File 0010-Fix-integer-overflows-in-PAC-parsing.patch of Package krb5.34549

Overview Repositories Revisions Requests Users Attributes Meta

File 0010-Fix-integer-overflows-in-PAC-parsing.patch of Package krb5.34549

commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Oct 17 20:25:11 2022 -0400

Fix integer overflows in PAC parsing
    
    In krb5_parse_pac(), check for buffer counts large enough to threaten
    integer overflow in the header length and memory length calculations.
    Avoid potential integer overflows when checking the length of each
    buffer.  Credit to OSS-Fuzz for discovering one of the issues.
    
    CVE-2022-42898:
    
    In MIT krb5 releases 1.8 and later, an authenticated attacker may be
    able to cause a KDC or kadmind process to crash by reading beyond the
    bounds of allocated memory, creating a denial of service.  A
    privileged attacker may similarly be able to cause a Kerberos or GSS
    application service to crash.  On 32-bit platforms, an attacker can
    also cause insufficient memory to be allocated for the result,
    potentially leading to remote code execution in a KDC, kadmind, or GSS
    or Kerberos application server process.  An attacker with the
    privileges of a cross-realm KDC may be able to extract secrets from a
    KDC process's memory by having them copied into the PAC of a new
    ticket.
    
    ticket: 9074 (new)
    tags: pullup
    target_version: 1.20-next
    target_version: 1.19-next

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 2f1df8d42b..f6c4373de0 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -27,6 +27,8 @@
 #include "k5-int.h"
 #include "authdata.h"
 
+#define MAX_BUFFERS 4096
+
 /* draft-brezak-win2k-krb-authz-00 */
 
 /*
@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context,
     if (version != 0)
         return EINVAL;
 
+    if (cbuffers < 1 || cbuffers > MAX_BUFFERS)
+        return ERANGE;
+
     header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
     if (len < header_len)
         return ERANGE;
@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context,
             krb5_pac_free(context, pac);
             return EINVAL;
         }
-        if (buffer->Offset < header_len ||
-            buffer->Offset + buffer->cbBufferSize > len) {
+        if (buffer->Offset < header_len || buffer->Offset > len ||
+            buffer->cbBufferSize > len - buffer->Offset) {
             krb5_pac_free(context, pac);
             return ERANGE;
         }
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 0b1b1f0564..173bde7bab 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = {
     0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00
 };
 
+static const unsigned char fuzz1[] = {
+    0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00,
+    0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5
+};
+
+static const unsigned char fuzz2[] = {
+    0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+    0x20, 0x20
+};
+
 static const char *s4u_principal = "w2k8u@ACME.COM";
 static const char *s4u_enterprise = "w2k8u@abc@ACME.COM";
 
@@ -646,6 +656,14 @@ main(int argc, char **argv)
         krb5_free_principal(context, sep);
     }
 
+    /* Check problematic PACs found by fuzzing. */
+    ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac);
+    if (!ret)
+        err(context, ret, "krb5_pac_parse should have failed");
+    ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac);
+    if (!ret)
+        err(context, ret, "krb5_pac_parse should have failed");
+
     /*
      * Test empty free
      */

Places

File 0010-Fix-integer-overflows-in-PAC-parsing.patch of Package krb5.34549

Places