samba: fix CVE-2023-34966

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Polampalli, Archana <archana.polampalli@windriver.com> 2023-09-29 17:43:19 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-10-17 08:40:46 -0400
commit: 2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f (patch)
tree: ad6f989994d1d759b964a9111927ff468df4436b
parent: 9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff (diff)
download: meta-openembedded-contrib-2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f.tar.gz
3 files changed, 220 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch
new file mode 100644
index 0000000000..77a383f09e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch
@@ -0,0 +1,78 @@
+From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+
+    count -= subcount
+=>  count -= 0
+=>  while (count > 0)
+
+loops forever.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e]
+
+CVE: CVE-2023-34966
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 9ba6ef571f2..d794ba15838 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
++++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+			sl_nil_t nil = 0;
+
+			subcount = tag.count;
+-			if (subcount > count) {
++			if (subcount < 1 || subcount > count) {
+				return -1;
+			}
+			for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+		case SQ_TYPE_INT64:
+			subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+				return -1;
+			}
+			offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+		case SQ_TYPE_UUID:
+			subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+				return -1;
+			}
+			offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+		case SQ_TYPE_FLOAT:
+			subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+				return -1;
+			}
+			offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+		case SQ_TYPE_DATE:
+			subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
++			if (subcount < 1 || subcount > count) {
+				return -1;
+			}
+			offset += tag.size;
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
new file mode 100644
index 0000000000..a86d1729cf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch
@@ -0,0 +1,140 @@
+From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 31 May 2023 15:34:26 +0200
+Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop()
+
+Send a maliciously crafted packet where a nil type has a subcount of 0. This
+triggers an endless loop in mdssvc sl_unpack_loop().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9]
+
+CVE: CVE-2023-34966
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 100 insertions(+)
+
+diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
+index 2d2a8306412..a9956ef8f1d 100644
+--- a/source4/torture/rpc/mdssvc.c
++++ b/source4/torture/rpc/mdssvc.c
+@@ -581,6 +581,102 @@ done:
+	return ok;
+ }
+
++static uint8_t test_sl_unpack_loop_buf[] = {
++	0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
++	0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
++	0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
++	0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
++	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
++	0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
++	0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
++	0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
++	0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
++	0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
++	0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
++	0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
++	0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
++	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
++	0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++	0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
++	0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
++	0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
++	0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
++	0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00
++};
++
++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
++				       void *data)
++{
++	struct torture_mdsscv_state *state = talloc_get_type_abort(
++		data, struct torture_mdsscv_state);
++	struct dcerpc_binding_handle *b = state->p->binding_handle;
++	struct mdssvc_blob request_blob;
++	struct mdssvc_blob response_blob;
++	uint32_t device_id;
++	uint32_t unkn2;
++	uint32_t unkn9;
++	uint32_t fragment;
++	uint32_t flags;
++	NTSTATUS status;
++	bool ok = true;
++
++	device_id = UINT32_C(0x2f000045);
++	unkn2 = 23;
++	unkn9 = 0;
++	fragment = 0;
++	flags = UINT32_C(0x6b000001);
++
++	request_blob.spotlight_blob = test_sl_unpack_loop_buf;
++	request_blob.size = sizeof(test_sl_unpack_loop_buf);
++	request_blob.length = sizeof(test_sl_unpack_loop_buf);
++
++	response_blob.spotlight_blob = talloc_array(state,
++						    uint8_t,
++						    0);
++	torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
++				     ok, done, "dalloc_zero failed\n");
++	response_blob.size = 0;
++
++	status = dcerpc_mdssvc_cmd(b,
++				   state,
++				   &state->ph,
++				   0,
++				   device_id,
++				   unkn2,
++				   0,
++				   flags,
++				   request_blob,
++				   0,
++				   64 * 1024,
++				   1,
++				   64 * 1024,
++				   0,
++				   0,
++				   &fragment,
++				   &response_blob,
++				   &unkn9);
++	torture_assert_ntstatus_ok_goto(
++		tctx, status, ok, done,
++		"dcerpc_mdssvc_unknown1 failed\n");
++
++done:
++	return ok;
++}
++
+ static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
+					 void *data)
+ {
+@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
+				      "fetch_unknown_cnid",
+				      test_mdssvc_fetch_attr_unknown_cnid);
+
++	torture_tcase_add_simple_test(tcase,
++				      "mdssvc_sl_unpack_loop",
++				      test_mdssvc_sl_unpack_loop);
++
+	return suite;
+ }
+--
+2.40.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 72021745b3..11b6ade405 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -33,6 +33,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://CVE-2022-45142.patch;patchdir=source4/heimdal \
            file://CVE-2022-41916.patch;patchdir=source4/heimdal \
            file://CVE-2021-44758.patch;patchdir=source4/heimdal \
+           file://CVE-2023-34966_0001.patch \
+           file://CVE-2023-34966_0002.patch \
            "
 
 SRC_URI:append:libc-musl = " \
author	Polampalli, Archana <archana.polampalli@windriver.com>	2023-09-29 17:43:19 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-10-17 08:40:46 -0400
commit	2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f (patch)
tree	ad6f989994d1d759b964a9111927ff468df4436b
parent	9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff (diff)
download	meta-openembedded-contrib-2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f.tar.gz