[PATCH] nsswitch pam_winbind: Fix Asan use after free

Gary Lockyer gary at catalyst.net.nz
Mon May 6 03:03:14 UTC 2019 

Fix use after free condition detected by Address Sanitizer triggered by
wbcLogonUserInfoDestructor, wbcFreeMemory has code to detect and prevent
a double free.  This patch prevents the Address Sanitizer error,
allowing tests to be run with Address Sanitizer enabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13927

MR: https://gitlab.com/samba-team/samba/merge_requests/420
CI: https://gitlab.com/samba-team/devel/samba/pipelines/59869301

Review appreciated

Ngā mihi
Gary
-------------- next part --------------
From e6f789c8965dc6744162458566cf945fcde43bde Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu, 18 Apr 2019 09:29:28 +1200
Subject: [PATCH] nsswitch pam_winbind: Fix Asan use after free

Fix use after free condition detected by Address Sanitizer triggered by
wbcLogonUserInfoDestructor, wbcFreeMemory has code to detect and prevent a
double free.  This patch prevents the Address Sanitizer error, allowing
tests to be run with Address Sanitizer enabled.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13927

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
---
 nsswitch/pam_winbind.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 757fdae6e3c..0ba1955f007 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -1931,6 +1931,11 @@ static int winbind_auth_request(struct pwb_context *ctx,
 	wbcFreeMemory(logon.blobs);
 	if (info && info->blobs && !p_info) {
 		wbcFreeMemory(info->blobs);
+		/*
+		 * We set blobs to NULL to prevent a use after free in the
+		 * in the wbcLogonUserInfoDestructor
+		 */
+		info->blobs = NULL;
 	}
 	if (error && !p_error) {
 		wbcFreeMemory(error);
-- 
2.18.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190506/15f6c954/signature.sig>

More information about the samba-technical mailing list