Fix defcred leak in krb5 gss_inquire_cred()

Robbie Harwood 2021-07-21 12:44:26 -04:00
parent 6a2eeb9666
commit 2484569caa
2 changed files with 90 additions and 1 deletions


@ -0,0 +1,85 @@
From 7e6cdffd47559be61a8c26c4ed3c500c536d5368 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 16 Jul 2021 13:39:39 -0400
Subject: [PATCH] Fix defcred leak in krb5 gss_inquire_cred()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 1cd2821c19b2b95e39d5fc2f451a035585a40fa5 altered the memory
management of krb5_gss_inquire_cred(), introducing defcred to act as
an owner pointer when the function must acquire a default credential.
The commit neglected to update the code to release the default cred
along the successful path. The old code does not trigger because
cred_handle is now reassigned, so the default credential is leaked.
Unify the success and failure cleanup for this function so that
defcred is properly released on success.
Reported by Pavel Březina.
ticket: 9016
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
(cherry picked from commit 593e16448e1af23eef74689afe06a7bcc86e79c7)
---
src/lib/gssapi/krb5/inq_cred.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index a8f254110..bb63b726c 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -127,7 +127,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if ((code = krb5_timeofday(context, &now))) {
*minor_status = code;
ret = GSS_S_FAILURE;
- goto fail;
+ goto cleanup;
}
if (cred->expire != 0) {
@@ -158,7 +158,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
*minor_status = code;
save_error_info(*minor_status, context);
ret = GSS_S_FAILURE;
- goto fail;
+ goto cleanup;
}
}
@@ -174,7 +174,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (ret_name)
kg_release_name(context, &ret_name);
/* *minor_status set above */
- goto fail;
+ goto cleanup;
}
}
@@ -190,20 +190,16 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (cred_usage)
*cred_usage = cred->usage;
- k5_mutex_unlock(&cred->lock);
if (mechanisms) {
*mechanisms = mechs;
mechs = GSS_C_NO_OID_SET;
}
- if (cred_handle == GSS_C_NO_CREDENTIAL)
- krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
-
- krb5_free_context(context);
*minor_status = 0;
- return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
-fail:
+ ret = (lifetime == 0) ? GSS_S_CREDENTIALS_EXPIRED : GSS_S_COMPLETE;
+
+cleanup:
k5_mutex_unlock(&cred->lock);
krb5_gss_release_cred(&tmpmin, &defcred);
krb5_free_context(context);
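Review bot: The new `cleanup:` label is now the single exit for the success path and every failure `goto`, yet nothing at the label states the invariants it depends on: each jump must arrive with `*minor_status` already set and `cred->lock` held, and `defcred` is released into `tmpmin` precisely so a failure there cannot overwrite the status the caller sees. A comment above the label would make that explicit, e.g. `/* All paths arrive with *minor_status set and cred->lock held; release defcred via tmpmin so it cannot clobber *minor_status. */`. The unlock-before-release order is correct as written, since, per the commit message, `cred` presumably aliases `defcred` when the default credential had to be acquired (that acquisition and the locking happen above the hunk). The function's tail after `krb5_free_context(context);` — presumably the release of `mechs` and `return ret;` — lies outside the hunk, so whether `mechs` is freed on the failure paths is not visible here.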


@ -42,7 +42,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.1
Release: %{?zdpd}14%{?dist}
Release: %{?zdpd}15%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -93,6 +93,7 @@ Patch27: Using-locking-in-MEMORY-krb5_cc_get_principal.patch
Patch28: Fix-use-after-free-during-krad-remote_shutdown.patch
Patch29: Clean-up-gssapi_krb5-ccache-name-functions.patch
Patch30: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
Patch31: Fix-defcred-leak-in-krb5-gss_inquire_cred.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -655,6 +656,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Jul 21 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-15
- Fix defcred leak in krb5 gss_inquire_cred()
* Mon Jul 12 2021 Robbie Harwood <rharwood@redhat.com> - 1.19.1-14
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)