From 81e50cfb3b83a62d2a1e604a0854a9f346bdd6f9 Mon Sep 17 00:00:00 2001 From: Zoltan Borbely Date: Tue, 28 Jan 2025 16:39:25 -0500 Subject: [PATCH] Prevent overflow when calculating ulog block size In kdb_log.c:resize(), log an error and fail if the update size is larger than the largest possible block size (2^16-1). CVE-2025-24528: In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash. [ghudson@mit.edu: edited commit message and added CVE description] ticket: 9159 (new) tags: pullup target_version: 1.21-next (cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0) --- src/lib/kdb/kdb_log.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c index e9b95fce59..c805ebd988 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c @@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size) */ static krb5_error_code resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, - unsigned int recsize) + unsigned int recsize, const kdb_incr_update_t *upd) { unsigned int new_block, new_size; @@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, new_block *= ULOG_BLOCK; new_size += ulogentries * new_block; + if (new_block > UINT16_MAX) { + syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"), + upd->kdb_princ_name.utf8str_t_len, + upd->kdb_princ_name.utf8str_t_val); + return KRB5_LOG_ERROR; + } if (new_size > MAXLOGLEN) return KRB5_LOG_ERROR; @@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd) recsize = sizeof(kdb_ent_header_t) + upd_size; if (recsize > ulog->kdb_block) { - retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize); + retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd); if (retval) return retval; } -- 2.48.1