC_CTX *query = NULL; + DALLOC_CTX *reply = NULL; + char *rpccmd; +@@ -1737,6 +1737,7 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + const struct smb_filename conn_basedir = { + .base_name = mds_ctx->conn->connectpath, + }; ++ NTSTATUS status; + + if (CHECK_DEBUGLVL(10)) { + const struct sl_query *slq; +@@ -1803,15 +1804,14 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + + DBG_DEBUG("%s", dalloc_dump(reply, 0)); + +- len = sl_pack(reply, +- (char *)response_blob->spotlight_blob, +- response_blob->size); +- if (len == -1) { +- DBG_ERR("error packing Spotlight RPC reply\n"); +- ok = false; ++ status = sl_pack_alloc(response_blob, ++ reply, ++ response_blob, ++ max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { ++ DBG_ERR("sl_pack_alloc() failed\n"); + goto cleanup; + } +- response_blob->length = len; + + cleanup: + talloc_free(query); +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index a09799130f5..2ff717dd7ff 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -159,7 +159,8 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx, + const char *path); + extern bool mds_dispatch(struct mds_ctx *query_ctx, + struct mdssvc_blob *request_blob, +- struct mdssvc_blob *response_blob); ++ struct mdssvc_blob *response_blob, ++ size_t max_fragment_size); + bool mds_add_result(struct sl_query *slq, const char *path); + + #endif /* _MDSSVC_H */ +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index f89a187bd3f..bba16118a51 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -267,7 +267,10 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + /* We currently don't use fragmentation at the mdssvc RPC layer */ + *r->out.fragment = 0; + +- ok = mds_dispatch(mds_ctx, &r->in.request_blob, r->out.response_blob); ++ ok = mds_dispatch(mds_ctx, ++ &r->in.request_blob, ++ r->out.response_blob, ++ r->in.max_fragment_size1); + if (ok) { + *r->out.unkn9 = 0; + } else { +diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c +index a0a1d10c45f..e006bb84b43 100644 +--- a/source3/rpcclient/cmd_spotlight.c ++++ b/source3/rpcclient/cmd_spotlight.c +@@ -43,7 +43,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + uint32_t unkn3; /* server always returns 0 ? */ + struct mdssvc_blob request_blob; + struct mdssvc_blob response_blob; +- ssize_t len; + uint32_t max_fragment_size = 64 * 1024; + DALLOC_CTX *d, *mds_reply; + uint64_t *uint64var; +@@ -137,20 +136,10 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + goto done; + } + +- request_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size); +- if (request_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- if (len == -1) { +- status = NT_STATUS_INTERNAL_ERROR; ++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- request_blob.length = len; +- request_blob.size = len; + + status = dcerpc_mdssvc_cmd(b, mem_ctx, + &share_handle, +@@ -204,7 +193,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + uint32_t unkn3; /* server always returns 0 ? */ + struct mdssvc_blob request_blob; + struct mdssvc_blob response_blob; +- ssize_t len; + uint32_t max_fragment_size = 64 * 1024; + DALLOC_CTX *d, *mds_reply; + uint64_t *uint64var; +@@ -352,22 +340,10 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + goto done; + } + +- request_blob.spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- max_fragment_size); +- if (request_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- if (len == -1) { +- status = NT_STATUS_INTERNAL_ERROR; ++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- request_blob.length = len; +- request_blob.size = len; + + status = dcerpc_mdssvc_cmd(b, mem_ctx, + &share_handle, +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 76a740c41db..e670eb9bfca 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -745,11 +745,9 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx, + ok, done, "dalloc_new failed\n"); + request_blob.size = 64 * 1024; + +- request_blob.length = sl_pack(d, +- (char *)request_blob.spotlight_blob, +- request_blob.size); +- torture_assert_goto(tctx, request_blob.length > 0, +- ok, done, "sl_pack failed\n"); ++ status = sl_pack_alloc(tctx, d, &request_blob, 64 * 1024); ++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, ++ "sl_pack_alloc() failed\n"); + + status = dcerpc_mdssvc_cmd(b, + state, +@@ -836,7 +834,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + const char *path_type = NULL; + uint64_t ino64; + NTSTATUS status; +- ssize_t len; + int ret; + bool ok = true; + +@@ -901,18 +898,9 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + ret = dalloc_add(array, cnids, sl_cnids_t); + torture_assert_goto(tctx, ret == 0, ret, done, "dalloc_add failed\n"); + +- request_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- max_fragment_size); +- torture_assert_not_null_goto(tctx, request_blob.spotlight_blob, +- ret, done, "dalloc_zero failed\n"); +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n"); +- +- request_blob.length = len; +- request_blob.size = len; ++ status = sl_pack_alloc(tctx, d, &request_blob, max_fragment_size); ++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, ++ "sl_pack_alloc() failed\n"); + + status = dcerpc_mdssvc_cmd(b, + state, +-- +2.41.0 + diff --git a/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch b/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch new file mode 100644 index 0000000000000..59be69ef07dab --- /dev/null +++ b/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch @@ -0,0 +1,504 @@ +From 6a5e5daf6901a6e963b19f2697656ac0c54b2553 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sat, 17 Jun 2023 13:53:27 +0200 +Subject: [PATCH 20/21] CVE-2023-34968: mdscli: return share relative paths +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The next commit will change the Samba Spotlight server to return absolute paths +that start with the sharename as "/SHARENAME/..." followed by the share path +relative appended. + +So given a share + + [spotlight] + path = /foo/bar + spotlight = yes + +and a file inside this share with a full path of + + /foo/bar/dir/file + +previously a search that matched this file would returns the absolute +server-side pato of the file, ie + + /foo/bar/dir/file + +This will be change to + + /spotlight/dir/file + +As currently the mdscli library and hence the mdsearch tool print out these +paths returned from the server, we have to change the output to accomodate these +fake paths. The only way to do this sensibly is by makeing the paths relative to +the containing share, so just + + dir/file + +in the example above. + +The client learns about the share root path prefix – real server-side of fake in +the future – in an initial handshake in the "share_path" out argument of the +mdssvc_open() RPC call, so the client can use this path to convert the absolute +path to relative. + +There is however an additional twist: the macOS Spotlight server prefixes this +absolute path with another prefix, typically "/System/Volumes/Data", so in the +example above the full path for the same search would be + + /System/Volumes/Data/foo/bar/dir/file + +So macOS does return the full server-side path too, just prefixed with an +additional path. This path prefixed can be queried by the client in the +mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:" +and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba +just returns "/" for this. + +Currently the mdscli library doesn't issue this Spotlight RPC +request (fetchPropertiesForContext), so this is added in this commit. In the +end, all search result paths are stripped of the combined prefix + + kMDSStorePathScopes + share_path (from mdssvc_open). + +eg + + kMDSStorePathScopes = /System/Volumes/Data + share_path = /foo/bar + search result = /System/Volumes/Data/foo/bar/dir/file + relative path returned by mdscli = dir/file + +Makes sense? :) + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + python/samba/tests/blackbox/mdfind.py | 8 +- + python/samba/tests/dcerpc/mdssvc.py | 26 ++-- + source3/rpc_client/cli_mdssvc.c | 155 +++++++++++++++++++++++- + source3/rpc_client/cli_mdssvc_private.h | 4 + + source3/rpc_client/cli_mdssvc_util.c | 68 +++++++++++ + source3/rpc_client/cli_mdssvc_util.h | 4 + + 6 files changed, 245 insertions(+), 20 deletions(-) + +diff --git a/python/samba/tests/blackbox/mdfind.py b/python/samba/tests/blackbox/mdfind.py +index 5c1c0c3d155..62f4d38f17d 100644 +--- a/python/samba/tests/blackbox/mdfind.py ++++ b/python/samba/tests/blackbox/mdfind.py +@@ -76,10 +76,7 @@ class MdfindBlackboxTests(BlackboxTestCase): + self.t.start() + time.sleep(1) + +- pipe = mdssvc.mdssvc('ncacn_np:fileserver[/pipe/mdssvc]', self.get_loadparm()) +- conn = mdscli.conn(pipe, 'spotlight', '/foo') +- self.sharepath = conn.sharepath() +- conn.disconnect(pipe) ++ self.sharepath = os.environ["LOCAL_PATH"] + + for file in testfiles: + f = open("%s/%s" % (self.sharepath, file), "w") +@@ -126,5 +123,4 @@ class MdfindBlackboxTests(BlackboxTestCase): + output = self.check_output("mdfind -s %s -U %s%%%s fileserver spotlight '*==\"samba*\"'" % (config, username, password)) + + actual = output.decode('utf-8').splitlines() +- expected = ["%s/%s" % (self.sharepath, file) for file in testfiles] +- self.assertEqual(expected, actual) ++ self.assertEqual(testfiles, actual) +diff --git a/python/samba/tests/dcerpc/mdssvc.py b/python/samba/tests/dcerpc/mdssvc.py +index b0df509ddc7..5002e5d26d6 100644 +--- a/python/samba/tests/dcerpc/mdssvc.py ++++ b/python/samba/tests/dcerpc/mdssvc.py +@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase): + self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,)) + self.t.setDaemon(True) + self.t.start() ++ self.sharepath = os.environ["LOCAL_PATH"] + time.sleep(1) + + conn = mdscli.conn(self.pipe, 'spotlight', '/foo') +- self.sharepath = conn.sharepath() ++ self.fakepath = conn.sharepath() + conn.disconnect(self.pipe) + + for file in testfiles: +@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase): + self.server.serve_forever() + + def run_test(self, query, expect, json_in, json_out): +- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect] + self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath) + self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath) + + self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo') +- search = self.conn.search(self.pipe, query, self.sharepath) ++ search = self.conn.search(self.pipe, query, self.fakepath) + + # Give it some time, the get_results() below returns immediately + # what's available, so if we ask to soon, we might get back no results +@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase): + ] + } + }''' +- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"] ++ exp_results = ["foo", "bar"] + self.run_test('*=="samba*"', exp_results, exp_json_query, fake_json_response) + + def test_mdscli_search_escapes(self): +@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase): + } + }''' + exp_results = [ +- r"%BASEPATH%/x+x", +- r"%BASEPATH%/x*x", +- r"%BASEPATH%/x=x", +- r"%BASEPATH%/x'x", +- r"%BASEPATH%/x?x", +- r"%BASEPATH%/x x", +- r"%BASEPATH%/x(x", +- "%BASEPATH%/x\"x", +- r"%BASEPATH%/x\x", ++ r"x+x", ++ r"x*x", ++ r"x=x", ++ r"x'x", ++ r"x?x", ++ r"x x", ++ r"x(x", ++ "x\"x", ++ r"x\x", + ] + self.run_test(sl_query, exp_results, exp_json_query, fake_json_response) +diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c +index 07c19b51dd4..03aed61c00c 100644 +--- a/source3/rpc_client/cli_mdssvc.c ++++ b/source3/rpc_client/cli_mdssvc.c +@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx, + struct mdscli_connect_state { + struct tevent_context *ev; + struct mdscli_ctx *mdscli_ctx; ++ struct mdssvc_blob response_blob; + }; + + static void mdscli_connect_open_done(struct tevent_req *subreq); + static void mdscli_connect_unknown1_done(struct tevent_req *subreq); ++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq); + + struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req *subreq) + struct mdscli_connect_state *state = tevent_req_data( + req, struct mdscli_connect_state); + struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ size_t share_path_len; + NTSTATUS status; + + status = dcerpc_mdssvc_open_recv(subreq, state); +@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req *subreq) + return; + } + ++ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path); ++ if (share_path_len < 1 || share_path_len > UINT16_MAX) { ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ mdscli_ctx->mdscmd_open.share_path_len = share_path_len; ++ ++ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') { ++ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0'; ++ mdscli_ctx->mdscmd_open.share_path_len--; ++ } ++ + subreq = dcerpc_mdssvc_unknown1_send( + state, + state->ev, +@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq) + subreq, struct tevent_req); + struct mdscli_connect_state *state = tevent_req_data( + req, struct mdscli_connect_state); ++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ struct mdssvc_blob request_blob; + NTSTATUS status; + + status = dcerpc_mdssvc_unknown1_recv(subreq, state); +@@ -154,6 +171,108 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq) + return; + } + ++ status = mdscli_blob_fetch_props(state, ++ state->mdscli_ctx, ++ &request_blob); ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ ++ subreq = dcerpc_mdssvc_cmd_send(state, ++ state->ev, ++ mdscli_ctx->bh, ++ &mdscli_ctx->ph, ++ 0, ++ mdscli_ctx->dev, ++ mdscli_ctx->mdscmd_open.unkn2, ++ 0, ++ mdscli_ctx->flags, ++ request_blob, ++ 0, ++ mdscli_ctx->max_fragment_size, ++ 1, ++ mdscli_ctx->max_fragment_size, ++ 0, ++ 0, ++ &mdscli_ctx->mdscmd_cmd.fragment, ++ &state->response_blob, ++ &mdscli_ctx->mdscmd_cmd.unkn9); ++ if (tevent_req_nomem(subreq, req)) { ++ return; ++ } ++ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req); ++ mdscli_ctx->async_pending++; ++ return; ++} ++ ++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq) ++{ ++ struct tevent_req *req = tevent_req_callback_data( ++ subreq, struct tevent_req); ++ struct mdscli_connect_state *state = tevent_req_data( ++ req, struct mdscli_connect_state); ++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ DALLOC_CTX *d = NULL; ++ sl_array_t *path_scope_array = NULL; ++ char *path_scope = NULL; ++ NTSTATUS status; ++ bool ok; ++ ++ status = dcerpc_mdssvc_cmd_recv(subreq, state); ++ TALLOC_FREE(subreq); ++ state->mdscli_ctx->async_pending--; ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ ++ d = dalloc_new(state); ++ if (tevent_req_nomem(d, req)) { ++ return; ++ } ++ ++ ok = sl_unpack(d, ++ (char *)state->response_blob.spotlight_blob, ++ state->response_blob.length); ++ if (!ok) { ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ path_scope_array = dalloc_value_for_key(d, ++ "DALLOC_CTX", 0, ++ "kMDSStorePathScopes", ++ "sl_array_t"); ++ if (path_scope_array == NULL) { ++ DBG_ERR("Missing kMDSStorePathScopes\n"); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ path_scope = dalloc_get(path_scope_array, "char *", 0); ++ if (path_scope == NULL) { ++ DBG_ERR("Missing path in kMDSStorePathScopes\n"); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ mdscli_ctx->path_scope_len = strlen(path_scope); ++ if (mdscli_ctx->path_scope_len < 1 || ++ mdscli_ctx->path_scope_len > UINT16_MAX) ++ { ++ DBG_ERR("Bad path_scope: %s\n", path_scope); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope); ++ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) { ++ return; ++ } ++ ++ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') { ++ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0'; ++ mdscli_ctx->path_scope_len--; ++ } ++ + tevent_req_done(req); + } + +@@ -697,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq) + struct mdscli_get_path_state *state = tevent_req_data( + req, struct mdscli_get_path_state); + DALLOC_CTX *d = NULL; ++ size_t pathlen; ++ size_t prefixlen; + char *path = NULL; ++ const char *p = NULL; + NTSTATUS status; + bool ok; + +@@ -732,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq) + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return; + } +- state->path = talloc_move(state, &path); ++ ++ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */ ++ pathlen = strlen(path); ++ ++ /* ++ * path_scope_len and share_path_len are already checked to be smaller ++ * then UINT16_MAX so this can't overflow ++ */ ++ prefixlen = state->mdscli_ctx->path_scope_len ++ + state->mdscli_ctx->mdscmd_open.share_path_len; ++ ++ if (pathlen < prefixlen) { ++ DBG_DEBUG("Bad path: %s\n", path); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return; ++ } ++ ++ p = path + prefixlen; ++ while (*p == '/') { ++ p++; ++ } ++ if (*p == '\0') { ++ DBG_DEBUG("Bad path: %s\n", path); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return; ++ } ++ ++ state->path = talloc_strdup(state, p); ++ if (state->path == NULL) { ++ tevent_req_nterror(req, NT_STATUS_NO_MEMORY); ++ return; ++ } + DBG_DEBUG("path: %s\n", state->path); + + tevent_req_done(req); +diff --git a/source3/rpc_client/cli_mdssvc_private.h b/source3/rpc_client/cli_mdssvc_private.h +index 031af85bf58..77f300c09cc 100644 +--- a/source3/rpc_client/cli_mdssvc_private.h ++++ b/source3/rpc_client/cli_mdssvc_private.h +@@ -42,6 +42,7 @@ struct mdscli_ctx { + /* cmd specific or unknown fields */ + struct { + char share_path[1025]; ++ size_t share_path_len; + uint32_t unkn2; + uint32_t unkn3; + } mdscmd_open; +@@ -56,6 +57,9 @@ struct mdscli_ctx { + struct { + uint32_t status; + } mdscmd_close; ++ ++ char *path_scope; ++ size_t path_scope_len; + }; + + struct mdscli_search_ctx { +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index a39202d0c99..1eaaca715a8 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -28,6 +28,74 @@ + #include "rpc_server/mdssvc/dalloc.h" + #include "rpc_server/mdssvc/marshalling.h" + ++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx, ++ struct mdscli_ctx *ctx, ++ struct mdssvc_blob *blob) ++{ ++ DALLOC_CTX *d = NULL; ++ uint64_t *uint64p = NULL; ++ sl_array_t *array = NULL; ++ sl_array_t *cmd_array = NULL; ++ NTSTATUS status; ++ int ret; ++ ++ d = dalloc_new(mem_ctx); ++ if (d == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ array = dalloc_zero(d, sl_array_t); ++ if (array == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_add(d, array, sl_array_t); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ cmd_array = dalloc_zero(d, sl_array_t); ++ if (cmd_array == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_add(array, cmd_array, sl_array_t); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_stradd(cmd_array, "fetchPropertiesForContext:"); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ uint64p = talloc_zero_array(cmd_array, uint64_t, 2); ++ if (uint64p == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ talloc_set_name(uint64p, "uint64_t *"); ++ ++ ret = dalloc_add(cmd_array, uint64p, uint64_t *); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); ++ TALLOC_FREE(d); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ return NT_STATUS_OK; ++} ++ + NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + struct mdscli_search_ctx *search, + struct mdssvc_blob *blob) +diff --git a/source3/rpc_client/cli_mdssvc_util.h b/source3/rpc_client/cli_mdssvc_util.h +index 7a98c854526..3f324758c70 100644 +--- a/source3/rpc_client/cli_mdssvc_util.h ++++ b/source3/rpc_client/cli_mdssvc_util.h +@@ -21,6 +21,10 @@ + #ifndef _MDSCLI_UTIL_H_ + #define _MDSCLI_UTIL_H_ + ++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx, ++ struct mdscli_ctx *ctx, ++ struct mdssvc_blob *blob); ++ + NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + struct mdscli_search_ctx *search, + struct mdssvc_blob *blob); +-- +2.41.0 + diff --git a/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch b/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch new file mode 100644 index 0000000000000..d33138fa2212b --- /dev/null +++ b/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch @@ -0,0 +1,222 @@ +From 7aa1e167ee35e2e2f07e83156ee8e7d54bdd4989 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 5 Jun 2023 18:02:20 +0200 +Subject: [PATCH 21/21] CVE-2023-34968: mdssvc: return a fake share path + +Instead of returning the real server-side absolute path of shares and search +results, return a fake absolute path replacing the path of the share with the +share name, iow for a share "test" with a server-side path of "/foo/bar", we +previously returned + + /foo/bar and + /foo/bar/search/result + +and now return + + /test and + /test/search/result + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/mdssvc/mdssvc.c | 61 +++++++++++++++++++++-- + source3/rpc_server/mdssvc/mdssvc.h | 1 + + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 23 +++++++-- + 3 files changed, 78 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index b75fb7812ed..e9d464527b3 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -519,11 +519,14 @@ static bool inode_map_add(struct sl_query *slq, + bool mds_add_result(struct sl_query *slq, const char *path) + { + struct smb_filename *smb_fname = NULL; ++ const char *relative = NULL; ++ char *fake_path = NULL; + struct stat_ex sb; + uint32_t attr; + uint64_t ino64; + int result; + NTSTATUS status; ++ bool sub; + bool ok; + + smb_fname = synthetic_smb_fname(talloc_tos(), +@@ -614,6 +617,17 @@ bool mds_add_result(struct sl_query *slq, const char *path) + } + } + ++ sub = subdir_of(slq->mds_ctx->spath, ++ slq->mds_ctx->spath_len, ++ path, ++ &relative); ++ if (!sub) { ++ DBG_ERR("[%s] is not inside [%s]\n", ++ path, slq->mds_ctx->spath); ++ slq->state = SLQ_STATE_ERROR; ++ return false; ++ } ++ + /* + * Add inode number and filemeta to result set, this is what + * we return as part of the result set of a query +@@ -626,18 +640,30 @@ bool mds_add_result(struct sl_query *slq, const char *path) + slq->state = SLQ_STATE_ERROR; + return false; + } ++ ++ fake_path = talloc_asprintf(slq, ++ "/%s/%s", ++ slq->mds_ctx->sharename, ++ relative); ++ if (fake_path == NULL) { ++ slq->state = SLQ_STATE_ERROR; ++ return false; ++ } ++ + ok = add_filemeta(slq->mds_ctx, + slq->reqinfo, + slq->query_results->fm_array, +- path, ++ fake_path, + &sb); + if (!ok) { + DBG_ERR("add_filemeta error\n"); ++ TALLOC_FREE(fake_path); + slq->state = SLQ_STATE_ERROR; + return false; + } + +- ok = inode_map_add(slq, ino64, path, &sb); ++ ok = inode_map_add(slq, ino64, fake_path, &sb); ++ TALLOC_FREE(fake_path); + if (!ok) { + DEBUG(1, ("inode_map_add error\n")); + slq->state = SLQ_STATE_ERROR; +@@ -844,6 +870,32 @@ static void slq_close_timer(struct tevent_context *ev, + } + } + ++/** ++ * Translate a fake scope from the client like /sharename/dir ++ * to the real server-side path, replacing the "/sharename" part ++ * with the absolute server-side path of the share. ++ **/ ++static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope) ++{ ++ size_t sname_len = strlen(slq->mds_ctx->sharename); ++ size_t fake_scope_len = strlen(fake_scope); ++ ++ if (fake_scope_len < sname_len + 1) { ++ DBG_ERR("Short scope [%s] for share [%s]\n", ++ fake_scope, slq->mds_ctx->sharename); ++ return false; ++ } ++ ++ slq->path_scope = talloc_asprintf(slq, ++ "%s%s", ++ slq->mds_ctx->spath, ++ fake_scope + sname_len + 1); ++ if (slq->path_scope == NULL) { ++ return false; ++ } ++ return true; ++} ++ + /** + * Begin a search query + **/ +@@ -950,8 +1002,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + goto error; + } + +- slq->path_scope = talloc_strdup(slq, scope); +- if (slq->path_scope == NULL) { ++ ok = mdssvc_real_scope(slq, scope); ++ if (!ok) { + goto error; + } + +@@ -1660,6 +1712,7 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx, + if (mds_ctx->spath == NULL) { + goto error; + } ++ mds_ctx->spath_len = strlen(path); + + mds_ctx->snum = snum; + mds_ctx->pipe_session_info = session_info; +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index 2ff717dd7ff..2f12f4f9f84 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -127,6 +127,7 @@ struct mds_ctx { + int snum; + const char *sharename; + const char *spath; ++ size_t spath_len; + struct connection_struct *conn; + struct sl_query *query_list; /* list of active queries */ + struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */ +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index bba16118a51..08ba3ad0c76 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -120,6 +120,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r) + loadparm_s3_global_substitution(); + int snum; + char *outpath = discard_const_p(char, r->out.share_path); ++ char *fake_path = NULL; + char *path; + NTSTATUS status; + +@@ -137,8 +138,17 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r) + + path = lp_path(talloc_tos(), lp_sub, snum); + if (path == NULL) { +- DBG_ERR("Couldn't create policy handle for %s\n", ++ DBG_ERR("Couldn't create path for %s\n", ++ r->in.share_name); ++ p->fault_state = DCERPC_FAULT_CANT_PERFORM; ++ return; ++ } ++ ++ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name); ++ if (fake_path == NULL) { ++ DBG_ERR("Couldn't create fake share path for %s\n", + r->in.share_name); ++ talloc_free(path); + p->fault_state = DCERPC_FAULT_CANT_PERFORM; + return; + } +@@ -148,16 +158,23 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r) + r->in.share_name, + path, + r->out.handle); ++ if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_VOLUME)) { ++ ZERO_STRUCTP(r->out.handle); ++ talloc_free(path); ++ talloc_free(fake_path); ++ return; ++ } + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("Couldn't create policy handle for %s\n", + r->in.share_name); + talloc_free(path); ++ talloc_free(fake_path); + p->fault_state = DCERPC_FAULT_CANT_PERFORM; + return; + } + +- strlcpy(outpath, path, 1024); +- talloc_free(path); ++ strlcpy(outpath, fake_path, 1024); ++ talloc_free(fake_path); + return; + } + +-- +2.41.0 +