The branch, v3-6-stable has been updated
       via  0b9d59d pidl/NDR/Parser: also do range checks on the array size
       via  3e0e6f5 pidl/NDR/Parser: do array range validation in 
ParseArrayPullGetLength()
       via  e94415c pidl/NDR/Parser: use helper variables for array size and 
length
       via  25f6881 pidl/NDR/Parser: remember if we already know the array 
length
       via  8e99484 pidl/NDR/Parser: use ParseArrayPullGetLength() to get the 
number of array elements (bug #8815 / CVE-2012-1182)
       via  dc9c68c pidl/NDR/Parser: split off ParseArrayPullGetSize() and 
ParseArrayPullGetLength()
       via  d15b715 pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
       via  94622ce pidl/NDR/Parser: declare all union helper variables in 
ParseUnionPull()
       via  0d45a24 WHATSNEW: Prepare release notes for 3.6.4.
      from  4b7fad3 WHATSNEW: Start release notes for Samba 3.6.4.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -----------------------------------------------------------------
commit 0b9d59d256a74594e89467e5ebe4e62c25c9572e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 17:03:05 2012 +0100

    pidl/NDR/Parser: also do range checks on the array size
    
    metze
    
    The last 8 patches address bug #8815 (PIDL based autogenerated code allows
    overwriting beyond of allocated array; CVE-2012-1182).

commit 3e0e6f56a671b40b21c37838ff292fe8902889bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:14:48 2012 +0100

    pidl/NDR/Parser: do array range validation in ParseArrayPullGetLength()
    
    metze

commit e94415cf237d1e434daa5da70e6df0b4b6926bae
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:13:20 2012 +0100

    pidl/NDR/Parser: use helper variables for array size and length
    
    metze

commit 25f68811af3399c6148fa5d31d932465e27a2125
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 15:07:08 2012 +0100

    pidl/NDR/Parser: remember if we already know the array length
    
    metze

commit 8e99484dec90690ec1e00c17580150278963e063
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:07:47 2012 +0100

    pidl/NDR/Parser: use ParseArrayPullGetLength() to get the number of array 
elements (bug #8815 / CVE-2012-1182)
    
    An anonymous researcher and Brian Gorenc (HP DVLabs) working
    with HP's Zero Day Initiative program have found this and notified us.
    
    metze

commit dc9c68c8992db8225c93043757c4d33b8814c428
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:05:39 2012 +0100

    pidl/NDR/Parser: split off ParseArrayPullGetSize() and 
ParseArrayPullGetLength()
    
    metze

commit d15b71523d228f78f317f44181900dbf10b52e33
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:12:04 2012 +0100

    pidl/NDR/Parser: simplify logic in DeclareArrayVariables*()
    
    metze

commit 94622cea2b2f4914b4ced35e952680c20cc4985b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 15 13:09:51 2012 +0100

    pidl/NDR/Parser: declare all union helper variables in ParseUnionPull()
    
    metze

commit 0d45a24cffef841de5db2344910224e4df9bce3a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sat Apr 7 15:20:25 2012 +0200

    WHATSNEW: Prepare release notes for 3.6.4.
    
    Karolin

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                             |   15 ++-
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm |  154 +++++++++++++++++++-----------
 2 files changed, 106 insertions(+), 63 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 92754cf..2f131e8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,25 @@
                    =============================
                    Release Notes for Samba 3.6.4
-                         , 2012
+                          April 10, 2012
                    =============================
 
 
-This is the latest stable release of Samba 3.6.
+This is a security release in order to address
+CVE-2012-1182 ("root" credential remote code execution).
 
-Major enhancements in Samba 3.6.4 include:
+o  CVE-2012-1182:
+   Samba 3.0.x to 3.6.3 are affected by a
+   vulnerability that allows remote code
+   execution as the "root" user.
 
-o  
 
 Changes since 3.6.3:
 --------------------
 
 
-o   Jeremy Allison <j...@samba.org>
+o   Stefan Metzmacher <me...@samba.org>
+    *BUG 8815: PIDL based autogenerated code allows overwriting beyond of
+     allocated array (CVE-2012-1182).
 
 
 ######################################################################
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm 
b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
index 2078f58..3676d6d 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
@@ -315,39 +315,99 @@ sub check_null_pointer($$$$)
        }
 }
 
-#####################################################################
-# parse an array - pull side
-sub ParseArrayPullHeader($$$$$$)
+sub ParseArrayPullGetSize($$$$$$)
 {
        my ($self,$e,$l,$ndr,$var_name,$env) = @_;
 
-       my $length;
        my $size;
 
        if ($l->{IS_CONFORMANT}) {
-               $length = $size = "ndr_get_array_size($ndr, " . 
get_pointer_to($var_name) . ")";
+               $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) 
. ")";
        } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and 
$l->{LENGTH_IS} == 0) { # Noheader arrays
-               $length = $size = "ndr_get_string_size($ndr, 
sizeof(*$var_name))";
+               $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
        } else {
-               $length = $size = ParseExprExt($l->{SIZE_IS}, $env, 
$e->{ORIGINAL},
+               $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
                        check_null_pointer($e, $env, sub { $self->pidl(shift); 
},
                                           "return ndr_pull_error($ndr, 
NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"),
                        check_fully_dereferenced($e, $env));
        }
 
+       $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
+       my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
+
+       if (my $range = has_property($e, "range")) {
+               my ($low, $high) = split(/,/, $range, 2);
+               if ($low < 0) {
+                       warning(0, "$low is invalid for the range of an array 
size");
+               }
+               if ($low == 0) {
+                       $self->pidl("if ($array_size > $high) {");
+               } else {
+                       $self->pidl("if ($array_size < $low || $array_size > 
$high) {");
+               }
+               $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, 
\"value out of range\");");
+               $self->pidl("}");
+       }
+
+       return $array_size;
+}
+
+#####################################################################
+# parse an array - pull side
+sub ParseArrayPullGetLength($$$$$$;$)
+{
+       my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_;
+
+       if (not defined($array_size)) {
+               $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, 
$var_name, $env);
+       }
+
+       if (not $l->{IS_VARYING}) {
+               return $array_size;
+       }
+
+       my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) 
.")";
+       $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
+       my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
+
+       if (my $range = has_property($e, "range")) {
+               my ($low, $high) = split(/,/, $range, 2);
+               if ($low < 0) {
+                       warning(0, "$low is invalid for the range of an array 
size");
+               }
+               if ($low == 0) {
+                       $self->pidl("if ($array_length > $high) {");
+               } else {
+                       $self->pidl("if ($array_length < $low || $array_length 
> $high) {");
+               }
+               $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, 
\"value out of range\");");
+               $self->pidl("}");
+       }
+
+       return $array_length;
+}
+
+#####################################################################
+# parse an array - pull side
+sub ParseArrayPullHeader($$$$$$)
+{
+       my ($self,$e,$l,$ndr,$var_name,$env) = @_;
+
        if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) {
                $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . 
get_pointer_to($var_name) . "));");
        }
 
        if ($l->{IS_VARYING}) {
                $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . 
get_pointer_to($var_name) . "));");
-               $length = "ndr_get_array_length($ndr, " . 
get_pointer_to($var_name) .")";
        }
 
-       if ($length ne $size) {
-               $self->pidl("if ($length > $size) {");
+       my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, 
$env);
+       my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, 
$var_name, $env, $array_size);
+
+       if ($array_length ne $array_size) {
+               $self->pidl("if ($array_length > $array_size) {");
                $self->indent;
-               $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, 
\"Bad array size %u should exceed array length %u\", $size, $length);");
+               $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, 
\"Bad array size %u should exceed array length %u\", $array_size, 
$array_length);");
                $self->deindent;
                $self->pidl("}");
        }
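Review bot: The [range()] emitter is pasted verbatim into both ParseArrayPullGetSize and ParseArrayPullGetLength (the two `if (my $range = has_property($e, "range"))` blocks), and the copy in GetLength still warns about "the range of an array size" while it is checking the array length, so the two will drift on the next fix. A single helper that takes the validated value and a word for the diagnostic removes the duplication; both callers then become `$self->ParseArrayPullRangeCheck($e, $ndr, $array_size, "size");` and `$self->ParseArrayPullRangeCheck($e, $ndr, $array_length, "length");`. Note that `split(/,/, $range, 2)` leaves `$high` undefined when the IDL gives a single value, so the generated `if (... > )` will not compile; the helper is the natural place to reject that. ParseArrayPullHeader continues past the end of this hunk.
```perl
#####################################################################
# emit a runtime [range(low,high)] check on an already-pulled array
# size or length; $what is only used in the pidl-time diagnostic
sub ParseArrayPullRangeCheck($$$$$)
{
	my ($self,$e,$ndr,$value,$what) = @_;

	my $range = has_property($e, "range");
	return unless defined($range);

	my ($low, $high) = split(/,/, $range, 2);
	if ($low < 0) {
		warning(0, "$low is invalid for the range of an array $what");
	}
	if ($low == 0) {
		$self->pidl("if ($value > $high) {");
	} else {
		$self->pidl("if ($value < $low || $value > $high) {");
	}
	$self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
	$self->pidl("}");
}
```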
@@ -377,10 +437,10 @@ sub ParseArrayPullHeader($$$$$$)
        }
 
        if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) {
-               $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size);
+               $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size);
        }
 
-       return $length;
+       return $array_length;
 }
 
 sub compression_alg($$)
@@ -999,6 +1059,7 @@ sub ParseElementPullLevel
        my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_;
 
        my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred);
+       my $array_length = undef;
 
        if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or 
$l->{IS_CONFORMANT})) {
                $var_name = get_pointer_to($var_name);
@@ -1012,20 +1073,7 @@ sub ParseElementPullLevel
                        $self->ParseSubcontextPullEnd($e, $l, $ndr, $env);
                } elsif ($l->{TYPE} eq "ARRAY") {
                        my $length = $self->ParseArrayPullHeader($e, $l, $ndr, 
$var_name, $env);
-
-                       if (my $range = has_property($e, "range")) {
-                               my ($low, $high) = split(/,/, $range, 2);
-                               if ($low < 0) {
-                                       warning(0, "$low is invalid for the 
range of an array size");
-                               }
-                               if ($low == 0) {
-                                       $self->pidl("if ($length > $high) {");
-                               } else {
-                                       $self->pidl("if ($length < $low || 
$length > $high) {");
-                               }
-                               $self->pidl("\treturn ndr_pull_error($ndr, 
NDR_ERR_RANGE, \"value out of range\");");
-                               $self->pidl("}");
-                       }
+                       $array_length = $length;
 
                        my $nl = GetNextLevel($e, $l);
 
@@ -1091,26 +1139,12 @@ sub ParseElementPullLevel
                }
        } elsif ($l->{TYPE} eq "ARRAY" and 
                        not has_fast_array($e,$l) and not is_charset_array($e, 
$l)) {
-               my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+               my $length = $array_length;
                my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
                my $array_name = $var_name;
 
-               if ($l->{IS_VARYING}) {
-                       $length = "ndr_get_array_length($ndr, " . 
get_pointer_to($var_name) .")";
-               }
-
-               if (my $range = has_property($e, "range")) {
-                       my ($low, $high) = split(/,/, $range, 2);
-                       if ($low < 0) {
-                               warning(0, "$low is invalid for the range of an 
array size");
-                       }
-                       if ($low == 0) {
-                               $self->pidl("if ($length > $high) {");
-                       } else {
-                               $self->pidl("if ($length < $low || $length > 
$high) {");
-                       }
-                       $self->pidl("\treturn ndr_pull_error($ndr, 
NDR_ERR_RANGE, \"value out of range\");");
-                       $self->pidl("}");
+               if (not defined($length)) {
+                       $length = $self->ParseArrayPullGetLength($e, $l, $ndr, 
$var_name, $env);
                }
 
                $var_name = get_array_element($var_name, $counter);
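Review bot: The `if (not defined($length))` fallback deserves a comment, because it is not obvious when it fires: presumably on the deferred-only pass, where ParseArrayPullHeader ran in an earlier primitives pass and `$array_length` is still undef in this invocation, ParseArrayPullGetLength re-emits the `size_…`/`length_…` assignments and the [range()] check a second time in the generated C. That re-derivation comes from the values ndr_pull_array_size()/ndr_pull_array_length() already stored, so it agrees with the loop bound used for allocation — which is the point of the fix — but it should be stated, e.g. `# deferred pass: re-derive the validated element count from the ndr-stored size/length`. ParseElementPullLevel starts and ends outside this hunk.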
@@ -1527,16 +1561,21 @@ sub DeclarePtrVariables($$)
        }
 }
 
-sub DeclareArrayVariables($$)
+sub DeclareArrayVariables($$;$)
 {
-       my ($self,$e) = @_;
+       my ($self,$e,$pull) = @_;
 
        foreach my $l (@{$e->{LEVELS}}) {
+               next if ($l->{TYPE} ne "ARRAY");
+               if (defined($pull)) {
+                       $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} 
= 0;");
+                       if ($l->{IS_VARYING}) {
+                               $self->pidl("uint32_t 
length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
+                       }
+               }
                next if has_fast_array($e,$l);
                next if is_charset_array($e,$l);
-               if ($l->{TYPE} eq "ARRAY") {
-                       $self->pidl("uint32_t 
cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
-               }
+               $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
        }
 }
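Review bot: The new third parameter is tested with `defined($pull)` and callers pass the string "pull", so a caller passing `0` or `""` would still get the pull-side declarations; test it as a boolean, `if ($pull) {`, and document what it switches on, e.g. `# $pull: also declare the size_/length_ helpers used by ParseArrayPullGetSize/GetLength`. Every pull-side caller of DeclareArrayVariables must now pass this flag, since the generated assignments to `size_…`/`length_…` otherwise reference undeclared variables; only ParseStructPull, ParseUnionPull and ParseFunctionPull are visibly updated, so any other pull entry point should be checked.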
 
@@ -1545,15 +1584,14 @@ sub DeclareArrayVariablesNoZero($$$)
        my ($self,$e,$env) = @_;
 
        foreach my $l (@{$e->{LEVELS}}) {
+               next if ($l->{TYPE} ne "ARRAY");
                next if has_fast_array($e,$l);
                next if is_charset_array($e,$l);
-               if ($l->{TYPE} eq "ARRAY") {
-                   my $length = ParseExpr($l->{LENGTH_IS}, $env, 
$e->{ORIGINAL});
-                   if ($length eq "0") {
+               my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+               if ($length eq "0") {
                        warning($e->{ORIGINAL}, "pointless array cntr: 
'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length");
-                   } else {
+               } else {
                        $self->pidl("uint32_t 
cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
-                   }
                }
        }
 }
@@ -1619,7 +1657,7 @@ sub ParseStructPull($$$$)
        # declare any internal pointers we need
        foreach my $e (@{$struct->{ELEMENTS}}) {
                $self->DeclarePtrVariables($e);
-               $self->DeclareArrayVariables($e);
+               $self->DeclareArrayVariables($e, "pull");
                $self->DeclareMemCtxVariables($e);
        }
 
@@ -1882,8 +1920,6 @@ sub ParseUnionPullPrimitives($$$$$)
 
                if ($el->{TYPE} ne "EMPTY") {
                        $self->indent;
-                       $self->DeclarePtrVariables($el);
-                       $self->DeclareArrayVariables($el);
                        if (defined($e->{PROPERTIES}{relative_base})) {
                                $self->pidl("NDR_CHECK(ndr_pull_align($ndr, 
$el->{ALIGN}));");
                                # set the current offset as base for relative 
pointers
@@ -1960,6 +1996,8 @@ sub ParseUnionPull($$$$)
                next if ($el->{TYPE} eq "EMPTY");
                next if ($double_cases{"$el->{NAME}"});
                $self->DeclareMemCtxVariables($el);
+               $self->DeclarePtrVariables($el);
+               $self->DeclareArrayVariables($el, "pull");
                $double_cases{"$el->{NAME}"} = 1;
        }
 
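Review bot: Hoisting the pointer and array declarations to the top of ParseUnionPull dedups them by `$el->{NAME}` only, so if two arms share a name but differ in type (one with a varying array level, one without), only the first arm's `length_…`/`cntr_…` variables are declared and the second arm's generated code may reference an undeclared variable — this is inferred from the key used, so confirm whether PIDL permits same-named arms of different types. If it does, key `%double_cases` on the declarations actually emitted rather than the bare name, or declare the union of both arms' variables. ParseUnionPull starts and ends outside this hunk.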
@@ -2325,7 +2363,7 @@ sub ParseFunctionPull($$)
        # declare any internal pointers we need
        foreach my $e (@{$fn->{ELEMENTS}}) { 
                $self->DeclarePtrVariables($e);
-               $self->DeclareArrayVariables($e);
+               $self->DeclareArrayVariables($e, "pull");
        }
 
        my %double_cases = ();


-- 
Samba Shared Repository
