Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit is contained in:
Fabiano Fidêncio 2018-04-27 21:54:13 +02:00
parent 3115154117
commit 209701ef7f
3 changed files with 107 additions and 0 deletions

View File

@ -0,0 +1,34 @@
From b489dcc998fc305f3a0a43b6484c042065320001 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Apr 2018 10:20:06 +0200
Subject: [PATCH] nss-idmap: do not set a limit
If the limit is set the needed size to return all groups cannot be
returned.
Related to https://pagure.io/SSSD/sssd/issue/3715
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 46a4c265629d9b725c41f22849741ce7342bdd85)
---
src/sss_client/idmap/sss_nss_ex.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
index c00e64cc4..b87b5e3b2 100644
--- a/src/sss_client/idmap/sss_nss_ex.c
+++ b/src/sss_client/idmap/sss_nss_ex.c
@@ -96,7 +96,9 @@ errno_t sss_nss_mc_get(struct nss_input *inp)
inp->result.initgrrep.start,
inp->result.initgrrep.ngroups,
&(inp->result.initgrrep.groups),
- *(inp->result.initgrrep.ngroups));
+ /* no limit so that needed size can
+ * be returned properly */
+ -1);
break;
default:
return EINVAL;
--
2.14.3

View File

@ -0,0 +1,69 @@
From b24ef81656fc3d0dce49b1756ba53c46b5881a14 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 18 Apr 2018 10:23:22 +0200
Subject: [PATCH] nss-idmap: use right group list pointer after sss_get_ex()
If the initial array is too small it will be reallocated during
sss_get_ex() and the pointer might change and the initial memory area
should not be used anymore.
Related to https://pagure.io/SSSD/sssd/issue/3715
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2c4dc7a4d98c439c69625f12ba4c3c8253f4cc5b)
---
src/sss_client/idmap/sss_nss_ex.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
index b87b5e3b2..971422063 100644
--- a/src/sss_client/idmap/sss_nss_ex.c
+++ b/src/sss_client/idmap/sss_nss_ex.c
@@ -485,7 +485,6 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
uint32_t flags, unsigned int timeout)
{
int ret;
- gid_t *new_groups;
long int new_ngroups;
long int start = 1;
struct nss_input inp = {
@@ -498,27 +497,28 @@ int sss_nss_getgrouplist_timeout(const char *name, gid_t group,
}
new_ngroups = MAX(1, *ngroups);
- new_groups = malloc(new_ngroups * sizeof(gid_t));
- if (new_groups == NULL) {
+ inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t));
+ if (inp.result.initgrrep.groups == NULL) {
free(discard_const(inp.rd.data));
return ENOMEM;
}
- new_groups[0] = group;
+ inp.result.initgrrep.groups[0] = group;
- inp.result.initgrrep.groups = new_groups,
inp.result.initgrrep.ngroups = &new_ngroups;
inp.result.initgrrep.start = &start;
-
+ /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and
+ * inp.result.initgrrep.start might be modified by sss_get_ex() */
ret = sss_get_ex(&inp, flags, timeout);
free(discard_const(inp.rd.data));
if (ret != 0) {
- free(new_groups);
+ free(inp.result.initgrrep.groups);
return ret;
}
- memcpy(groups, new_groups, MIN(*ngroups, start) * sizeof(gid_t));
- free(new_groups);
+ memcpy(groups, inp.result.initgrrep.groups,
+ MIN(*ngroups, start) * sizeof(gid_t));
+ free(inp.result.initgrrep.groups);
if (start > *ngroups) {
ret = ERANGE;
--
2.14.3

View File

@ -76,6 +76,8 @@ Patch0031: 0031-sssctl-move-check-for-version-error-to-correct-place.patch
Patch0032: 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
Patch0033: 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
Patch0034: 0034-MAN-Improve-docs-about-GC-detection.patch
Patch0035: 0035-nss-idmap-do-not-set-a-limit.patch
Patch0036: 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1293,6 +1295,8 @@ fi
- Resolves: upstream#3469 - extend sss-certmap man page regarding priority
processing
- Improve docs/debug message about GC detection
- Resolves: upstream#3715 - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes
list out of bound?
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain