From db79c7717e1056fab84e6494b444f25791587b84 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Mon, 15 Aug 2022 10:04:08 +0800
Subject: [PATCH] fix CVE-2022-32745
---
 backport-0001-CVE-2022-32745.patch | 40 ++++++++++++++++++++++++++
 backport-0002-CVE-2022-32745.patch | 39 ++++++++++++++++++++++++++
 backport-0003-CVE-2022-32745.patch | 45 ++++++++++++++++++++++++++++++
 backport-0004-CVE-2022-32745.patch | 31 ++++++++++++++++++++
 samba.spec | 12 +++++++-
 5 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2022-32745.patch
 create mode 100644 backport-0002-CVE-2022-32745.patch
 create mode 100644 backport-0003-CVE-2022-32745.patch
 create mode 100644 backport-0004-CVE-2022-32745.patch
diff --git a/backport-0001-CVE-2022-32745.patch b/backport-0001-CVE-2022-32745.patch
new file mode 100644
index 0000000..0df92ca
--- /dev/null
+++ b/backport-0001-CVE-2022-32745.patch
@@ -0,0 +1,40 @@
+From f1995ad41d01134a5169bd24b67881e69ec28ece Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Wed, 16 Feb 2022 17:03:10 +1300
+Subject: [PATCH 15/18] CVE-2022-32745 s4/dsdb/samldb: Check for empty values
+ array
+
+This avoids potentially trying to access the first element of an empty
+array.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton
+---
+ source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
+index abb96d3bef8..5649a301cd4 100644
+--- a/source4/dsdb/samdb/ldb_modules/samldb.c
++++ b/source4/dsdb/samdb/ldb_modules/samldb.c
+@@ -748,7 +748,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
+ return ret;
+ }
+
+- if (el == NULL) {
++ if (el == NULL || el->num_values == 0) {
+ return LDB_SUCCESS;
+ }
+
+@@ -916,7 +916,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac)
+ return ret;
+ }
+
+- if (el == NULL) {
++ if (el == NULL || el->num_values == 0) {
+ return LDB_SUCCESS;
+ }
+
+--
+2.35.0
\ No newline at end of file
diff --git a/backport-0002-CVE-2022-32745.patch b/backport-0002-CVE-2022-32745.patch
new file mode 100644
index 0000000..3ed04c6
--- /dev/null
+++ b/backport-0002-CVE-2022-32745.patch
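Review bot: The new `el->num_values == 0` guard in samldb_schema_add_handle_linkid and samldb_schema_add_handle_mapiid returns LDB_SUCCESS without saying why an element with no values is treated the same as an absent attribute, and the first-element access the commit message refers to lies outside the hunk, so a reader of this code cannot see what is being protected. A one-line comment at each site would carry that intent, e.g. `/* No values: nothing to validate, treat like a missing attribute. */`. Both functions start and end outside the hunk.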
@@ -0,0 +1,39 @@
+From d9faf142495e1211620779bbedbefe7726d1099b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Thu, 17 Feb 2022 11:11:53 +1300
+Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop
+ count limit
+
+Currently, we can crash the server by sending a large number of values
+of a specific attribute (such as sAMAccountName) spread across a few
+message elements. If val_count is larger than the total number of
+elements, we get an access beyond the elements array.
+
+Similarly, we can include unrelated message elements prior to the
+message elements of the attribute in question, so that not all of the
+attribute's values are copied into the returned elements values array.
+This can cause the server to access uninitialised data, likely resulting
+in a crash or unexpected behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 4c67873643a..5d418efcd52 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1544,7 +1544,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+
+ v = _el->values;
+
+- for (i = 0; i < val_count; i++) {
++ for (i = 0; i < msg->num_elements; i++) {
+ if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+ if ((operation == LDB_MODIFY) &&
+ (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+--
+2.35.0
\ No newline at end of file
diff --git a/backport-0003-CVE-2022-32745.patch b/backport-0003-CVE-2022-32745.patch
new file mode 100644
index 0000000..00f6d3f
--- /dev/null
+++ b/backport-0003-CVE-2022-32745.patch
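Review bot: The new bound `i < msg->num_elements` stops the index from running past `msg->elements`, but it is only sufficient if `val_count`, which sizes `_el->values` outside this hunk, was accumulated with exactly the same filter as this copy loop (same attribute name, and on LDB_MODIFY the same MOD_DELETE skip); otherwise `v` can still be advanced past the end of the allocated array. The counting loop is not in the hunk, so that cannot be confirmed here. A local guard before the memcpy would make the invariant checkable without reading the rest of the function: `if ((size_t)(v - _el->values) + msg->elements[i].num_values > val_count) { return LDB_ERR_OPERATIONS_ERROR; }`. dsdb_get_expected_new_values starts and ends outside the hunk.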
@@ -0,0 +1,45 @@
+From 0b958460c108542eba1765c9438c8f5a8361a509 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Thu, 17 Feb 2022 11:13:38 +1300
+Subject: [PATCH 17/18] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a
+ NULL pointer
+
+Doing so is undefined behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 5d418efcd52..af412f55f98 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1546,15 +1546,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+
+ for (i = 0; i < msg->num_elements; i++) {
+ if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
++ const struct ldb_message_element *tmp_el = &msg->elements[i];
+ if ((operation == LDB_MODIFY) &&
+- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
++ (LDB_FLAG_MOD_TYPE(tmp_el->flags)
+ == LDB_FLAG_MOD_DELETE)) {
+ continue;
+ }
++ if (tmp_el->values == NULL || tmp_el->num_values == 0) {
++ continue;
++ }
+ memcpy(v,
+- msg->elements[i].values,
+- msg->elements[i].num_values);
+- v += msg->elements[i].num_values;
++ tmp_el->values,
++ tmp_el->num_values);
++ v += tmp_el->num_values;
+ }
+ }
+
+--
+2.35.0
\ No newline at end of file
diff --git a/backport-0004-CVE-2022-32745.patch b/backport-0004-CVE-2022-32745.patch
new file mode 100644
index 0000000..d5652bf
--- /dev/null
+++ b/backport-0004-CVE-2022-32745.patch
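Review bot: The added `continue` for `tmp_el->values == NULL || tmp_el->num_values == 0` silently drops an element, and if an element ever arrives with `values == NULL` but `num_values > 0`, the slots reserved for it in `_el->values` (sized by `val_count`, computed outside this hunk) are never written while the returned element presumably still counts them — the same uninitialised-read class this series is fixing. Unless ldb guarantees that a non-zero num_values always comes with a non-NULL values array, which I cannot confirm from this hunk, that combination is better treated as malformed input: `if (tmp_el->values == NULL && tmp_el->num_values != 0) { return LDB_ERR_OPERATIONS_ERROR; }`, keeping the plain `num_values == 0` skip as a separate check. The function's counting loop and return path are outside the hunk.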
@@ -0,0 +1,31 @@
+From aa38d5314de216597df6233c2aaa4f7680de4dcb Mon Sep 17 00:00:00 2001
+From: Joseph Sutton
+Date: Fri, 3 Jun 2022 16:16:31 +1200
+Subject: [PATCH 18/18] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
+ message element
+
+To use memcpy(), we need to specify the number of bytes to copy, rather
+than the number of ldb_val structures.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index af412f55f98..5ccbb1b4360 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1557,7 +1557,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ }
+ memcpy(v,
+ tmp_el->values,
+- tmp_el->num_values);
++ tmp_el->num_values * sizeof(*v));
+ v += tmp_el->num_values;
+ }
+ }
+--
+2.35.0
\ No newline at end of file
diff --git a/samba.spec b/samba.spec
index 2f411cd..bc53ad0 100644
--- a/samba.spec
+++ b/samba.spec
@@ -49,7 +49,7 @@ Name: samba
Version: 4.11.12
-Release: 13
+Release: 14
Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+
@@ -260,6 +260,10 @@ Patch6330: backport-0053-CVE-2022-2031-CVE-2022-32744.patch
Patch6331: backport-0054-CVE-2022-2031-CVE-2022-32744.patch
Patch6332: backport-0055-CVE-2022-2031-CVE-2022-32744.patch
Patch6333: backport-CVE-2022-32742.patch
+Patch6334: backport-0001-CVE-2022-32745.patch
+Patch6335: backport-0002-CVE-2022-32745.patch
+Patch6336: backport-0003-CVE-2022-32745.patch
+Patch6337: backport-0004-CVE-2022-32745.patch
BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
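Review bot: `memcpy(v, tmp_el->values, tmp_el->num_values * sizeof(*v))` now copies the right number of bytes, but it is a shallow copy: the `struct ldb_val` entries are duplicated into `_el->values` while the buffers their `data` pointers reference still belong to `msg`, so the element handed back is only valid for as long as `msg` is. Nothing in the hunk states that lifetime dependence; a comment above the memcpy such as `/* Shallow copy: the ldb_val data still belongs to msg, so *el must not outlive it. */` would stop the next reader from assuming the values were talloc'd under _el. The surrounding function starts and ends outside the hunk.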
@@ -3249,6 +3253,12 @@ fi
%{_mandir}/man*
%changelog
+* Mon Aug 15 2022 xinghe - 4.11.12-14
+- Type:cves
+- CVE:CVE-2022-32745
+- SUG:NA
+- DESC:fix CVE-2022-32745
+
* Fri Aug 12 2022 xinghe - 4.11.12-13
- Type:bugfix
- ID:NA
--
Gitee