The Samba-Bugzilla – Attachment 16511 Details for
Bug 14571
CVE-2021-20254 [SECURITY] Buffer overrun in sids_to_unixids() [source3/passdb/lookup_sid.c]
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
backport to 4.11
14571-4.11.14.patch (text/plain), 4.77 KB, created by
Noel Power
on 2021-03-09 08:49:20 UTC
(
hide
)
Description:
backport to 4.11
Filename:
MIME Type:
Creator:
Noel Power
Created:
2021-03-09 08:49:20 UTC
Size:
4.77 KB
patch
obsolete
>From 399fee7f789862806cf18f553ce4f71a382aa385 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Sat, 20 Feb 2021 15:50:12 +0100 >Subject: [PATCH 1/2] passdb: Simplify sids_to_unixids() > >Best reviewed with "git show -b", there's a "continue" statement that >changes subsequent indentation. > >Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source3/passdb/lookup_sid.c | 49 +++++++++++++++++++++++-------------- > 1 file changed, 31 insertions(+), 18 deletions(-) > >diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c >index c31a9e48739..25db04fa7f6 100644 >--- a/source3/passdb/lookup_sid.c >+++ b/source3/passdb/lookup_sid.c >@@ -29,6 +29,7 @@ > #include "../libcli/security/security.h" > #include "lib/winbind_util.h" > #include "../librpc/gen_ndr/idmap.h" >+#include "lib/util/bitmap.h" > > static bool lookup_unix_user_name(const char *name, struct dom_sid *sid) > { >@@ -1247,6 +1248,7 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > { > struct wbcDomainSid *wbc_sids = NULL; > struct wbcUnixId *wbc_ids = NULL; >+ struct bitmap *found = NULL; > uint32_t i, num_not_cached; > wbcErr err; > bool ret = false; >@@ -1255,6 +1257,10 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > if (wbc_sids == NULL) { > return false; > } >+ found = bitmap_talloc(wbc_sids, num_sids); >+ if (found == NULL) { >+ goto fail; >+ } > > num_not_cached = 0; > >@@ -1266,17 +1272,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > &sids[i], &rid)) { > ids[i].type = ID_TYPE_UID; > ids[i].id = rid; >+ bitmap_set(found, i); > continue; > } > if (sid_peek_check_rid(&global_sid_Unix_Groups, > &sids[i], &rid)) { > ids[i].type = ID_TYPE_GID; > ids[i].id = rid; >+ bitmap_set(found, i); > continue; > } > if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired) > && !expired) > { >+ bitmap_set(found, i); > continue; > } > ids[i].type = ID_TYPE_NOT_SPECIFIED; >@@ -1303,36 +1312,40 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > num_not_cached = 0; > > for (i=0; i<num_sids; i++) { >- if (ids[i].type == ID_TYPE_NOT_SPECIFIED) { >- switch (wbc_ids[num_not_cached].type) { >- case WBC_ID_TYPE_UID: >- ids[i].type = ID_TYPE_UID; >- ids[i].id = wbc_ids[num_not_cached].id.uid; >- break; >- case WBC_ID_TYPE_GID: >- ids[i].type = ID_TYPE_GID; >- ids[i].id = wbc_ids[num_not_cached].id.gid; >- break; >- default: >- /* The types match, and wbcUnixId -> id is a union anyway */ >- ids[i].type = (enum id_type)wbc_ids[num_not_cached].type; >- ids[i].id = wbc_ids[num_not_cached].id.gid; >- break; >- } >- num_not_cached += 1; >+ if (bitmap_query(found, i)) { >+ continue; >+ } >+ >+ switch (wbc_ids[num_not_cached].type) { >+ case WBC_ID_TYPE_UID: >+ ids[i].type = ID_TYPE_UID; >+ ids[i].id = wbc_ids[num_not_cached].id.uid; >+ break; >+ case WBC_ID_TYPE_GID: >+ ids[i].type = ID_TYPE_GID; >+ ids[i].id = wbc_ids[num_not_cached].id.gid; >+ break; >+ default: >+ /* The types match, and wbcUnixId -> id is a union anyway */ >+ ids[i].type = (enum id_type)wbc_ids[num_not_cached].type; >+ ids[i].id = wbc_ids[num_not_cached].id.gid; >+ break; > } >+ num_not_cached += 1; > } > > for (i=0; i<num_sids; i++) { >- if (ids[i].type != ID_TYPE_NOT_SPECIFIED) { >+ if (bitmap_query(found, i)) { > continue; > } > if (legacy_sid_to_gid(&sids[i], &ids[i].id)) { > ids[i].type = ID_TYPE_GID; >+ bitmap_set(found, i); > continue; > } > if (legacy_sid_to_uid(&sids[i], &ids[i].id)) { > ids[i].type = ID_TYPE_UID; >+ bitmap_set(found, i); > continue; > } > } >-- >2.26.2 > > >From 7cbdc7eb359bcdf98cb4f501e54e3806bc7e312f Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 22 Feb 2021 18:05:02 -0800 >Subject: [PATCH 2/2] passdb: Ensure we initialize both members of wbc_ids[] > struct before lookup. > >The id.gid element will be read if wbcSidsToUnixIds() >returns ID_TYPE_NOT_SPECIFIED for an array element, >but wbcSidsToUnixIds() doesn't initialize it. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/passdb/lookup_sid.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c >index 25db04fa7f6..a2b80dbab12 100644 >--- a/source3/passdb/lookup_sid.c >+++ b/source3/passdb/lookup_sid.c >@@ -1302,6 +1302,7 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > } > for (i=0; i<num_not_cached; i++) { > wbc_ids[i].type = WBC_ID_TYPE_NOT_SPECIFIED; >+ wbc_ids[i].id.gid = (uint32_t)-1; > } > err = wbcSidsToUnixIds(wbc_sids, num_not_cached, wbc_ids); > if (!WBC_ERROR_IS_OK(err)) { >-- >2.26.2 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14571
:
16407
|
16410
|
16466
|
16467
|
16499
|
16505
|
16506
|
16507
|
16508
|
16509
|
16510
|
16511
|
16516
|
16517
|
16519
|
16520
|
16532
|
16533
|
16534
|
16535
|
16536
|
16537
|
16538
|
16539
|
16542
|
16543
|
16544
|
16545
|
16546
|
16548
|
16551
|
16553
|
16595