!180 回合上游补丁，修复krb5配置文件导致segment fault

From: @fwo 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-CVE-2023-3758.patch

@@ -0,0 +1,222 @@
+From 7544309353945cdb7f7e9ff4566952512ef68346 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 8 Nov 2023 14:50:24 +0100
+Subject: [PATCH] ad-gpo: use hash to store intermediate results
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently after the evaluation of a single GPO file the intermediate
+results are stored in the cache and this cache entry is updated until
+all applicable GPO files are evaluated. Finally the data in the cache is
+used to make the decision of access is granted or rejected.
+
+If there are two or more access-control request running in parallel one
+request might overwrite the cache object with intermediate data while
+another request reads the cached data for the access decision and as a
+result will do this decision based on intermediate data.
+
+To avoid this the intermediate results are not stored in the cache
+anymore but in hash tables which are specific to the request. Only the
+final result is written to the cache to have it available for offline
+authentication.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
+
+Reference：https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726
+Conflict: src/providers/ad/ad_gpo.c
+---
+ src/providers/ad/ad_gpo.c | 117 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 103 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 7442f27..c8cb15e 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -1138,6 +1138,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+     return ret;
+ }
+ 
++static errno_t
++add_result_to_hash(hash_table_t *hash, const char *key, char *value)
++{
++    int hret;
++    hash_key_t k;
++    hash_value_t v;
++
++    if (hash == NULL || key == NULL || value == NULL) {
++        return EINVAL;
++    }
++
++    k.type = HASH_KEY_CONST_STRING;
++    k.c_str = key;
++
++    v.type = HASH_VALUE_PTR;
++    v.ptr = value;
++
++    hret = hash_enter(hash, &k, &v);
++    if (hret != HASH_SUCCESS) {
++        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
++                                 key, value, hash_error_string(hret));
++        return EIO;
++    }
++
++    return EOK;
++}
++
+ /*
+  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+  * and stores the allow_key and deny_key of all of the gpo_map_types present
+@@ -1145,6 +1172,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+  */
+ static errno_t
+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
++                             hash_table_t *allow_maps, hash_table_t *deny_maps,
+                              const char *filename)
+ {
+     struct ini_cfgfile *file_ctx = NULL;
+@@ -1278,14 +1306,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = allow_value ? allow_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         allow_key,
+-                                                         value);
++                ret = add_result_to_hash(allow_maps, allow_key,
++                                         talloc_strdup(allow_maps, value));
+                 if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+-                          ret, sss_strerror(ret));
++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                               "value: [%s] to allow maps "
++                                               "[%d][%s].\n",
++                                               allow_key, value, ret,
++                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
+@@ -1305,14 +1333,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = deny_value ? deny_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         deny_key,
+-                                                         value);
++                ret = add_result_to_hash(deny_maps, deny_key,
++                                         talloc_strdup(deny_maps, value));
+                 if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+-                          ret, sss_strerror(ret));
++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++                                               "value: [%s] to deny maps "
++                                               "[%d][%s].\n",
++                                               deny_key, value, ret,
++                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
+@@ -1608,6 +1636,8 @@ struct ad_gpo_access_state {
+     struct gp_gpo **cse_filtered_gpos;
+     int num_cse_filtered_gpos;
+     int cse_gpo_index;
++    hash_table_t *allow_maps;
++    hash_table_t *deny_maps;
+ };
+ 
+ static void ad_gpo_connect_done(struct tevent_req *subreq);
+@@ -1730,6 +1760,20 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+ 
++    ret = sss_hash_create(state, 0, &state->allow_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
++              "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
++    ret = sss_hash_create(state, 0, &state->deny_maps);
++    if (ret != EOK) {
++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
++              "hash table [%d]: %s\n", ret, sss_strerror(ret));
++        goto immediately;
++    }
++
+     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+     if (subreq == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE,
+@@ -2371,6 +2415,43 @@ ad_gpo_cse_step(struct tevent_req *req)
+     return EAGAIN;
+ }
+ 
++static errno_t
++store_hash_maps_in_cache(struct sss_domain_info *domain,
++                         hash_table_t *allow_maps, hash_table_t *deny_maps)
++{
++    int ret;
++    struct hash_iter_context_t *iter;
++    hash_entry_t *entry;
++    size_t c;
++    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
++
++
++    for (c = 0; hash_list[c] != NULL; c++) {
++        iter = new_hash_iter_context(hash_list[c]);
++        if (iter == NULL) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
++            return EINVAL;
++        }
++
++        while ((entry = iter->next(iter)) != NULL) {
++            ret = sysdb_gpo_store_gpo_result_setting(domain,
++                                                     entry->key.c_str,
++                                                     entry->value.ptr);
++            if (ret != EOK) {
++                free(iter);
++                DEBUG(SSSDBG_OP_FAILURE,
++                      "sysdb_gpo_store_gpo_result_setting failed for key:"
++                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
++                      (char *) entry->value.ptr, ret, sss_strerror(ret));
++                return ret;
++            }
++        }
++        talloc_free(iter);
++    }
++
++    return EOK;
++}
++
+ /*
+  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
+  * cse_gpo_index until the policy settings for all applicable GPOs have been
+@@ -2412,6 +2493,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+      * (as part of the GPO Result object in the sysdb cache).
+      */
+     ret = ad_gpo_store_policy_settings(state->host_domain,
++                                       state->allow_maps, state->deny_maps,
+                                        cse_filtered_gpo->policy_filename);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE,
+@@ -2425,6 +2507,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+ 
+     if (ret == EOK) {
+         /* ret is EOK only after all GPO policy files have been downloaded */
++        ret = store_hash_maps_in_cache(state->host_domain,
++                                       state->allow_maps, state->deny_maps);
++        if (ret != EOK) {
++            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
++                                     "[%d][%s].\n", ret, sss_strerror(ret));
++            goto done;
++        }
+         ret = ad_gpo_perform_hbac_processing(state,
+                                              state->gpo_mode,
+                                              state->gpo_map_type,
+-- 
+2.33.0
+

backport-Make-sure-invalid-krb5-context-is-not-used.patch

@@ -0,0 +1,33 @@
+From bdfb92012d6dec2999469d483ba67d6c2521a078 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 21 Nov 2024 09:23:36 +0100
+Subject: [PATCH] ldap_child: make sure invalid krb5 context is not used -
+ 2.9.4
+
+Resolves: https://github.com/SSSD/sssd/issues/7715
+---
+ src/util/sss_krb5.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
+index 3f57e5b268f..0b83142ddfc 100644
+--- a/src/util/sss_krb5.c
++++ b/src/util/sss_krb5.c
+@@ -115,6 +115,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+ 
+     kerr = sss_krb5_init_context(&krb_ctx);
+     if (kerr) {
++	krb_ctx = NULL;
+         DEBUG(SSSDBG_OP_FAILURE, "Failed to init Kerberos context\n");
+         ret = EFAULT;
+         goto done;
+@@ -248,7 +249,7 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
+     }
+ 
+ done:
+-    if (ret != EOK) {
++    if (ret != EOK && krb_ctx != NULL) {
+         DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n",
+                KEYTAB_CLEAN_NAME, strerror(ret));
+         sss_log(SSS_LOG_ERR, "Failed to read keytab [%s]: %s\n",
+

backport-RESPONDER-use-proper-context-for-getDomains.patch

@@ -0,0 +1,55 @@
+From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 26 Apr 2024 14:04:50 +0200
+Subject: [PATCH] RESPONDER: use proper context for getDomains()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Request was created on a long term responder context, but a callback
+for this request tries to access memory that is allocated on a short
+term client context. So if client disconnects before request is
+completed, then callback dereferences already freed memory.
+
+Resolves: https://github.com/SSSD/sssd/issues/7319
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19
+Conflict:NA
+
+---
+ src/responder/pac/pacsrv_cmd.c | 2 +-
+ src/responder/pam/pamsrv_cmd.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
+index e3aab88..29d5574 100644
+--- a/src/responder/pac/pacsrv_cmd.c
++++ b/src/responder/pac/pacsrv_cmd.c
+@@ -140,7 +140,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx)
+     ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str,
+                                      &pr_ctx->dom);
+     if (ret == EAGAIN || ret == ENOENT) {
+-        req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true,
++        req = sss_dp_get_domains_send(cctx, cctx->rctx, true,
+                                       pr_ctx->domain_name);
+         if (req == NULL) {
+             ret = ENOMEM;
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 20c332b..1570304 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1416,7 +1416,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
+ 
+     ret = pam_forwarder_parse_data(cctx, pd);
+     if (ret == EAGAIN) {
+-        req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
++        req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain);
+         if (req == NULL) {
+             ret = ENOMEM;
+         } else {
+-- 
+2.33.0
+

backport-TOOLS-mistype-fix.patch

@@ -0,0 +1,30 @@
+From 3621a587a32589e8404ed1f2356fcbfebc128efc Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 2 Sep 2024 21:04:34 +0200
+Subject: [PATCH] TOOLS: mistype fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+---
+ src/tools/sssctl/sssctl_data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 79e12078e..43b9814ea 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -166,7 +166,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+         }
+     }
+ 
+-    if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
++    if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {
+         ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+                                                   SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+-- 
+2.33.0
+

backport-UTILS-inotify-avoid-potential-NULL-deref.patch

@@ -0,0 +1,57 @@
+From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 18 Mar 2024 12:15:21 +0100
+Subject: [PATCH] UTILS: inotify: avoid potential NULL deref
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error:
+```
+Error: STRING_NULL (CWE-170):
+sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
+sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
+sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
+sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
+ #  325|
+ #  326|               if (snctx->wctx->dir_wd == in_event->wd) {
+ #  327|->                 ret = process_dir_event(snctx, in_event);
+ #  328|               } else if (snctx->wctx->file_wd == in_event->wd) {
+ #  329|                   ret = process_file_event(snctx, in_event);
+```
+  --  it might be unsafe to dereference `in_event->name`
+if `in_event->len == 0`
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62
+Conflict:NA
+
+---
+ src/util/inotify.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/inotify.c b/src/util/inotify.c
+index a3c33ed..8192cfd 100644
+--- a/src/util/inotify.c
++++ b/src/util/inotify.c
+@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx,
+ {
+     errno_t ret;
+ 
++    if (in_event->len == 0) {
++        DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n");
++        return EOK;
++    }
++
+     DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name);
+-    if (in_event->len == 0 \
+-            || strcmp(in_event->name, snctx->base_name) != 0) {
++    if (strcmp(in_event->name, snctx->base_name) != 0) {
+         DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name);
+         return EOK;
+     }
+-- 
+2.33.0
+

backport-avoid-NULL-deref-in-monitor_service_shutdow.patch

@@ -0,0 +1,28 @@
+From 38905cac4b67f0e4c4b0f59af9ea7474482f088e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Mon, 27 May 2024 15:25:45 +0800
+Subject: [PATCH] monitor: avoid NULL deref in monitor_service_shutdown()
+
+Resolves: https://github.com/SSSD/sssd/issues/5598
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/monitor/monitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index f5f8fe9..b464a12 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -2107,7 +2107,7 @@ static void monitor_service_shutdown(struct mt_svc *svc)
+ 
+     /* We must decrease the number of services when shutting down
+      * a {socket,dbus}-activated service. */
+-    ctx->num_services--;
++    if (ctx != NULL) ctx->num_services--;
+ 
+     DEBUG(SSSDBG_TRACE_FUNC,
+           "Unregistering service %s (%p)\n", svc->identity, svc);
+-- 
+2.33.0
+

sssd.spec

@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.2.2
-Release: 15
+Release: 20
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -16,6 +16,12 @@ Patch6: backport-dp-fix-potential-race-condition-in-provider-s-sbus-s.patch
 Patch7: backport-be-remove-accidental-sleep.patch
 Patch8: backport-sssctl-sssctl_domains.c-null-dereference-fixed.patch
 Patch9: backport-MONITOR-fix-socket_activated-flag-initialization.patch
+Patch10: backport-CVE-2023-3758.patch
+Patch11: backport-avoid-NULL-deref-in-monitor_service_shutdow.patch
+Patch12: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
+Patch13: backport-RESPONDER-use-proper-context-for-getDomains.patch
+Patch14: backport-TOOLS-mistype-fix.patch
+Patch15: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 
 Requires: python3-sssd = %{version}-%{release}
 Requires: libldb
@@ -589,6 +595,21 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Thu Dec 05 2024 wangjiang <app@cameyan.com> - 2.2.2-20
+- backport make sure invalid krb5 context is not used
+
+* Tue Dec 03 2024 wangjiang <app@cameyan.com> - 2.2.2-19
+- backport upstream patches
+
+* Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.2.2-18
+- backport upstream patches
+
+* Mon May 27 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.2.2-17
+- monitor: avoid NULL deref in monitor_service_shutdown()
+
+* Mon Apr 22 2024 wangqingsan <wangqingsan@huawei.com> - 2.2.2-16
+- fix CVE-2023-3758
+
 * Wed Dec 6 2023 zhangruifang <zhangruifang@h-partners.com> - 2.2.2-15
 - fix coredump in sssd.service