Fix integer overflows in PAC parsing (CVE-2022-42898)

Resolves: rhbz#2143011
Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2022-11-09 11:38:44 +01:00
parent 0c2f5dcbe5
commit c13bf943d8
2 changed files with 112 additions and 1 deletions

View File

@ -0,0 +1,106 @@
From 06d30f43a41029d83248bbac1a9b65fc09987597 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 17 Oct 2022 20:25:11 -0400
Subject: [PATCH] Fix integer overflows in PAC parsing
In krb5_parse_pac(), check for buffer counts large enough to threaten
integer overflow in the header length and memory length calculations.
Avoid potential integer overflows when checking the length of each
buffer.
CVE-2022-42898:
In MIT krb5 releases 1.8 and later, an authenticated attacker may be
able to cause a KDC or kadmind process to crash by reading beyond the
bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can
also cause insufficient memory to be allocated for the result,
potentially leading to remote code execution in a KDC, kadmind, or GSS
or Kerberos application server process. An attacker with the
privileges of a cross-realm KDC may be able to extract secrets from
the KDC process's memory by having them copied into the PAC of a new
ticket.
ticket: 9074 (new)
tags: pullup
target_version: 1.20-next
target_version: 1.19-next
---
src/lib/krb5/krb/pac.c | 9 +++++++--
src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++
2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 950beda657..1b9ef12276 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -27,6 +27,8 @@
#include "k5-int.h"
#include "authdata.h"
+#define MAX_BUFFERS 4096
+
/* draft-brezak-win2k-krb-authz-00 */
/*
@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
if (version != 0)
return EINVAL;
+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
+ return ERANGE;
+
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
if (len < header_len)
return ERANGE;
@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
krb5_pac_free(context, pac);
return EINVAL;
}
- if (buffer->Offset < header_len ||
- buffer->Offset + buffer->cbBufferSize > len) {
+ if (buffer->Offset < header_len || buffer->Offset > len ||
+ buffer->cbBufferSize > len - buffer->Offset) {
krb5_pac_free(context, pac);
return ERANGE;
}
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index ee47152ee4..ccd165380d 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
};
+static const unsigned char fuzz1[] = {
+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
+};
+
+static const unsigned char fuzz2[] = {
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x20, 0x20
+};
+
static const char *s4u_principal = "w2k8u@ACME.COM";
static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
@@ -646,6 +656,14 @@ main(int argc, char **argv)
krb5_free_principal(context, sep);
}
+ /* Check problematic PACs found by fuzzing. */
+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
+ if (!ret)
+ err(context, ret, "krb5_pac_parse should have failed");
+
/*
* Test empty free
*/
--
2.37.3

View File

@ -34,7 +34,7 @@
# #
# baserelease is what we have standardized across Fedora and what # baserelease is what we have standardized across Fedora and what
# rpmdev-bumpspec knows how to handle. # rpmdev-bumpspec knows how to handle.
%global baserelease 12 %global baserelease 13
# This should be e.g. beta1 or %%nil # This should be e.g. beta1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -120,6 +120,7 @@ Patch40: Try-harder-to-avoid-password-change-replay-errors.patch
Patch41: Add-configure-variable-for-default-PKCS-11-module.patch Patch41: Add-configure-variable-for-default-PKCS-11-module.patch
Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
Patch43: Read-GSS-configuration-files-with-mtime-0.patch Patch43: Read-GSS-configuration-files-with-mtime-0.patch
Patch44: Fix-integer-overflows-in-PAC-parsing.patch
License: MIT License: MIT
URL: https://web.mit.edu/kerberos/www/ URL: https://web.mit.edu/kerberos/www/
@ -675,6 +676,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Wed Nov 09 2022 Julien Rische <jrische@redhat.com> - 1.19.2-13
- Fix integer overflows in PAC parsing (CVE-2022-42898)
- Resolves: rhbz#2143011
* Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12 * Tue Aug 02 2022 Andreas Schneider <asn@redhat.com> - 1.19.2-12
- Use baserelease to set the release number - Use baserelease to set the release number
- Do not define netlib, but use autoconf detection for res_* functions - Do not define netlib, but use autoconf detection for res_* functions