[Bug 268059] client can cause kadmind's kadm5_s_create_principal() to use uninitialized pointers

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 29 Nov 2022 16:19:29 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268059

            Bug ID: 268059
           Summary: client can cause kadmind's kadm5_s_create_principal()
                    to use uninitialized pointers
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #238422
         mime type: text/plain

Created attachment 238422
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=238422&action=edit
client that causes kadmind to use uninitialized pointers

If the client sends kadmind a kadm_create with a zero mask,
kadm5_s_create_principal()'s call to create_principal(...,&ent,...)
returns error KADM5_BAD_MASK before zeroing ent, and in response to
the error kadm5_s_create_principal() calls hdb_free_entry(...,&ent)
which reads (and perhaps writes and calls) uninitialized pointers in ent.

I've attached a demo, which requires kinit and perhaps permissions
in /var/heimdal/kadmind.acl.

# cc kadmind18a.c -lkrb5
# /usr/libexec/kadmind --debug &
# ./a.out

#0  0x0000000040173506 in hdb_free_entry (context=<optimized out>, 
    ent=0x3fffffe608) at /usr/rtm/symbsd/src/crypto/heimdal/lib/hdb/hdb.c:179
#1  0x00000000401533fc in kadm5_s_create_principal (server_handle=0x40b304c0, 
    princ=<optimized out>, mask=0, password=0x40b42060 "")
    at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/create_s.c:191
#2  0x000000000010a70c in kadmind_dispatch (kadm_handlep=0x40b304c0, 
    initial=0, in=0x3fffffe790, out=0x3fffffe780)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:149
#3  v5_loop (contextp=0x40aeae10, fd=5, ac=<optimized out>, 
    initial=<optimized out>, kadm_handlep=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:477
#4  handle_v5 (contextp=0x40aeae10, keytab=<optimized out>, fd=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:556
#5  kadmind_loop (contextp=0x40aeae10, keytab=<optimized out>, 
    sock=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:584
#6  0x000000000010ab30 in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/kadmind.c:202
