1From 4e661f0085ec5f969c76c0896a34322c6c432de4 Mon Sep 17 00:00:00 2001 2From: Greg Hudson <ghudson@mit.edu> 3Date: Mon, 17 Oct 2022 20:25:11 -0400 4Subject: [PATCH] Fix integer overflows in PAC parsing 5 6In krb5_parse_pac(), check for buffer counts large enough to threaten 7integer overflow in the header length and memory length calculations. 8Avoid potential integer overflows when checking the length of each 9buffer. Credit to OSS-Fuzz for discovering one of the issues. 10 11CVE-2022-42898: 12 13In MIT krb5 releases 1.8 and later, an authenticated attacker may be 14able to cause a KDC or kadmind process to crash by reading beyond the 15bounds of allocated memory, creating a denial of service. A 16privileged attacker may similarly be able to cause a Kerberos or GSS 17application service to crash. On 32-bit platforms, an attacker can 18also cause insufficient memory to be allocated for the result, 19potentially leading to remote code execution in a KDC, kadmind, or GSS 20or Kerberos application server process. An attacker with the 21privileges of a cross-realm KDC may be able to extract secrets from a 22KDC process's memory by having them copied into the PAC of a new 23ticket. 24 25(cherry picked from commit ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583) 26 27ticket: 9074 28version_fixed: 1.19.4 29 30Upstream-Status: Backport [https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4] 31CVE: CVE-2022-42898 32Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> 33--- 34 src/lib/krb5/krb/pac.c | 9 +++++++-- 35 src/lib/krb5/krb/t_pac.c | 18 ++++++++++++++++++ 36 2 files changed, 25 insertions(+), 2 deletions(-) 37 38diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c 39index cc74f37..70428a1 100644 40--- a/src/lib/krb5/krb/pac.c 41+++ b/src/lib/krb5/krb/pac.c 42@@ -27,6 +27,8 @@ 43 #include "k5-int.h" 44 #include "authdata.h" 45 46+#define MAX_BUFFERS 4096 47+ 48 /* draft-brezak-win2k-krb-authz-00 */ 49 50 /* 51@@ -316,6 +318,9 @@ krb5_pac_parse(krb5_context context, 52 if (version != 0) 53 return EINVAL; 54 55+ if (cbuffers < 1 || cbuffers > MAX_BUFFERS) 56+ return ERANGE; 57+ 58 header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); 59 if (len < header_len) 60 return ERANGE; 61@@ -348,8 +353,8 @@ krb5_pac_parse(krb5_context context, 62 krb5_pac_free(context, pac); 63 return EINVAL; 64 } 65- if (buffer->Offset < header_len || 66- buffer->Offset + buffer->cbBufferSize > len) { 67+ if (buffer->Offset < header_len || buffer->Offset > len || 68+ buffer->cbBufferSize > len - buffer->Offset) { 69 krb5_pac_free(context, pac); 70 return ERANGE; 71 } 72diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c 73index 7b756a2..2353e9f 100644 74--- a/src/lib/krb5/krb/t_pac.c 75+++ b/src/lib/krb5/krb/t_pac.c 76@@ -431,6 +431,16 @@ static const unsigned char s4u_pac_ent_xrealm[] = { 77 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 78 }; 79 80+static const unsigned char fuzz1[] = { 81+ 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 82+ 0x06, 0xff, 0xff, 0xff, 0x00, 0x00, 0xf5 83+}; 84+ 85+static const unsigned char fuzz2[] = { 86+ 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 87+ 0x20, 0x20 88+}; 89+ 90 static const char *s4u_principal = "w2k8u@ACME.COM"; 91 static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; 92 93@@ -646,6 +656,14 @@ main(int argc, char **argv) 94 krb5_free_principal(context, sep); 95 } 96 97+ /* Check problematic PACs found by fuzzing. */ 98+ ret = krb5_pac_parse(context, fuzz1, sizeof(fuzz1), &pac); 99+ if (!ret) 100+ err(context, ret, "krb5_pac_parse should have failed"); 101+ ret = krb5_pac_parse(context, fuzz2, sizeof(fuzz2), &pac); 102+ if (!ret) 103+ err(context, ret, "krb5_pac_parse should have failed"); 104+ 105 /* 106 * Test empty free 107 */ 108-- 1092.25.1 110 111