Bug 15008 (CVE-2022-32745) - CVE-2022-32745 [SECURITY] Collecting attribute values for LDB add/modify can result in out-of-bounds access
Summary: CVE-2022-32745 [SECURITY] Collecting attribute values for LDB add/modify can ...
Status: RESOLVED FIXED
Alias: CVE-2022-32745
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.13.14
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15096 15109
  Show dependency treegraph
 
Reported: 2022-03-11 01:21 UTC by Joseph Sutton
Modified: 2022-08-04 09:51 UTC (History)
9 users (show)

See Also:


Attachments
patch for master (2.68 KB, patch)
2022-03-11 01:37 UTC, Joseph Sutton
no flags Details
patch for master (4.12 KB, patch)
2022-03-11 01:40 UTC, Joseph Sutton
no flags Details
patch for master (5.07 KB, patch)
2022-06-03 04:22 UTC, Joseph Sutton
no flags Details
patch for master (5.13 KB, patch)
2022-06-13 03:05 UTC, Joseph Sutton
abartlet: review+
Details
advisory (1.71 KB, text/plain)
2022-06-13 03:07 UTC, Joseph Sutton
abartlet: review-
Details
patch for master (5.19 KB, patch)
2022-06-14 03:58 UTC, Joseph Sutton
jsutton: ci-passed+
Details
advisory v2 (1.81 KB, text/plain)
2022-06-21 02:10 UTC, Joseph Sutton
abartlet: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Joseph Sutton 2022-03-11 01:21:52 UTC
When there is more than one message element modifying a specific attribute (such as sAMAccountName), dsdb_get_expected_new_values() uses the wrong value as the limit for the loop (val_count instead of msg->num_elements). This can result in an out-of-bounds read or accessing uninitialised data.
Comment 1 Joseph Sutton 2022-03-11 01:37:42 UTC
Created attachment 17203 [details]
patch for master
Comment 2 Joseph Sutton 2022-03-11 01:40:34 UTC
Created attachment 17204 [details]
patch for master

Avoids calling memcpy() with a NULL pointer.
Comment 3 Joseph Sutton 2022-06-03 04:22:40 UTC
Created attachment 17317 [details]
patch for master

There was one more issue that I missed. We weren't specifying the correct number of bytes to memcpy(), resulting in half-uninitialised data.
Comment 4 Joseph Sutton 2022-06-13 03:05:41 UTC
Created attachment 17340 [details]
patch for master
Comment 5 Joseph Sutton 2022-06-13 03:07:20 UTC
Created attachment 17341 [details]
advisory
Comment 6 Andrew Bartlett 2022-06-13 08:32:08 UTC
Comment on attachment 17341 [details]
advisory

Looks good but at least the 4.16.2 version is wrong (that was just released).
Comment 7 Andrew Bartlett 2022-06-13 09:01:30 UTC
Comment on attachment 17340 [details]
patch for master

Patch for master looks good, thanks!
Comment 8 Andrew Bartlett 2022-06-14 03:56:24 UTC
Comment on attachment 17340 [details]
patch for master

[PATCH 4/4] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
 message element

This patch needs the BUG: tag added.
Comment 9 Joseph Sutton 2022-06-14 03:58:31 UTC
Created attachment 17343 [details]
patch for master

Fixed.
Comment 10 Joseph Sutton 2022-06-21 02:10:56 UTC
Created attachment 17379 [details]
advisory v2

Updated advisory.
Comment 11 Andrew Bartlett 2022-06-28 07:19:26 UTC
Assigning to Jule for the next security release.
Comment 12 Andrew Bartlett 2022-07-14 03:57:30 UTC
Comment on attachment 17343 [details]
patch for master

Marking this patch as obsolete to avoid confusion as the patches were uplaoded on parent bug 15096 combined with CVE-2022-32745 / bug 15009
Comment 13 Andrew Bartlett 2022-07-14 04:17:45 UTC
Opening security bugs to vendors.  Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
Comment 14 Samba QA Contact 2022-07-27 10:30:58 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.4):

1d7690b000f115ea39fb498d63de46ab6705f927
f2ded77168dbc54b1d0c8ead08701c48af3f3a74
701aef133fd6efb03f8b32dfd5a4d93acf8b9fce
e0d25e172c48c1cd083466dc304257698aadf4af
Comment 15 Samba QA Contact 2022-07-27 10:31:27 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.9):

c231d424b89ba718262ed376431a982baaeef33f
d2dbb3b6818d429b12d54e68510286d033d4abd7
d85bb9f5edc08ce2042be366c720dd027788f5bd
6af497232e4ed24c33a29b77825fa854a73b5427
Comment 16 Samba QA Contact 2022-07-27 10:34:21 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.14):

6237c85565332e0be1890dd57cc7e25fb76571d7
7c8427e5d2f247921ab44996829acfed1f5f2360
4d2d30c21b16a53d5547cb803efe49cb6304ce37
65d96369fa4f915f01e203cfc8b15e48c5b4b440
Comment 17 Samba QA Contact 2022-07-27 10:38:04 UTC
This bug was referenced in samba v4-14-test:

6237c85565332e0be1890dd57cc7e25fb76571d7
7c8427e5d2f247921ab44996829acfed1f5f2360
4d2d30c21b16a53d5547cb803efe49cb6304ce37
65d96369fa4f915f01e203cfc8b15e48c5b4b440
Comment 18 Jule Anger 2022-07-27 11:02:56 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 19 Samba QA Contact 2022-07-27 11:11:02 UTC
This bug was referenced in samba v4-16-test:

1d7690b000f115ea39fb498d63de46ab6705f927
f2ded77168dbc54b1d0c8ead08701c48af3f3a74
701aef133fd6efb03f8b32dfd5a4d93acf8b9fce
e0d25e172c48c1cd083466dc304257698aadf4af
Comment 20 Samba QA Contact 2022-07-27 11:11:56 UTC
This bug was referenced in samba v4-15-test:

c231d424b89ba718262ed376431a982baaeef33f
d2dbb3b6818d429b12d54e68510286d033d4abd7
d85bb9f5edc08ce2042be366c720dd027788f5bd
6af497232e4ed24c33a29b77825fa854a73b5427
Comment 21 Samba QA Contact 2022-07-27 11:59:41 UTC
This bug was referenced in samba master:

4ec784e0a91e572801a47be36a1729b92cb4140b
4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c
aa728dfcc9684748818412231e865fbd9112b565
9881491023eb1ece27bd7a24ed41902bb15dbff2
Comment 22 Samba QA Contact 2022-07-27 13:06:14 UTC
This bug was referenced in samba v4-17-stable:

4ec784e0a91e572801a47be36a1729b92cb4140b
4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c
aa728dfcc9684748818412231e865fbd9112b565
9881491023eb1ece27bd7a24ed41902bb15dbff2
Comment 23 Samba QA Contact 2022-07-27 13:07:05 UTC
This bug was referenced in samba v4-17-test:

4ec784e0a91e572801a47be36a1729b92cb4140b
4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c
aa728dfcc9684748818412231e865fbd9112b565
9881491023eb1ece27bd7a24ed41902bb15dbff2
Comment 24 Jule Anger 2022-08-04 09:51:12 UTC
Pushed to all relevant branches. Closing out bug report.
Many thanks at all!