backport to fix CVE-2021-44142

2022-02-08 19:21:29 +08:00 · 2022-02-08 19:21:29 +08:00 · 363e1826c2
commit 363e1826c2
parent 8ffc8d6a32
6 changed files with 325 additions and 1 deletions
--- a/backport-0001-CVE-2021-44142.patch
+++ b/backport-0001-CVE-2021-44142.patch
@ -0,0 +1,25 @@
+From 592aca7ac48947ff264ff2f24980a22863c644fb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 16:48:01 +0100
+Subject: [PATCH 1/6] CVE-2021-44142: libadouble: add defines for icon lengths
+
+From https://www.ietf.org/rfc/rfc1740.txt
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
+@@ -279,6 +279,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC
+ #define ADEDLEN_MACFILEI        4
+ #define ADEDLEN_PRODOSFILEI     8
+ #define ADEDLEN_MSDOSFILEI      2
+#define ADEDLEN_ICONBW          128
+#define ADEDLEN_ICONCOL         1024
+ #define ADEDLEN_DID             4
+ #define ADEDLEN_PRIVDEV         8
+ #define ADEDLEN_PRIVINO         8
--- a/backport-0002-CVE-2021-44142.patch
+++ b/backport-0002-CVE-2021-44142.patch
@ -0,0 +1,43 @@
+From 0c9e24ea2abb1882d74cf705dd4c692eb1705adb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 20 Nov 2021 16:36:42 +0100
+Subject: [PATCH 2/6] CVE-2021-44142: smbd: add Netatalk xattr used by
+ vfs_fruit to the list of private Samba xattrs
+
+This is an internal xattr that should not be user visible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
+---
+ source3/smbd/trans2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
+@@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd
+  Refuse to allow clients to overwrite our private xattrs.
+ ****************************************************************************/
+ 
+/*
+ * Taken from vfs_fruit.c
+ */
+#define NETATALK_META_XATTR "org.netatalk.Metadata"
+#if defined(HAVE_ATTROPEN)
+#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
+#else
+#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
+#endif
+
+ bool samba_private_attr_name(const char *unix_ea_name)
+ {
+ 	static const char * const prohibited_ea_names[] = {
+@@ -183,6 +193,7 @@ bool samba_private_attr_name(const char
+ 		SAMBA_XATTR_DOS_ATTRIB,
+ 		SAMBA_XATTR_MARKER,
+ 		XATTR_NTACL_NAME,
+		AFPINFO_EA_NETATALK,
+ 		NULL
+ 	};
+ 
--- a/backport-0003-CVE-2021-44142.patch
+++ b/backport-0003-CVE-2021-44142.patch
@ -0,0 +1,64 @@
+From d9cfe712fed17e0f031e3955a04a712a12a31c26 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 Nov 2021 07:19:32 +0100
+Subject: [PATCH 3/6] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+
+This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
+which is used for parsing ._ AppleDouble sidecar files, and the buffer
+ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
+buffer out-of-bounds access checks in ad_unpack_xattrs().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
+@@ -675,14 +675,27 @@ static bool ad_pack(struct adouble *ad)
+ static bool ad_unpack_xattrs(struct adouble *ad)
+ {
+ 	struct ad_xattr_header *h = &ad->adx_header;
+	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	const char *p = ad->ad_data;
+ 	uint32_t hoff;
+ 	uint32_t i;
+ 
+	if (ad->ad_type != ADOUBLE_RSRC) {
+		return false;
+	}
+
+ 	if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
+ 		return true;
+ 	}
+ 
+	/*
+	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+	 */
+	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
+		return false;
+	}
+
+ 	/* 2 bytes padding */
+ 	hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
+ 
+@@ -930,11 +943,12 @@ static bool ad_unpack(struct adouble *ad
+ 		ad->ad_eid[eid].ade_len = len;
+ 	}
+ 
+-	ok = ad_unpack_xattrs(ad);
+-	if (!ok) {
+-		return false;
+	if (ad->ad_type == ADOUBLE_RSRC) {
+		ok = ad_unpack_xattrs(ad);
+		if (!ok) {
+			return false;
+		}
+ 	}
+-
+ 	return true;
+ }
+ 
--- a/backport-0004-CVE-2021-44142.patch
+++ b/backport-0004-CVE-2021-44142.patch
@ -0,0 +1,20 @@
+From d5f8a6f423f6bfba706d57459d78046920d61ce5 Mon Sep 17 00:00:00 2001
+From: Noel Power <noel.power@suse.com>
+Date: Fri, 21 Jan 2022 14:52:53 +0000
+Subject: [PATCH 4/6] vfs_fruit: CVE-2021-44142 tweak buffer size check
+
+---
+ source3/modules/vfs_fruit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
+@@ -692,7 +692,7 @@ static bool ad_unpack_xattrs(struct adou
+ 	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+ 	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+ 	 */
+-	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
+	if (bufsize < AD_DATASZ_DOT_UND || bufsize > AD_XATTR_MAX_HDR_SIZE) {
+ 		return false;
+ 	}
+ 
--- a/backport-0005-CVE-2021-44142.patch
+++ b/backport-0005-CVE-2021-44142.patch
@ -0,0 +1,161 @@
+From 6dd0f863108cab92e97de2e4d283cd07a3c07caf Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 17:03:02 +0100
+Subject: [PATCH 6/6] CVE-2021-44142: libadouble: harden parsing code
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/modules/vfs_fruit.c                  | 116 ++++++++++++++++---
+ 2 files changed, 101 insertions(+), 18 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
+
+--- a/source3/modules/vfs_fruit.c
+++ b/source3/modules/vfs_fruit.c
+@@ -488,6 +488,95 @@ static ssize_t afpinfo_pack(const AfpInf
+ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+ 
+ 
+/*
+ * All entries besides FinderInfo and resource fork must fit into the
+ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
+ * if it contains marshalled xattrs, which we will fixup that in
+ * ad_convert(). The first 32 bytes however must also be part of the buffer.
+ *
+ * The resource fork is never accessed directly by the ad_data buf.
+ */
+static bool ad_entry_check_size(uint32_t eid,
+				size_t bufsize,
+				uint32_t off,
+				uint32_t got_len)
+{
+	struct {
+		off_t expected_len;
+		bool fixed_size;
+		bool minimum_size;
+	} ad_checks[] = {
+		[ADEID_DFORK] = {-1, false, false}, /* not applicable */
+		[ADEID_RFORK] = {-1, false, false}, /* no limit */
+		[ADEID_NAME] = {ADEDLEN_NAME, false, false},
+		[ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
+		[ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
+		[ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
+		[ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
+		[ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
+		[ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
+		[ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
+		[ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
+		[ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
+		[ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
+		[ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
+		[ADEID_DID] = {ADEDLEN_DID, true, false},
+		[ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
+		[ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
+		[ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
+		[ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
+	};
+
+	if (eid >= ADEID_MAX) {
+		return false;
+	}
+	if (got_len == 0) {
+		/* Entry present, but empty, allow */
+		return true;
+	}
+	if (ad_checks[eid].expected_len == 0) {
+		/*
+		 * Shouldn't happen: implicitly initialized to zero because
+		 * explicit initializer missing.
+		 */
+		return false;
+	}
+	if (ad_checks[eid].expected_len == -1) {
+		/* Unused or no limit */
+		return true;
+	}
+	if (ad_checks[eid].fixed_size) {
+		if (ad_checks[eid].expected_len != got_len) {
+			/* Wrong size fo fixed size entry. */
+			return false;
+		}
+	} else {
+		if (ad_checks[eid].minimum_size) {
+			if (got_len < ad_checks[eid].expected_len) {
+				/*
+				 * Too small for variable sized entry with
+				 * minimum size.
+				 */
+				return false;
+			}
+		} else {
+			if (got_len > ad_checks[eid].expected_len) {
+				/* Too big for variable sized entry. */
+				return false;
+			}
+		}
+	}
+	if (off + got_len < off) {
+		/* wrap around */
+		return false;
+	}
+	if (off + got_len > bufsize) {
+		/* overflow */
+		return false;
+	}
+	return true;
+}
+
+ /**
+  * Return a pointer to an AppleDouble entry
+  *
+@@ -495,8 +584,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CT
+  **/
+ static char *ad_get_entry(const struct adouble *ad, int eid)
+ {
+	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	off_t off = ad_getentryoff(ad, eid);
+ 	size_t len = ad_getentrylen(ad, eid);
+	bool valid;
+
+	valid = ad_entry_check_size(eid, bufsize, off, len);
+	if (!valid) {
+		return NULL;
+	}
+ 
+ 	if (off == 0 || len == 0) {
+ 		return NULL;
+@@ -560,7 +656,6 @@ static int ad_setdate(struct adouble *ad
+ 	return 0;
+ }
+ 
+-
+ /**
+  * Map on-disk AppleDouble id to enumerated id
+  **/
+@@ -880,20 +975,11 @@ static bool ad_unpack(struct adouble *ad
+ 			return false;
+ 		}
+ 
+-		/*
+-		 * All entries besides FinderInfo and resource fork
+-		 * must fit into the buffer. FinderInfo is special as
+-		 * it may be larger then the default 32 bytes (if it
+-		 * contains marshalled xattrs), but we will fixup that
+-		 * in ad_convert(). And the resource fork is never
+-		 * accessed directly by the ad_data buf (also see
+-		 * comment above) anyway.
+-		 */
+-		if ((eid != ADEID_RFORK) &&
+-		    (eid != ADEID_FINDERI) &&
+-		    ((off + len) > bufsize)) {
+-			DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
+-				  eid, off, len));
+		ok = ad_entry_check_size(eid, bufsize, off, len);
+		if (!ok) {
+			DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
+				"off [%"PRIu32"] len [%"PRIu32"]\n",
+				eid, bufsize, off, len);
+ 			return false;
+ 		}
+ 
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        8
+Release:        9

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -177,6 +177,11 @@ Patch6248:       backport-s3-VFS-change-connection_struct-cwd_fname-to-cwd_fsp.p
 Patch6249:       backport-s3-smbd-Change-mkdir_internal-to-call-SMB_VFS_MKDIRAT.patch
 Patch6250:       backport-smbd-use-parent_smb_fname-in-mkdir_internal.patch
 Patch6251:       backport-CVE-2021-43566.patch
+Patch6252:       backport-0001-CVE-2021-44142.patch
+Patch6253:       backport-0002-CVE-2021-44142.patch
+Patch6254:       backport-0003-CVE-2021-44142.patch
+Patch6255:       backport-0004-CVE-2021-44142.patch
+Patch6256:       backport-0005-CVE-2021-44142.patch

 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
 BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel 
@ -3164,6 +3169,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Tue Feb 08 2022 gaihuiying <eaglegai@163.com> - 4.11.12-9
+- Type:cves
+- ID:CVE-2021-44142
+- SUG:NA
+- DESC:backport to fix CVE-2021-44142
+
 * Thu Jan 20 2022 gaihuiying <gaihuiying1@huawei.com> - 4.11.12-8
 - Type:cves
 - ID:CVE-2021-43566