Attachment 17679 Details for Bug 14929 – Patches for v4-15-test

Patches for v4-15-test

bfixes-CVE-2022-44640-v4-15.txt (text/plain), 5.38 KB, created by Stefan Metzmacher on 2022-12-07 19:04:57 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2022-12-07 19:04:57 UTC

Size: 5.38 KB

patch

obsolete

>From b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f Mon Sep 17 00:00:00 2001
>From: Nicolas Williams <nico@twosigma.com>
>Date: Wed, 10 Mar 2021 16:49:04 -0600
>Subject: [PATCH 1/2] CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
>
>This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
>
>Heimdal's ASN.1 compiler generates code that allows specially
>crafted DER encodings of CHOICEs to invoke the wrong free function
>on the decoded structure upon decode error.  This is known to impact
>the Heimdal KDC, leading to an invalid free() of an address partly
>or wholly under the control of the attacker, in turn leading to a
>potential remote code execution (RCE) vulnerability.
>
>This error affects the DER codec for all CHOICE types used in
>Heimdal, though not all cases will be exploitable.  We have not
>completed a thorough analysis of all the Heimdal components
>affected, thus the Kerberos client, the X.509 library, and other
>parts, may be affected as well.
>
>This bug has been in Heimdal since 2005.  It was first reported by
>Douglas Bagnall, though it had been found independently by the
>Heimdal maintainers via fuzzing a few weeks earlier.
>
>While no zero-day exploit is known, such an exploit will likely be
>available soon after public disclosure.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
>
>[abartlet@samba.org Adapted from Heimdal commit
>ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15
>by dropping fuzz-inputs file and EXPORTS entry for fuzzing]
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/heimdal/lib/asn1/gen_decode.c | 12 ++++++------
> source4/heimdal/lib/asn1/gen_free.c   |  7 +++++++
> 2 files changed, 13 insertions(+), 6 deletions(-)
>
>diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c
>index 9d816d5400d7..bf2d93b806df 100644
>--- a/source4/heimdal/lib/asn1/gen_decode.c
>+++ b/source4/heimdal/lib/asn1/gen_decode.c
>@@ -584,14 +584,14 @@ decode_type (const char *name, const Type *t, int optional,
> 		    classname(cl),
> 		    ty ? "CONS" : "PRIM",
> 		    valuename(cl, tag));
>+	    fprintf(codefile,
>+		    "(%s)->element = %s;\n",
>+		    name, m->label);
> 	    if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
> 			  name, m->gen_name) < 0 || s == NULL)
> 		errx(1, "malloc");
> 	    decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
> 		depth + 1);
>-	    fprintf(codefile,
>-		    "(%s)->element = %s;\n",
>-		    name, m->label);
> 	    free(s);
> 	    fprintf(codefile,
> 		    "}\n");
>@@ -600,23 +600,23 @@ decode_type (const char *name, const Type *t, int optional,
> 	if (have_ellipsis) {
> 	    fprintf(codefile,
> 		    "else {\n"
>+		    "(%s)->element = %s;\n"
> 		    "(%s)->u.%s.data = calloc(1, len);\n"
> 		    "if ((%s)->u.%s.data == NULL) {\n"
> 		    "e = ENOMEM; %s;\n"
> 		    "}\n"
> 		    "(%s)->u.%s.length = len;\n"
> 		    "memcpy((%s)->u.%s.data, p, len);\n"
>-		    "(%s)->element = %s;\n"
> 		    "p += len;\n"
> 		    "ret += len;\n"
> 		    "len = 0;\n"
> 		    "}\n",
>+		    name, have_ellipsis->label,
> 		    name, have_ellipsis->gen_name,
> 		    name, have_ellipsis->gen_name,
> 		    forwstr,
> 		    name, have_ellipsis->gen_name,
>-		    name, have_ellipsis->gen_name,
>-		    name, have_ellipsis->label);
>+		    name, have_ellipsis->gen_name);
> 	} else {
> 	    fprintf(codefile,
> 		    "else {\n"
>diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c
>index b9cae7533b17..74449fe6ca82 100644
>--- a/source4/heimdal/lib/asn1/gen_free.c
>+++ b/source4/heimdal/lib/asn1/gen_free.c
>@@ -61,6 +61,13 @@ free_type (const char *name, const Type *t, int preserve)
>     case TNull:
>     case TGeneralizedTime:
>     case TUTCTime:
>+        /*
>+         * This doesn't do much, but it leaves zeros where garbage might
>+         * otherwise have been found.  Gets us closer to having the equivalent
>+         * of a memset()-to-zero data structure after calling the free
>+         * functions.
>+         */
>+        fprintf(codefile, "*%s = 0;\n", name);
> 	break;
>     case TBitString:
> 	if (ASN1_TAILQ_EMPTY(t->members))
>-- 
>2.34.1
>
>
>From 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Mon Sep 17 00:00:00 2001
>From: Joseph Sutton <josephsutton@catalyst.net.nz>
>Date: Wed, 7 Dec 2022 20:13:25 +1300
>Subject: [PATCH 2/2] CVE-2022-44640 source4/heimdal: Fix use-after-free when
> decoding PA-ENC-TS-ENC
>
>Upstream Heimdal fixed this in commit
>7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
>ENC-CHALLANGE).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
>
>Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/heimdal/kdc/kerberos5.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
>index ad026dd617bd..bda61e69df2a 100644
>--- a/source4/heimdal/kdc/kerberos5.c
>+++ b/source4/heimdal/kdc/kerberos5.c
>@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
> 			client_name);
> 		continue;
> 	    }
>-	    free_PA_ENC_TS_ENC(&p);
> 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
> 		char client_time[100];
> 
>@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
> 		 * there is a e_text, they become unhappy.
> 		 */
> 		e_text = NULL;
>+		free_PA_ENC_TS_ENC(&p);
> 		goto out;
> 	    }
>+	    free_PA_ENC_TS_ENC(&p);
> 	    et.flags.pre_authent = 1;
> 
> 	    set_salt_padata(rep.padata, pa_key->salt);
>-- 
>2.34.1
>

Flags:

metze: ci-passed+

Actions: View

Attachments on bug 14929: 17675 | 17676 | 17679