1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/selftest
Douglas Bagnall dbb3e65f7e CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.

When a DN string has a value represented with trailing spaces,
like this

     "CN=foo   ,DC=bar"

the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.

     "CN=foo   ,DC= "       ==>       "foo   "
            ^  ^                             ^
            t  p                             d
                                       --l---

The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.

Unfortunately, we forget to immediately tell `t` that we'd finished
the last value, we can end up like this:

     "CN=foo   ,DC= "       ==>        ""
            ^      ^                    ^
            t      p                    d
                                        l=0

where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:

     "CN=foo   ,DC= "       ==>  ?     ""
            ^       ^            ^
            t       p            d
                                      l ~= SIZE_MAX - 8

At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.

However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.

What about a longer DN with more attributes? For example,
"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.

So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.

The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.

Found with the help of Honggfuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-24 12:05:32 +00:00
..
flapping.d selftest/flapping: remove python[23] lines 2021-03-17 07:03:27 +00:00
gnupg
knownfail.d CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode 2021-03-24 12:05:32 +00:00
manage-ca selftest/manage-ca: Add certificiate etc. for DC addcsmb1 2020-04-03 15:08:26 +00:00
ns selftest: use 10.53.57.0/8 instead of 127.0.0.1/8 2020-03-27 09:02:38 +00:00
target selftest: add a test for %U variable expansion in spoolssd 2021-03-11 23:43:32 +00:00
checkpassword_arg1.sh selftest: require SAMBA_CPS_ACCOUNT_NAME in checkpassword_arg1.sh 2019-02-11 07:43:32 +01:00
create_smb1_fail_skipfile.txt selftest: Create instructions for generating skip file entries 2020-04-03 15:08:33 +00:00
devel_env.sh
filter-subunit python2 reduction: Merge remaining compat code into common 2020-10-02 14:49:36 +00:00
flapping selftest: Remove samba3.blackbox.smbclient_tar from flapping tests 2020-12-01 19:06:45 +00:00
format-subunit PY3: change shebang to python3 in misc dirs 2018-12-14 18:00:40 +01:00
format-subunit-json selftest/format-subunit-json: remove useless py2 print 2019-03-12 00:42:18 +00:00
gdb_backtrace selftest/gdb_backtrace: add an off switch 2021-02-22 14:45:38 +00:00
gdb_backtrace_test.c
gdb_run
in_screen testenv: No "mktemp" for in_screen 2020-01-21 14:38:44 +00:00
knownfail knownfail: remove python[23] lines 2021-03-17 05:57:34 +00:00
knownfail_heimdal_kdc tests python krb5: Add python kerberos compatability tests 2020-11-09 02:46:50 +00:00
knownfail_mit_kdc tests python krb5: initial TGS tests 2020-12-16 23:48:05 +00:00
knownfail_mit_krb5_pre_1_18 Fix uxsuccess test with new MIT krb5 library 1.18 2020-03-10 13:02:27 +00:00
no-python-tests.txt selftest: Add basic sanity-check tests for nopython target 2019-02-20 02:10:00 +01:00
perf_tests.py perf-tests: rename paged search test for regex disambiguation 2019-04-05 04:41:25 +00:00
quick selftest: Run test of how userPassword / crypt() style passwords are stored in quicktest 2020-07-01 13:34:30 +00:00
README
save.env.sh
selftest.pl selftest: Fix libasan preload 2021-02-03 04:19:36 +00:00
selftest.pl.1
selftesthelpers.py selftest: add option to pass args to tests to planpythontestsuite() 2020-12-17 13:59:38 +00:00
skip selftest: remove POSIX test from planned tests for ad_dc_ntvfs environ 2020-10-23 07:56:32 +00:00
skip_mit_kdc selftest: add python S4U2Self tests including unkeyed checksums 2020-05-15 12:25:40 +00:00
skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X script/autobuild.py: try make test TESTS=samba3.*ktest for samba-systemkrb5 2017-01-10 13:54:17 +01:00
skip.opath-required CI: add samba-no-opath 2020-12-16 09:08:30 +00:00
slow
slow-none selftest: Move some more tests from the samba-o3 job 2020-10-01 01:18:38 +00:00
SocketWrapper.pm selftest: enable perl warnings 2020-02-04 05:13:39 +00:00
Subunit.pm selftest: enable perl warnings 2020-02-04 05:13:39 +00:00
subunithelper.py selftest: Add support for python-dateutil >= 2.7.1 2021-02-02 19:53:35 +00:00
tap2subunit
tests.py lib:util: Add basic memcache unit test 2021-02-03 09:53:32 +00:00
TODO
todo_smb2_tests_to_port.list s4:torture: Convert samba3.raw.mkdir test to smb2 2020-04-28 19:46:32 +00:00
ubsan.supp selftest: enable undefined behaviour sanitizer 2019-05-14 07:20:28 +00:00
valgrind_run
wscript selftest: Disable detection of ODR violations 2021-02-01 21:50:32 +00:00

# vim: ft=rst

This directory contains test scripts that are useful for running a
bunch of tests all at once.

There are two parts to this:

 * The test runner (selftest/selftest.pl)
 * The test formatter

selftest.pl simply outputs subunit, which can then be formatted or analyzed
by tools that understand the subunit protocol. One of these tools is
format-subunit, which is used by default as part of "make test".

Available testsuites
====================
The available testsuites are obtained from a script, usually
source{3,4}/selftest/tests.py. This script should for each testsuite output
the name of the test, the command to run and the environment that should be
provided. Use the included "plantest" function to generate the required output.

Testsuite behaviour
===================

Exit code
------------
The testsuites should exit with a non-zero exit code if at least one
test failed. Skipped tests should not influence the exit code.

Output format
-------------
Testsuites can simply use the exit code to indicate whether all of their
tests have succeeded or one or more have failed. It is also possible to
provide more granular information using the Subunit protocol.

This protocol works by writing simple messages to standard output. Any
messages that can not be interpreted by this protocol are considered comments
for the last announced test.

For a full description of the subunit protocol, see the README file in the subunit
repository at http://github.com/testing-cabal/subunit.

The following commands are Samba extensions to Subunit:

start-testsuite
~~~~~~~~~~~~~~~
start-testsuite: name

The testsuite name is used as prefix for all containing tests.

skip-testsuite
~~~~~~~~~~~~~~
skip-testsuite: name

Mark the testsuite with the specified name as skipped.

testsuite-success
~~~~~~~~~~~~~~~~~
testsuite-success: name

Indicate that the testsuite has succeeded successfully.

testsuite-fail
~~~~~~~~~~~~~~
testsuite-fail: name

Indicate that a testsuite has failed.

Environments
============
Tests often need to run against a server with particular things set up,
a "environment". This environment is provided by the test "target": Samba 3,
Samba 4 or Windows.

The environments are currently available include

 - none: No server set up, no variables set.
 - dc,s3dc: Domain controller set up. The following environment variables will
   be set:

     * USERNAME: Administrator user name
     * PASSWORD: Administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: DC host name
     * SERVER_IP: DC IPv4 address
     * SERVER_IPV6: DC IPv6 address
     * NETBIOSNAME: DC NetBIOS name
     * NETIOSALIAS: DC NetBIOS alias

 - member,s4member,s3member: Domain controller and member server that is joined to it set up. The
   following environment variables will be set:

     * USERNAME: Domain administrator user name
     * PASSWORD: Domain administrator password
     * DOMAIN: Domain name
     * REALM: Realm name
     * SERVER: Name of the member server

See Samba.pm, Samba3.pm and Samba4.pm for the full list.

Running tests
=============

To run all the tests use::

   make test

To run a quicker subset run::

   make quicktest

To run a specific test, use this syntax::

   make test TESTS=testname

for example::

   make test TESTS=samba4.BASE-DELETE