From 209701ef7fd24c34889a20f61723f33b7eb10589 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 27 Apr 2018 21:54:13 +0200
Subject: [PATCH] Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Fabiano FidĂȘncio
---
 0035-nss-idmap-do-not-set-a-limit.patch | 34 +++++++++
 ...ght-group-list-pointer-after-sss_get.patch | 69 +++++++++++++++++++
 sssd.spec | 4 ++
 3 files changed, 107 insertions(+)
 create mode 100644 0035-nss-idmap-do-not-set-a-limit.patch
 create mode 100644 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch

diff --git a/0035-nss-idmap-do-not-set-a-limit.patch b/0035-nss-idmap-do-not-set-a-limit.patch
new file mode 100644
index 0000000..7975f19
--- /dev/null
+++ b/0035-nss-idmap-do-not-set-a-limit.patch
@@ -0,0 +1,34 @@
+From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Apr 2018 10:20:06 +0200
+Subject: [PATCH] nss-idmap: do not set a limit
+
+If the limit is set the needed size to return all groups cannot be
+returned.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
+---
+ src/sss_client/idmap/sss_nss_ex.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index c00e64cc4..b87b5e3b2 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
+ inp->result.initgrrep.start,
+ inp->result.initgrrep.ngroups,
+ &(inp->result.initgrrep.groups),
+- *(inp->result.initgrrep.ngroups));
++ /* no limit so that needed size can
++ * be returned properly */
++ -1);
+ break;
+ default:
+ return EINVAL;
+--
+2.14.3
+
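Review bot: The bare `-1` now passed as the last argument in the initgroups branch of `sss_nss_mc_get()` is a sentinel whose meaning depends on the callee's limit parameter, which is not visible in this hunk; if that parameter is ever handled as an unsigned count, -1 silently becomes a very large limit instead of "no limit". A named constant would make the contract explicit, for example `#define SSS_NSS_MC_NO_LIMIT (-1)` (name proposed here, not taken from the source) with the call ending in `SSS_NSS_MC_NO_LIMIT);`. With the limit gone, the caller-supplied `*ngroups` no longer bounds how many entries this path may place in `inp->result.initgrrep.groups`, so every consumer of the result has to bound its own copy into the caller's buffer. The call and the enclosing `switch` begin outside the hunk.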
diff --git a/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch b/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
new file mode 100644
index 0000000..012a426
--- /dev/null
+++ b/0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
@@ -0,0 +1,69 @@
+From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Apr 2018 10:23:22 +0200
+Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
+
+If the initial array is too small it will be reallocated during
+sss_get_ex() and the pointer might change and the initial memory area
+should not be used anymore.
+
+Related to https://pagure.io/SSSD/sssd/issue/3715
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
+---
+ src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
+index b87b5e3b2..971422063 100644
+--- a/src/sss_client/idmap/sss_nss_ex.c
++++ b/src/sss_client/idmap/sss_nss_ex.c
+@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+ uint32_t flags, unsigned int timeout)
+ {
+ int ret;
+- gid_t *new_groups;
+ long int new_ngroups;
+ long int start = 1;
+ struct nss_input inp = {
+@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
+ }
+
+ new_ngroups = MAX(1, *ngroups);
+- new_groups = malloc(new_ngroups * sizeof(gid_t));
+- if (new_groups == NULL) {
++ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
++ if (inp.result.initgrrep.groups == NULL) {
+ free(discard_const(inp.rd.data));
+ return ENOMEM;
+ }
+- new_groups[0] = group;
++ inp.result.initgrrep.groups[0] = group;
+
+- inp.result.initgrrep.groups = new_groups,
+ inp.result.initgrrep.ngroups = &new_ngroups;
+ inp.result.initgrrep.start = &start;
+
+-
++ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
++ * inp.result.initgrrep.start might be modified by sss_get_ex() */
+ ret = sss_get_ex(&inp, flags, timeout);
+ free(discard_const(inp.rd.data));
+ if (ret != 0) {
+- free(new_groups);
++ free(inp.result.initgrrep.groups);
+ return ret;
+ }
+
+- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
+- free(new_groups);
++ memcpy(groups, inp.result.initgrrep.groups,
++ MIN(*ngroups, start) * sizeof(gid_t));
++ free(inp.result.initgrrep.groups);
+
+ if (start > *ngroups) {
+ ret = ERANGE;
+--
+2.14.3
+
diff --git a/sssd.spec b/sssd.spec
index fdea454..03845c2 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -76,6 +76,8 @@ Patch0031: 0031-sssctl-move-check-for-version-error-to-correct-place.patch
 Patch0032: 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
 Patch0033: 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
 Patch0034: 0034-MAN-Improve-docs-about-GC-detection.patch
+Patch0035: 0035-nss-idmap-do-not-set-a-limit.patch
+Patch0036: 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@@ -1293,6 +1295,8 @@ fi
 - Resolves: upstream#3469 - extend sss-certmap man page regarding priority processing
 - Improve docs/debug message about GC detection
+- Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes
+ list out of bound?
 * Fri Mar 30 2018 Fabiano FidĂȘncio - 1.16.1-2
 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain
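Review bot: The copy length `MIN(*ngroups, start) * sizeof(gid_t)` in the final `memcpy()` of the embedded `sss_nss_getgrouplist_timeout()` change still trusts the caller's `*ngroups`. The line `new_ngroups = MAX(1, *ngroups)` shows that values below 1 are anticipated, and if `*ngroups` is a signed count a negative value would make the MIN result negative and convert it to a huge `size_t` length for the write into `groups`. Unless validation before this hunk already rejects it (the start of the function is outside the hunk), I would add `if (*ngroups < 0) { free(discard_const(inp.rd.data)); return EINVAL; }` ahead of the `malloc()`. The allocation itself could be `calloc(new_ngroups, sizeof(gid_t))`, which checks the size multiplication for overflow. The function body also continues past the end of the hunk.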