Bug 15096 - [SECURITY] ldb memory handling issues
Summary: [SECURITY] ldb memory handling issues
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.16.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: CVE-2022-32745 CVE-2022-32746
Blocks: 15109
Reported: 2022-06-14 04:09 UTC by Andrew Bartlett
Modified: 2022-08-04 09:53 UTC

See Also:


Attachments
  patch for these bugs for master under CI (79.19 KB, patch)
    2022-06-14 04:11 UTC, Andrew Bartlett; jsutton: ci-passed-
  patches for these bugs for master (84.89 KB, patch)
    2022-06-21 00:09 UTC, Jo Sutton; jsutton: ci-passed+
  patches for master v3 (92.22 KB, patch)
    2022-06-21 04:13 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.16 (92.22 KB, patch)
    2022-06-21 07:58 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.15 (92.22 KB, patch)
    2022-06-21 07:58 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.14 (92.22 KB, patch)
    2022-06-21 07:59 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.12 (92.22 KB, patch)
    2022-06-21 07:59 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.10 (92.68 KB, patch)
    2022-07-20 08:15 UTC, Jo Sutton; abartlet: review+; jsutton: ci-passed+
  patches v3 for 4.13 (92.21 KB, patch)
    2022-07-27 05:31 UTC, Jo Sutton; jsutton: ci-passed+

Description Andrew Bartlett 2022-06-14 04:09:28 UTC
Bug to handle a single set of patches (and so a single set of backports and CI) for the two similar but not quite identical sets of memory handling issues in ldb and Samba's use of ldb.
Comment 1 Andrew Bartlett 2022-06-14 04:11:30 UTC
Created attachment 17344 [details]
patch for these bugs for master under CI
Comment 2 Jo Sutton 2022-06-21 00:09:59 UTC
Created attachment 17376 [details]
patches for these bugs for master
Comment 3 Jo Sutton 2022-06-21 04:13:10 UTC
Created attachment 17380 [details]
patches for master v3

Included some more fixes for incorrect flag comparisons.
Comment 4 Jo Sutton 2022-06-21 07:58:27 UTC
Created attachment 17382 [details]
patches v3 for 4.16
Comment 5 Jo Sutton 2022-06-21 07:58:50 UTC
Created attachment 17383 [details]
patches v3 for 4.15
Comment 6 Jo Sutton 2022-06-21 07:59:08 UTC
Created attachment 17384 [details]
patches v3 for 4.14
Comment 7 Jo Sutton 2022-06-21 07:59:31 UTC
Created attachment 17385 [details]
patches v3 for 4.12

Applies on top of 4.12 patches for #14725.
Comment 8 Jeremy Allison 2022-06-21 15:31:32 UTC
(In reply to Joseph Sutton from comment #6)

Hi Joseph, sorry for the unrelated spam on this bug, but can you explain to me how you're getting a 4.14 build to pass autobuild, please?

I'm trying to do this for:

https://bugzilla.samba.org/show_bug.cgi?id=15085

(CVE-2022-32742) and my private autobuilds fail with a -Werror=format-truncation problem that's unrelated to my code changes.

==> samba.stderr <==
../lib/replace/test/testsuite.c: In function ‘test_snprintf’:
../lib/replace/test/testsuite.c:355:6: error: ‘%d’ directive output truncated writing 1 byte into a region of size 0 [-Werror=format-truncation=]
  if (snprintf(tmp, 3, "foo%d", 9) != 4) {
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../lib/replace/test/testsuite.c:355:6: note: ‘snprintf’ output 5 bytes into a destination of size 3

I must be setting up something wrong, but I don't see what?
Comment 9 Jo Sutton 2022-06-22 00:08:42 UTC
(In reply to Jeremy Allison from comment #8)
Hi, are you referring to the autobuilds on samba.org? I'm afraid I don't know what's going on there; I've just been running private pipelines for these patchsets on our private GitLab.
Comment 10 Jeremy Allison 2022-06-22 02:36:17 UTC
(In reply to Joseph Sutton from comment #9)

Sorry for spamming the bug. Yes, these are autobuilds on samba.org. I'm guessing that, as they're not containerized, an OS update / compiler update changes the patches required for build.

I'll see if I can get the 4.14.next through the catalyst build system instead.
Comment 11 Andrew Bartlett 2022-06-28 03:26:58 UTC
This comment on ldb_msg_append_linearized_dn() is incorrect:

+/*
+  append a DN element to a message
+  WARNING: this uses the linearized string from the dn, and does not
+  copy the string.
+*/
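Review bot: The WARNING in this comment block should be rewritten rather than carried over, because it describes behaviour the function does not have: ldb_msg_append_linearized_dn() obtains the linearized string from ldb_dn_alloc_linearized(), which allocates, and then moves that allocation onto the message with talloc_steal(). Suggest replacing the last two lines with wording such as "the DN is linearized into a newly allocated string that is stolen onto the message", so that callers are not misled into keeping the dn alive for the lifetime of the message.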

It does an allocation in ldb_dn_alloc_linearized() and puts the allocated memory in the correct place with talloc_steal(), which is exactly what we want.


In samdb_msg_add_int_flags() and samdb_msg_add_uint_flags() the poor pattern that this patch set complains about is repeated. Both the new and original should use the new _steal functions and not take a memory context, allocating the string version of the 'int' somewhere (e.g. samdb) and stealing it to the right spot.
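To make the ownership point in the comment above concrete, here is an added example that is not Samba or ldb code. It contrasts a helper that takes a caller-supplied memory context and stores the resulting string in the message (the pattern the comment objects to) with a helper that allocates the string anywhere and then steals it onto the message's own context (the pattern the comment recommends). The ctx_* functions are a minimal stand-in for talloc's parent/child ownership, an assumption of this example rather than libtalloc, so it builds without the library; the msg struct, the msg_add_uint_* names and the "sampleFlags" attribute are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Samba or ldb code. The ctx_* functions are a tiny
 * stand-in for talloc's parent/child ownership (an assumption of this example,
 * not libtalloc) so that it builds without the library. */
#define MAX_CHILDREN 16
struct ctx { void *children[MAX_CHILDREN]; int nchildren; };
static struct ctx *ctx_new(void) { return calloc(1, sizeof(struct ctx)); }

/* Allocate n zeroed bytes owned by parent; freed together with parent. */
static void *ctx_alloc(struct ctx *parent, size_t n)
{
    void *p = parent->nchildren == MAX_CHILDREN ? NULL : calloc(1, n);
    if (p != NULL) parent->children[parent->nchildren++] = p;
    return p;
}

static int ctx_owns(const struct ctx *c, const void *p)
{
    for (int i = 0; i < c->nchildren; i++)
        if (c->children[i] == p) return 1;
    return 0;
}

/* talloc_steal analogue: move p from 'from' to 'to' without copying. */
static int ctx_steal(struct ctx *to, struct ctx *from, void *p)
{
    for (int i = 0; i < from->nchildren; i++) {
        if (from->children[i] != p) continue;
        if (to->nchildren == MAX_CHILDREN) return -1;
        from->children[i] = from->children[--from->nchildren];
        to->children[to->nchildren++] = p;
        return 0;
    }
    return -1;
}

/* Free a context and every allocation it still owns. */
static void ctx_free(struct ctx *c)
{
    for (int i = 0; i < c->nchildren; i++) free(c->children[i]);
    free(c);
}

/* One-element message; value must stay valid as long as the message does. */
struct msg { struct ctx *mem; const char *name; char *value; };

/* Pattern the comment objects to: the caller's mem_ctx owns the string, so
 * freeing mem_ctx frees the value out from under the message. */
static int msg_add_uint_mem_ctx(struct ctx *mem_ctx, struct msg *m,
                                const char *name, unsigned v)
{
    char *s = ctx_alloc(mem_ctx, 16);
    if (s == NULL) return -1;
    snprintf(s, 16, "%u", v);
    m->name = name; m->value = s;
    return 0;
}

/* Preferred pattern: build the string on any scratch context, then steal it
 * onto the message so the message's own context owns it. */
static int msg_add_uint_steal(struct msg *m, struct ctx *scratch,
                              const char *name, unsigned v)
{
    char *s = ctx_alloc(scratch, 16);
    if (s == NULL) return -1;
    snprintf(s, 16, "%u", v);
    if (ctx_steal(m->mem, scratch, s) != 0) return -1;
    m->name = name; m->value = s;
    return 0;
}

/* Bit 0: mem_ctx pattern leaves the value owned by scratch.
 * Bit 1: steal pattern leaves the value owned by the message.
 * Bit 2: the stolen value still reads back after scratch is freed.
 * Returns 7 when all three hold. */
static int compare_patterns(void)
{
    struct ctx *scratch = ctx_new();
    struct msg a = { ctx_new(), NULL, NULL };
    struct msg b = { ctx_new(), NULL, NULL };
    int result = 0;
    /* constructed sample attribute name and value */
    msg_add_uint_mem_ctx(scratch, &a, "sampleFlags", 514);
    msg_add_uint_steal(&b, scratch, "sampleFlags", 514);
    if (ctx_owns(scratch, a.value) && !ctx_owns(a.mem, a.value)) result |= 1;
    if (ctx_owns(b.mem, b.value) && !ctx_owns(scratch, b.value)) result |= 2;
    ctx_free(scratch);  /* a.value now points at freed memory; b.value does not */
    if (strcmp(b.value, "514") == 0) result |= 4;
    ctx_free(a.mem); ctx_free(b.mem);
    return result;
}

int main(void)
{
    printf("ownership checks: %d (expect 7)\n", compare_patterns());
    return 0;
}
```

The point of the split is that a.value is never dereferenced after scratch is freed (that would be the use-after-free), while b.value is safe to read because the steal moved it under the message's context before scratch went away. With real talloc the same property is what talloc_steal() onto the message buys you, and the check "which context owns this pointer" is what a reviewer has to do by hand when a helper accepts a separate mem_ctx.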
Comment 12 Andrew Bartlett 2022-06-28 03:39:30 UTC
Comment on attachment 17380 [details]
patches for master v3

Despite my comments I've decided to mark this as reviewed, and we can fix this up more once in master. The two issues are just echoes of the existing state, and the security patch does the minimal change (even to the extent of copying an incorrect comment from where it was already incorrect).
Comment 13 Andrew Bartlett 2022-06-28 07:20:22 UTC
Assigning to Jule for the next security release.
Comment 14 Andrew Bartlett 2022-07-14 04:17:38 UTC
Opening security bugs to vendors.  Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
Comment 15 Jo Sutton 2022-07-20 08:15:59 UTC
Created attachment 17435 [details]
patches v3 for 4.10

Before applying these patches, first apply the 4.10 patches for:
https://bugzilla.samba.org/show_bug.cgi?id=14725
Comment 16 Andrew Bartlett 2022-07-20 20:46:41 UTC
Comment on attachment 17435 [details]
patches v3 for 4.10

The 4.10 backport looks good to me. Note that the new ldb 'release' in the 4.10 backport has an unofficial version of 1.5.9, not released upstream (the same applies to the 4.12 backport).

The only check I've not done is that some other area of the code is not using the ldb element flags improperly (e.g. I've checked the backport, not the rest of Samba).
Comment 17 Jo Sutton 2022-07-27 05:31:18 UTC
Created attachment 17448 [details]
patches v3 for 4.13
Comment 18 Jule Anger 2022-07-27 11:05:29 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 19 Andrew Bartlett 2022-07-28 18:37:16 UTC
(In reply to Andrew Bartlett from comment #16)
To be clear, this means that after patching, the Samba tarball contains the new unofficial ldb versions. Tarballs could be produced by running 'make dist' in lib/ldb if so required by your packaging.
Comment 20 Jule Anger 2022-08-04 09:53:54 UTC
Pushed to all relevant branches. Closing out bug report.
Many thanks to all!