| |
@@ -0,0 +1,106 @@
|
| |
+ From c0f643a96272d11ae1255bc361f24133d1e58b74 Mon Sep 17 00:00:00 2001
|
| |
+ From: Greg Hudson <ghudson@mit.edu>
|
| |
+ Date: Mon, 17 Oct 2022 20:25:11 -0400
|
| |
+ Subject: [PATCH] Fix integer overflows in PAC parsing
|
| |
+
|
| |
+ In krb5_parse_pac(), check for buffer counts large enough to threaten
|
| |
+ integer overflow in the header length and memory length calculations.
|
| |
+ Avoid potential integer overflows when checking the length of each
|
| |
+ buffer.
|
| |
+
|
| |
+ CVE-2022-42898:
|
| |
+
|
| |
+ In MIT krb5 releases 1.8 and later, an authenticated attacker may be
|
| |
+ able to cause a KDC or kadmind process to crash by reading beyond the
|
| |
+ bounds of allocated memory, creating a denial of service. A
|
| |
+ privileged attacker may similarly be able to cause a Kerberos or GSS
|
| |
+ application service to crash. On 32-bit platforms, an attacker can
|
| |
+ also cause insufficient memory to be allocated for the result,
|
| |
+ potentially leading to remote code execution in a KDC, kadmind, or GSS
|
| |
+ or Kerberos application server process. An attacker with the
|
| |
+ privileges of a cross-realm KDC may be able to extract secrets from
|
| |
+ the KDC process's memory by having them copied into the PAC of a new
|
| |
+ ticket.
|
| |
+
|
| |
+ ticket: 9074 (new)
|
| |
+ tags: pullup
|
| |
+ target_version: 1.20-next
|
| |
+ target_version: 1.19-next
|
| |
+ ---
|
| |
+ src/lib/krb5/krb/pac.c | 9 +++++++--
|
| |
+ src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
|
| |
+ 2 files changed, 25 insertions(+), 2 deletions(-)
|
| |
+
|
| |
+ diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
|
| |
+ index 950beda657..1b9ef12276 100644
|
| |
+ --- a/src/lib/krb5/krb/pac.c
|
| |
+ +++ b/src/lib/krb5/krb/pac.c
|
| |
+ @@ -27,6 +27,8 @@
|
| |
+ #include "k5-int.h"
|
| |
+ #include "authdata.h"
|
| |
+
|
| |
+ +#define MAX_BUFFERS 4096
|
| |
+ +
|
| |
+ /* draft-brezak-win2k-krb-authz-00 */
|
| |
+
|
| |
+ /*
|
| |
+ @@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
|
| |
+ if (version != 0)
|
| |
+ return EINVAL;
|
| |
+
|
| |
+ + if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
|
| |
+ + return ERANGE;
|
| |
+ +
|
| |
+ header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
|
| |
+ if (len < header_len)
|
| |
+ return ERANGE;
|
| |
+ @@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
|
| |
+ krb5_pac_free(context, pac);
|
| |
+ return EINVAL;
|
| |
+ }
|
| |
+ - if (buffer->Offset < header_len ||
|
| |
+ - buffer->Offset + buffer->cbBufferSize > len) {
|
| |
+ + if (buffer->Offset < header_len || buffer->Offset > len ||
|
| |
+ + buffer->cbBufferSize > len - buffer->Offset) {
|
| |
+ krb5_pac_free(context, pac);
|
| |
+ return ERANGE;
|
| |
+ }
|
| |
+ diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
|
| |
+ index ee47152ee4..ccd165380d 100644
|
| |
+ --- a/src/lib/krb5/krb/t_pac.c
|
| |
+ +++ b/src/lib/krb5/krb/t_pac.c
|
| |
+ @@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
|
| |
+ 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
|
| |
+ };
|
| |
+
|
| |
+ +static const unsigned char fuzz1[] = {
|
| |
+ + 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
|
| |
+ + 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
|
| |
+ +};
|
| |
+ +
|
| |
+ +static const unsigned char fuzz2[] = {
|
| |
+ + 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
|
| |
+ + 0x20, 0x20
|
| |
+ +};
|
| |
+ +
|
| |
+ static const char *s4u_principal = "w2k8u@ACME.COM";
|
| |
+ static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
|
| |
+
|
| |
+ @@ -646,6 +656,14 @@ main(int argc, char **argv)
|
| |
+ krb5_free_principal(context, sep);
|
| |
+ }
|
| |
+
|
| |
+ + /* Check problematic PACs found by fuzzing. */
|
| |
+ + ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
|
| |
+ + if (!ret)
|
| |
+ + err(context, ret, "krb5_pac_parse should have failed");
|
| |
+ + ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
|
| |
+ + if (!ret)
|
| |
+ + err(context, ret, "krb5_pac_parse should have failed");
|
| |
+ +
|
| |
+ /*
|
| |
+ * Test empty free
|
| |
+ */
|
| |
+ --
|
| |
+ 2.37.3
|
| |
+
|
| |
In krb5_parse_pac(), check for buffer counts large enough to threaten integer overflow in the header length and memory length calculations. Avoid potential integer overflows when checking the length of each buffer.
Resolves: rhbz#2143010