The Samba-Bugzilla – Attachment 15658 Details for Bug 14206: dnsProperty round-trip memory handling error in fuzzer (only)
Attachment 15658 [patch]
Description: patch for master: mitigate this at the IDL level
Filename: 0001-librpc-idl-dnsserver.idl-Ensure-DnsProperty-id-match.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2019-12-01 23:13:03 UTC
Size: 2.37 KB
Flags: patch, obsolete
>From ac3895347207976e3d84348f13be92aeeb267ca5 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Mon, 2 Dec 2019 11:20:31 +1300
>Subject: [PATCH] librpc/idl/dnsserver.idl: Ensure DnsProperty id matches what
> is pulled from the stored buffer
>
>There are two concerns here, assuming the attacker can place arbitrary values
>in a dnsProperty attribute over LDAP (eg is a DNS administrator).
>
>This comes from the fact that id is used as the switch value at the C layer
>but at the NDR layer the wDataLength value is considered first.
>
>One concern is that a pull/push round-trip could include server memory:
>
> The previous switch_is() behaviour could store the server memory back
> into the attribute.
>
> However this pattern of pull/push only happens in ndrdump and fuzzing tools, as
> dnsserver_db_do_reset_dword() operates only on the uint32/bitmap union
> arms, and fully initialises those.
>
>The other is that a pull of the attacker-supplied value could
>cause the server to expose memory.
>
> This would be over the network via DNS or the RPC dnsserver protocols.
> However at all times the ndr_pull_struct_blob is passed zeroed memory.
>
>The final concern (which fuzz_ndr_X found) is that in the ndr_size_dnsPropertyData()
>the union discriminant is only id.
>
> This has no impact as only zeroed memory is used so there will be a
> zero value in all scalars, including data->d_ns_servers.AddrArray.
>
> Therefore the server will not crash processing the attacker-supplied blob
>
>This was known as CVE-2019-14908 before being triaged back to a normal bug.
>
>Found by Douglas Bagnall using Honggfuzz and the new fuzz_ndr_X fuzzer.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14206
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> librpc/idl/dnsp.idl | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
>index 1bbcaca6bfa..47a51d540cc 100644
>--- a/librpc/idl/dnsp.idl
>+++ b/librpc/idl/dnsp.idl >@@ -256,8 +256,8 @@ interface dnsp > uint32 namelength; > [value(0)] uint32 flag; > [value(1)] uint32 version; >- dns_property_id id; >- [switch_is(wDataLength?id:DSPROPERTY_ZONE_EMPTY)] dnsPropertyData data; >+ [range(DSPROPERTY_ZONE_EMPTY, (r->wDataLength > 0 ? DSPROPERTY_ZONE_NODE_DBFLAGS : 0))] dns_property_id id; >+ [switch_is(id)] dnsPropertyData data; > uint32 name; > } dnsp_DnsProperty; > } >-- >2.17.1 >
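Review bot: the false arm of the ternary in the new range() attribute is a bare 0 rather than DSPROPERTY_ZONE_EMPTY, so the bounds only make sense if DSPROPERTY_ZONE_EMPTY is defined as 0; if it is not, the lower bound exceeds the upper bound for every record with wDataLength == 0 and all such records fail to pull. Suggest `[range(DSPROPERTY_ZONE_EMPTY, (r->wDataLength > 0 ? DSPROPERTY_ZONE_NODE_DBFLAGS : DSPROPERTY_ZONE_EMPTY))] dns_property_id id;` so the intent is explicit and does not depend on the enum's numbering. Two behaviour points also deserve a line in the commit message: the upper bound hard-codes DSPROPERTY_ZONE_NODE_DBFLAGS as the highest dns_property_id, so any id added to the enum later is rejected as a range error until this attribute is updated; and the removed `[switch_is(wDataLength?id:DSPROPERTY_ZONE_EMPTY)]` tolerated a stored record with wDataLength == 0 and a non-zero id by decoding it as the empty arm, whereas the new range() turns the same record into a pull failure, which changes how any such record already present in a database is handled.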
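The mechanism the commit message describes, as an added illustration that is not Samba code: a stripped-down dnsp_DnsProperty whose "pull" uses the pre-patch discriminant (wDataLength ? id : EMPTY), whose "push/size" side switches on id alone as ndr_size_dnsPropertyData() did, and a second pull that applies the patch's range() rule. The property ids, the single uint32 union arm, the return codes and the 0xDEADBEEF sentinel (standing in for stale memory, since the message notes that real callers pass zeroed memory) are all assumptions made for the example; the real enum and union in librpc/idl/dnsp.idl have more members and are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ids for this illustration (not the real dns_property_id). */
enum prop_id { PROP_EMPTY = 0, PROP_ZONE_TYPE = 1, PROP_ZONE_DBFLAGS = 0x100 };

struct dns_property {
    uint32_t wDataLength, namelength, flag, version, id;
    union { uint32_t dword; } data;   /* both non-empty arms are a uint32 here */
};

enum { RC_OK = 0, RC_SHORT = -1, RC_BAD_SWITCH = -2, RC_RANGE = -3 };

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Five leading uint32 scalars, mirroring dnsp_DnsProperty (trailing name omitted). */
static int pull_header(const uint8_t *buf, size_t len, struct dns_property *r)
{
    if (len < 20) return RC_SHORT;
    r->wDataLength = get_le32(buf);      r->namelength = get_le32(buf + 4);
    r->flag = get_le32(buf + 8);         r->version = get_le32(buf + 12);
    r->id = get_le32(buf + 16);
    return RC_OK;
}

static int pull_arm(const uint8_t *buf, size_t len, uint32_t level, struct dns_property *r)
{
    switch (level) {
    case PROP_EMPTY:        return RC_OK;   /* nothing pulled; r->data left as it was */
    case PROP_ZONE_TYPE:
    case PROP_ZONE_DBFLAGS: if (len < 24) return RC_SHORT;
                            r->data.dword = get_le32(buf + 20); return RC_OK;
    default:                return RC_BAD_SWITCH;
    }
}

/* Pre-patch IDL: switch_is(wDataLength ? id : DSPROPERTY_ZONE_EMPTY). */
static int pull_old(const uint8_t *buf, size_t len, struct dns_property *r)
{
    int rc = pull_header(buf, len, r);
    return rc ? rc : pull_arm(buf, len, r->wDataLength ? r->id : PROP_EMPTY, r);
}

/* Patched IDL: range() pins id to EMPTY when wDataLength == 0, caps it at the
 * highest id otherwise, then switch_is(id). */
static int pull_new(const uint8_t *buf, size_t len, struct dns_property *r)
{
    int rc = pull_header(buf, len, r);
    if (rc) return rc;
    uint32_t max_id = r->wDataLength > 0 ? PROP_ZONE_DBFLAGS : PROP_EMPTY;
    if (r->id > max_id) return RC_RANGE;          /* NDR_ERR_RANGE in real NDR */
    return pull_arm(buf, len, r->id, r);
}

/* The C-side consumer (size/push) only ever looks at id. */
static size_t size_by_id(const struct dns_property *r, uint32_t *arm)
{
    switch (r->id) {
    case PROP_ZONE_TYPE:
    case PROP_ZONE_DBFLAGS: *arm = r->data.dword; return 4;
    default:                return 0;
    }
}

/* Constructed blob: header scalars, then an optional uint32 arm. */
static size_t make_blob(uint8_t out[24], uint32_t wlen, uint32_t id, uint32_t value)
{
    put_le32(out, wlen);     put_le32(out + 4, 0);   put_le32(out + 8, 0);
    put_le32(out + 12, 1);   put_le32(out + 16, id); put_le32(out + 20, value);
    return wlen ? 24 : 20;
}

/* wDataLength = 0 but id = DBFLAGS: the old pull skips the arm, the push reads
 * it by id, so the struct's prior contents (the sentinel) are emitted. */
uint32_t old_roundtrip_emits(void)
{
    uint8_t blob[24]; struct dns_property r; uint32_t arm = 0;
    size_t n = make_blob(blob, 0, PROP_ZONE_DBFLAGS, 0);
    memset(&r, 0, sizeof r); r.data.dword = 0xDEADBEEFu;
    if (pull_old(blob, n, &r) != RC_OK) return 0;
    return size_by_id(&r, &arm) == 4 ? arm : 0;
}

/* The same blob under the patched rule is rejected before any arm is touched. */
int new_pull_result_for_mismatch(void)
{
    uint8_t blob[24]; struct dns_property r;
    size_t n = make_blob(blob, 0, PROP_ZONE_DBFLAGS, 0);
    memset(&r, 0, sizeof r);
    return pull_new(blob, n, &r);
}

/* A consistent record still pulls, and the push sees the pulled value, not the sentinel. */
uint32_t new_roundtrip_emits_valid(void)
{
    uint8_t blob[24]; struct dns_property r; uint32_t arm = 0;
    size_t n = make_blob(blob, 4, PROP_ZONE_TYPE, 7);
    memset(&r, 0, sizeof r); r.data.dword = 0xDEADBEEFu;
    if (pull_new(blob, n, &r) != RC_OK) return 0;
    return size_by_id(&r, &arm) == 4 ? arm : 0;
}

int main(void)
{
    printf("old IDL round-trip emits 0x%08x\n", old_roundtrip_emits());
    printf("new IDL pull of mismatched blob: rc %d\n", new_pull_result_for_mismatch());
    printf("new IDL valid round-trip emits %u\n", new_roundtrip_emits_valid());
    return 0;
}
```

The sentinel is what a fuzzer or ndrdump round-trip would copy back into the attribute; with the zeroed memory that the server's real callers pass, the same path emits zeros, which is why the message downgrades the issue from a CVE. The range check closes the gap at the NDR layer so that every later consumer that switches on id alone sees the same discriminant the pull used.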
Attachments on bug 14206: 15641 | 15657 | 15658 | 15671