samba/backport-0010-CVE-2022-38023.patch

From 0ba8ec7deae74b5d945278614f0634d920e2c3c7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2022 14:03:50 +0100
Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add
 talloc_stackframe() to dcesrv_netr_creds_server_step_check()

This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++--------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 16c0101d1ea0..59386c4d5290 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 						    struct netlogon_creds_CredentialState **creds_out)
 {
 	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS nt_status;
 	int schannel = lpcfg_server_schannel(lp_ctx);
 	bool schannel_global_required = (schannel == true);
@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 	if (schannel_required) {
 		if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
 			*creds_out = creds;
+			TALLOC_FREE(frame);
 			return NT_STATUS_OK;
 		}
 
@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 			"%s request (opnum[%u]) without schannel from "
 			"client_account[%s] client_computer_name[%s]\n",
 			opname, opnum,
-			log_escape(mem_ctx, creds->account_name),
-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
 		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
-			"'server require schannel:%s = no' is needed! \n",
-			log_escape(mem_ctx, creds->account_name));
+			"'server require schannel:%s = no' "
+			"might be needed for a legacy client.\n",
+			log_escape(frame, creds->account_name));
 		TALLOC_FREE(creds);
 		ZERO_STRUCTP(return_authenticator);
+		TALLOC_FREE(frame);
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 			"%s request (opnum[%u]) WITH schannel from "
 			"client_account[%s] client_computer_name[%s]\n",
 			opname, opnum,
-			log_escape(mem_ctx, creds->account_name),
-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
 			"Option 'server require schannel:%s = no' not needed!?\n",
-			log_escape(mem_ctx, creds->account_name));
+			log_escape(frame, creds->account_name));
 
 		*creds_out = creds;
+		TALLOC_FREE(frame);
 		return NT_STATUS_OK;
 	}
 
@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 			 "%s request (opnum[%u]) without schannel from "
 			 "client_account[%s] client_computer_name[%s]\n",
 			 opname, opnum,
-			 log_escape(mem_ctx, creds->account_name),
-			 log_escape(mem_ctx, creds->computer_name));
+			 log_escape(frame, creds->account_name),
+			 log_escape(frame, creds->computer_name));
 		DBG_INFO("CVE-2020-1472(ZeroLogon): "
 			 "Option 'server require schannel:%s = no' still needed!\n",
-			 log_escape(mem_ctx, creds->account_name));
+			 log_escape(frame, creds->account_name));
 	} else {
 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
 			"%s request (opnum[%u]) without schannel from "
 			"client_account[%s] client_computer_name[%s]\n",
 			opname, opnum,
-			log_escape(mem_ctx, creds->account_name),
-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
 		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
 			"'server require schannel:%s = no' might be needed!\n",
-			log_escape(mem_ctx, creds->account_name));
+			log_escape(frame, creds->account_name));
 	}
 
 	*creds_out = creds;
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
 
-- 
2.34.1
fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967 2022-12-29 07:17:40 +00:00			`From 0ba8ec7deae74b5d945278614f0634d920e2c3c7 Mon Sep 17 00:00:00 2001`
			`From: Stefan Metzmacher <metze@samba.org>`
			`Date: Mon, 12 Dec 2022 14:03:50 +0100`
			`Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add`
			`talloc_stackframe() to dcesrv_netr_creds_server_step_check()`

			`This will simplify the following changes.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240`

			`Signed-off-by: Stefan Metzmacher <metze@samba.org>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`Reviewed-by: Ralph Boehme <slow@samba.org>`
			`(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17692`
			`---`
			`source4/rpc_server/netlogon/dcerpc_netlogon.c \| 32 +++++++++++--------`
			`1 file changed, 19 insertions(+), 13 deletions(-)`

			`diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`index 16c0101d1ea0..59386c4d5290 100644`
			`--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c`
			`@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc`
			`struct netlogon_creds_CredentialState **creds_out)`
			`{`
			`struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;`
			`+ TALLOC_CTX *frame = talloc_stackframe();`
			`NTSTATUS nt_status;`
			`int schannel = lpcfg_server_schannel(lp_ctx);`
			`bool schannel_global_required = (schannel == true);`
			`@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc`
			`if (schannel_required) {`
			`if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {`
			`*creds_out = creds;`
			`+ TALLOC_FREE(frame);`
			`return NT_STATUS_OK;`
			`}`

			`@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc`
			`"%s request (opnum[%u]) without schannel from "`
			`"client_account[%s] client_computer_name[%s]\n",`
			`opname, opnum,`
			`- log_escape(mem_ctx, creds->account_name),`
			`- log_escape(mem_ctx, creds->computer_name));`
			`+ log_escape(frame, creds->account_name),`
			`+ log_escape(frame, creds->computer_name));`
			`DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "`
			`- "'server require schannel:%s = no' is needed! \n",`
			`- log_escape(mem_ctx, creds->account_name));`
			`+ "'server require schannel:%s = no' "`
			`+ "might be needed for a legacy client.\n",`
			`+ log_escape(frame, creds->account_name));`
			`TALLOC_FREE(creds);`
			`ZERO_STRUCTP(return_authenticator);`
			`+ TALLOC_FREE(frame);`
			`return NT_STATUS_ACCESS_DENIED;`
			`}`

			`@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc`
			`"%s request (opnum[%u]) WITH schannel from "`
			`"client_account[%s] client_computer_name[%s]\n",`
			`opname, opnum,`
			`- log_escape(mem_ctx, creds->account_name),`
			`- log_escape(mem_ctx, creds->computer_name));`
			`+ log_escape(frame, creds->account_name),`
			`+ log_escape(frame, creds->computer_name));`
			`DBG_ERR("CVE-2020-1472(ZeroLogon): "`
			`"Option 'server require schannel:%s = no' not needed!?\n",`
			`- log_escape(mem_ctx, creds->account_name));`
			`+ log_escape(frame, creds->account_name));`

			`*creds_out = creds;`
			`+ TALLOC_FREE(frame);`
			`return NT_STATUS_OK;`
			`}`

			`@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc`
			`"%s request (opnum[%u]) without schannel from "`
			`"client_account[%s] client_computer_name[%s]\n",`
			`opname, opnum,`
			`- log_escape(mem_ctx, creds->account_name),`
			`- log_escape(mem_ctx, creds->computer_name));`
			`+ log_escape(frame, creds->account_name),`
			`+ log_escape(frame, creds->computer_name));`
			`DBG_INFO("CVE-2020-1472(ZeroLogon): "`
			`"Option 'server require schannel:%s = no' still needed!\n",`
			`- log_escape(mem_ctx, creds->account_name));`
			`+ log_escape(frame, creds->account_name));`
			`} else {`
			`DBG_ERR("CVE-2020-1472(ZeroLogon): "`
			`"%s request (opnum[%u]) without schannel from "`
			`"client_account[%s] client_computer_name[%s]\n",`
			`opname, opnum,`
			`- log_escape(mem_ctx, creds->account_name),`
			`- log_escape(mem_ctx, creds->computer_name));`
			`+ log_escape(frame, creds->account_name),`
			`+ log_escape(frame, creds->computer_name));`
			`DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "`
			`"'server require schannel:%s = no' might be needed!\n",`
			`- log_escape(mem_ctx, creds->account_name));`
			`+ log_escape(frame, creds->account_name));`
			`}`

			`*creds_out = creds;`
			`+ TALLOC_FREE(frame);`
			`return NT_STATUS_OK;`
			`}`

			`--`
			`2.34.1`