1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

120370 Commits

Author SHA1 Message Date
Andrew Bartlett
f7bcf227f7 librpc: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
a22a22e4a8 negoex: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
ae43093b79 s4-libcli/rap: Set the switch_value before NDR_BUFFERS to prepare for new libndr behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:40 +00:00
Andrew Bartlett
7a0ed44b0e ndr: Restrict size of ndr_token lists to avoid memory abuse by malicious clients
This is designed to stop a very large number of tokens from being stored for
arrays of structures containing relative pointers in particular.

This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
4501663f6e libndr: Do not overwrite token list with NULL on allocation failure
This was one part of the minimum patch for CVE-2019-14908 before
being downgraded as not a security-release worthy issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
bcffdc9a89 selftest: Add test for ndr_size_struct() faulting on a NULL pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
f56fa3bb6a selftest: Add test for ndr_size_union() faulting on a NULL pointer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
6ef5014549 selftest: Add example xattr_NTACL packets to demonstrate switch/union behaviour
This is a good example with both buffers and scalars in the union.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Andrew Bartlett
cf83eec565 selftest: Add test for structure with NDR_BUFFERS only in a union
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-12 02:30:39 +00:00
Samuel Cabrero
3f69c6b132 selftest: Do not force the endpoint for fsrvp tests
The test suite will bind to the srvsvc interface, let it find the
correct endpoint through the endpoint mapper.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 12 02:00:19 UTC 2019 on sn-devel-184
2019-12-12 02:00:19 +00:00
Samuel Cabrero
4a608b281c s4:torture/rpc: Fix torture comment in mdssvc.c
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:31 +00:00
Samuel Cabrero
e24ce0023f pidl:NDR/Server: Allow to define endpoint server shutdown functions
The next commits will register legacy api_struct when the endpoint server
is initialized. This commit adds a shutdown function which will be used
to unregister the legacy api_struct.

The shutdown function will be also used to replace the rpc_srv_callbacks
struct shutdown member used, for example, by the spoolss service to
cleanup before exiting.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:31 +00:00
Samuel Cabrero
79af978c81 librpc:core: Add a function to reinitialize the dcesrv_context
Clears all registered endpoints and interfaces, association groups and
broken connections.

To be used by S3 forked daemons.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Samuel Cabrero
90eb485cf9 librpc:core: Add public functions to initialize endpoint servers
The dcesrv_init_registered_ep_servers() will be used by the S3 server to
initialize all registered endpoint servers (for embedded services), and
the dcesrv_init_ep_server() function will be used by the external
daemons to initialize the required ones.

As serveral S3 services may require to initialize another one before
itself (svcctl and eventlog for example require winreg) a boolean flag is
added to track the initialization status.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Samuel Cabrero
39dfc5c82b librpc:core: Split dcesrv context init and endpoint servers init
The S4 server will initialize the endpoint servers specified in smb.conf,
but the S3 server need to initialize all registered endpoint servers (the
embedded ones).

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Andrew Bartlett
fee5c6a424 librpc/idl/dnsserver.idl: Ensure DnsProperty id matches what is pulled from the stored buffer
There are two concerns here, assuming the attacker can place arbitary values
in a dnsProperty attribute over LDAP (eg is a DNS administrator).

This comes from the fact that id is used as the switch value at the C layer
but at the NDR layer the wDataLength value is considered first.

One concern is that a pull/push round-trip could include server memory:

 The previous switch_is() behaviour could store the server memory back
 into the attribute.

 However this pattern of pull/push only happens in ndrdump and fuzzing tools, as
 dnsserver_db_do_reset_dword() operates only on the uint32/bitmap union
 arms, and fully initialises those.

The other is that a pull of the attacker-supplied value could
cause the server to expose memory.

 This would be over the network via DNS or the RPC dnsserver protocols.
 However at all times the ndr_pull_struct_blob is passed zeroed memory.

The final concern (which fuzz_ndr_X found) is that in the ndr_size_dnsPropertyData()
the union descriminent is only id.

 This has no impact as only zeroed memory is used so there will be a
 zero value in all scalars, including data->d_ns_servers.AddrArray.

 Therefore the server will not crash processing the attacker-supplied blob

[MS-DNSP] 2.3.2.1 dnsProperty has no mention of this special behaviour.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80

This was known as CVE-2019-14908 before being triaged back to a normal bug.

Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X fuzzer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14206
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-12 00:35:30 +00:00
Gary Lockyer
ee4617ec5f librpc dnsp test: Ensure length matches union selector
Ensure that a dnsp_DnsProperty is rejected if the length data does not not
correspond to the length indicated by the union id.  It was possible for
the union to be referencing memory past the end of the structure.

Found by Douglas Bagnall using Hongfuzz and the new fuzz_ndr_X fuzzer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14206
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-12 00:35:30 +00:00
Andrew Bartlett
049f0c3870 lib/krb5_wrap: Remove unused smb_krb5_get_allowed_weak_crypto()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Wed Dec 11 22:18:47 UTC 2019 on sn-devel-184
2019-12-11 22:18:47 +00:00
Andrew Bartlett
545711ffea lib/fuzzing: Fix argument order to ldb_filter_from_tree in fuzz_ldb_parse_tree
Found by the oss-fuzz CI tooling.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 11 04:21:28 UTC 2019 on sn-devel-184
2019-12-11 04:21:28 +00:00
Andrew Bartlett
e6fc8e79ae lib/fuzzing: Split up automatically build fuzzers into TYPE_{IN,OUT,STRUCT}
The advise is that a fuzz target should be as small as possible
so we split this up.  Splitting up by function would build too
many fuzzers, but this should help a little.

See for example:
https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#large-apis

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
6e5aefc2d3 lib/fuzzing: Ensure mem_ctx is freed each time fuzz_ldb_parse_tree is run
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
0be0c044b6 autobuild: extend autobuild with samba-fuzz job to build the fuzzers in AFL mode using oss-fuzz scripts
This helps ensure the build_samba.sh file keeps working and the fuzzers build
(because they are excluded from the main build).

This is not in the default autobuild because it uses too much
space on sn-devel (4GB).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
d349d344f8 autobuild.py: Avoid listing jobs twice
We use the tasks table instead, to avoid the issue shown in the previous commit.

Now we just have to keep .gitlab-ci.yml and the tasks table in sync.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
df38d51104 autobuild.py: Add missing samba-simpleserver job
This was missed when the job was split out in f0e8dd1a08.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
de02a55399 .gitlab-ci.yml: Align tasks with "pages" dependency to get comprehensive code coverage
These two lists can get out of skew very easily.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Volker Lendecke
fbd97ee822 smbd: Fix a leases.tdb record leak
If we set e->stale=true in the share_mode_forall_entries() callback,
the share entry will be removed directly. Thus further down
share_mode_forall_leases() won't find anything anymore. Only find
possibly still connected entries in the first walk, and then remove
the share_entries.tdb record straight away after the leases and
brlocks have been removed.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 10 21:57:05 UTC 2019 on sn-devel-184
2019-12-10 21:57:05 +00:00
Volker Lendecke
7535359602 torture: Run durable_v2_reconnect_delay_msec with leases
This will show a leases.tdb record leak. If you SIGSTOP the smbtorture
process while it's in the 10-second wait, you will find locking.tdb
and share_entries.tdb empty after the scavenger has cleaned up. But
there will be an entry in leases.tdb left.

I have no clue how to test this properly, or how to have a reasonably
cheap assert in smbd during normal operations. The problem is that
this leak can't really be distinguished from a "normal" leak that a
crashed smbd would leave behind. Possibly we need a background job
walking leases.tdb to clean this up properly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-12-10 20:31:40 +00:00
Volker Lendecke
79b2ee8dc2 torture4: Use generate_random_u64() instead of random()
random() returns an int, which is not necessarily a uint64

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-12-10 20:31:40 +00:00
Andreas Schneider
20b9cae63d lib:crypto: Build intel aes-ni only if GnuTLS doesn't provide AES CMAC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 10 20:30:57 UTC 2019 on sn-devel-184
2019-12-10 20:30:57 +00:00
Andreas Schneider
6713617724 lib:crypto: Only build AES code if we need AES CMAC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 19:06:28 +00:00
Andreas Schneider
337c51c9f5 lib:crypto: Remove our implementation of AES GCM
We require GnuTLS >= 3.4.7 which provides AES GCM.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 19:06:27 +00:00
Andreas Schneider
c3250ff7ab lib:crypto: Remove our implementation of AES CCM
We require GnuTLS >= 3.4.7 which provides AES CCM.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 19:06:27 +00:00
Andrew Bartlett
bc0c876a9e pidl:NDR/Parser: only include structs in ndr_interface_public_struct
We only have ndrdump and the fuzzers set up for structures, not BITMAPS,
ENUMS etc.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 10 17:45:46 UTC 2019 on sn-devel-184
2019-12-10 17:45:46 +00:00
Andrew Bartlett
238d08b07d selftest: Confirm that ndrdump struct mode is not available for enums
These are not passed by pointer so the structure dump system does not work
for these.  It is best to dump the containing structure instead.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-12-10 16:22:37 +00:00
Isaac Boukris
73f4362606 CVE-2019-14870: mit-kdc: enforce delegation_not_allowed flag
Signed-off-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Dec 10 10:44:01 UTC 2019 on sn-devel-184
2019-12-10 10:44:01 +00:00
Isaac Boukris
84de46f534 CVE-2019-14870: heimdal: enforce delegation_not_allowed in S4U2Self
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2019-12-10 09:18:46 +00:00
Isaac Boukris
df72956ade CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2019-12-10 09:18:46 +00:00
Isaac Boukris
aa17d5fcaf samba-tool: add user-sensitive command to set not-delegated flag
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
aaf037dfb3 CVE-2019-14861: Test to demonstrate the bug
This test does not fail every time, but when it does it casues a segfault which
takes out the rpc_server master process, as this hosts the dnsserver pipe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
defb237325 CVE-2019-14861: s4-rpc/dnsserver: Avoid crash in ldb_qsort() via dcesrv_DnssrvEnumRecords)
dns_name_compare() had logic to put @ and the top record in the tree being
enumerated first, but if a domain had both then this would break the
older qsort() implementation in ldb_qsort() and cause a read of memory
before the base pointer.

By removing this special case (not required as the base pointer
is already seperatly located, no matter were it is in the
returned records) the crash is avoided.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
4333e41c22 CVE-2019-14861: s4-rpc_server: Remove special case for @ in dns_build_tree()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
a25a2e4513 CVE-2019-14861: s4-rpc/dnsserver: Confirm sort behaviour in dcesrv_DnssrvEnumRecords
The sort behaviour for child records is not correct in Samba so
we add a flapping entry.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14138

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 09:18:46 +00:00
Andrew Bartlett
8b06cabc7d bootstrap: Add chrpath as a required package
This is used to test build.sh, part of the oss-fuzz integration, and so also that we
correctly build our fuzzers.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 10 09:15:43 UTC 2019 on sn-devel-184
2019-12-10 09:15:43 +00:00
Andrew Bartlett
96184c10b8 build: Skip build of python bindings when in fuzzing mode
This will just save a bit of time and space.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
4c8388fb19 lib/fuzzing Truncate the original files after RUNPATH manipulation in build.sh
This saves space on the rackspace runners in particular.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
5e5d18c5b1 lib/fuzzing Add comments to explain RUNPATH manipulation in build.sh
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
5bb9ecdf15 lib/fuzzing: Support an oss-fuzz build with either address or undefined behaviour sanitizers
Add handler for $SANITIZER in build.sh

This allows a build with the undefined behaviour sanitizer.

Otherwise we fail the oss-fuzz CI because the UBSan build links with ASan.

Once this in in then https://github.com/google/oss-fuzz/pull/3094
can be merged to oss-fuzz.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
f79caf3b6b lib/fuzzing: Remove oss-fuzz build.sh stub from the Samba repo
We need to ship the stub build.sh in the oss-fuzz repo, not ours.
This is because otherwise the travis CI checks skip the build
(it thinks we are not set up yet, or have been disabled).

See https://github.com/google/oss-fuzz/pull/3094 for the PR
creating a similar file there.  This is very similar to how
janus-gateway operates, so this is an accepted pattern.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Andrew Bartlett
8382fa6408 oss-fuzz: Align build.sh sh parameters with pattern from the oss-fuzz project
We should run build_samba.sh with -eux to ensure we exit on failure,
refuse to use an unset varible and print the commands we are running.

(The suggested build.sh on the oss-fuzz side uses -eu).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:29 +00:00
Douglas Bagnall
47c7f54995 fuzz/decode_ndr_X_crash: -f to filter crashes by regex
If you go:

$ ./lib/fuzzing/decode_ndr_X_crash -H HONGGFUZZ_REPORT.txt -f 'SIG[^V]' > ./crash.sh

you will get all the crashes and not the timeouts (which have SIGVTALARM).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:29 +00:00