The Samba-Bugzilla – Attachment 17675 Details for
Bug 14929
CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patches for v4-17-test
bfixes-CVE-2022-44640-v4-17.txt (text/plain), 6.71 KB, created by
Stefan Metzmacher
on 2022-12-06 14:04:12 UTC
(
hide
)
Description:
Patches for v4-17-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2022-12-06 14:04:12 UTC
Size:
6.71 KB
patch
obsolete
>From 4cbd2c3e7f4ca294a7cdb889f0feb2b4a133b2c4 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 6 Dec 2022 15:11:05 +1300 >Subject: [PATCH 1/2] CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from > source_chars test > >A new file will shorlty fail as it is binary input > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5a02915913a2410904886e186ada90a36492571f) >--- > python/samba/tests/source_chars.py | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py >index 856a27b0d1a3..c0e57cafb42d 100644 >--- a/python/samba/tests/source_chars.py >+++ b/python/samba/tests/source_chars.py >@@ -70,6 +70,7 @@ IGNORED_RE = ( > r'^third_party/heimdal/lib/hx509/data/', > r'^third_party/heimdal/po', > r'^third_party/heimdal/tests/kdc/hdb-mitdb', >+ r'^third_party/heimdal/lib/asn1/fuzz-inputs/', > ) > > IGNORED_EXTENSIONS = { >-- >2.34.1 > > >From 13a2dca744e9b37549b68fcd3f1d44e2fe1e8425 Mon Sep 17 00:00:00 2001 >From: Nicolas Williams <nico@twosigma.com> >Date: Wed, 10 Mar 2021 16:49:04 -0600 >Subject: [PATCH 2/2] CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec > >Heimdal's ASN.1 compiler generates code that allows specially >crafted DER encodings of CHOICEs to invoke the wrong free function >on the decoded structure upon decode error. This is known to impact >the Heimdal KDC, leading to an invalid free() of an address partly >or wholly under the control of the attacker, in turn leading to a >potential remote code execution (RCE) vulnerability. > >This error affects the DER codec for all CHOICE types used in >Heimdal, though not all cases will be exploitable. We have not >completed a thorough analysis of all the Heimdal components >affected, thus the Kerberos client, the X.509 library, and other >parts, may be affected as well. > >This bug has been in Heimdal since 2005. It was first reported by >Douglas Bagnall, though it had been found independently by the >Heimdal maintainers via fuzzing a few weeks earlier. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 > >(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767) > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184 > >(cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f) >--- > .../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes > third_party/heimdal/lib/asn1/gen_decode.c | 12 ++++++------ > third_party/heimdal/lib/asn1/gen_free.c | 7 +++++++ > third_party/heimdal/lib/asn1/gen_template.c | 1 + > third_party/heimdal/lib/asn1/krb5.asn1 | 1 + > 5 files changed, 15 insertions(+), 6 deletions(-) > create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq > >diff --git a/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq >new file mode 100644 >index 0000000000000000000000000000000000000000..21ac3601bcc9c657454ac0f2dbca099eac73b6af >GIT binary patch >literal 55 >zc-mWFYM{GN+dy>z9}|n9lCg^~qYw)N0|TS-_r7}*OBkxJGYhg*WKU{RoAhw&D#O=i >LC2rpt>V16ysnrq} > >literal 0 >Hc-jL100001 > >diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c >index 93d412f63356..fa9d79a8ae5b 100644 >--- a/third_party/heimdal/lib/asn1/gen_decode.c >+++ b/third_party/heimdal/lib/asn1/gen_decode.c >@@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, > classname(cl), > ty ? "CONS" : "PRIM", > valuename(cl, tag)); >+ fprintf(codefile, >+ "(%s)->element = %s;\n", >+ name, m->label); > if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&", > name, m->gen_name) < 0 || s == NULL) > errx(1, "malloc"); > decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name, > NULL, depth + 1); >- fprintf(codefile, >- "(%s)->element = %s;\n", >- name, m->label); > free(s); > fprintf(codefile, > "}\n"); >@@ -710,23 +710,23 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval, > if (have_ellipsis) { > fprintf(codefile, > "else {\n" >+ "(%s)->element = %s;\n" > "(%s)->u.%s.data = calloc(1, len);\n" > "if ((%s)->u.%s.data == NULL) {\n" > "e = ENOMEM; %s;\n" > "}\n" > "(%s)->u.%s.length = len;\n" > "memcpy((%s)->u.%s.data, p, len);\n" >- "(%s)->element = %s;\n" > "p += len;\n" > "ret += len;\n" > "len = 0;\n" > "}\n", >+ name, have_ellipsis->label, > name, have_ellipsis->gen_name, > name, have_ellipsis->gen_name, > forwstr, > name, have_ellipsis->gen_name, >- name, have_ellipsis->gen_name, >- name, have_ellipsis->label); >+ name, have_ellipsis->gen_name); > } else { > fprintf(codefile, > "else {\n" >diff --git a/third_party/heimdal/lib/asn1/gen_free.c b/third_party/heimdal/lib/asn1/gen_free.c >index 0507d5421803..b6da8ae14dd2 100644 >--- a/third_party/heimdal/lib/asn1/gen_free.c >+++ b/third_party/heimdal/lib/asn1/gen_free.c >@@ -62,6 +62,13 @@ free_type (const char *name, const Type *t, int preserve) > case TNull: > case TGeneralizedTime: > case TUTCTime: >+ /* >+ * This doesn't do much, but it leaves zeros where garbage might >+ * otherwise have been found. Gets us closer to having the equivalent >+ * of a memset()-to-zero data structure after calling the free >+ * functions. >+ */ >+ fprintf(codefile, "*%s = 0;\n", name); > break; > case TBitString: > if (HEIM_TAILQ_EMPTY(t->members)) >diff --git a/third_party/heimdal/lib/asn1/gen_template.c b/third_party/heimdal/lib/asn1/gen_template.c >index e053a8bdd8bc..ad25fcfb29d3 100644 >--- a/third_party/heimdal/lib/asn1/gen_template.c >+++ b/third_party/heimdal/lib/asn1/gen_template.c >@@ -1600,6 +1600,7 @@ generate_template(const Symbol *s) > "int ASN1CALL\n" > "decode_%s(const unsigned char *p, size_t len, %s *data, size_t *size)\n" > "{\n" >+ " memset(data, 0, sizeof(*data));\n" > " return _asn1_decode_top(asn1_%s, 0|%s, p, len, data, size);\n" > "}\n" > "\n", >diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1 >index d7ce6bd6333d..00a0acbc029b 100644 >--- a/third_party/heimdal/lib/asn1/krb5.asn1 >+++ b/third_party/heimdal/lib/asn1/krb5.asn1 >@@ -81,6 +81,7 @@ EXPORTS > KrbFastFinished, > KrbFastReq, > KrbFastArmor, >+ KrbFastArmoredReq, > KDCFastState, > KDCFastCookie, > KDC-PROXY-MESSAGE, >-- >2.34.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 14929
: 17675 |
17676
|
17679