samba/backport-0005-CVE-2023-0614.patch

From 89f882b49d2669ba8b51e9b5de644164f5c1995e Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 7 Feb 2023 09:29:51 +1300
Subject: [PATCH 03/34] CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more
 consistently

It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17821
---
 source4/dsdb/samdb/ldb_modules/acl_read.c          | 4 ++--
 source4/dsdb/samdb/ldb_modules/acl_util.c          | 2 +-
 source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index b221dcde445..16a1927183c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -268,7 +268,7 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
 	struct ldb_message_element *sd_element;
 	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
 	struct aclread_private *private_data
-		= talloc_get_type(ldb_module_get_private(ac->module),
+		= talloc_get_type_abort(ldb_module_get_private(ac->module),
 				  struct aclread_private);
 	enum ndr_err_code ndr_err;
 
@@ -568,7 +568,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 	const struct dsdb_class *objectclass;
 	bool suppress_result = false;
 
-	ac = talloc_get_type(req->context, struct aclread_context);
+	ac = talloc_get_type_abort(req->context, struct aclread_context);
 	ldb = ldb_module_get_ctx(ac->module);
 	if (!ares) {
 		return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 12f00fbff16..367c11d1ba9 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -298,7 +298,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
 
 	sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
 	if (sd_control != NULL && sd_control->data != NULL) {
-		struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
+		struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);
 
 		sd_flags = sdctr->secinfo_flags;
 
diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
index 5ef075f2037..317df9d3e0e 100644
--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c
+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c
@@ -104,7 +104,7 @@ static int handle_verify_name_control(TALLOC_CTX *ctx, struct ldb_context *ldb,
 	 * If we are a GC let's remove the control,
 	 * if there is a specified GC check that is us.
 	 */
-	struct ldb_verify_name_control *lvnc = (struct ldb_verify_name_control *)control->data;
+	struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);
 	if (samdb_is_gc(ldb)) {
 		/* Because we can't easily talloc a struct ldb_dn*/
 		struct ldb_dn **dn = talloc_array(ctx, struct ldb_dn *, 1);
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index b308226a9f9..6a713b86736 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -4066,7 +4066,7 @@ static void ph_apply_controls(struct ph_context *ac)
 	ctrl = ldb_request_get_control(ac->req,
 				       DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID);
 	if (ctrl != NULL) {
-		ac->change = (struct dsdb_control_password_change *) ctrl->data;
+		ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);
 
 		/* Mark the "change" control as uncritical (done) */
 		ctrl->critical = false;
-- 
2.25.1
fix CVE-2023-0225 CVE-2023-0614 CVE-2023-0922 2023-04-01 06:13:02 +00:00			`From 89f882b49d2669ba8b51e9b5de644164f5c1995e Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Tue, 7 Feb 2023 09:29:51 +1300`
			`Subject: [PATCH 03/34] CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more`
			`consistently`

			`It is better to explicitly abort than to dereference a NULL pointer or`
			`try to read data cast to the wrong type.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17821`
			`---`
			`source4/dsdb/samdb/ldb_modules/acl_read.c \| 4 ++--`
			`source4/dsdb/samdb/ldb_modules/acl_util.c \| 2 +-`
			`source4/dsdb/samdb/ldb_modules/linked_attributes.c \| 2 +-`
			`source4/dsdb/samdb/ldb_modules/password_hash.c \| 2 +-`
			`4 files changed, 5 insertions(+), 5 deletions(-)`

			`diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`index b221dcde445..16a1927183c 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`@@ -268,7 +268,7 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,`
			`struct ldb_message_element *sd_element;`
			`struct ldb_context *ldb = ldb_module_get_ctx(ac->module);`
			`struct aclread_private *private_data`
			`- = talloc_get_type(ldb_module_get_private(ac->module),`
			`+ = talloc_get_type_abort(ldb_module_get_private(ac->module),`
			`struct aclread_private);`
			`enum ndr_err_code ndr_err;`

			`@@ -568,7 +568,7 @@ static int aclread_callback(struct ldb_request req, struct ldb_reply ares)`
			`const struct dsdb_class *objectclass;`
			`bool suppress_result = false;`

			`- ac = talloc_get_type(req->context, struct aclread_context);`
			`+ ac = talloc_get_type_abort(req->context, struct aclread_context);`
			`ldb = ldb_module_get_ctx(ac->module);`
			`if (!ares) {`
			`return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );`
			`diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c`
			`index 12f00fbff16..367c11d1ba9 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/acl_util.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c`
			`@@ -298,7 +298,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request req, bool explicit)`

			`sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);`
			`if (sd_control != NULL && sd_control->data != NULL) {`
			`- struct ldb_sd_flags_control sdctr = (struct ldb_sd_flags_control )sd_control->data;`
			`+ struct ldb_sd_flags_control *sdctr = talloc_get_type_abort(sd_control->data, struct ldb_sd_flags_control);`

			`sd_flags = sdctr->secinfo_flags;`

			`diff --git a/source4/dsdb/samdb/ldb_modules/linked_attributes.c b/source4/dsdb/samdb/ldb_modules/linked_attributes.c`
			`index 5ef075f2037..317df9d3e0e 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/linked_attributes.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/linked_attributes.c`
			`@@ -104,7 +104,7 @@ static int handle_verify_name_control(TALLOC_CTX ctx, struct ldb_context ldb,`
			`* If we are a GC let's remove the control,`
			`* if there is a specified GC check that is us.`
			`*/`
			`- struct ldb_verify_name_control lvnc = (struct ldb_verify_name_control )control->data;`
			`+ struct ldb_verify_name_control *lvnc = talloc_get_type_abort(control->data, struct ldb_verify_name_control);`
			`if (samdb_is_gc(ldb)) {`
			`/* Because we can't easily talloc a struct ldb_dn*/`
			`struct ldb_dn *dn = talloc_array(ctx, struct ldb_dn , 1);`
			`diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c`
			`index b308226a9f9..6a713b86736 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/password_hash.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c`
			`@@ -4066,7 +4066,7 @@ static void ph_apply_controls(struct ph_context *ac)`
			`ctrl = ldb_request_get_control(ac->req,`
			`DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID);`
			`if (ctrl != NULL) {`
			`- ac->change = (struct dsdb_control_password_change *) ctrl->data;`
			`+ ac->change = talloc_get_type_abort(ctrl->data, struct dsdb_control_password_change);`

			`/* Mark the "change" control as uncritical (done) */`
			`ctrl->critical = false;`
			`--`
			`2.25.1`