diff options
author | Polampalli, Archana <archana.polampalli@windriver.com> | 2023-09-29 17:43:19 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-10-17 08:40:46 -0400 |
commit | 2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f (patch) | |
tree | ad6f989994d1d759b964a9111927ff468df4436b | |
parent | 9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff (diff) | |
download | meta-openembedded-contrib-2715358a3d7e134ae7e2dc689f40c4fdd47f6d4f.tar.gz |
samba: fix CVE-2023-34966
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 220 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch new file mode 100644 index 0000000000..77a383f09e --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch @@ -0,0 +1,78 @@ +From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Fri, 26 May 2023 13:06:19 +0200 +Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop() + +A malicious client could send a packet where subcount is zero, leading to a busy +loop because + + count -= subcount +=> count -= 0 +=> while (count > 0) + +loops forever. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e] + +CVE: CVE-2023-34966 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/marshalling.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c +index 9ba6ef571f2..d794ba15838 100644 +--- a/source3/rpc_server/mdssvc/marshalling.c ++++ b/source3/rpc_server/mdssvc/marshalling.c +@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + sl_nil_t nil = 0; + + subcount = tag.count; +- if (subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + for (i = 0; i < subcount; i++) { +@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_INT64: + subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_UUID: + subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_FLOAT: + subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_DATE: + subcount = sl_unpack_date(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch new file mode 100644 index 0000000000..a86d1729cf --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch @@ -0,0 +1,140 @@ +From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Wed, 31 May 2023 15:34:26 +0200 +Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop() + +Send a maliciously crafted packet where a nil type has a subcount of 0. This +triggers an endless loop in mdssvc sl_unpack_loop(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9] + +CVE: CVE-2023-34966 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++ + 1 file changed, 100 insertions(+) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 2d2a8306412..a9956ef8f1d 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -581,6 +581,102 @@ done: + return ok; + } + ++static uint8_t test_sl_unpack_loop_buf[] = { ++ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d, ++ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, ++ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00, ++ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74, ++ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a, ++ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72, ++ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74, ++ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea, ++ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00, ++ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00, ++ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50, ++ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b, ++ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, ++ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00, ++ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00, ++ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00, ++ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00 ++}; ++ ++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, ++ void *data) ++{ ++ struct torture_mdsscv_state *state = talloc_get_type_abort( ++ data, struct torture_mdsscv_state); ++ struct dcerpc_binding_handle *b = state->p->binding_handle; ++ struct mdssvc_blob request_blob; ++ struct mdssvc_blob response_blob; ++ uint32_t device_id; ++ uint32_t unkn2; ++ uint32_t unkn9; ++ uint32_t fragment; ++ uint32_t flags; ++ NTSTATUS status; ++ bool ok = true; ++ ++ device_id = UINT32_C(0x2f000045); ++ unkn2 = 23; ++ unkn9 = 0; ++ fragment = 0; ++ flags = UINT32_C(0x6b000001); ++ ++ request_blob.spotlight_blob = test_sl_unpack_loop_buf; ++ request_blob.size = sizeof(test_sl_unpack_loop_buf); ++ request_blob.length = sizeof(test_sl_unpack_loop_buf); ++ ++ response_blob.spotlight_blob = talloc_array(state, ++ uint8_t, ++ 0); ++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, ++ ok, done, "dalloc_zero failed\n"); ++ response_blob.size = 0; ++ ++ status = dcerpc_mdssvc_cmd(b, ++ state, ++ &state->ph, ++ 0, ++ device_id, ++ unkn2, ++ 0, ++ flags, ++ request_blob, ++ 0, ++ 64 * 1024, ++ 1, ++ 64 * 1024, ++ 0, ++ 0, ++ &fragment, ++ &response_blob, ++ &unkn9); ++ torture_assert_ntstatus_ok_goto( ++ tctx, status, ok, done, ++ "dcerpc_mdssvc_unknown1 failed\n"); ++ ++done: ++ return ok; ++} ++ + static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, + void *data) + { +@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) + "fetch_unknown_cnid", + test_mdssvc_fetch_attr_unknown_cnid); + ++ torture_tcase_add_simple_test(tcase, ++ "mdssvc_sl_unpack_loop", ++ test_mdssvc_sl_unpack_loop); ++ + return suite; + } +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index 72021745b3..11b6ade405 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb @@ -33,6 +33,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://CVE-2022-45142.patch;patchdir=source4/heimdal \ file://CVE-2022-41916.patch;patchdir=source4/heimdal \ file://CVE-2021-44758.patch;patchdir=source4/heimdal \ + file://CVE-2023-34966_0001.patch \ + file://CVE-2023-34966_0002.patch \ " SRC_URI:append:libc-musl = " \ |