The Samba-Bugzilla – Attachment 18102 Details for
Bug 15422
CVE-2023-3961 [SECURITY] Unsanitized client pipe name passed to local_np_connect()
[patch]
patch for master backported to Samba 4.16 v1
CVE-2023-3961-piepname-4.16-v1.patch (text/plain), 9.36 KB, created by
Andrew Bartlett
on 2023-09-13 02:13:39 UTC
Description: patch for master backported to Samba 4.16 v1
Filename: CVE-2023-3961-piepname-4.16-v1.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2023-09-13 02:13:39 UTC
Size: 9.36 KB
patch
obsolete
>From ada80aa9871927adeb1f9b89ab3742073b97273d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:41:04 -0700 >Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that > could exit socket_dir. > >For now, SMB_ASSERT() to exit the server. We will remove >this once the test code is in place. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_client/local_np.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index 5b1a818c88d..a8d556d6e41 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -509,6 +509,24 @@ struct tevent_req *local_np_connect_send( > return tevent_req_post(req, ev); > } > >+ /* >+ * Ensure we cannot process a path that exits >+ * the socket_dir. >+ */ >+ if (ISDOTDOT(lower_case_pipename) || >+ (strchr(lower_case_pipename, '/')!=NULL)) >+ { >+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", >+ lower_case_pipename); >+ /* >+ * For now, panic the server until we have >+ * the test code in place. >+ */ >+ SMB_ASSERT(false); >+ tevent_req_error(req, ENOENT); >+ return tevent_req_post(req, ev); >+ } >+ > state->socketpath = talloc_asprintf( > state, "%s/np/%s", socket_dir, lower_case_pipename); > if (tevent_req_nomem(state->socketpath, req)) { >-- >2.25.1 > > >From 8c92b3c48faff77c4d96502c5ae8c10d8b041a3e Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:49:21 -0700 >Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME > to show we allow bad pipenames with unix separators through to the UNIX > domain socket code. > >The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, >as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. > >Add the knownfail. > >BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 
> >Signed-off-by: Jeremy Allison <jra@samba.org> > >[abartlet@samba.org backported to Samba 4.16 due to conflicts from > context of other new torture tests missing in this version and > changes in smb2cli_create() arguments] >--- > selftest/knownfail.d/badpipename | 1 + > source3/selftest/tests.py | 15 +++++ > source3/torture/proto.h | 1 + > source3/torture/test_smb2.c | 105 +++++++++++++++++++++++++++++++ > source3/torture/torture.c | 4 ++ > 5 files changed, 126 insertions(+) > create mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >new file mode 100644 >index 00000000000..e69715f863d >--- /dev/null >+++ b/selftest/knownfail.d/badpipename >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index e0548fbc86d..a4209b2c06d 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -227,6 +227,21 @@ plantestsuite("samba3.smbtorture_s3.smb1.MSDFS-ATTRIBUTE", > "-mNT1", > "-f msdfs-src1"]) > >+# >+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 >+# Prevent bad pipenames. >+# >+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME", >+ "fileserver", >+ [os.path.join(samba3srcdir, >+ "script/tests/test_smbtorture_s3.sh"), >+ 'SMB2-INVALID-PIPENAME', >+ '//$SERVER_IP/tmp', >+ '$USERNAME', >+ '$PASSWORD', >+ smbtorture3, >+ "-mSMB2"]) >+ > # > # SMB2-STREAM-ACL needs to run against a special share - vfs_wo_fruit > # >diff --git a/source3/torture/proto.h b/source3/torture/proto.h >index 551c4ea80ac..f8d6384e1f2 100644 >--- a/source3/torture/proto.h >+++ b/source3/torture/proto.h 
>@@ -120,6 +120,7 @@ bool run_smb2_path_slash(int dummy); > bool run_smb2_sacl(int dummy); > bool run_smb2_quota1(int dummy); > bool run_smb2_stream_acl(int dummy); >+bool run_smb2_invalid_pipename(int dummy); > bool run_list_dir_async_test(int dummy); > bool run_delete_on_close_non_empty(int dummy); > bool run_delete_on_close_nonwrite_delete_yes_test(int dummy); >diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c >index c3f014100d9..f6afdf0b553 100644 >--- a/source3/torture/test_smb2.c >+++ b/source3/torture/test_smb2.c 
>@@ -3608,3 +3608,108 @@ bool run_delete_on_close_nonwrite_delete_no_test(int dummy) > } > return ret; > } >+ >+bool run_smb2_invalid_pipename(int dummy) >+{ >+ struct cli_state *cli = NULL; >+ NTSTATUS status; >+ uint64_t fid_persistent = 0; >+ uint64_t fid_volatile = 0; >+ const char *unknown_pipe = "badpipe"; >+ const char *invalid_pipe = "../../../../../../../../../badpipe"; >+ >+ printf("Starting SMB2-INVALID-PIPENAME\n"); >+ >+ if (!torture_init_connection(&cli)) { >+ return false; >+ } >+ >+ status = smbXcli_negprot(cli->conn, >+ cli->timeout, >+ PROTOCOL_SMB2_02, >+ PROTOCOL_SMB3_11); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_session_setup_creds(cli, torture_creds); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_session_setup returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_tree_connect(cli, "IPC$", "?????", NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_tree_connect returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an unknown pipename. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ unknown_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. 
*/ >+ NULL); /* struct smb2_create_blobs */ >+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ unknown_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an invalid pipename containing unix separators. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ invalid_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. */ >+ NULL); /* struct smb2_create_blobs */ >+ /* >+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND >+ * (tested against Windows 2022). >+ */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ invalid_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ return true; >+} >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index f070d56bed0..81f446c2b20 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -15366,6 +15366,10 @@ static struct { > .name = "OPLOCK-CANCEL", > .fn = run_oplock_cancel, > }, >+ { >+ .name = "SMB2-INVALID-PIPENAME", >+ .fn = run_smb2_invalid_pipename, >+ }, > { > .name = "PIDHIGH", > .fn = run_pidhigh, >-- >2.25.1 > > >From 9e65b7029a6b9d7b4446f7eae7a3ad41af94b2ff Mon Sep 17 00:00:00 2001 
>From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:54:41 -0700 >Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that > crashes on bad pipenames. > >We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). > >Remove knowfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/badpipename | 1 - > source3/rpc_client/local_np.c | 5 ----- > 2 files changed, 6 deletions(-) > delete mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >deleted file mode 100644 >index e69715f863d..00000000000 >--- a/selftest/knownfail.d/badpipename >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index a8d556d6e41..e92f4823ff6 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -518,11 +518,6 @@ struct tevent_req *local_np_connect_send( > { > DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", > lower_case_pipename); >- /* >- * For now, panic the server until we have >- * the test code in place. >- */ >- SMB_ASSERT(false); > tevent_req_error(req, ENOENT); > return tevent_req_post(req, ev); > } >-- >2.25.1 >
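Review bot: The SMB_ASSERT(false) added to local_np_connect_send() in patch 1/3 (local_np.c, the new block before the talloc_asprintf of state->socketpath) turns a client-supplied pipe name into a server crash, so this intermediate revision is itself a denial of service for any client that can open a named pipe. Since patch 3/3 removes the assert again, squash 1/3 and 3/3 for the 4.16 backport so no released tree carries the crashing version; until then the following tevent_req_error(req, ENOENT) and tevent_req_post() lines are unreachable. The check itself is sound: ISDOTDOT() rejects a name that is exactly "..", and strchr(lower_case_pipename, '/') != NULL rejects any embedded separator, so no "../" component can reach the "%s/np/%s" format and escape socket_dir.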
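Review bot: run_smb2_invalid_pipename() in patch 2/3 (test_smb2.c) only exercises the strchr('/') branch of the server-side check, because invalid_pipe = "../../../../../../../../../badpipe" contains separators; the ISDOTDOT() branch, a pipe named exactly "..", has no coverage. Add a third smb2cli_create() call with ".." as the name and the same NT_STATUS_OBJECT_NAME_NOT_FOUND expectation so both rejection paths are tested. Minor: if either create unexpectedly succeeds, the function returns false without closing the handle returned in fid_persistent/fid_volatile; closing it on that path keeps the failure case tidy.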
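Review bot: After patch 3/3 removes SMB_ASSERT() from local_np.c, the only trace of a rejected pipe path is the DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", ...) line kept in the hunk's context, which is silent at the default log level. A name containing '/' or ".." is never produced by a well-behaved SMB client, so consider raising that message to DBG_WARNING() or DBG_NOTICE(), which lets operators see probing for this issue in their logs while the request still fails cleanly with ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND), as the commit message describes.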
Flags:
slow: review+
jra: review+
abartlet: ci-passed+