Bug 15009 (CVE-2022-32746) - CVE-2022-32746 [SECURITY] Use-after-free occurring in database audit logging module
Summary: CVE-2022-32746 [SECURITY] Use-after-free occurring in database audit logging ...
Status: RESOLVED FIXED
Alias: CVE-2022-32746
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.11.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15096 15109
Reported: 2022-03-11 01:30 UTC by Jo Sutton
Modified: 2022-08-04 09:51 UTC (History)
CC List: 8 users

See Also:


Attachments
WIP patch for master (50.37 KB, patch)
2022-03-11 01:44 UTC, Jo Sutton
no flags
WIP patch for master (50.64 KB, patch)
2022-03-11 01:51 UTC, Jo Sutton
jsutton: ci-passed-
patch for master (79.69 KB, patch)
2022-06-21 00:11 UTC, Jo Sutton
jsutton: ci-passed+
Advisory draft #1 (2.66 KB, text/plain)
2022-06-21 07:48 UTC, Jo Sutton
abartlet: review+
Advisory draft #2 (2.66 KB, text/plain)
2022-06-28 08:01 UTC, Jo Sutton
abartlet: review+

Description Jo Sutton 2022-03-11 01:30:26 UTC
Some LDB modules add new values to a shallow copy of an LDB message such that talloc_realloc() is called on the original values array. This invalidates the 'values' pointer in the original message element, which may later be used in the database audit logging module to log database requests, potentially causing a crash.
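The mechanism in the description above, as an added example in C that is not Samba or ldb code: a message is shallow-copied, a module grows one element's values array through the copy, and the original element is left pointing at the freed array that an audit logger would later walk. The struct names, the always-moving grow_values() stand-in for talloc_realloc(), the shadow list of freed addresses, the constructed sample values, and the copy-on-write hardening in module_add_value_hardened() are all assumptions of this model, not the project's code or its actual fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for ldb_val / ldb_message_element / ldb_message (model only). */
struct val { const char *data; size_t length; };
struct element { const char *name; size_t num_values; struct val *values; };
struct message { size_t num_elements; struct element *elements; };

static void *xmalloc(size_t n) { void *p = malloc(n); if (!p) abort(); return p; }

/* Shadow list of freed value-array addresses: lets the caller ask whether a
 * pointer dangles without dereferencing freed memory (that read is the crash). */
#define MAX_FREED 16
static uintptr_t freed_addrs[MAX_FREED];
static size_t num_freed;

static void record_free(void *p) {
    if (num_freed < MAX_FREED) freed_addrs[num_freed++] = (uintptr_t)p;
    free(p);
}

int is_freed_addr(uintptr_t addr) {
    size_t i;
    for (i = 0; i < num_freed; i++) if (freed_addrs[i] == addr) return 1;
    return 0;
}

/* Stand-in for talloc_realloc() growing el->values by one value. The real call
 * may extend in place; this one always moves so the hazard shows every time. */
static void grow_values(struct element *el, struct val v) {
    struct val *nv = xmalloc((el->num_values + 1) * sizeof(*nv));
    memcpy(nv, el->values, el->num_values * sizeof(*nv));
    nv[el->num_values] = v;
    record_free(el->values);        /* anyone else holding this pointer now dangles */
    el->values = nv;
    el->num_values++;
}

/* Shallow copy: a fresh elements array, but every element's values pointer is shared. */
static struct message *msg_copy_shallow(const struct message *src) {
    struct message *dst = xmalloc(sizeof(*dst));
    dst->num_elements = src->num_elements;
    dst->elements = xmalloc(src->num_elements * sizeof(*dst->elements));
    memcpy(dst->elements, src->elements, src->num_elements * sizeof(*dst->elements));
    return dst;
}

static struct message *build_message(void) {
    struct message *m = xmalloc(sizeof(*m));
    m->num_elements = 1;
    m->elements = xmalloc(sizeof(*m->elements));
    m->elements[0].name = "description";
    m->elements[0].num_values = 1;
    m->elements[0].values = xmalloc(sizeof(struct val));
    m->elements[0].values[0].data = "original";   /* constructed sample value */
    m->elements[0].values[0].length = 8;
    return m;
}

/* Vulnerable pattern: append through the shallow copy into the shared array. */
static void module_add_value_buggy(struct message *copy, struct val v) {
    grow_values(&copy->elements[0], v);
}

/* One hardening (illustration, not Samba's patch): give the copied element its
 * own values array first, so the original's array is never reallocated. */
static void module_add_value_hardened(struct message *copy, struct val v) {
    struct element *el = &copy->elements[0];
    struct val *own = xmalloc(el->num_values * sizeof(*own));
    memcpy(own, el->values, el->num_values * sizeof(*own));
    el->values = own;
    grow_values(el, v);
}

/* Runs one module over a shallow copy; returns 1 if the ORIGINAL message's element
 * now points at freed memory (an audit logger walking it would read freed memory). */
int run_scenario(int hardened) {
    struct val extra = { "added-by-module", 15 };   /* constructed sample value */
    struct message *orig = build_message();
    struct message *copy = msg_copy_shallow(orig);
    /* The module never rewrites orig->elements[0].values, so this is exactly the
     * address a logger walking orig would dereference afterwards. */
    uintptr_t orig_values_addr = (uintptr_t)orig->elements[0].values;
    int dangling;

    num_freed = 0;
    if (hardened) module_add_value_hardened(copy, extra);
    else module_add_value_buggy(copy, extra);
    dangling = is_freed_addr(orig_values_addr);

    free(copy->elements[0].values);   /* always the fresh block grow_values made */
    free(copy->elements);
    free(copy);
    if (!dangling) free(orig->elements[0].values);
    free(orig->elements);
    free(orig);
    return dangling;
}

int main(void) {
    printf("buggy module:    original element dangles = %d\n", run_scenario(0));
    printf("hardened module: original element dangles = %d\n", run_scenario(1));
    return 0;
}
```

run_scenario(0) returns 1 (the original element's values pointer is now in the freed list) and run_scenario(1) returns 0. The model deliberately never dereferences the stale pointer: in the real bug that read is the crash, and in a test it would be undefined behaviour rather than a reliable signal. With a real talloc_realloc() whether the array moves depends on the allocator, which is why this kind of bug tends to surface intermittently rather than on every request.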
Comment 1 Jo Sutton 2022-03-11 01:44:09 UTC
Created attachment 17205 [details]
WIP patch for master

This patch is mostly complete, but probably needs a new LDB release.
Comment 2 Jo Sutton 2022-03-11 01:51:10 UTC
Created attachment 17206 [details]
WIP patch for master

Forgot to add bug tags.
Comment 3 Jo Sutton 2022-06-21 00:11:53 UTC
Created attachment 17377 [details]
patch for master
Comment 4 Jo Sutton 2022-06-21 07:13:58 UTC
Comment on attachment 17377 [details]
patch for master

Newer version of the patchset available at https://bugzilla.samba.org/show_bug.cgi?id=15096.
Comment 5 Jo Sutton 2022-06-21 07:48:32 UTC
Created attachment 17381 [details]
Advisory draft #1
Comment 6 Andrew Bartlett 2022-06-28 07:19:25 UTC
Assigning to Jule for the next security release.
Comment 7 Jo Sutton 2022-06-28 08:01:32 UTC
Created attachment 17399 [details]
Advisory draft #2

Fixed typo:
The AD DC database audit logging module be made => logging module can be made
Comment 8 Andrew Bartlett 2022-07-14 04:17:29 UTC
Opening security bugs to vendors. Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
Comment 9 Samba QA Contact 2022-07-27 10:31:14 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.4):

16f3112687e59deb862ebb8f3649310a352b038a
c83967ad71ae1fbacb6cec696face96aef1d2e22
59cd645b3958eeb7b359ed5b488820070873fac8
e46e43f76e7731c90ef4c47caa67d233d8c62d9a
b436fa43f29da677513e4fb6bf5c4f9f69280be0
ef8e25cf53f218c63f6becd8724a20d4e0cba6f7
f2ee4c78d95e744d83a85f472f9d2d487cc3cf3a
738955d0e14ead23c3ca2e8c0ce1d042332de73d
77d87117744a0d96fa758e68dd0a4c2fc759b413
513574283d9985b9a74b9faecf57355fea178dc0
a7a59c540ba13777109b33470dbd2d2c4938eb9d
c0127af98b2af828c635bd5a97b732cc5d151567
18b73e01ca4c67d27e08e505c0d29ff5c99d26ea
90ef792d904bc14c462a0232b985185a2159cf94
Comment 10 Samba QA Contact 2022-07-27 10:31:44 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.9):

a258b3c0636b208de699b1e693d86f5ee9985cfd
e2ef0f299aed8c0f9660f1d7912472d23e81fee8
6bc5e73000a639bab3c3d6789bdf879d5395bf9c
39371352d8fc1d3ab0dd2baeacebd9ce48b4ef02
27efd19085d01e1e3702afb5dfd82eaf72c13bf9
7c4439c7b7ff4caa7152f810ec9e83732fa70c3c
47e2b1080e603b36b5d54a3e00f005983e6911e2
f2b821f24e9b144c2cb1a9ec85f3bf1fdd2c2a8e
ba27d18c2e8e1d0cf1828bb6d072489e5c6c9159
1294192b821d2d3af444b750baa75924042f1162
3a68efe1bbba4923f02b89a7f675398fbd73265e
a25b97d0540fdb5a4a75fd85807d8963f14b607d
0446581bcce7c2d7f5ec22d8510a6e2069463d39
b686ef00da46d4a0c0aba0c61b1866cbc9b462b6
Comment 11 Samba QA Contact 2022-07-27 10:33:42 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.14):

5d958156c7e5d6c1da61d18fe4fd105b22639b56
51cbeff886fe01db463448f8655a43d10040dc8b
a68553792a8512a2d266bbb86f064f78b5482a65
582ac171364f0c28f54eaf4f21b5bfa7569b5233
0526d27e9eddd9c2a54434cf0dcdb136a6c659e4
2869b5aa3148869edf0d079266542aef6e64608e
535b5a366a2ad054f729e57e282e402cf13b2efc
bedd0b768c3f92645af033399aefd7ee971d9150
49dd9042f4ee380fa1dafcebcb54d0e1f0852463
faa61ab3053d077ac9d0aa67e955217e85b660f4
4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b
512a2617b1593bdc16caeeeda4312a581cbb34e9
f419753d1c7a373fb32ffe20930a6e084e44b44d
7270b68386692829f97d5c51c50108db395b263e
Comment 12 Samba QA Contact 2022-07-27 10:38:12 UTC
This bug was referenced in samba v4-14-test:

5d958156c7e5d6c1da61d18fe4fd105b22639b56
51cbeff886fe01db463448f8655a43d10040dc8b
a68553792a8512a2d266bbb86f064f78b5482a65
582ac171364f0c28f54eaf4f21b5bfa7569b5233
0526d27e9eddd9c2a54434cf0dcdb136a6c659e4
2869b5aa3148869edf0d079266542aef6e64608e
535b5a366a2ad054f729e57e282e402cf13b2efc
bedd0b768c3f92645af033399aefd7ee971d9150
49dd9042f4ee380fa1dafcebcb54d0e1f0852463
faa61ab3053d077ac9d0aa67e955217e85b660f4
4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b
512a2617b1593bdc16caeeeda4312a581cbb34e9
f419753d1c7a373fb32ffe20930a6e084e44b44d
7270b68386692829f97d5c51c50108db395b263e
Comment 13 Samba QA Contact 2022-07-27 10:59:54 UTC
This bug was referenced in samba v4-15-test:

a258b3c0636b208de699b1e693d86f5ee9985cfd
e2ef0f299aed8c0f9660f1d7912472d23e81fee8
6bc5e73000a639bab3c3d6789bdf879d5395bf9c
39371352d8fc1d3ab0dd2baeacebd9ce48b4ef02
27efd19085d01e1e3702afb5dfd82eaf72c13bf9
7c4439c7b7ff4caa7152f810ec9e83732fa70c3c
47e2b1080e603b36b5d54a3e00f005983e6911e2
f2b821f24e9b144c2cb1a9ec85f3bf1fdd2c2a8e
ba27d18c2e8e1d0cf1828bb6d072489e5c6c9159
1294192b821d2d3af444b750baa75924042f1162
3a68efe1bbba4923f02b89a7f675398fbd73265e
a25b97d0540fdb5a4a75fd85807d8963f14b607d
0446581bcce7c2d7f5ec22d8510a6e2069463d39
b686ef00da46d4a0c0aba0c61b1866cbc9b462b6
Comment 14 Jule Anger 2022-07-27 11:03:56 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 15 Samba QA Contact 2022-07-27 11:11:48 UTC
This bug was referenced in samba v4-16-test:

16f3112687e59deb862ebb8f3649310a352b038a
c83967ad71ae1fbacb6cec696face96aef1d2e22
59cd645b3958eeb7b359ed5b488820070873fac8
e46e43f76e7731c90ef4c47caa67d233d8c62d9a
b436fa43f29da677513e4fb6bf5c4f9f69280be0
ef8e25cf53f218c63f6becd8724a20d4e0cba6f7
f2ee4c78d95e744d83a85f472f9d2d487cc3cf3a
738955d0e14ead23c3ca2e8c0ce1d042332de73d
77d87117744a0d96fa758e68dd0a4c2fc759b413
513574283d9985b9a74b9faecf57355fea178dc0
a7a59c540ba13777109b33470dbd2d2c4938eb9d
c0127af98b2af828c635bd5a97b732cc5d151567
18b73e01ca4c67d27e08e505c0d29ff5c99d26ea
90ef792d904bc14c462a0232b985185a2159cf94
Comment 16 Samba QA Contact 2022-07-27 11:59:17 UTC
This bug was referenced in samba master:

a45ba891829b2f76a7d92998b8d96d7096e03c38
852a79c63c965b9861a1bd319948a51f116b7e9a
d178a0614057e75c957a77607df34ad81d8f1207
64258fd8b128970f0198b3f804311a0ca8fd48a1
99b805e4cbeec232c65adb1a6f3fb326b55c4496
41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b
e3b002641357ab7ee447999a3ffad8512d2bbb9c
e8ebdb99369c8d073190e467d1ede0f5b938a284
3e4439565b655135246491a2b43f69817bf20161
7efe8182c165fbf17d2f88c173527a7a554e214b
a2bb5beee82fd9c4c29decc07024057febeaf1b5
df487eb2d713e817660dd3b56bb26ba715fadfea
0a3aa5f908e351201dc9c4d4807b09ed9eedff77
f4eb4e6478db2b41acf426a7a6ba2e7130b69b29
Comment 17 Samba QA Contact 2022-07-27 13:06:22 UTC
This bug was referenced in samba v4-17-stable:

a45ba891829b2f76a7d92998b8d96d7096e03c38
852a79c63c965b9861a1bd319948a51f116b7e9a
d178a0614057e75c957a77607df34ad81d8f1207
64258fd8b128970f0198b3f804311a0ca8fd48a1
99b805e4cbeec232c65adb1a6f3fb326b55c4496
41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b
e3b002641357ab7ee447999a3ffad8512d2bbb9c
e8ebdb99369c8d073190e467d1ede0f5b938a284
3e4439565b655135246491a2b43f69817bf20161
7efe8182c165fbf17d2f88c173527a7a554e214b
a2bb5beee82fd9c4c29decc07024057febeaf1b5
df487eb2d713e817660dd3b56bb26ba715fadfea
0a3aa5f908e351201dc9c4d4807b09ed9eedff77
f4eb4e6478db2b41acf426a7a6ba2e7130b69b29
Comment 18 Samba QA Contact 2022-07-27 13:07:13 UTC
This bug was referenced in samba v4-17-test:

a45ba891829b2f76a7d92998b8d96d7096e03c38
852a79c63c965b9861a1bd319948a51f116b7e9a
d178a0614057e75c957a77607df34ad81d8f1207
64258fd8b128970f0198b3f804311a0ca8fd48a1
99b805e4cbeec232c65adb1a6f3fb326b55c4496
41b1fe6d4ae1f547b2f1a0ef8d1aee284b4ef93b
e3b002641357ab7ee447999a3ffad8512d2bbb9c
e8ebdb99369c8d073190e467d1ede0f5b938a284
3e4439565b655135246491a2b43f69817bf20161
7efe8182c165fbf17d2f88c173527a7a554e214b
a2bb5beee82fd9c4c29decc07024057febeaf1b5
df487eb2d713e817660dd3b56bb26ba715fadfea
0a3aa5f908e351201dc9c4d4807b09ed9eedff77
f4eb4e6478db2b41acf426a7a6ba2e7130b69b29
Comment 19 Jule Anger 2022-08-04 09:51:33 UTC
Pushed to all relevant branches. Closing out bug report.
Many thanks to all!