!106 [sync] PR-94: fix CVE-2022-32746 CVE-2022-2031 CVE-2022-32744 CVE-2022-32742 CVE-2022-32745

From: @openeuler-sync-bot 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

backport-CVE-2022-32742.patch

@@ -0,0 +1,216 @@
+From d6aef6838a674ab95ff9172f4ac67707667f9e00 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 7 Jun 2022 09:40:45 -0700
+Subject: [PATCH 98/99] CVE-2022-32742: s4: torture: Add raw.write.bad-write
+ test.
+
+Reproduces the test code in:
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Add knownfail.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+---
+ selftest/knownfail.d/bad-write |  2 +
+ source4/torture/raw/write.c    | 89 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+new file mode 100644
+index 00000000000..5fc16606a13
+--- /dev/null
++++ b/selftest/knownfail.d/bad-write
+@@ -0,0 +1,2 @@
++^samba3.raw.write.bad-write\(nt4_dc_smb1\)
++^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c
+index 0a2f50f425b..661485bb548 100644
+--- a/source4/torture/raw/write.c
++++ b/source4/torture/raw/write.c
+@@ -25,6 +25,7 @@
+ #include "libcli/libcli.h"
+ #include "torture/util.h"
+ #include "torture/raw/proto.h"
++#include "libcli/raw/raw_proto.h"
+ 
+ #define CHECK_STATUS(status, correct) do { \
+ 	if (!NT_STATUS_EQUAL(status, correct)) { \
+@@ -694,6 +695,93 @@ done:
+ 	return ret;
+ }
+ 
++/*
++  test a deliberately bad SMB1 write.
++*/
++static bool test_bad_write(struct torture_context *tctx,
++		       struct smbcli_state *cli)
++{
++	bool ret = false;
++	int fnum = -1;
++	struct smbcli_request *req = NULL;
++	const char *fname = BASEDIR "\\badwrite.txt";
++	bool ok = false;
++
++	if (!torture_setup_dir(cli, BASEDIR)) {
++		torture_fail(tctx, "failed to setup basedir");
++	}
++
++	torture_comment(tctx, "Testing RAW_BAD_WRITE\n");
++
++	fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
++	if (fnum == -1) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx,
++				"Failed to create %s - %s\n",
++				fname,
++				smbcli_errstr(cli->tree)));
++	}
++
++	req = smbcli_request_setup(cli->tree,
++				   SMBwrite,
++				   5,
++				   0);
++	if (req == NULL) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "talloc fail\n"));
++	}
++
++	SSVAL(req->out.vwv, VWV(0), fnum);
++	SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */
++	SIVAL(req->out.vwv, VWV(2), 0); /* offset */
++	SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */
++
++        if (!smbcli_request_send(req)) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "Send failed\n"));
++        }
++
++        if (!smbcli_request_receive(req)) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "Reveive failed\n"));
++	}
++
++	/*
++	 * Check for expected error codes.
++	 * ntvfs returns NT_STATUS_UNSUCCESSFUL.
++	 */
++	ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||
++	     NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));
++
++	if (!ok) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx,
++				"Should have returned "
++				"NT_STATUS_INVALID_PARAMETER or "
++				"NT_STATUS_UNSUCCESSFUL "
++				"got %s\n",
++				nt_errstr(req->status)));
++        }
++
++	ret = true;
++
++done:
++	if (req != NULL) {
++		smbcli_request_destroy(req);
++	}
++	if (fnum != -1) {
++		smbcli_close(cli->tree, fnum);
++	}
++	smb_raw_exit(cli->session);
++	smbcli_deltree(cli->tree, BASEDIR);
++	return ret;
++}
++
+ /*
+    basic testing of write calls
+ */
+@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)
+ 	torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);
+ 	torture_suite_add_1smb_test(suite, "write close", test_writeclose);
+ 	torture_suite_add_1smb_test(suite, "writex", test_writex);
++	torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);
+ 
+ 	return suite;
+ }
+-- 
+2.25.1
+
+
+From a4707e4a955d01edf493cd0d7ab8b1ecb4ca7991 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 8 Jun 2022 13:50:51 -0700
+Subject: [PATCH 99/99] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem()
+ macro.
+
+Fixes the raw.write.bad-write test.
+
+NB. We need the two (==0) changes in source3/smbd/reply.c
+as the gcc optimizer now knows that the return from
+smbreq_bufrem() can never be less than zero.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Remove knownfail.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+---
+ selftest/knownfail.d/bad-write | 2 --
+ source3/include/smb_macros.h   | 2 +-
+ source3/smbd/reply.c           | 4 ++--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+deleted file mode 100644
+index 5fc16606a13..00000000000
+--- a/selftest/knownfail.d/bad-write
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.raw.write.bad-write\(nt4_dc_smb1\)
+-^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
+index ba2c76764d1..9f1d00835d7 100644
+--- a/source3/include/smb_macros.h
++++ b/source3/include/smb_macros.h
+@@ -152,7 +152,7 @@
+ 
+ /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
+ #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
+-#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
++#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
+ 
+ 
+ /* Note that chain_size must be available as an extern int to this macro. */
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 879d5b2ae21..88c62b891ae 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -344,7 +344,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
+ {
+ 	ssize_t bufrem = smbreq_bufrem(req, src);
+ 
+-	if (bufrem < 0) {
++	if (bufrem == 0) {
+ 		*err = NT_STATUS_INVALID_PARAMETER;
+ 		return 0;
+ 	}
+@@ -382,7 +382,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
+ {
+ 	ssize_t bufrem = smbreq_bufrem(req, src);
+ 
+-	if (bufrem < 0) {
++	if (bufrem == 0) {
+ 		return 0;
+ 	}
+ 
+-- 
+2.25.1

backport-CVE-2022-32745.patch

@@ -0,0 +1,163 @@
+From c231d424b89ba718262ed376431a982baaeef33f Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 16 Feb 2022 17:03:10 +1300
+Subject: [PATCH 15/99] CVE-2022-32745 s4/dsdb/samldb: Check for empty values
+ array
+
+This avoids potentially trying to access the first element of an empty
+array.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
+index b89d93910fd..3ecbd00e68e 100644
+--- a/source4/dsdb/samdb/ldb_modules/samldb.c
++++ b/source4/dsdb/samdb/ldb_modules/samldb.c
+@@ -751,7 +751,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
+ 		return ret;
+ 	}
+ 
+-	if (el == NULL) {
++	if (el == NULL || el->num_values == 0) {
+ 		return LDB_SUCCESS;
+ 	}
+ 
+@@ -919,7 +919,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac)
+ 		return ret;
+ 	}
+ 
+-	if (el == NULL) {
++	if (el == NULL || el->num_values == 0) {
+ 		return LDB_SUCCESS;
+ 	}
+ 
+-- 
+2.25.1
+
+
+From d2dbb3b6818d429b12d54e68510286d033d4abd7 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Thu, 17 Feb 2022 11:11:53 +1300
+Subject: [PATCH 16/99] CVE-2022-32745 s4/dsdb/util: Use correct value for loop
+ count limit
+
+Currently, we can crash the server by sending a large number of values
+of a specific attribute (such as sAMAccountName) spread across a few
+message elements. If val_count is larger than the total number of
+elements, we get an access beyond the elements array.
+
+Similarly, we can include unrelated message elements prior to the
+message elements of the attribute in question, so that not all of the
+attribute's values are copied into the returned elements values array.
+This can cause the server to access uninitialised data, likely resulting
+in a crash or unexpected behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 405febf0b3d..14947746837 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1546,7 +1546,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 
+ 	v = _el->values;
+ 
+-	for (i = 0; i < val_count; i++) {
++	for (i = 0; i < msg->num_elements; i++) {
+ 		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+ 			if ((operation == LDB_MODIFY) &&
+ 			    (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+-- 
+2.25.1
+
+
+From d85bb9f5edc08ce2042be366c720dd027788f5bd Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Thu, 17 Feb 2022 11:13:38 +1300
+Subject: [PATCH 17/99] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a
+ NULL pointer
+
+Doing so is undefined behaviour.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 14947746837..35ae110b5ef 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 
+ 	for (i = 0; i < msg->num_elements; i++) {
+ 		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
++			const struct ldb_message_element *tmp_el = &msg->elements[i];
+ 			if ((operation == LDB_MODIFY) &&
+-			    (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
++			    (LDB_FLAG_MOD_TYPE(tmp_el->flags)
+ 						== LDB_FLAG_MOD_DELETE)) {
+ 				continue;
+ 			}
++			if (tmp_el->values == NULL || tmp_el->num_values == 0) {
++				continue;
++			}
+ 			memcpy(v,
+-			       msg->elements[i].values,
+-			       msg->elements[i].num_values);
+-			v += msg->elements[i].num_values;
++			       tmp_el->values,
++			       tmp_el->num_values);
++			v += tmp_el->num_values;
+ 		}
+ 	}
+ 
+-- 
+2.25.1
+
+
+From 6af497232e4ed24c33a29b77825fa854a73b5427 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Fri, 3 Jun 2022 16:16:31 +1200
+Subject: [PATCH 18/99] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
+ message element
+
+To use memcpy(), we need to specify the number of bytes to copy, rather
+than the number of ldb_val structures.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+---
+ source4/dsdb/samdb/ldb_modules/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
+index 35ae110b5ef..e7fe8f855df 100644
+--- a/source4/dsdb/samdb/ldb_modules/util.c
++++ b/source4/dsdb/samdb/ldb_modules/util.c
+@@ -1559,7 +1559,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
+ 			}
+ 			memcpy(v,
+ 			       tmp_el->values,
+-			       tmp_el->num_values);
++			       tmp_el->num_values * sizeof(*v));
+ 			v += tmp_el->num_values;
+ 		}
+ 	}
+-- 
+2.25.1
+
+

samba.spec

@@ -49,7 +49,7 @@
 
 Name:           samba
 Version:        4.15.3
-Release:        6
+Release:        7
 
 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@@ -74,6 +74,10 @@ Patch4:         backport-0005-CVE-2021-44142.patch
 Patch5:         backport-0001-CVE-2022-0336.patch
 Patch6:         backport-0002-CVE-2022-0336.patch
 Patch7:         backport-CVE-2021-44141.patch
+Patch8:         backport-CVE-2022-32746.patch
+Patch9:         backport-CVE-2022-32745.patch
+Patch10:        backport-CVE-2022-2031-CVE-2022-32744.patch
+Patch11:        backport-CVE-2022-32742.patch
 
 BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
 BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel 
@@ -2267,6 +2271,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
@@ -2292,6 +2297,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tests.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
+%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
 %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 %{python3_sitearch}/samba/tests/krb5/raw_testcase.py
 %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
@@ -3394,6 +3400,12 @@ fi
 %endif
 
 %changelog
+* Tue Aug 02 2022 xinghe <xinghe2@h-partners.com> - 4.15.3-7
+- Type:cves
+- ID:CVE-2022-32746 CVE-2022-2031 CVE-2022-32744 CVE-2022-32742 CVE-2022-32745
+- SUG:NA
+- DESC:fix CVE-2022-32746 CVE-2022-2031 CVE-2022-32744 CVE-2022-32742 CVE-2022-32745
+
 * Wed Jul 20 2022 gaihuiying <eaglegai@163.com> - 4.15.3-6
 - Type:bugfix
 - ID:NA