[Bug 267972] kadmind can use uninitialized ent.tl_data...tl_data_contents and tl_data_length

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 24 Nov 2022 18:29:58 UTC

            Bug ID: 267972
           Summary: kadmind can use uninitialized
                    ent.tl_data...tl_data_contents and tl_data_length
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
Attachment #238312 mime type: text/plain

Created attachment 238312
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238312&action=edit
crash kadmind with a short kadm_modify message

If a client kadm_modify message ends unexpectedly early during
KADM5_TL_DATA, krb5_ret_data() can return (due to error) before
setting data->size or data->length. But the call from
kadm5_ret_tl_data() doesn't check for an error, and the surrounding
call from ret_principal_ent() for KADM5_TL_DATA doesn't check for an
error either. So list elements in ent.tl_data (princ->tl_data) may
contain uninitialized junk.

I've attached a demo. It expects to be run with tickets. Maybe some
previous bugs have to be fixed in order for kadmind to get as far as
this one.

# cc kadmind16a.c -lkrb5
# ./a.out

A backtrace from kadmin:

#0  memset (xdst=0x17e4ffb480, c=0, len=18446744073709541600)
#1  0x00000017d6b6bff2 in kadm5_free_principal_ent (
    server_handle=<optimized out>, princ=0x17d5c2f420)
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/free.c:73
#2  0x0000001754e3c340 in kadmind_dispatch (kadm_handlep=0x17e4fd44c0, 
    initial=0, in=<optimized out>, out=0x17d5c2f5f8)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:161
#3  0x0000001754e3bf9e in v5_loop (contextp=<optimized out>, 
    ac=<optimized out>, initial=<optimized out>, kadm_handlep=<optimized out>, 
    fd=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:459
#4  0x0000001754e3be72 in handle_v5 (contextp=0x17e4f8ee10, 
    keytab=<optimized out>, fd=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:551
#5  0x0000001754e3bd7a in kadmind_loop (contextp=0x17e4f8ee10, 
    keytab=0x17e4fad330, sock=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:579
#6  0x0000001754e3ccb2 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/kadmind.c:202
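As an added illustration, not Heimdal code and not the attached demo, the C below models the pattern this report describes: a length-prefixed item is decoded from a message, the decoder returns an error on a truncated message before it writes the output length, and a caller that drops the return value ends up handing whatever stale value the struct held to a later zero-and-free, which is what the huge `len` in the memset() frame above corresponds to. All names here (`blob`, `msg_reader`, `ret_data`, `tl_length_unchecked`, `tl_length_checked`) are made up for the example, and the stale value is a fixed sentinel standing in for real uninitialized stack contents so the behaviour is deterministic.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stands in for whatever the stack held before the element was filled in. */
#define STALE_LEN ((size_t)0xdeadbeefdeadbeefULL)

typedef struct { size_t length; unsigned char *data; } blob;                     /* cf. krb5_data */
typedef struct { const unsigned char *buf; size_t len; size_t pos; } msg_reader; /* cf. krb5_storage */

/* Read a big-endian 32-bit length; fail if fewer than 4 bytes remain. */
static int ret_uint32(msg_reader *r, uint32_t *out)
{
    const unsigned char *p = r->buf + r->pos;
    if (r->len - r->pos < 4)
        return EINVAL;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    r->pos += 4;
    return 0;
}

/* Model of the decoder: length prefix, then that many bytes.  Every error
 * path returns before *out is written, so a truncated message leaves
 * out->length exactly as the caller had it. */
static int ret_data(msg_reader *r, blob *out)
{
    uint32_t n;
    int ret = ret_uint32(r, &n);
    if (ret)
        return ret;
    if (r->len - r->pos < n)
        return EINVAL;               /* payload cut short: *out untouched */
    out->data = malloc(n ? n : 1);
    if (out->data == NULL)
        return ENOMEM;
    memcpy(out->data, r->buf + r->pos, n);
    out->length = n;
    r->pos += n;
    return 0;
}

/* Caller in the shape the report describes: the decoder's return value is
 * dropped and the element is used anyway.  Returns the length a later
 * zero-and-free would be handed. */
size_t tl_length_unchecked(const unsigned char *msg, size_t msglen)
{
    msg_reader r = { msg, msglen, 0 };
    blob b;
    b.length = STALE_LEN;            /* simulated uninitialized stack value */
    b.data = NULL;
    (void)ret_data(&r, &b);          /* error ignored */
    free(b.data);                    /* still NULL on the error path */
    return b.length;                 /* STALE_LEN if the message was short */
}

/* Hardened caller: propagate the error and leave no half-filled element
 * behind for the free path to trip over. */
int tl_length_checked(const unsigned char *msg, size_t msglen, size_t *len_out)
{
    msg_reader r = { msg, msglen, 0 };
    blob b = { 0, NULL };
    int ret = ret_data(&r, &b);
    *len_out = 0;
    if (ret)
        return ret;
    *len_out = b.length;
    free(b.data);
    return 0;
}

/* Constructed messages: one complete 3-byte item, one that announces
 * 3 bytes but carries only 1. */
static const unsigned char complete_msg[]  = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char truncated_msg[] = { 0, 0, 0, 3, 'a' };

size_t unchecked_complete(void)   { return tl_length_unchecked(complete_msg, sizeof complete_msg); }
size_t unchecked_truncated(void)  { return tl_length_unchecked(truncated_msg, sizeof truncated_msg); }
int    checked_truncated_rc(void) { size_t n; return tl_length_checked(truncated_msg, sizeof truncated_msg, &n); }
size_t checked_complete_len(void) { size_t n; (void)tl_length_checked(complete_msg, sizeof complete_msg, &n); return n; }

int main(void)
{
    printf("unchecked, complete : length %zu\n", unchecked_complete());
    printf("unchecked, truncated: length %#zx (stale)\n", unchecked_truncated());
    printf("checked,   truncated: rc %d\n", checked_truncated_rc());
    printf("checked,   complete : length %zu\n", checked_complete_len());
    return 0;
}
```

The point of the two callers is that the decoder's contract (outputs are only valid on success) is fine on its own; the defect is in consuming the output without looking at the return value, and the fix is to check it at each level, here in the decoder's caller and, in the real code, also in ret_principal_ent() so a failed element is never linked into the list that the free routine later walks.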
