[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Mar 24 13:12:01 UTC 2021


The branch, master has been updated
       via  293ab5f20ca ldb: bump version to 2.4.0, in order to be used for Samba 4.15
       via  9532c44baea CVE-2020-27840: pytests: move Dn.validate test to ldb
       via  dbb3e65f7e3 CVE-2020-27840 ldb_dn: avoid heap corruption in ldb_dn_explode
       via  1996b79f376 CVE-2020-27840: pytests:segfault: add ldb.Dn validate test
       via  1fe8c790b22 CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
       via  ea4bd2c437f CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
      from  bf1c294adb7 auth:creds: Free the uname pointer in cli_credentials_parse_string()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 293ab5f20caa12b7aaafaac992d5ce89cae77d45
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 24 12:54:31 2021 +0100

    ldb: bump version to 2.4.0, in order to be used for Samba 4.15
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Mar 24 13:11:52 UTC 2021 on sn-devel-184

commit 9532c44baea130db74f866e1472cb871936cd3dd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Feb 11 16:28:43 2021 +1300

    CVE-2020-27840: pytests: move Dn.validate test to ldb
    
    We had the test in the Samba Python segfault suite because
    a) the signal catching infrastructure was there, and
    b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
       assert the failure.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dbb3e65f7e382adf5fa6a6afb3d8684aca3f201a
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Dec 11 16:32:25 2020 +1300

    CVE-2020-27840 ldb_dn: avoid heap corruption in ldb_dn_explode
    
    A DN string with lots of trailing space can cause ldb_dn_explode() to
    put a zero byte in the wrong place in the heap.
    
    When a DN string has a value represented with trailing spaces,
    like this
    
         "CN=foo   ,DC=bar"
    
    the whitespace is supposed to be ignored. We keep track of this in the
    `t` pointer, which is NULL when we are not walking through trailing
    spaces, and points to the first space when we are. We are walking with
    the `p` pointer, writing the value to `d`, and keeping the length in
    `l`.
    
         "CN=foo   ,DC= "       ==>       "foo   "
                ^  ^                             ^
                t  p                             d
                                           --l---
    
    The value is finished when we encounter a comma or the end of the
    string. If `t` is not NULL at that point, we assume there are trailing
    spaces and wind `d` and `l` back by the correct amount. Then we switch
    to expecting an attribute name (e.g. "CN"), until we get to an "=",
    which puts us back into looking for a value.
    
    Unfortunately, because we forget to immediately tell `t` that we'd
    finished the last value, we can end up like this:
    
         "CN=foo   ,DC= "       ==>        ""
                ^      ^                    ^
                t      p                    d
                                            l=0
    
    where `p` is pointing to a new value that contains only spaces, while
    `t` is still referring to the old value. `p` notices the value ends,
    and we subtract `p - t` from `d`:
    
         "CN=foo   ,DC= "       ==>  ?     ""
                ^       ^            ^
                t       p            d
                                          l ~= SIZE_MAX - 8
    
    At that point `d` wants to terminate its string with a '\0', but
    instead it terminates someone else's byte. This does not crash if the
    number of trailing spaces is small, as `d` will point into a previous
    value (a copy of "foo" in this example). Corrupting that value will
    ultimately not matter, as we will soon try to allocate a buffer `l`
    long, which will be greater than the available memory and the whole
    operation will fail properly.
    
    However, with more spaces, `d` will point into memory before the
    beginning of the allocated buffer, with the exact offset depending on
    the length of the earlier attributes and the number of spaces.
    
    What about a longer DN with more attributes? For example,
    "CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
    bounds, won't we continue to use it and write more DN values into
    mystery memory? Fortunately not, because the aforementioned allocation
    of `l` bytes must happen first, and `l` is now huge. The allocation
    happens in a talloc_memdup(), which is by default restricted to
    allocating 256MB.
    
    So this allows a person who controls a string parsed by ldb_dn_explode
    to corrupt heap memory by placing a single zero byte at a chosen
    offset before the allocated buffer.
    
    An LDAP bind request can send a string DN as a username. This DN is
    necessarily parsed before the password is checked, so an attacker does
    not need proper credentials. The attacker can easily cause a denial of
    service and we cannot rule out more subtle attacks.
    
    The immediate solution is to reset `t` to NULL when a comma is
    encountered, indicating that we are no longer looking at trailing
    whitespace.
    
    Found with the help of Honggfuzz.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
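
The walk the commit message describes, as an added example that is not Samba's code: a cut-down C model of the ldb_dn_explode() loop that reproduces the stale `t` arithmetic with the terminator write bounds-checked, so it reports where the NUL would land and whether the following l + 1 byte allocation could succeed instead of corrupting memory. It handles only the plain attr=value,attr=value shape (no quoting, escapes or extended components); walk_dn, walk_crash_dn, finish_value and struct walk_result are this example's own names, and the "a=b" + spaces + ",c= " input is constructed here to mirror the new crash.py test.

```c
/* Added example, not Samba code: model of the ldb_dn_explode() value walk.
 * `d` is kept as an index so an out-of-range write can be detected rather
 * than performed; a wrapped `l` is reported as a refused allocation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct walk_result {
    size_t    ncomp;       /* components whose value was copied out */
    bool      oob_write;   /* a terminator would have landed outside the buffer */
    ptrdiff_t oob_index;   /* write index relative to the buffer start at that moment */
    bool      alloc_fail;  /* l wrapped, so the l + 1 byte copy is refused */
};

struct walker {
    char       *buf;  /* exploded components are written here (n + 1 bytes) */
    size_t      n;    /* strlen of the input */
    ptrdiff_t   di;   /* write index: the real code's `d`, kept as an index */
    const char *p;    /* read cursor */
    const char *t;    /* first byte of a run of possibly trailing spaces, or NULL */
    size_t      l;    /* bytes written for the current value */
    struct walk_result r;
};

/* Value terminator found: trim back, write the NUL, copy the value out. */
static bool finish_value(struct walker *w)
{
    if (w->t != NULL) {                /* the real code: d -= (p - t); l -= (p - t); */
        w->di -= (w->p - w->t);
        w->l  -= (size_t)(w->p - w->t);
    }
    if (w->di < 0 || w->di > (ptrdiff_t)w->n) {
        w->r.oob_write = true;         /* the real code writes '\0' here regardless */
        w->r.oob_index = w->di;
    } else {
        w->buf[w->di] = '\0';
    }
    w->di++;
    if (w->l > w->n) {                 /* a wrapped l cannot be allocated */
        w->r.alloc_fail = true;
        return false;
    }
    w->r.ncomp++;
    w->l = 0;
    return true;
}

/* reset_t_on_comma == false reproduces the bug; true applies the one-line fix. */
static struct walk_result walk_dn(const char *dn, bool reset_t_on_comma)
{
    struct walker w = {0};
    bool in_attr = true;   /* expecting an attribute name */
    bool trim = true;      /* skipping leading spaces of the current token */

    w.n = strlen(dn); w.p = dn;
    w.buf = calloc(w.n + 1, 1);
    if (w.buf == NULL) return w.r;
    while (*w.p != '\0') {
        if (in_attr) {
            if (trim && *w.p == ' ') { w.p++; continue; }
            trim = false;
            if (*w.p == '=') {
                w.buf[w.di++] = '\0';                 /* end of the attribute name */
                in_attr = false; trim = true; w.l = 0; w.p++;
                continue;
            }
            w.buf[w.di++] = *w.p++;
            continue;
        }
        if (trim && *w.p == ' ') { w.p++; continue; }  /* leading spaces of a value */
        trim = false;
        if (*w.p == ',') {
            if (!finish_value(&w)) break;             /* the real code fails the parse here */
            if (reset_t_on_comma) w.t = NULL;         /* the fix: forget the old value's spaces */
            in_attr = true; trim = true; w.p++;
            continue;
        }
        if (*w.p == ' ') {
            if (w.t == NULL) w.t = w.p;               /* maybe the start of trailing spaces */
        } else {
            w.t = NULL;                               /* a non-space: those were not trailing */
        }
        w.buf[w.di++] = *w.p++;
        w.l++;
    }
    if (!in_attr) finish_value(&w);                   /* the last value ends with the string */
    free(w.buf);
    return w.r;
}

/* Constructed input of the shape crash.py uses: "a=b" + N spaces + ",c= ". */
static struct walk_result walk_crash_dn(size_t spaces, bool reset_t_on_comma)
{
    char dn[512];
    snprintf(dn, sizeof dn, "a=b%*s,c= ", (int)spaces, "");
    return walk_dn(dn, reset_t_on_comma);
}
```

In this model walk_crash_dn(106, false) reports the terminator landing at index -104 (for this input shape the index is 2 minus the space count) and the allocation refused, while walk_crash_dn(106, true) returns two components with no out-of-range write. Any count of three or more spaces already moves the write before the buffer here, so the count at which the real code visibly crashes depends on what the allocator keeps in front of the buffer, consistent with crash.py sweeping a range of counts rather than one value.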

commit 1996b79f376b459bb964a6344ca5f264e7d6e2ec
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Thu Feb 11 17:05:14 2021 +1300

    CVE-2020-27840: pytests:segfault: add ldb.Dn validate test
    
    ldb.Dn.validate wraps ldb_dn_explode.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Tue Dec 8 21:32:09 2020 +1300

    CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
    
    For a string that had N spaces at the beginning, we would
    try to move N bytes beyond the end of the string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
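
The over-read this commit fixes, as an added example that is not Samba's code: a C model of the leading-space removal from this changeset's attrib_handlers.c hunk, with memmove replaced by a bounds-checked copy that counts how many bytes the real call would read past the end of the allocation. It assumes `l` holds the number of bytes from `s` up to and including the terminator; how the real function sets `l` is outside the quoted hunk. fold_leading, fold_padded, fold_out_is, checked_move and struct fold_result are this example's own names, and the inputs are constructed to match the shape of the new ldb_match test entries.

```c
/* Added example, not Samba code: model of the ldb_handler_fold() leading-space
 * removal with the memmove length checked against the string's allocation. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct fold_result {
    char   out[128];    /* the folded string */
    size_t overread;    /* bytes memmove would have read beyond the string */
};

/* Stand-in for memmove(dst, src, n) where the string occupies exactly
 * buf[0 .. len] (len bytes plus NUL), like a talloc'd casefolded copy.
 * Copies only the in-range bytes and returns how many were requested
 * beyond the terminator. */
static size_t checked_move(char *buf, size_t len, char *dst, const char *src, size_t n)
{
    size_t avail = (size_t)(buf + len + 1 - src);   /* readable bytes from src */
    size_t copy = n < avail ? n : avail;
    memmove(dst, src, copy);
    return n - copy;
}

/* decrement_l == false is the pre-fix loop; true is the fixed `s++, l--`. */
static struct fold_result fold_leading(const char *in, bool decrement_l)
{
    struct fold_result r = { {0}, 0 };
    char buf[128];
    char *s, *t;
    size_t len, l;

    snprintf(buf, sizeof buf, "%s", in);
    len = strlen(buf);
    s = buf;
    l = len + 1;              /* assumption: the string plus its terminator */

    /* remove leading spaces if any (mirrors the hunk) */
    if (*s == ' ') {
        for (t = s; *s == ' '; s++) {
            if (decrement_l) {
                l--;          /* the fix: one fewer byte to move per skipped space */
            }
        }
        /* remove leading spaces by moving down the string */
        r.overread = checked_move(buf, len, t, s, l);
        s = t;
    }
    snprintf(r.out, sizeof r.out, "%s", s);
    return r;
}

/* Constructed input like the new ldb_match entries: N spaces, then `rest`. */
static struct fold_result fold_padded(size_t spaces, const char *rest, bool decrement_l)
{
    char in[128];
    snprintf(in, sizeof in, "%*s%s", (int)spaces, "", rest);
    return fold_leading(in, decrement_l);
}

static bool fold_out_is(const char *in, bool decrement_l, const char *expected)
{
    struct fold_result r = fold_leading(in, decrement_l);
    return strcmp(r.out, expected) == 0;
}

int main(void)
{
    struct fold_result bug = fold_padded(21, "1  0", false);
    struct fold_result fix = fold_padded(21, "1  0", true);
    printf("buggy: \"%s\", %zu bytes read past the end\n", bug.out, bug.overread);
    printf("fixed: \"%s\", %zu bytes read past the end\n", fix.out, fix.overread);
    return 0;
}
```

Both variants produce the same folded text because the bytes inside the allocation are identical; the only difference is that the pre-fix loop asks for N extra bytes past the terminator, which is the heap over-read an address sanitizer or a guard page would catch and which the new wildcard tests with leading spaces now exercise.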

commit ea4bd2c437fbb5801fb82e2a038d9cdb5abea4c0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Mar 5 20:13:01 2021 +1300

    CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.0.sigs}     |  0
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.4.0.sigs} |  0
 lib/ldb/common/attrib_handlers.c                   |  2 +-
 lib/ldb/common/ldb_dn.c                            |  1 +
 lib/ldb/tests/ldb_match_test.c                     |  8 +++-
 lib/ldb/tests/python/crash.py                      | 45 ++++++++++++++++++++++
 lib/ldb/wscript                                    |  3 +-
 7 files changed, 56 insertions(+), 3 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.0.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.0.sigs} (100%)
 create mode 100644 lib/ldb/tests/python/crash.py


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.4.0.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.4.0.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.4.0.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.4.0.sigs
diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c
index 11921ca429c..81a74584bcb 100644
--- a/lib/ldb/common/attrib_handlers.c
+++ b/lib/ldb/common/attrib_handlers.c
@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx,
 	
 	/* remove leading spaces if any */
 	if (*s == ' ') {
-		for (t = s; *s == ' '; s++) ;
+		for (t = s; *s == ' '; s++, l--) ;
 
 		/* remove leading spaces by moving down the string */
 		memmove(t, s, l);
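Review bot: the `l--` per skipped space brings the copy length back in step with the advanced `s`, so `memmove(t, s, l)` no longer reads the N skipped bytes past the end of the string, but the loop body is still an empty statement on the same line (`for (t = s; *s == ' '; s++, l--) ;`), which is easy to misread as a loop whose body is the memmove below; writing it as `while (*s == ' ') { s++; l--; }` or putting the `;` on its own line would make the intent obvious. A one-line comment stating what `l` counts from `s` (with or without the terminator) would also help, since the correctness of the copy length rests on that and it is not visible in this hunk.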
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index 001fcad621f..cce5ad5b2ff 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -570,6 +570,7 @@ static bool ldb_dn_explode(struct ldb_dn *dn)
 					/* trim back */
 					d -= (p - t);
 					l -= (p - t);
+					t = NULL;
 				}
 
 				in_attr = true;
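Review bot: the `t = NULL;` reset sits inside the `if (t)` trim-back block, which is sufficient because `t` can only be stale when that block runs, but placing it unconditionally just before `in_attr = true;` would state the invariant directly (a new attribute starts with no trailing-space candidate) and survive a later change to the trim-back condition. Since `d -= (p - t);` is exactly where a stale `t` becomes an out-of-range write, a comment on that line saying `t` must point into the value currently being written, or a check that `(p - t) <= l` before the subtraction, would record why this reset is security-relevant rather than cosmetic.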
diff --git a/lib/ldb/tests/ldb_match_test.c b/lib/ldb/tests/ldb_match_test.c
index 3028aed072c..ba6ea56be15 100644
--- a/lib/ldb/tests/ldb_match_test.c
+++ b/lib/ldb/tests/ldb_match_test.c
@@ -181,6 +181,8 @@ static void test_wildcard_match(void **state)
 	size_t failed = 0;
 	size_t i;
 	struct wildcard_test tests[] = {
+		TEST_ENTRY("                     1  0", "1*0*", true, true),
+		TEST_ENTRY("                     1  0", "1 *0", true, true),
 		TEST_ENTRY("The value.......end", "*end", true, true),
 		TEST_ENTRY("The value.......end", "*fend", false, true),
 		TEST_ENTRY("The value.......end", "*eel", false, true),
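Review bot: the two new TEST_ENTRY lines with a run of leading spaces carry no comment saying what they guard, unlike the NUL-byte entries further down; a one-line comment naming the leading-space over-read in the casefold handler would tell a future reader why these values start with spaces and why they belong in the casefolding section.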
@@ -203,8 +205,12 @@ static void test_wildcard_match(void **state)
 		TEST_ENTRY("1\n0\r0\t000.0.0.0.0", "1*0*0*0*0*0*0*0*0", true,
 			   true),
 		/*
-		 *  We allow NUL bytes in non-casefolding syntaxes.
+		 *  We allow NUL bytes and redundant spaces in non-casefolding
+		 *  syntaxes.
 		 */
+		TEST_ENTRY("                  1  0", "*1  0", true, false),
+		TEST_ENTRY("                  1  0", "*1  0", true, false),
+		TEST_ENTRY("1    0", "*1 0", false, false),
 		TEST_ENTRY("1\x00 x", "1*x", true, false),
 		TEST_ENTRY("1\x00 x", "*x", true, false),
 		TEST_ENTRY("1\x00 x", "*x*", true, false),
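Review bot: the two lines `TEST_ENTRY("                  1  0", "*1  0", true, false),` are identical, so the second adds no coverage; one of them was presumably meant to use a different pattern (for instance a single-space `"*1 0"`, which the following line only checks as a non-match against `"1    0"`), and the comment above them now promises coverage of "redundant spaces" that a varied second entry would actually deliver.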
diff --git a/lib/ldb/tests/python/crash.py b/lib/ldb/tests/python/crash.py
new file mode 100644
index 00000000000..32839814552
--- /dev/null
+++ b/lib/ldb/tests/python/crash.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+#
+# Tests for crashing functions
+
+import os
+from unittest import TestCase
+import os
+import sys
+import traceback
+
+import ldb
+
+
+def segfault_detector(f):
+    def wrapper(*args, **kwargs):
+        pid = os.fork()
+        if pid == 0:
+            # child, crashing?
+            try:
+                f(*args, **kwargs)
+            except Exception as e:
+                traceback.print_exc()
+            sys.stderr.flush()
+            sys.stdout.flush()
+            os._exit(0)
+
+        # parent, waiting
+        pid2, status = os.waitpid(pid, 0)
+        if os.WIFSIGNALED(status):
+            signal = os.WTERMSIG(status)
+            raise AssertionError("Failed with signal %d" % signal)
+
+    return wrapper
+
+
+class LdbDnCrashTests(TestCase):
+    @segfault_detector
+    def test_ldb_dn_explode_crash(self):
+        for i in range(106, 150):
+            dn = ldb.Dn(ldb.Ldb(), "a=b%s,c= " % (' ' * i))
+            dn.validate()
+
+if __name__ == '__main__':
+    import unittest
+    unittest.TestProgram()
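Review bot: `import os` appears twice (before and after `from unittest import TestCase`), and the child branch of segfault_detector catches every Exception, prints it and still calls `os._exit(0)`, so a validate() that raises an ordinary error rather than crashing counts as a pass; that matches the test's purpose (only a signal is a failure) but deserves a comment, and if non-crash failures should ever count, the child should exit non-zero on exception and the parent should check `os.WEXITSTATUS(status)` alongside `os.WIFSIGNALED(status)`. The magic `range(106, 150)` would benefit from a comment on why the lower bound is 106, and `unittest.TestProgram()` is normally spelled `unittest.main()`.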
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index f374f64aeab..5f98fb4f605 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '2.2.0'
+VERSION = '2.4.0'
 
 import sys, os
 
@@ -614,6 +614,7 @@ def test(ctx):
         os.mkdir(tmp_dir)
     pyret = samba_utils.RUN_PYTHON_TESTS(
         ['tests/python/api.py',
+         'tests/python/crash.py',
          'tests/python/index.py',
          'tests/python/repack.py'],
         extra_env={'SELFTEST_PREFIX': test_prefix})


-- 
Samba Shared Repository
