libldb/backport-003-CVE-2022-32746.patch

From 7efe8182c165fbf17d2f88c173527a7a554e214b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Feb 2022 16:10:32 +1300
Subject: [PATCH] CVE-2022-32746 ldb: Add flag to mark message element values
 as shared

When making a shallow copy of an ldb message, mark the message elements
of the copy as sharing their values with the message elements in the
original message.

This flag value will be heeded in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
 common/ldb_msg.c     | 43 +++++++++++++++++++++++++++++++-----
 include/ldb_module.h |  6 +++++
 2 files changed, 43 insertions(+), 6 deletions(-)

diff --git a/common/ldb_msg.c b/common/ldb_msg.c
index 57dfc5a04c2b..2a9ce384bb98 100644
--- a/common/ldb_msg.c
+++ b/common/ldb_msg.c
@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
 		       ldb_msg_element_compare_name);
 }
 
-/*
-  shallow copy a message - copying only the elements array so that the caller
-  can safely add new elements without changing the message
-*/
-struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
 					 const struct ldb_message *msg)
 {
 	struct ldb_message *msg2;
@@ -863,6 +859,35 @@ struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
 	return NULL;
 }
 
+/*
+  shallow copy a message - copying only the elements array so that the caller
+  can safely add new elements without changing the message
+*/
+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
+					 const struct ldb_message *msg)
+{
+	struct ldb_message *msg2;
+	unsigned int i;
+
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
+	if (msg2 == NULL) {
+		return NULL;
+	}
+
+	for (i = 0; i < msg2->num_elements; ++i) {
+		/*
+		 * Mark this message's elements as sharing their values with the
+		 * original message, so that we don't inadvertently modify or
+		 * free them. We don't mark the original message element as
+		 * shared, so the original message element should not be
+		 * modified or freed while the shallow copy lives.
+		 */
+		struct ldb_message_element *el = &msg2->elements[i];
+		el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
+	}
+
+        return msg2;
+}
 
 /*
   copy a message, allocating new memory for all parts
@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 	struct ldb_message *msg2;
 	unsigned int i, j;
 
-	msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
+	msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
 	if (msg2 == NULL) return NULL;
 
 	if (msg2->dn != NULL) {
@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
 				goto failed;
 			}
 		}
+
+                /*
+                 * Since we copied this element's values, we can mark them as
+                 * not shared.
+		 */
+		el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
 	}
 
 	return msg2;
diff --git a/include/ldb_module.h b/include/ldb_module.h
index 8c1e5ee7936c..4c7c85a17f00 100644
--- a/include/ldb_module.h
+++ b/include/ldb_module.h
@@ -96,6 +96,12 @@ struct ldb_module;
  */
 #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
 
+/*
+ * indicates that this element's values are shared with another element (for
+ * example, in a shallow copy of an ldb_message) and should not be freed
+ */
+#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
+
 /* an extended match rule that always fails to match */
 #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
fix CVE-2022-32746 2022-08-01 08:03:30 +00:00			`From 7efe8182c165fbf17d2f88c173527a7a554e214b Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Mon, 21 Feb 2022 16:10:32 +1300`
			`Subject: [PATCH] CVE-2022-32746 ldb: Add flag to mark message element values`
			`as shared`

			`When making a shallow copy of an ldb message, mark the message elements`
			`of the copy as sharing their values with the message elements in the`
			`original message.`

			`This flag value will be heeded in the next commit.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`---`
			`common/ldb_msg.c \| 43 +++++++++++++++++++++++++++++++-----`
			`include/ldb_module.h \| 6 +++++`
			`2 files changed, 43 insertions(+), 6 deletions(-)`

			`diff --git a/common/ldb_msg.c b/common/ldb_msg.c`
			`index 57dfc5a04c2b..2a9ce384bb98 100644`
			`--- a/common/ldb_msg.c`
			`+++ b/common/ldb_msg.c`
			`@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)`
			`ldb_msg_element_compare_name);`
			`}`

			`-/*`
			`- shallow copy a message - copying only the elements array so that the caller`
			`- can safely add new elements without changing the message`
			`-*/`
			`-struct ldb_message ldb_msg_copy_shallow(TALLOC_CTX mem_ctx,`
			`+static struct ldb_message ldb_msg_copy_shallow_impl(TALLOC_CTX mem_ctx,`
			`const struct ldb_message *msg)`
			`{`
			`struct ldb_message *msg2;`
			`@@ -863,6 +859,35 @@ struct ldb_message ldb_msg_copy_shallow(TALLOC_CTX mem_ctx,`
			`return NULL;`
			`}`

			`+/*`
			`+ shallow copy a message - copying only the elements array so that the caller`
			`+ can safely add new elements without changing the message`
			`+*/`
			`+struct ldb_message ldb_msg_copy_shallow(TALLOC_CTX mem_ctx,`
			`+ const struct ldb_message *msg)`
			`+{`
			`+ struct ldb_message *msg2;`
			`+ unsigned int i;`
			`+`
			`+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);`
			`+ if (msg2 == NULL) {`
			`+ return NULL;`
			`+ }`
			`+`
			`+ for (i = 0; i < msg2->num_elements; ++i) {`
			`+ /*`
			`+ * Mark this message's elements as sharing their values with the`
			`+ * original message, so that we don't inadvertently modify or`
			`+ * free them. We don't mark the original message element as`
			`+ * shared, so the original message element should not be`
			`+ * modified or freed while the shallow copy lives.`
			`+ */`
			`+ struct ldb_message_element *el = &msg2->elements[i];`
			`+ el->flags \|= LDB_FLAG_INTERNAL_SHARED_VALUES;`
			`+ }`
			`+`
			`+ return msg2;`
			`+}`

			`/*`
			`copy a message, allocating new memory for all parts`
			`@@ -873,7 +898,7 @@ struct ldb_message ldb_msg_copy(TALLOC_CTX mem_ctx,`
			`struct ldb_message *msg2;`
			`unsigned int i, j;`

			`- msg2 = ldb_msg_copy_shallow(mem_ctx, msg);`
			`+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);`
			`if (msg2 == NULL) return NULL;`

			`if (msg2->dn != NULL) {`
			`@@ -894,6 +919,12 @@ struct ldb_message ldb_msg_copy(TALLOC_CTX mem_ctx,`
			`goto failed;`
			`}`
			`}`
			`+`
			`+ /*`
			`+ * Since we copied this element's values, we can mark them as`
			`+ * not shared.`
			`+ */`
			`+ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;`
			`}`

			`return msg2;`
			`diff --git a/include/ldb_module.h b/include/ldb_module.h`
			`index 8c1e5ee7936c..4c7c85a17f00 100644`
			`--- a/include/ldb_module.h`
			`+++ b/include/ldb_module.h`
			`@@ -96,6 +96,12 @@ struct ldb_module;`
			`*/`
			`#define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100`

			`+/*`
			`+ * indicates that this element's values are shared with another element (for`
			`+ * example, in a shallow copy of an ldb_message) and should not be freed`
			`+ */`
			`+#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200`
			`+`
			`/* an extended match rule that always fails to match */`
			`#define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"`