The Samba-Bugzilla – Attachment 16021 Details for Bug 14402: CVE-2020-10760 [SECURITY] Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV
[patch] initial patch for master: 0001-dsdb-Ensure-a-proper-talloc-tree-for-saved-controls.patch (text/plain), 2.63 KB, created by Andrew Bartlett on 2020-06-05 10:37:20 UTC
>From 4b6ddfce5efa59d6bfaefed04e2fa495eb7a50d5 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 5 Jun 2020 22:14:48 +1200 >Subject: [PATCH] dsdb: Ensure a proper talloc tree for saved controls > >Otherwise a paged search on the GC port will fail as the ->data was >not kept around for the second page of searches. > >An example command to produce this is > bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD > >This shows up later in the partition module as: > >ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260 >READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0)) > #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526 > #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559 > #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582 > #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780 > >or > >smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value >(from source4/dsdb/samdb/ldb_modules/partition.c:780) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/paged_results.c | 8 ++++++++ > source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 7 +++++++ > 2 files changed, 15 insertions(+) > >diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c >index 735883e8802..3eea3236e7d 100644 >--- a/source4/dsdb/samdb/ldb_modules/paged_results.c >+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c 
>@@ -523,6 +523,14 @@ paged_results_copy_down_controls(TALLOC_CTX *mem_ctx, > continue; > } > new_controls[j] = talloc_steal(new_controls, control); >+ >+ /* >+ * Sadly the caller is not obliged to make this a >+ * proper talloc tree, so we do so here. >+ */ >+ if (control->data) { >+ talloc_steal(control, control->data); >+ } > j++; > } > new_controls[j] = NULL; >diff --git a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c >index b103bda5f52..d6d6039e849 100644 >--- a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c >+++ b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c >@@ -746,6 +746,13 @@ vlv_copy_down_controls(TALLOC_CTX *mem_ctx, struct ldb_control **controls) > continue; > } > new_controls[j] = talloc_steal(new_controls, control); >+ /* >+ * Sadly the caller is not obliged to make this a >+ * proper talloc tree, so we do so here. >+ */ >+ if (control->data) { >+ talloc_steal(control, control->data); >+ } > j++; > } > new_controls[j] = NULL; >-- >2.17.1 >
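Review bot: in paged_results_copy_down_controls(), the added talloc_steal(control, control->data) changes who owns memory that the caller allocated, but the comment above it only says the caller "is not obliged" to build a proper talloc tree. State the resulting invariant in the comment: after the copy, data is a child of its control and control is a child of new_controls, so the saved controls and their data are freed together with new_controls and not before. The diffstat also lists only the two module files, so the ldbsearch --paged reproducer against port 3268 from the commit message is not captured as a regression test; adding one would keep the second-page failure from returning unnoticed.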
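Review bot: the block added in vlv_copy_down_controls() is the same comment and talloc_steal(control, control->data) call as the one added to paged_results_copy_down_controls(), so the fix now exists as two copies that can drift apart. Consider a small shared helper that steals a control and its data together, called from both loops. Minor style point: this copy has no blank line before the comment while the paged_results.c copy does; pick one form for both.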