The Samba-Bugzilla – Attachment 18101 Details for
Bug 15422
CVE-2023-3961 [SECURITY] Unsanitized client pipe name passed to local_np_connect()
Attachment 18101: patch in master backported to Samba 4.17 v1
Filename: CVE-2023-3961-pipename-4.17-v1.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2023-09-13 02:13:06 UTC
Size: 9.39 KB
Status: patch, obsolete
>From 3097dbf4616b48e6a523574deedf0ec90baa9dc1 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:41:04 -0700 >Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that > could exit socket_dir. > >For now, SMB_ASSERT() to exit the server. We will remove >this once the test code is in place. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_client/local_np.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index 0b323404f06..95228d5d801 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( > return tevent_req_post(req, ev); > } > >+ /* >+ * Ensure we cannot process a path that exits >+ * the socket_dir. >+ */ >+ if (ISDOTDOT(lower_case_pipename) || >+ (strchr(lower_case_pipename, '/')!=NULL)) >+ { >+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", >+ lower_case_pipename); >+ /* >+ * For now, panic the server until we have >+ * the test code in place. >+ */ >+ SMB_ASSERT(false); >+ tevent_req_error(req, ENOENT); >+ return tevent_req_post(req, ev); >+ } >+ > state->socketpath = talloc_asprintf( > state, "%s/np/%s", socket_dir, lower_case_pipename); > if (tevent_req_nomem(state->socketpath, req)) { >-- >2.25.1 > > >From 8b8b4c8178291fd9fee8c8585cb6bbf0f6f903e3 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:49:21 -0700 >Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME > to show we allow bad pipenames with unix separators through to the UNIX > domain socket code. > >The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, >as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. > >Add the knownfail. > >BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 
> >Signed-off-by: Jeremy Allison <jra@samba.org> > >[abartlet@samba.org backported to Samba 4.17 due to conflicts from > context of other new torture tests missing in this version and > changes in smb2cli_create() arguments] >--- > selftest/knownfail.d/badpipename | 1 + > source3/selftest/tests.py | 15 +++++ > source3/torture/proto.h | 1 + > source3/torture/test_smb2.c | 105 +++++++++++++++++++++++++++++++ > source3/torture/torture.c | 4 ++ > 5 files changed, 126 insertions(+) > create mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >new file mode 100644 >index 00000000000..e69715f863d >--- /dev/null >+++ b/selftest/knownfail.d/badpipename >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 831fdd6db2e..e93365e3db5 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -263,6 +263,21 @@ plantestsuite("samba3.smbtorture_s3.smb1.MSDFS-ATTRIBUTE", > "-mNT1", > "-f msdfs-src1"]) > >+# >+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 >+# Prevent bad pipenames. >+# >+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME", >+ "fileserver", >+ [os.path.join(samba3srcdir, >+ "script/tests/test_smbtorture_s3.sh"), >+ 'SMB2-INVALID-PIPENAME', >+ '//$SERVER_IP/tmp', >+ '$USERNAME', >+ '$PASSWORD', >+ smbtorture3, >+ "-mSMB2"]) >+ > # > # SMB2-STREAM-ACL needs to run against a special share - vfs_wo_fruit > # >diff --git a/source3/torture/proto.h b/source3/torture/proto.h >index 4fa2fbd12a1..6c60e80a95e 100644 >--- a/source3/torture/proto.h >+++ b/source3/torture/proto.h 
>@@ -120,6 +120,7 @@ bool run_smb2_path_slash(int dummy); > bool run_smb2_sacl(int dummy); > bool run_smb2_quota1(int dummy); > bool run_smb2_stream_acl(int dummy); >+bool run_smb2_invalid_pipename(int dummy); > bool run_list_dir_async_test(int dummy); > bool run_delete_on_close_non_empty(int dummy); > bool run_delete_on_close_nonwrite_delete_yes_test(int dummy); >diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c >index c3f014100d9..f6afdf0b553 100644 >--- a/source3/torture/test_smb2.c >+++ b/source3/torture/test_smb2.c 
>@@ -3608,3 +3608,108 @@ bool run_delete_on_close_nonwrite_delete_no_test(int dummy) > } > return ret; > } >+ >+bool run_smb2_invalid_pipename(int dummy) >+{ >+ struct cli_state *cli = NULL; >+ NTSTATUS status; >+ uint64_t fid_persistent = 0; >+ uint64_t fid_volatile = 0; >+ const char *unknown_pipe = "badpipe"; >+ const char *invalid_pipe = "../../../../../../../../../badpipe"; >+ >+ printf("Starting SMB2-INVALID-PIPENAME\n"); >+ >+ if (!torture_init_connection(&cli)) { >+ return false; >+ } >+ >+ status = smbXcli_negprot(cli->conn, >+ cli->timeout, >+ PROTOCOL_SMB2_02, >+ PROTOCOL_SMB3_11); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_session_setup_creds(cli, torture_creds); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_session_setup returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_tree_connect(cli, "IPC$", "?????", NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_tree_connect returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an unknown pipename. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ unknown_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. 
*/ >+ NULL); /* struct smb2_create_blobs */ >+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ unknown_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an invalid pipename containing unix separators. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ invalid_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. */ >+ NULL); /* struct smb2_create_blobs */ >+ /* >+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND >+ * (tested against Windows 2022). >+ */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ invalid_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ return true; >+} >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index 4b22958c838..6dd37148137 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -15763,6 +15763,10 @@ static struct { > .name = "OPLOCK-CANCEL", > .fn = run_oplock_cancel, > }, >+ { >+ .name = "SMB2-INVALID-PIPENAME", >+ .fn = run_smb2_invalid_pipename, >+ }, > { > .name = "SMB1-TRUNCATED-SESSSETUP", > .fn = run_smb1_truncated_sesssetup, >-- >2.25.1 > > >From 7ad958bad043a078876b5e551ae927aa2f779177 Mon Sep 17 00:00:00 2001 
>From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:54:41 -0700 >Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that > crashes on bad pipenames. > >We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). > >Remove knowfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/badpipename | 1 - > source3/rpc_client/local_np.c | 5 ----- > 2 files changed, 6 deletions(-) > delete mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >deleted file mode 100644 >index e69715f863d..00000000000 >--- a/selftest/knownfail.d/badpipename >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index 95228d5d801..791ded99a47 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send( > { > DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", > lower_case_pipename); >- /* >- * For now, panic the server until we have >- * the test code in place. >- */ >- SMB_ASSERT(false); > tevent_req_error(req, ENOENT); > return tevent_req_post(req, ev); > } >-- >2.25.1 >
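Review bot: in the local_np.c hunk of 1/3, the SMB_ASSERT(false) on the rejected-name path turns a client-supplied pipe name into an abort of the serving smbd process, so this hunk must never be deployed without 3/3; for the 4.17 backport the two should be squashed so that no intermediate revision (and no bisect) lands on a build that a remote client can crash. The guard itself sits in the right place, after the lowercasing and before talloc_asprintf("%s/np/%s", socket_dir, lower_case_pipename), but it only rejects an exact ".." and names containing '/'; whether a backslash-separated name (the native SMB separator) has already been normalized to '/' by the time it reaches local_np_connect_send() is not visible in this hunk and deserves either a comment or an explicit strchr(lower_case_pipename, '\\') check. Finally, DBG_DEBUG hides what is effectively an intrusion indicator; logging the rejected name at DBG_WARNING would let operators see probing for this CVE without raising the global log level.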
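Review bot: in the test_smb2.c hunk of 2/3, every failure path in run_smb2_invalid_pipename() does "return false" without tearing the connection down (cli_shutdown(cli)), and if either smb2cli_create() unexpectedly succeeds the returned fid_persistent/fid_volatile handle is never closed; a single cleanup label that closes an open handle and shuts down cli before returning would make the test hygienic under the selftest runner. Coverage is also narrower than the server-side check it pairs with: the only malicious name exercised is "../../../../../../../../../badpipe" with forward slashes, so neither the ISDOTDOT branch (a bare "..") nor a backslash-separated traversal is tested; adding those two names to the same loop of expected NT_STATUS_OBJECT_NAME_NOT_FOUND results would cost a few lines and pin both branches.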
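Review bot: in the source3/selftest/tests.py hunk of 2/3, the suite is planted with '//$SERVER_IP/tmp' as the share argument, but run_smb2_invalid_pipename() hard-codes cli_tree_connect(cli, "IPC$", "?????", NULL), so the share passed through test_smbtorture_s3.sh is unused; harmless, but a one-line comment next to the BUG reference would save the next reader from looking for a dependency on the tmp share. The suite name matches the knownfail regex added in 2/3 and deleted in 3/3 exactly, which is what makes that pairing work; keep the two in the same series when cherry-picking.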
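Review bot: in the local_np.c hunk of 3/3, dropping the SMB_ASSERT leaves the DBG_DEBUG plus tevent_req_error(req, ENOENT) path, which the commit message says surfaces to the client as NT_STATUS_OBJECT_NAME_NOT_FOUND, consistent with what the torture test asserts and with the Windows 2022 behaviour recorded in 2/3. The commit message's "Remove knowfail" should read "Remove knownfail" before this lands.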
Flags: slow: review+ | jra: review+ | abartlet: ci-passed+

Attachments on bug 15422: 18001 | 18003 | 18050 | 18062 | 18099 | 18100 | 18101 (this attachment) | 18102 | 18124 | 18128 | 18151