!105 fix CVE-2022-32745

From: @xinghe_1 Reviewed-by: @seuzw Signed-off-by: @seuzw
2022-08-15 07:49:51 +00:00 · 2022-08-15 07:49:51 +00:00 · 2bad2e90a4
commit 2bad2e90a4
parent 6e15257f72 db79c7717e
5 changed files with 166 additions and 1 deletions
--- a/backport-0001-CVE-2022-32745.patch
+++ b/backport-0001-CVE-2022-32745.patch
@ -0,0 +1,40 @@
+From f1995ad41d01134a5169bd24b67881e69ec28ece Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 16 Feb 2022 17:03:10 +1300
+Subject: [PATCH 15/18] CVE-2022-32745 s4/dsdb/samldb: Check for empty values
+ array
+
+This avoids potentially trying to access the first element of an empty
+array.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
+index abb96d3bef8..5649a301cd4 100644
+--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
+@@ -748,7 +748,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
+ 		return ret;
+ 	}
+ 
+-	if (el == NULL) {
+	if (el == NULL || el->num_values == 0) {
+ 		return LDB_SUCCESS;
+ 	}
+ 
+@@ -916,7 +916,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac)
+ 		return ret;
+ 	}
+ 
+-	if (el == NULL) {
+	if (el == NULL || el->num_values == 0) {
+ 		return LDB_SUCCESS;
+ 	}
+ 
+-- 
+2.35.0
--- a/backport-0002-CVE-2022-32745.patch
+++ b/backport-0002-CVE-2022-32745.patch
@ -0,0 +1,39 @@
+From d9faf142495e1211620779bbedbefe7726d1099b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Thu, 17 Feb 2022 11:11:53 +1300
+Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop
+ count limit
+
+Currently, we can crash the server by sending a large number of values
+of a specific attribute (such as sAMAccountName) spread across a few
+message elements. If val_count is larger than the total number of
+elements, we get an access beyond the elements array.
+
+Similarly, we can include unrelated message elements prior to the
+message elements of the attribute in question, so that not all of the
+attribute's values are copied into the returned elements values array.
+This can cause the server to access uninitialised data, likely resulting
+in a crash or unexpected behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 4c67873643a..5d418efcd52 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1544,7 +1544,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 
+ 	v = _el->values;
+ 
+-	for (i = 0; i < val_count; i++) {
+	for (i = 0; i < msg->num_elements; i++) {
+ 		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+ 			if ((operation == LDB_MODIFY) &&
+ 			    (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+-- 
+2.35.0
--- a/backport-0003-CVE-2022-32745.patch
+++ b/backport-0003-CVE-2022-32745.patch
@ -0,0 +1,45 @@
+From 0b958460c108542eba1765c9438c8f5a8361a509 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Thu, 17 Feb 2022 11:13:38 +1300
+Subject: [PATCH 17/18] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a
+ NULL pointer
+
+Doing so is undefined behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 5d418efcd52..af412f55f98 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1546,15 +1546,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 
+ 	for (i = 0; i < msg->num_elements; i++) {
+ 		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+			const struct ldb_message_element *tmp_el = &msg->elements[i];
+ 			if ((operation == LDB_MODIFY) &&
+-			    (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+			    (LDB_FLAG_MOD_TYPE(tmp_el->flags)
+ 						== LDB_FLAG_MOD_DELETE)) {
+ 				continue;
+ 			}
+			if (tmp_el->values == NULL || tmp_el->num_values == 0) {
+				continue;
+			}
+ 			memcpy(v,
+-			       msg->elements[i].values,
+-			       msg->elements[i].num_values);
+-			v += msg->elements[i].num_values;
+			       tmp_el->values,
+			       tmp_el->num_values);
+			v += tmp_el->num_values;
+ 		}
+ 	}
+ 
+-- 
+2.35.0
--- a/backport-0004-CVE-2022-32745.patch
+++ b/backport-0004-CVE-2022-32745.patch
@ -0,0 +1,31 @@
+From aa38d5314de216597df6233c2aaa4f7680de4dcb Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Fri, 3 Jun 2022 16:16:31 +1200
+Subject: [PATCH 18/18] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
+ message element
+
+To use memcpy(), we need to specify the number of bytes to copy, rather
+than the number of ldb_val structures.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index af412f55f98..5ccbb1b4360 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1557,7 +1557,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 			}
+ 			memcpy(v,
+ 			       tmp_el->values,
+-			       tmp_el->num_values);
+			       tmp_el->num_values * sizeof(*v));
+ 			v += tmp_el->num_values;
+ 		}
+ 	}
+-- 
+2.35.0
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        13
+Release:        14

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -260,6 +260,10 @@ Patch6330:       backport-0053-CVE-2022-2031-CVE-2022-32744.patch
 Patch6331:       backport-0054-CVE-2022-2031-CVE-2022-32744.patch
 Patch6332:       backport-0055-CVE-2022-2031-CVE-2022-32744.patch
 Patch6333:       backport-CVE-2022-32742.patch
+Patch6334:       backport-0001-CVE-2022-32745.patch
+Patch6335:       backport-0002-CVE-2022-32745.patch
+Patch6336:       backport-0003-CVE-2022-32745.patch
+Patch6337:       backport-0004-CVE-2022-32745.patch


 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3249,6 +3253,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Mon Aug 15 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-14
+- Type:cves
+- CVE:CVE-2022-32745
+- SUG:NA
+- DESC:fix CVE-2022-32745
+
 * Fri Aug 12 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-13
 - Type:bugfix
 - ID:NA