fix some coredump

2022-12-20 23:31:43 +08:00 · 2022-12-20 23:31:43 +08:00 · 2a79e801cc
commit 2a79e801cc
parent 6cd39f31a6
4 changed files with 123 additions and 1 deletions
--- a/backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
+++ b/backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch
@ -0,0 +1,52 @@
+From 6bc90214830cb5239aa397c20763902f10f11786 Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Sun, 27 Nov 2022 22:57:14 +0800
+Subject: [PATCH] Fix gic_keytab crash on memory exhaustion
+
+get_as_key_keytab() does not check the result of krb5_copy_keyblock(),
+and dereferences a null pointer if it fails.  Remove the call and
+steal the memory from kt_ent instead.
+
+[ghudson@mit.edu: rewrote commit message; fixed comments]
+
+ticket: 9080 (new)
+---
+ src/lib/krb5/krb/gic_keytab.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
+index b8b7c1506..f9baabbf9 100644
+--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -45,7 +45,6 @@ get_as_key_keytab(krb5_context context,
+     krb5_keytab keytab = (krb5_keytab) gak_data;
+     krb5_error_code ret;
+     krb5_keytab_entry kt_ent;
+-    krb5_keyblock *kt_key;
+ 
+     /* We don't need the password from the responder to create the AS key. */
+     if (as_key == NULL)
+@@ -71,16 +70,13 @@ get_as_key_keytab(krb5_context context,
+                                  etype, &kt_ent)))
+         return(ret);
+ 
+-    ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
+-
+-    /* again, krb5's memory management is lame... */
+-
+-    *as_key = *kt_key;
+-    free(kt_key);
+    /* Steal the keyblock from kt_ent for the caller. */
+    *as_key = kt_ent.key;
+    memset(&kt_ent.key, 0, sizeof(kt_ent.key));
+ 
+     (void) krb5_kt_free_entry(context, &kt_ent);
+ 
+-    return(ret);
+    return 0;
+ }
+ 
+ /* Return the list of etypes available for client in keytab. */
+-- 
+2.32.0.windows.1
+
--- a/backport-Fix-preauth-crash-on-memory-exhaustion.patch
+++ b/backport-Fix-preauth-crash-on-memory-exhaustion.patch
@ -0,0 +1,32 @@
+From 7736144eb613f797dea57a44da33007a19602e5e Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Sun, 27 Nov 2022 22:24:24 +0800
+Subject: [PATCH] Fix preauth crash on memory exhaustion
+
+In k5_preauth_request_context_init(), check the result of calloc().
+
+[ghudson@mit.edu: rewrote commit message; added free() of reqctx on error]
+
+ticket: 9079 (new)
+---
+ src/lib/krb5/krb/preauth2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
+index ffca476c2..32f35b761 100644
+--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
+@@ -263,6 +263,10 @@ k5_preauth_request_context_init(krb5_context context,
+      * preauth context's array of handles. */
+     for (count = 0; pctx->handles[count] != NULL; count++);
+     reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs));
+    if (reqctx->modreqs == NULL) {
+        free(reqctx);
+        return;
+    }
+     for (i = 0; i < count; i++) {
+         h = pctx->handles[i];
+         if (h->vt.request_init != NULL)
+-- 
+2.32.0.windows.1
+
--- a/backport-Fix-profile-crash-on-memory-exhaustion.patch
+++ b/backport-Fix-profile-crash-on-memory-exhaustion.patch
@ -0,0 +1,32 @@
+From 2929ec400c174bc848a9c438a61b0e3506b91d0e Mon Sep 17 00:00:00 2001
+From: ChenChen Zhou <357726167@qq.com>
+Date: Thu, 24 Nov 2022 21:59:21 +0800
+Subject: [PATCH] Fix profile crash on memory exhaustion
+
+In profile_get_values(), if init_list() fails to allocate values.list,
+end_list() will dereference a null pointer.  Fix end_list() to handle
+list->list being null.
+
+[ghudson@mit.edu: rewrote commit message]
+
+ticket: 9078 (new)
+---
+ src/util/profile/prof_get.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/profile/prof_get.c b/src/util/profile/prof_get.c
+index 0e14200ca..12c7b9641 100644
+--- a/src/util/profile/prof_get.c
+++ b/src/util/profile/prof_get.c
+@@ -62,7 +62,7 @@ static void end_list(struct profile_string_list *list, char ***ret_list)
+         *ret_list = list->list;
+         return;
+     } else {
+-        for (cp = list->list; *cp; cp++)
+        for (cp = list->list; cp && *cp; cp++)
+             free(*cp);
+         free(list->list);
+     }
+-- 
+2.32.0.windows.1
+
--- a/krb5.spec
+++ b/krb5.spec
@ -3,7 +3,7 @@

 Name:     krb5
 Version:  1.19.2
-Release:  4
+Release:  5
 Summary:  The Kerberos network authentication protocol
 License:  MIT
 URL:      http://web.mit.edu/kerberos/www/
@ -28,6 +28,9 @@ Patch5: Remove-3des-support.patch
 Patch6: FIPS-with-PRNG-and-RADIUS-and-MD4.patch
 Patch7: backport-CVE-2021-37750.patch
 Patch8: Fix-CVE-2022-42898-integer-overflows-in-PAC-parsing.patch
+Patch9: backport-Fix-profile-crash-on-memory-exhaustion.patch
+Patch10: backport-Fix-preauth-crash-on-memory-exhaustion.patch
+Patch11: backport-Fix-gic_keytab-crash-on-memory-exhaustion.patch

 BuildRequires:  gettext
 BuildRequires:  gcc make automake autoconf pkgconfig pam-devel libselinux-devel byacc
@ -320,6 +323,9 @@ make -C src check || :


 %changelog
+* Tue Dec 20 2022 zhouchenchen <zhouchenchen@huawei.com> - 1.19.2-5
+- fix some coredump
+
 * Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 1.19.2-4
 - fix CVE-2022-42898