[Bug 268059] client can cause kadmind's kadm5_s_create_principal() to use uninitialized pointers
Date: Tue, 29 Nov 2022 16:19:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268059 Bug ID: 268059 Summary: client can cause kadmind's kadm5_s_create_principal() to use uninitialized pointers Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Attachment #238422 text/plain mime type: Created attachment 238422 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238422&action=edit client that causes kadmind to use uninitialized pointers If the client sends kadmind a kadm_create with a zero mask, kadm5_s_create_principal()'s call to create_principal(...,&ent,...) returns error KADM5_BAD_MASK before zeroing ent, and in response to the error kadm5_s_create_principal() calls hdb_free_entry(...,&ent) which reads (and perhaps writes and calls) uninitialized pointers in ent. I've attached a demo, which requires kinit and perhaps permissions in /var/heimdal/kadmind.acl. # cc kadmind18a.c -lkrb5 # /usr/libexec/kadmind --debug & # ./a.out #0 0x0000000040173506 in hdb_free_entry (context=<optimized out>, ent=0x3fffffe608) at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/hdb.c:179 #1 0x00000000401533fc in kadm5_s_create_principal (server_handle=0x40b304c0, princ=<optimized out>, mask=0, password=0x40b42060 "") at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/create_s.c:191 #2 0x000000000010a70c in kadmind_dispatch (kadm_handlep=0x40b304c0, initial=0, in=0x3fffffe790, out=0x3fffffe780) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:149 #3 v5_loop (contextp=0x40aeae10, fd=5, ac=<optimized out>, initial=<optimized out>, kadm_handlep=<optimized out>) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:477 #4 handle_v5 (contextp=0x40aeae10, keytab=<optimized out>, fd=<optimized out>) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:556 #5 kadmind_loop (contextp=0x40aeae10, keytab=<optimized out>, sock=<optimized out>) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:584 #6 0x000000000010ab30 in main (argc=<optimized out>, argv=<optimized out>) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/kadmind.c:202 -- You are receiving this mail because: You are the assignee for the bug.