samba/backport-0031-CVE-2023-0614.patch

From 62d100b64a25c740187f687dd058a543d43984ec Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 24 Feb 2023 10:03:25 +1300
Subject: [PATCH 29/34] CVE-2023-0614 s4-dsdb: Treat confidential attributes as
 unindexed

In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17821
---
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 10 +++++++++-
 source4/dsdb/schema/schema_description.c        |  7 +++++++
 source4/dsdb/schema/schema_init.c               | 11 +++++++++--
 source4/dsdb/schema/schema_set.c                |  9 ++++++++-
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 1dc1e1f2d42..248bb66f039 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
 	guid_val = ldb_dn_get_extended_component(dn, "GUID");
 	sid_val  = ldb_dn_get_extended_component(dn, "SID");
 
-	if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) {
+	/*
+	 * Is the attribute indexed? By treating confidential attributes
+	 * as unindexed, we force searches to go through the unindexed
+	 * search path, avoiding observable timing differences.
+	 */
+	if (!guid_val && !sid_val &&
+	    (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&
+	    !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		/* if it is indexed, then fixing the string DN will do
 		   no good here, as we will not find the attribute in
 		   the index. So for now fall through to a standard DN
diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c
index 243a02a15f3..5fc70154bf8 100644
--- a/source4/dsdb/schema/schema_description.c
+++ b/source4/dsdb/schema/schema_description.c
@@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at
 					       attribute->rangeUpper,
 					       GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),
 					       GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),
+					       /*
+						* We actually ignore the indexed
+						* flag for confidential
+						* attributes, but we'll include
+						* it for the purposes of
+						* description.
+						*/
 					       (attribute->searchFlags & SEARCH_FLAG_ATTINDEX),
 					       attribute->systemOnly);
 	talloc_free(tmp_ctx);
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index a3b00497b6b..c8197b86306 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb,
 	if (attr->isSingleValued) {
 		a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
 	}
-	
-	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+
+	/*
+	 * Is the attribute indexed? By treating confidential attributes as
+	 * unindexed, we force searches to go through the unindexed search path,
+	 * avoiding observable timing differences.
+	 */
+	if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+	    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+	{
 		a->flags |= LDB_ATTR_FLAG_INDEXED;
 	}
 
diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c
index 45faa0912ec..03cf2405595 100644
--- a/source4/dsdb/schema/schema_set.c
+++ b/source4/dsdb/schema/schema_set.c
@@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb,
 			break;
 		}
 
-		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {
+		/*
+		 * Is the attribute indexed? By treating confidential attributes
+		 * as unindexed, we force searches to go through the unindexed
+		 * search path, avoiding observable timing differences.
+		 */
+		if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
+		    !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
+		{
 			/*
 			 * When preparing to downgrade Samba, we need to write
 			 * out an LDB without the new key word ORDERED_INTEGER.
-- 
2.25.1
fix CVE-2023-0225 CVE-2023-0614 CVE-2023-0922 2023-04-01 06:13:02 +00:00			`From 62d100b64a25c740187f687dd058a543d43984ec Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Fri, 24 Feb 2023 10:03:25 +1300`
			`Subject: [PATCH 29/34] CVE-2023-0614 s4-dsdb: Treat confidential attributes as`
			`unindexed`

			`In the unlikely case that someone adds a confidential indexed attribute`
			`to the schema, LDAP search expressions on that attribute could disclose`
			`information via timing differences. Let's not use the index for searches`
			`on confidential attributes.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17821`
			`---`
			`source4/dsdb/samdb/ldb_modules/extended_dn_in.c \| 10 +++++++++-`
			`source4/dsdb/schema/schema_description.c \| 7 +++++++`
			`source4/dsdb/schema/schema_init.c \| 11 +++++++++--`
			`source4/dsdb/schema/schema_set.c \| 9 ++++++++-`
			`4 files changed, 33 insertions(+), 4 deletions(-)`

			`diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c`
			`index 1dc1e1f2d42..248bb66f039 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c`
			`@@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree tree, void privat`
			`guid_val = ldb_dn_get_extended_component(dn, "GUID");`
			`sid_val = ldb_dn_get_extended_component(dn, "SID");`

			`- if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) {`
			`+ /*`
			`+ * Is the attribute indexed? By treating confidential attributes`
			`+ * as unindexed, we force searches to go through the unindexed`
			`+ * search path, avoiding observable timing differences.`
			`+ */`
			`+ if (!guid_val && !sid_val &&`
			`+ (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&`
			`+ !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))`
			`+ {`
			`/* if it is indexed, then fixing the string DN will do`
			`no good here, as we will not find the attribute in`
			`the index. So for now fall through to a standard DN`
			`diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c`
			`index 243a02a15f3..5fc70154bf8 100644`
			`--- a/source4/dsdb/schema/schema_description.c`
			`+++ b/source4/dsdb/schema/schema_description.c`
			`@@ -160,6 +160,13 @@ char schema_attribute_to_extendedInfo(TALLOC_CTX mem_ctx, const struct dsdb_at`
			`attribute->rangeUpper,`
			`GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),`
			`GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),`
			`+ /*`
			`+ * We actually ignore the indexed`
			`+ * flag for confidential`
			`+ * attributes, but we'll include`
			`+ * it for the purposes of`
			`+ * description.`
			`+ */`
			`(attribute->searchFlags & SEARCH_FLAG_ATTINDEX),`
			`attribute->systemOnly);`
			`talloc_free(tmp_ctx);`
			`diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c`
			`index a3b00497b6b..c8197b86306 100644`
			`--- a/source4/dsdb/schema/schema_init.c`
			`+++ b/source4/dsdb/schema/schema_init.c`
			`@@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb,`
			`if (attr->isSingleValued) {`
			`a->flags \|= LDB_ATTR_FLAG_SINGLE_VALUE;`
			`}`
			`-`
			`- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {`
			`+`
			`+ /*`
			`+ * Is the attribute indexed? By treating confidential attributes as`
			`+ * unindexed, we force searches to go through the unindexed search path,`
			`+ * avoiding observable timing differences.`
			`+ */`
			`+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&`
			`+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))`
			`+ {`
			`a->flags \|= LDB_ATTR_FLAG_INDEXED;`
			`}`

			`diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c`
			`index 45faa0912ec..03cf2405595 100644`
			`--- a/source4/dsdb/schema/schema_set.c`
			`+++ b/source4/dsdb/schema/schema_set.c`
			`@@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb,`
			`break;`
			`}`

			`- if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) {`
			`+ /*`
			`+ * Is the attribute indexed? By treating confidential attributes`
			`+ * as unindexed, we force searches to go through the unindexed`
			`+ * search path, avoiding observable timing differences.`
			`+ */`
			`+ if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&`
			`+ !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))`
			`+ {`
			`/*`
			`* When preparing to downgrade Samba, we need to write`
			`* out an LDB without the new key word ORDERED_INTEGER.`
			`--`
			`2.25.1`