Bug 15872 - dns_tombstone_records_zone Wild Pointer Issue
Summary: dns_tombstone_records_zone Wild Pointer Issue
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.22.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-06-19 03:28 UTC by ze yue
Modified: 2025-10-16 02:39 UTC (History)
2 users (show)

See Also:

Attachments
Patch (1.06 KB, text/plain)
2025-06-19 09:24 UTC, Volker Lendecke 		no flags Details
patch moving the realloc up (1.67 KB, patch)
2025-06-22 03:08 UTC, Douglas Bagnall 		no flags Details
patch v2 (1.73 KB, patch)
2025-06-22 07:09 UTC, Douglas Bagnall 		no flags Details
patch v3 (1.68 KB, patch)
2025-06-23 00:31 UTC, Douglas Bagnall 		jsutton: review+
Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description ze yue 2025-06-19 03:28:16 UTC 
Issue Overview :
     A critical wild pointer issue has been identified in source4\dsdb\kcc\scavenge_dns_records.c involving memory management defects in the dns_tombstone_records_zone function.

Problematic Code Segment
                old_el = ldb_msg_find_element(new_msg, "dnsRecord"); 
		if (old_el == NULL) {
			TALLOC_FREE(new_msg);
			return NT_STATUS_INTERNAL_ERROR;
		}
		old_el->flags = LDB_FLAG_MOD_DELETE;

		ret = ldb_msg_add_empty(
		    new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
		if (ret != LDB_SUCCESS) {
			TALLOC_FREE(new_msg);
			return NT_STATUS_INTERNAL_ERROR;
		}

Memory Reallocation Risk
  ldb_msg_add_empty() may trigger internal realloc() operations
  After reallocation, the memory address of new_msg may change
  Previously obtained old_el pointer may point to freed memory
Comment 1 Douglas Bagnall 2025-06-19 04:09:53 UTC 
thanks.

I have restricted visibility for the moment while we work out what this means.
Comment 2 Volker Lendecke 2025-06-19 09:24:28 UTC 
Created attachment 18652 [details]
Patch

Possible fix?
Comment 3 Douglas Bagnall 2025-06-22 03:08:41 UTC 
Created attachment 18653 [details]
patch moving the realloc up

I think we can do it like this, still only finding old_el once, but doing it after the ldb_msg_add_empty().
Comment 4 Douglas Bagnall 2025-06-22 07:09:18 UTC 
Created attachment 18654 [details]
patch v2
Comment 5 Douglas Bagnall 2025-06-23 00:31:31 UTC 
Created attachment 18655 [details]
patch v3

I'm thinking this is not a security release, because there is not really any gap (i.e. memory writes or context switches) between the free and the read in which the value could be replaced. There might be some OS that could reclaim the page, but that doesn't seem common as there have been no reports.

Introduced in  4a2bfd249d06e229b080cb6f50a68086a8aa1e52.
Comment 6 Jennifer Sutton 2025-06-23 01:07:31 UTC 
Comment on attachment 18654 [details]
patch v2

+		/*
+		 * This empty record will become the replacement for old_el.
+		 * (we add it forst because it reallocs).
+		 */

forst -> first?

+		if (old_el == NULL ||
+		    old_el == &(new_msg->elements[new_msg->num_elements - 1])) {

if (old_el == NULL || old_el == el) {

?

Otherwise looks good.
Comment 7 Jennifer Sutton 2025-06-23 01:09:50 UTC 
Comment on attachment 18655 [details]
patch v3

Oh, you beat me to it.
Comment 8 Samba QA Contact 2025-07-30 02:04:03 UTC 
This bug was referenced in samba master:

750f6847f04d5c18ee308ac8bc5bc0828c32deeb