Bug 14402 (CVE-2020-10760) - CVE-2020-10760 [SECURITY] Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV
Summary: CVE-2020-10760 [SECURITY] Use-after-free in AD DC Global Catalog LDAP server ...
Status: RESOLVED FIXED
Alias: CVE-2020-10760
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14412
Reported: 2020-06-05 10:27 UTC by Andrew Bartlett
Modified: 2020-07-21 19:43 UTC (History)

See Also:


Attachments
initial patch for master (2.63 KB, patch)
2020-06-05 10:37 UTC, Andrew Bartlett
no flags Details
Advisory v1 with CVE number. Still needs release versions (2.71 KB, text/plain)
2020-06-08 05:32 UTC, Andrew Bartlett
no flags Details
patch for master (v1) (11.94 KB, patch)
2020-06-08 05:35 UTC, Andrew Bartlett
no flags Details
patch for master to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (12.11 KB, patch)
2020-06-10 05:34 UTC, Andrew Bartlett
abartlet: review? (gary)
gary: review+
abartlet: ci-passed+
Details
patch for 4.12 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (12.11 KB, patch)
2020-06-10 05:35 UTC, Andrew Bartlett
abartlet: review? (gary)
gary: review+
abartlet: ci-passed+
Details
patch for 4.11 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (12.22 KB, patch)
2020-06-10 05:36 UTC, Andrew Bartlett
abartlet: review? (gary)
gary: review+
abartlet: ci-passed+
Details
patch for 4.10 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (12.19 KB, patch)
2020-06-10 05:37 UTC, Andrew Bartlett
abartlet: review? (gary)
gary: review+
Details
patch for 4.5 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (5.32 KB, patch)
2020-06-10 05:37 UTC, Andrew Bartlett
abartlet: review? (gary)
abartlet: review-
gary: review+
abartlet: ci-passed-
Details
Advisory v2 with CVE number. Still needs release versions (2.71 KB, text/plain)
2020-06-10 05:38 UTC, Andrew Bartlett
gary: review+
Details
Advisory V3 (2.71 KB, text/plain)
2020-06-18 01:55 UTC, Gary Lockyer
no flags Details
Advisory (2.71 KB, text/plain)
2020-06-23 22:27 UTC, Douglas Bagnall
dbagnall: review? (gary)
Details

Description Andrew Bartlett 2020-06-05 10:27:48 UTC
Samba will crash with:
 bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

This is because the search_options control data is not a correct talloc child of the control, so when VLV and paged_results try to steal the control, the data is not kept with it, showing a use-after-free.

Impacts Samba 4.5 and later (presumably, not yet tested) due to the VLV design that was then copied to paged_results in Samba 4.10

Originally reported by Andrei Popa <andrei.popa@next-gen.ro> but not fully diagnosed (we found other issues bug 14331 - CVE-2020-10700 - instead).  

Re-raised by an anonymous Samba user.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
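The ownership mistake the description points at is easier to see in a small model than in the LDB source. The following is an added example written for this page, not Samba or libtalloc code: a constructed hierarchical allocator with talloc-style semantics (every allocation has a parent, freeing a parent frees its subtree, "stealing" reparents a node together with everything under it). The scenario function builds the shape described above under two assumptions, control data allocated under the request versus under the control, and reports whether the data is still alive once the request is torn down and only the stolen control remains. All names (`ldap_request`, `search_options_control`, `paged_results_state`, and so on) are hypothetical labels, and nodes are only marked freed rather than released so that the dangling case is observable instead of undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed talloc-style ownership model for this example (not libtalloc).
 * Nodes live in a static pool and are only flagged as freed, so a dangling
 * use can be detected deterministically. */
typedef struct node {
    struct node *parent;
    struct node *first_child;
    struct node *next_sibling;
    int freed;          /* set once the node has been released */
    char name[40];
} node;

#define POOL_SIZE 16
static node pool[POOL_SIZE];
static int pool_used;

/* Allocate a node as a child of parent (NULL for a top-level context). */
static node *model_alloc(node *parent, const char *name)
{
    if (pool_used >= POOL_SIZE) return NULL;
    node *n = &pool[pool_used++];
    memset(n, 0, sizeof *n);
    strncpy(n->name, name, sizeof n->name - 1);
    n->parent = parent;
    if (parent != NULL) {
        n->next_sibling = parent->first_child;
        parent->first_child = n;
    }
    return n;
}

static void unlink_from_parent(node *n)
{
    if (n->parent == NULL) return;
    node **pp = &n->parent->first_child;
    while (*pp != NULL && *pp != n) pp = &(*pp)->next_sibling;
    if (*pp == n) *pp = n->next_sibling;
    n->parent = NULL;
    n->next_sibling = NULL;
}

/* Reparent n, and everything allocated underneath it, onto new_parent. */
static void model_steal(node *new_parent, node *n)
{
    unlink_from_parent(n);
    n->parent = new_parent;
    if (new_parent != NULL) {
        n->next_sibling = new_parent->first_child;
        new_parent->first_child = n;
    }
}

/* Release n and its whole subtree (children first). */
static void model_free(node *n)
{
    node *c = n->first_child;
    while (c != NULL) {
        node *next = c->next_sibling;
        model_free(c);
        c = next;
    }
    unlink_from_parent(n);
    n->freed = 1;
}

/* The pattern from the report: a control arrives with a request, and the
 * paged_results/VLV state steals the control so it outlives that request.
 * Returns 1 if the control and its data are still valid after the request
 * is freed, 0 if the data was freed out from under the stolen control. */
static int control_data_survives_request(int data_is_child_of_control)
{
    pool_used = 0;
    node *request = model_alloc(NULL, "ldap_request");
    node *control = model_alloc(request, "search_options_control");
    node *data = model_alloc(data_is_child_of_control ? control : request,
                             "search_options_data");
    node *paged_state = model_alloc(NULL, "paged_results_state");

    model_steal(paged_state, control);  /* keep the control for later pages */
    model_free(request);                /* the request finishes */

    int survives = !data->freed && !control->freed;

    model_free(paged_state);            /* release the long-lived state */
    return survives;
}

int main(void)
{
    printf("data allocated under the request: %s\n",
           control_data_survives_request(0) ? "survives" : "FREED");
    printf("data allocated under the control: %s\n",
           control_data_survives_request(1) ? "survives" : "FREED");
    return 0;
}
```

The first call models the reported layout: the control is stolen but its data stays parented to the request, so freeing the request leaves the long-lived control pointing at released memory. The second call models the fix the patches describe, making the data a child of the control so that stealing the control carries the data with it. The same check is what a talloc hierarchy dump (`talloc_report_full` in the real library) makes visible when verifying this kind of fix.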
Comment 1 Andrew Bartlett 2020-06-05 10:37:20 UTC
Created attachment 16021 [details]
initial patch for master
Comment 2 Andrew Bartlett 2020-06-08 05:32:39 UTC
Created attachment 16022 [details]
Advisory v1 with CVE number.  Still needs release versions
Comment 3 Andrew Bartlett 2020-06-08 05:35:10 UTC
Created attachment 16023 [details]
patch for master (v1)
Comment 4 Gary Lockyer 2020-06-08 21:09:15 UTC
Comment on attachment 16022 [details]
Advisory v1 with CVE number.  Still needs release versions

(however this will use more
memory, may allow resource exhaustion)

Maybe reword this to

(however this will use more
memory, and may cause resource exhaustion)
Comment 5 Gary Lockyer 2020-06-08 21:23:38 UTC
Comment on attachment 16023 [details]
patch for master (v1)

Does not currently apply to master.

But changes look good.

Do we have a reproducer for the original triggering case?
Comment 6 Andrew Bartlett 2020-06-08 21:48:02 UTC
(In reply to Gary Lockyer from comment #5)
Sorry, the patch is on top of your other work, and includes the triggering case (confirmed).
Comment 7 Andrew Bartlett 2020-06-10 05:34:51 UTC
Created attachment 16024 [details]
patch for master to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Comment 8 Andrew Bartlett 2020-06-10 05:35:51 UTC
Created attachment 16025 [details]
patch for 4.12 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Comment 9 Andrew Bartlett 2020-06-10 05:36:27 UTC
Created attachment 16026 [details]
patch for 4.11 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Comment 10 Andrew Bartlett 2020-06-10 05:37:03 UTC
Created attachment 16027 [details]
patch for 4.10 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Comment 11 Andrew Bartlett 2020-06-10 05:37:49 UTC
Created attachment 16028 [details]
patch for 4.5 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Comment 12 Andrew Bartlett 2020-06-10 05:38:16 UTC
Created attachment 16029 [details]
Advisory v2 with CVE number.  Still needs release versions
Comment 13 Andrew Bartlett 2020-06-10 05:38:43 UTC
Comment on attachment 16027 [details]
patch for 4.10 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)

(CI still pending on 4.10 and below)
Comment 14 Andrew Bartlett 2020-06-10 07:32:29 UTC
Comment on attachment 16028 [details]
patch for 4.5 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)

The 4.5 patch (which is not part of the official Samba patch service) is wrong, the vlv test needs to be backported more carefully.
Comment 15 Gary Lockyer 2020-06-18 01:55:49 UTC
Created attachment 16058 [details]
Advisory V3
Comment 16 Karolin Seeger 2020-06-19 11:14:19 UTC
Planned release date Thursday July 2nd
Opening bug report for vendors.
Comment 17 Douglas Bagnall 2020-06-23 22:27:57 UTC
Created attachment 16066 [details]
Advisory
Comment 18 Karolin Seeger 2020-07-02 08:53:09 UTC
Samba 4.12.4, 4.11.11 and 4.10.17 have been shipped to address this defect.
Comment 19 Karolin Seeger 2020-07-02 08:57:08 UTC
Pushed to autobuild-master.
Comment 20 Karolin Seeger 2020-07-02 09:08:02 UTC
Merged into v4-{12,11,10}-test.
Comment 21 Karolin Seeger 2020-07-03 09:20:55 UTC
Pushed to autobuild-master.
Closing out bug report.

Thanks!
Comment 22 Andrew Bartlett 2020-07-21 19:43:06 UTC
Opening to the public and removing the samba-vendor alias from CC.  

Vendors: CC individually if you wish to follow along.