Fix double free on kdb5_util key creation failure

Resolves: rhbz#2166603
Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2023-02-01 16:01:22 +01:00
parent db46465e14
commit 4b799ce613
2 changed files with 51 additions and 1 deletions

View File

@ -0,0 +1,45 @@
From ff9c99b689855a646c371379d30a668dfd7a87a7 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 1 Feb 2023 15:57:26 +0100
Subject: [PATCH] Fix possible double-free during KDB creation
In krb5_dbe_def_encrypt_key_data(), when we free
key_data->key_data_contents[0], reset it to null so the caller doesn't
free it as well.
Since commit a06945b4ec267e8b80e5e8c95edd89930ff12103 this bug
manifests as a double-free during KDB creation if master key
encryption fails.
[ghudson@mit.edu: edited commit message]
ticket: 9086 (new)
tags: pullup
target_version: 1.20-next
---
src/lib/kdb/encrypt_key.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c
index dc612c810e..91debea533 100644
--- a/src/lib/kdb/encrypt_key.c
+++ b/src/lib/kdb/encrypt_key.c
@@ -109,6 +109,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
&plain, &cipher))) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return retval;
}
@@ -121,6 +122,7 @@ krb5_dbe_def_encrypt_key_data( krb5_context context,
key_data->key_data_contents[1] = malloc(keysalt->data.length);
if (key_data->key_data_contents[1] == NULL) {
free(key_data->key_data_contents[0]);
+ key_data->key_data_contents[0] = NULL;
return ENOMEM;
}
memcpy(key_data->key_data_contents[1], keysalt->data.data,
--
2.39.1

View File

@ -34,7 +34,7 @@
# #
# baserelease is what we have standardized across Fedora and what # baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle. # rpmdev-bumpspec knows how to handle.
%global baserelease 6 %global baserelease 7
# This should be e.g. beta1 or %%nil # This should be e.g. beta1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -99,6 +99,7 @@ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch
Patch14: 0014-downstream-Do-not-set-root-as-ksu-file-owner.patch Patch14: 0014-downstream-Do-not-set-root-as-ksu-file-owner.patch
Patch15: 0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch Patch15: 0015-downstream-Allow-KRB5KDF-MD5-and-MD4-in-FIPS-mode.patch
Patch16: 0016-Add-PAC-full-checksums.patch Patch16: 0016-Add-PAC-full-checksums.patch
Patch17: 0017-Fix-possible-double-free-during-KDB-creation.patch
License: MIT License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
@ -663,6 +664,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Tue Feb 14 2023 Julien Rische <jrische@redhat.com> - 1.20.1-7
- Fix double free on kdb5_util key creation failure
- Resolves: rhbz#2166603
* Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6 * Tue Jan 31 2023 Julien Rische <jrische@redhat.com> - 1.20.1-6
- Add support for MS-PAC extended KDC signature (CVE-2022-37967) - Add support for MS-PAC extended KDC signature (CVE-2022-37967)
- Resolves: rhbz#2165827 - Resolves: rhbz#2165827