The Samba-Bugzilla – Attachment 16505 Details for
Bug 14571
CVE-2021-20254 [SECURITY] Buffer overrun in sids_to_unixids() [source3/passdb/lookup_sid.c]
[patch]
backport to 3.6
14571-3.6.patch (text/plain), 4.34 KB, created by
Noel Power
on 2021-03-09 08:44:13 UTC
Description:
backport to 3.6
Creator:
Noel Power
Created:
2021-03-09 08:44:13 UTC
Size:
4.34 KB
>From 48229f34423239d5f38faecb454b5d8cb2973b96 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Sat, 20 Feb 2021 15:50:12 +0100
>Subject: [PATCH 1/2] passdb: Simplify sids_to_unixids()
>
>Best reviewed with "git show -b", there's a "continue" statement that
>changes subsequent indentation.
>
>Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>---
> source3/passdb/lookup_sid.c | 21 +++++++++++++++++----
> 1 file changed, 17 insertions(+), 4 deletions(-)
>
>diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
>index 64a181e..a9dc12f 100644
>--- a/source3/passdb/lookup_sid.c
>+++ b/source3/passdb/lookup_sid.c
>@@ -27,6 +27,7 @@
> #include "idmap_cache.h"
> #include "../libcli/security/security.h"
> #include "lib/winbind_util.h"
>+#include "lib/util/bitmap.h"
>
> /*****************************************************************
> Dissect a user-provided name into domain, name, sid and type.
>@@ -1400,6 +1401,7 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
> {
> struct wbcDomainSid *wbc_sids = NULL;
> struct wbcUnixId *wbc_ids = NULL;
>+ struct bitmap *found = NULL;
> uint32_t i, num_not_cached;
> wbcErr err;
> bool ret = false;
>@@ -1408,6 +1410,10 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
> if (wbc_sids == NULL) {
> return false;
> }
>+ found = bitmap_talloc(wbc_sids, num_sids);
>+ if (found == NULL) {
>+ goto fail;
>+ }
>
> num_not_cached = 0;
>
>@@ -1417,34 +1423,40 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
>
> if (fetch_uid_from_cache(&ids[i].id.uid, &sids[i])) {
> ids[i].type = WBC_ID_TYPE_UID;
>+ bitmap_set(found, i);
> continue;
> }
> if (fetch_gid_from_cache(&ids[i].id.gid, &sids[i])) {
> ids[i].type = WBC_ID_TYPE_GID;
>+ bitmap_set(found, i);
> continue;
> }
> if (sid_peek_check_rid(&global_sid_Unix_Users,
> &sids[i], &rid)) {
> ids[i].type = WBC_ID_TYPE_UID;
> ids[i].id.uid = rid;
>+ bitmap_set(found, i);
> continue;
> }
> if (sid_peek_check_rid(&global_sid_Unix_Groups,
> &sids[i], &rid)) {
> ids[i].type = WBC_ID_TYPE_GID;
> ids[i].id.gid = rid;
>+ bitmap_set(found, i);
> continue;
> }
> if (idmap_cache_find_sid2uid(&sids[i], &ids[i].id.uid,
> &expired)
> && !expired && ids[i].id.uid != (uid_t)-1) {
> ids[i].type = WBC_ID_TYPE_UID;
>+ bitmap_set(found, i);
> continue;
> }
> if (idmap_cache_find_sid2gid(&sids[i], &ids[i].id.gid,
> &expired)
> && !expired && ids[i].id.gid != (gid_t)-1) {
> ids[i].type = WBC_ID_TYPE_GID;
>+ bitmap_set(found, i);
> continue;
> }
> ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
>@@ -1471,14 +1483,15 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
> num_not_cached = 0;
>
> for (i=0; i<num_sids; i++) {
>- if (ids[i].type == WBC_ID_TYPE_NOT_SPECIFIED) {
>- ids[i] = wbc_ids[num_not_cached];
>- num_not_cached += 1;
>+ if (bitmap_query(found, i)) {
>+ continue;
> }
>+ ids[i] = wbc_ids[num_not_cached];
>+ num_not_cached += 1;
> }
>
> for (i=0; i<num_sids; i++) {
>- if (ids[i].type != WBC_ID_TYPE_NOT_SPECIFIED) {
>+ if (bitmap_query(found, i)) {
> continue;
> }
> if (legacy_sid_to_gid(&sids[i], &ids[i].id.gid)) {
>--
>2.26.2
>
>
>From 8a7824453945e5b91a3b8c3ef11997091bc3e7eb Mon Sep 17 00:00:00 2001
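Review bot: The last loop in the `@@ -1471,14 +1483,15 @@` hunk now skips only entries marked in `found`, so an entry that winbind resolved in the copy-back loop just above it (type already UID or GID, but no `bitmap_set` for it) is no longer skipped and is passed on to `legacy_sid_to_gid()`. If a legacy lookup succeeds for such a SID it would replace the mapping winbind returned, and that mapping decides which Unix identity access checks run as; whether this can happen depends on code outside the hunk. Keeping the old type test next to the bitmap test preserves the previous behaviour: `if (bitmap_query(found, i) || ids[i].type != WBC_ID_TYPE_NOT_SPECIFIED) {`. The copy-back loop would also be easier to audit if the first pass's count were kept in its own variable and the `wbc_ids[num_not_cached]` index were checked against it before the read. The body of the last loop continues past the end of the hunk.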
>From: Jeremy Allison <jra@samba.org>
>Date: Mon, 22 Feb 2021 18:05:02 -0800
>Subject: [PATCH 2/2] passdb: Ensure we initialize both members of wbc_ids[]
> struct before lookup.
>
>The id.gid element will be read if wbcSidsToUnixIds()
>returns ID_TYPE_NOT_SPECIFIED for an array element,
>but wbcSidsToUnixIds() doesn't initialize it.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571
>
>Signed-off-by: Jeremy Allison <jra@samba.org>
>---
> source3/passdb/lookup_sid.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
>index a9dc12f..306160b 100644
>--- a/source3/passdb/lookup_sid.c
>+++ b/source3/passdb/lookup_sid.c
>@@ -1473,6 +1473,7 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
> }
> for (i=0; i<num_not_cached; i++) {
> wbc_ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED;
>+ wbc_ids[i].id.gid = (uint32_t)-1;
> }
> err = wbcSidsToUnixIds(wbc_sids, num_not_cached, wbc_ids);
> if (!WBC_ERROR_IS_OK(err)) {
>--
>2.26.2
>
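Review bot: The added `wbc_ids[i].id.gid = (uint32_t)-1;` uses a `uint32_t` cast, while the checks in this function shown in patch 1/2 compare against `(gid_t)-1` and `(uid_t)-1`; writing `wbc_ids[i].id.gid = (gid_t)-1;` keeps the sentinel in the same form as those comparisons. The subject says both members are initialised but only `id.gid` is assigned, which presumably relies on `uid` and `gid` sharing storage in `id`; that is not visible in this hunk, so a one-line comment such as `/* uid and gid overlap in id: preset the invalid marker in case winbind leaves the entry unanswered */` would record the assumption. The enclosing function starts and ends outside the hunk.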