sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
Code

s4/lib/registry: Fix use after free with popt 1.19

Browse Source 
popt1.19 fixes a leak that exposes a use as free,
make sure we duplicate return of poptGetArg if
poptFreeContext is called before we use it.

==6357== Command: ./bin/regpatch file
==6357==
Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
==6357== Syscall param openat(filename) points to unaddressable byte(s)
==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
==6357== Invalid read of size 1
==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
==6357==    by 0x10ADF9: main (regpatch.c:114)
==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ADCF: main (regpatch.c:111)
==6357==  Block was alloc'd at
==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==6357==    by 0x10ACBD: main (regpatch.c:79)
==6357==
Error reading registry patch file `file'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184
This commit is contained in:
Noel Power 2022-10-14 11:53:53 +01:00 committed by Ralph Boehme
parent 4b15d8c2a5
commit 7e0e3f47cd
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source4/lib/registry/tools/regpatch.c
View File

@ -101,7 +101,7 @@ int main(int argc, char **argv)
return 1;
}
patch = poptGetArg(pc);
patch = talloc_strdup(mem_ctx, poptGetArg(pc));
if (patch == NULL) {
poptPrintUsage(pc, stderr, 0);
TALLOC_FREE(mem_ctx);