From 4def2dc554754033174c60f5860f51b46d8502c1 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Fri, 5 Jun 2020 22:14:48 +1200
|
|
Subject: [PATCH 21/22] CVE-2020-10760 dsdb: Ensure a proper talloc tree for
|
|
saved controls
|
|
|
|
Otherwise a paged search on the GC port will fail as the ->data was
|
|
not kept around for the second page of searches.
|
|
|
|
An example command to produce this is
|
|
bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD
|
|
|
|
This shows up later in the partition module as:
|
|
|
|
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
|
|
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
|
|
#0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
|
|
#1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
|
|
#2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
|
|
#3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780
|
|
|
|
or
|
|
|
|
smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
|
|
(from source4/dsdb/samdb/ldb_modules/partition.c:780)
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/dsdb/samdb/ldb_modules/paged_results.c | 8 ++++++++
|
|
source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 7 +++++++
|
|
2 files changed, 15 insertions(+)
|
|
|
|
diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c
|
|
index 735883e8802..3eea3236e7d 100644
|
|
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c
|
|
+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
|
|
@@ -523,6 +523,14 @@ paged_results_copy_down_controls(TALLOC_CTX *mem_ctx,
|
|
continue;
|
|
}
|
|
new_controls[j] = talloc_steal(new_controls, control);
|
|
+
|
|
+ /*
|
|
+ * Sadly the caller is not obliged to make this a
|
|
+ * proper talloc tree, so we do so here.
|
|
+ */
|
|
+ if (control->data) {
|
|
+ talloc_steal(control, control->data);
|
|
+ }
|
|
j++;
|
|
}
|
|
new_controls[j] = NULL;
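Review bot: The added `talloc_steal(control, control->data)` only holds if `control->data` is itself a talloc chunk; for a pointer that is static, a sub-pointer into another allocation, or otherwise not talloc-managed, talloc_steal will abort with a bad-magic panic rather than fix the lifetime, so the hunk trades a heap-use-after-free for a crash in that case. Whether every control reaching paged_results_copy_down_controls has talloc-allocated data is not visible here and should be confirmed against the callers (the function starts above the hunk). The comment could state the invariant being established rather than apologising for the caller: `/* control->data must outlive the caller's request: later pages read it, so parent it under control (which we now own). */`. The identical reparenting is duplicated in vlv_pagination.c; a shared helper in the ldb control code would keep the two in step.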
|
|
diff --git a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
|
|
index b103bda5f52..d6d6039e849 100644
|
|
--- a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
|
|
+++ b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
|
|
@@ -746,6 +746,13 @@ vlv_copy_down_controls(TALLOC_CTX *mem_ctx, struct ldb_control **controls)
|
|
continue;
|
|
}
|
|
new_controls[j] = talloc_steal(new_controls, control);
|
|
+ /*
|
|
+ * Sadly the caller is not obliged to make this a
|
|
+ * proper talloc tree, so we do so here.
|
|
+ */
|
|
+ if (control->data) {
|
|
+ talloc_steal(control, control->data);
|
|
+ }
|
|
j++;
|
|
}
|
|
new_controls[j] = NULL;
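Review bot: Same concern as in paged_results.c: `talloc_steal(control, control->data)` presumes `control->data` is a talloc chunk, and talloc_steal will panic on a non-talloc pointer instead of reparenting it, so this should be confirmed for every control type vlv_copy_down_controls can receive (the function starts above the hunk). A style nit: this hunk omits the blank line before the comment that the paged_results.c change has, and the two copies would be better as one helper so a later fix is not applied to only one module. The comment should name the invariant, e.g. `/* control->data must outlive the caller's request: later pages read it, so parent it under control (which we now own). */`.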
|
|
--
|
|
2.17.1
|
|
|