Attachment 17675 Details for Bug 14929 – Patches for v4-17-test

[patch] Patches for v4-17-test

bfixes-CVE-2022-44640-v4-17.txt (text/plain), 6.71 KB, created by Stefan Metzmacher on 2022-12-06 14:04:12 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2022-12-06 14:04:12 UTC

Size: 6.71 KB

patch

obsolete

>From 4cbd2c3e7f4ca294a7cdb889f0feb2b4a133b2c4 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 6 Dec 2022 15:11:05 +1300
>Subject: [PATCH 1/2] CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from
> source_chars test
>
>A new file will shorlty fail as it is binary input
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>(cherry picked from commit 5a02915913a2410904886e186ada90a36492571f)
>---
> python/samba/tests/source_chars.py | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py
>index 856a27b0d1a3..c0e57cafb42d 100644
>--- a/python/samba/tests/source_chars.py
>+++ b/python/samba/tests/source_chars.py
>@@ -70,6 +70,7 @@ IGNORED_RE = (
>     r'^third_party/heimdal/lib/hx509/data/',
>     r'^third_party/heimdal/po',
>     r'^third_party/heimdal/tests/kdc/hdb-mitdb',
>+    r'^third_party/heimdal/lib/asn1/fuzz-inputs/',
> )
> 
> IGNORED_EXTENSIONS = {
>-- 
>2.34.1
>
>
>From 13a2dca744e9b37549b68fcd3f1d44e2fe1e8425 Mon Sep 17 00:00:00 2001
>From: Nicolas Williams <nico@twosigma.com>
>Date: Wed, 10 Mar 2021 16:49:04 -0600
>Subject: [PATCH 2/2] CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
>
>Heimdal's ASN.1 compiler generates code that allows specially
>crafted DER encodings of CHOICEs to invoke the wrong free function
>on the decoded structure upon decode error.  This is known to impact
>the Heimdal KDC, leading to an invalid free() of an address partly
>or wholly under the control of the attacker, in turn leading to a
>potential remote code execution (RCE) vulnerability.
>
>This error affects the DER codec for all CHOICE types used in
>Heimdal, though not all cases will be exploitable.  We have not
>completed a thorough analysis of all the Heimdal components
>affected, thus the Kerberos client, the X.509 library, and other
>parts, may be affected as well.
>
>This bug has been in Heimdal since 2005.  It was first reported by
>Douglas Bagnall, though it had been found independently by the
>Heimdal maintainers via fuzzing a few weeks earlier.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
>
>(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
>Autobuild-Date(master): Tue Dec  6 13:41:05 UTC 2022 on sn-devel-184
>
>(cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f)
>---
> .../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes
> third_party/heimdal/lib/asn1/gen_decode.c          |  12 ++++++------
> third_party/heimdal/lib/asn1/gen_free.c            |   7 +++++++
> third_party/heimdal/lib/asn1/gen_template.c        |   1 +
> third_party/heimdal/lib/asn1/krb5.asn1             |   1 +
> 5 files changed, 15 insertions(+), 6 deletions(-)
> create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq
>
>diff --git a/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq b/third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq
>new file mode 100644
>index 0000000000000000000000000000000000000000..21ac3601bcc9c657454ac0f2dbca099eac73b6af
>GIT binary patch
>literal 55
>zc-mWFYM{GN+dy>z9}|n9lCg^~qYw)N0|TS-_r7}*OBkxJGYhg*WKU{RoAhw&D#O=i
>LC2rpt>V16ysnrq}
>
>literal 0
>Hc-jL100001
>
>diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c
>index 93d412f63356..fa9d79a8ae5b 100644
>--- a/third_party/heimdal/lib/asn1/gen_decode.c
>+++ b/third_party/heimdal/lib/asn1/gen_decode.c
>@@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval,
> 		    classname(cl),
> 		    ty ? "CONS" : "PRIM",
> 		    valuename(cl, tag));
>+	    fprintf(codefile,
>+		    "(%s)->element = %s;\n",
>+		    name, m->label);
> 	    if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
> 			  name, m->gen_name) < 0 || s == NULL)
> 		errx(1, "malloc");
>             decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name,
>                         NULL, depth + 1);
>-	    fprintf(codefile,
>-		    "(%s)->element = %s;\n",
>-		    name, m->label);
> 	    free(s);
> 	    fprintf(codefile,
> 		    "}\n");
>@@ -710,23 +710,23 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval,
> 	if (have_ellipsis) {
> 	    fprintf(codefile,
> 		    "else {\n"
>+		    "(%s)->element = %s;\n"
> 		    "(%s)->u.%s.data = calloc(1, len);\n"
> 		    "if ((%s)->u.%s.data == NULL) {\n"
> 		    "e = ENOMEM; %s;\n"
> 		    "}\n"
> 		    "(%s)->u.%s.length = len;\n"
> 		    "memcpy((%s)->u.%s.data, p, len);\n"
>-		    "(%s)->element = %s;\n"
> 		    "p += len;\n"
> 		    "ret += len;\n"
> 		    "len = 0;\n"
> 		    "}\n",
>+		    name, have_ellipsis->label,
> 		    name, have_ellipsis->gen_name,
> 		    name, have_ellipsis->gen_name,
> 		    forwstr,
> 		    name, have_ellipsis->gen_name,
>-		    name, have_ellipsis->gen_name,
>-		    name, have_ellipsis->label);
>+		    name, have_ellipsis->gen_name);
> 	} else {
> 	    fprintf(codefile,
> 		    "else {\n"
>diff --git a/third_party/heimdal/lib/asn1/gen_free.c b/third_party/heimdal/lib/asn1/gen_free.c
>index 0507d5421803..b6da8ae14dd2 100644
>--- a/third_party/heimdal/lib/asn1/gen_free.c
>+++ b/third_party/heimdal/lib/asn1/gen_free.c
>@@ -62,6 +62,13 @@ free_type (const char *name, const Type *t, int preserve)
>     case TNull:
>     case TGeneralizedTime:
>     case TUTCTime:
>+        /*
>+         * This doesn't do much, but it leaves zeros where garbage might
>+         * otherwise have been found.  Gets us closer to having the equivalent
>+         * of a memset()-to-zero data structure after calling the free
>+         * functions.
>+         */
>+        fprintf(codefile, "*%s = 0;\n", name);
> 	break;
>     case TBitString:
> 	if (HEIM_TAILQ_EMPTY(t->members))
>diff --git a/third_party/heimdal/lib/asn1/gen_template.c b/third_party/heimdal/lib/asn1/gen_template.c
>index e053a8bdd8bc..ad25fcfb29d3 100644
>--- a/third_party/heimdal/lib/asn1/gen_template.c
>+++ b/third_party/heimdal/lib/asn1/gen_template.c
>@@ -1600,6 +1600,7 @@ generate_template(const Symbol *s)
> 	    "int ASN1CALL\n"
> 	    "decode_%s(const unsigned char *p, size_t len, %s *data, size_t *size)\n"
> 	    "{\n"
>+            "    memset(data, 0, sizeof(*data));\n"
> 	    "    return _asn1_decode_top(asn1_%s, 0|%s, p, len, data, size);\n"
> 	    "}\n"
> 	    "\n",
>diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1
>index d7ce6bd6333d..00a0acbc029b 100644
>--- a/third_party/heimdal/lib/asn1/krb5.asn1
>+++ b/third_party/heimdal/lib/asn1/krb5.asn1
>@@ -81,6 +81,7 @@ EXPORTS
> 	KrbFastFinished,
> 	KrbFastReq,
> 	KrbFastArmor,
>+	KrbFastArmoredReq,
> 	KDCFastState,
> 	KDCFastCookie,
> 	KDC-PROXY-MESSAGE,
>-- 
>2.34.1
>

Flags:

slow: review+

Actions: View

Attachments on bug 14929: 17675 | 17676 | 17679