The Samba-Bugzilla – Attachment 18128 Details for
Bug 15422
CVE-2023-3961 [SECURITY] Unsanitized client pipe name passed to local_np_connect()
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am fix for 4.18.next - rebased after 4.18.7 release
CVE-2023-3961-pipename-4.18-v2.patch (text/plain), 9.49 KB, created by
Jeremy Allison
on 2023-09-27 17:03:33 UTC
(
hide
)
Description:
git-am fix for 4.18.next - rebased after 4.18.7 release
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2023-09-27 17:03:33 UTC
Size:
9.49 KB
patch
obsolete
>From 09ee91a8f7e53f688f091fe67e0b95d1d34fb9c9 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:41:04 -0700 >Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that > could exit socket_dir. > >For now, SMB_ASSERT() to exit the server. We will remove >this once the test code is in place. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/rpc_client/local_np.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index 0b323404f06..95228d5d801 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( > return tevent_req_post(req, ev); > } > >+ /* >+ * Ensure we cannot process a path that exits >+ * the socket_dir. >+ */ >+ if (ISDOTDOT(lower_case_pipename) || >+ (strchr(lower_case_pipename, '/')!=NULL)) >+ { >+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", >+ lower_case_pipename); >+ /* >+ * For now, panic the server until we have >+ * the test code in place. >+ */ >+ SMB_ASSERT(false); >+ tevent_req_error(req, ENOENT); >+ return tevent_req_post(req, ev); >+ } >+ > state->socketpath = talloc_asprintf( > state, "%s/np/%s", socket_dir, lower_case_pipename); > if (tevent_req_nomem(state->socketpath, req)) { >-- >2.39.2 > > >From 34d4258e77d7a3f48004e88161ac2398e9669a4b Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:49:21 -0700 >Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME > to show we allow bad pipenames with unix separators through to the UNIX > domain socket code. > >The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, >as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. > >Add the knownfail. > >BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/badpipename | 1 + > source3/selftest/tests.py | 14 ++++ > source3/torture/proto.h | 1 + > source3/torture/test_smb2.c | 107 +++++++++++++++++++++++++++++++ > source3/torture/torture.c | 4 ++ > 5 files changed, 127 insertions(+) > create mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >new file mode 100644 >index 00000000000..e69715f863d >--- /dev/null >+++ b/selftest/knownfail.d/badpipename >@@ -0,0 +1 @@ >+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 1fdcad1089f..2c8336d35e8 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -309,6 +309,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH", > smbtorture3, > "-mSMB2"]) > >+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 >+# Prevent bad pipenames. >+# >+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME", >+ "fileserver", >+ [os.path.join(samba3srcdir, >+ "script/tests/test_smbtorture_s3.sh"), >+ 'SMB2-INVALID-PIPENAME', >+ '//$SERVER_IP/tmp', >+ '$USERNAME', >+ '$PASSWORD', >+ smbtorture3, >+ "-mSMB2"]) >+ > # > # SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share > # This is an empty non-DFS share with no links, used merely to test >diff --git a/source3/torture/proto.h b/source3/torture/proto.h >index 21d7b3e00a7..3751697596a 100644 >--- a/source3/torture/proto.h >+++ b/source3/torture/proto.h >@@ -125,6 +125,7 @@ bool run_smb2_non_dfs_share(int dummy); > bool run_smb2_dfs_share_non_dfs_path(int dummy); > bool run_smb2_dfs_filename_leading_backslash(int dummy); > bool run_smb2_pipe_read_async_disconnect(int dummy); >+bool run_smb2_invalid_pipename(int dummy); > bool run_smb1_dfs_paths(int dummy); > bool run_smb1_dfs_search_paths(int dummy); > bool run_smb1_dfs_operations(int dummy); >diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c >index 269ade4ef61..7ea3d83de10 100644 >--- a/source3/torture/test_smb2.c >+++ b/source3/torture/test_smb2.c >@@ -5253,3 +5253,110 @@ bool run_smb2_pipe_read_async_disconnect(int dummy) > } > return retval; > } >+ >+bool run_smb2_invalid_pipename(int dummy) >+{ >+ struct cli_state *cli = NULL; >+ NTSTATUS status; >+ uint64_t fid_persistent = 0; >+ uint64_t fid_volatile = 0; >+ const char *unknown_pipe = "badpipe"; >+ const char *invalid_pipe = "../../../../../../../../../badpipe"; >+ >+ printf("Starting SMB2-INVALID-PIPENAME\n"); >+ >+ if (!torture_init_connection(&cli)) { >+ return false; >+ } >+ >+ status = smbXcli_negprot(cli->conn, >+ cli->timeout, >+ PROTOCOL_SMB2_02, >+ PROTOCOL_SMB3_11); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_session_setup_creds(cli, torture_creds); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_session_setup returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ status = cli_tree_connect(cli, "IPC$", "?????", NULL); >+ if (!NT_STATUS_IS_OK(status)) { >+ printf("cli_tree_connect returned %s\n", nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an unknown pipename. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ unknown_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. */ >+ NULL, /* struct smb2_create_blobs * */ >+ NULL); /* struct symlink_reparse_struct */ >+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ unknown_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ >+ /* Try and connect to an invalid pipename containing unix separators. */ >+ status = smb2cli_create(cli->conn, >+ cli->timeout, >+ cli->smb2.session, >+ cli->smb2.tcon, >+ invalid_pipe, >+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ >+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ >+ SEC_STD_SYNCHRONIZE| >+ SEC_FILE_READ_DATA| >+ SEC_FILE_WRITE_DATA| >+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ >+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ >+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ >+ FILE_CREATE, /* create_disposition, */ >+ 0, /* create_options, */ >+ NULL, /* smb2_create_blobs *blobs */ >+ &fid_persistent, >+ &fid_volatile, >+ NULL, /* struct smb_create_returns * */ >+ talloc_tos(), /* mem_ctx. */ >+ NULL, /* struct smb2_create_blobs * */ >+ NULL); /* struct symlink_reparse_struct */ >+ /* >+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND >+ * (tested against Windows 2022). >+ */ >+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { >+ printf("%s:%d smb2cli_create on name %s returned %s\n", >+ __FILE__, >+ __LINE__, >+ invalid_pipe, >+ nt_errstr(status)); >+ return false; >+ } >+ return true; >+} >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index 1315b328f5f..d53699c3b02 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -15763,6 +15763,10 @@ static struct { > .name = "SMB2-DFS-FILENAME-LEADING-BACKSLASH", > .fn = run_smb2_dfs_filename_leading_backslash, > }, >+ { >+ .name = "SMB2-INVALID-PIPENAME", >+ .fn = run_smb2_invalid_pipename, >+ }, > { > .name = "SMB2-PIPE-READ-ASYNC-DISCONNECT", > .fn = run_smb2_pipe_read_async_disconnect, >-- >2.39.2 > > >From cbd81ca9d7ea1d5a6ea2b1026bc342ff996cca7c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 25 Jul 2023 17:54:41 -0700 >Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that > crashes on bad pipenames. > >We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). > >Remove knowfail. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > selftest/knownfail.d/badpipename | 1 - > source3/rpc_client/local_np.c | 5 ----- > 2 files changed, 6 deletions(-) > delete mode 100644 selftest/knownfail.d/badpipename > >diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename >deleted file mode 100644 >index e69715f863d..00000000000 >--- a/selftest/knownfail.d/badpipename >+++ /dev/null >@@ -1 +0,0 @@ >-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) >diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c >index 95228d5d801..791ded99a47 100644 >--- a/source3/rpc_client/local_np.c >+++ b/source3/rpc_client/local_np.c >@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send( > { > DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", > lower_case_pipename); >- /* >- * For now, panic the server until we have >- * the test code in place. >- */ >- SMB_ASSERT(false); > tevent_req_error(req, ENOENT); > return tevent_req_post(req, ev); > } >-- >2.39.2 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
jra
:
ci-passed+
Actions:
View
Attachments on
bug 15422
:
18001
|
18003
|
18050
|
18062
|
18099
|
18100
|
18101
|
18102
|
18124
| 18128 |
18151