Created attachment 238235 [details] crash kadmind with a missing realm string kadmind's handle_v5() reads a client message that can optionally contain the realm name: if(kadm_version == 1) { krb5_data params; ret = krb5_read_priv_message(contextp, ac, &fd, ¶ms); if(ret) krb5_err(contextp, 1, ret, "krb5_read_priv_message"); _kadm5_unmarshal_params(contextp, ¶ms, &realm_params); } If the client sends a mask containing KADM5_CONFIG_REALM, but the client's message stops too early, realm_params.mask will have that bit set, but realm_params.realm will be NULL. _kadm5_unmarshal_params() returns an error in this case, but handle_b5() doesn't check its return value. Later, _kadm5_s_init_context() says #define is_set(M) (params && params->mask & KADM5_CONFIG_ ## M) if(is_set(REALM)) (*ctx)->config.realm = strdup(params->realm); The bit is set, so strdup() crashes. I've attached a demo program. It must be run on a system with kdc and kadmind running, and the user must have tickets. Here's a backtrace: #0 strlen (str=<optimized out>) at /usr/rtm/symbsd/src/lib/libc/string/strlen.c:94 #1 0x00000006afe04f48 in strdup (str=0x0) at /usr/rtm/symbsd/src/lib/libc/string/strdup.c:48 #2 0x00000006ac04b270 in _kadm5_s_init_context (ctx=0x6aa2d9fd8, params=0x6aa2da030, context=0x6b9381e10) at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/context_s.c:153 #3 0x00000006ac04c90a in kadm5_s_init_with_context (context=0x0, client_name=0x6b93cec50 "root@EXAMPLE.ORG", service_name=<optimized out>, realm_params=0x6afcc8fd8, struct_version=<optimized out>, api_version=<optimized out>, server_handle=0x6aa2da078) at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/init_s.c:50 #4 0x00000006ac04c8dc in kadm5_s_init_with_password_ctx (context=0x0, client_name=0x6afcc8fd8 "\377\376\376\376\376\376\376\376environmUUUUUUUU\333\064\266×\336\033CaCoc\247\207\322?hfffffff\213\200", password=<optimized out>, service_name=<optimized out>, realm_params=0x0, struct_version=<optimized out>, api_version=<optimized out>, server_handle=0x186db) at /usr/rtm/symbsd/src/crypto/heimdal/lib/kadm5/init_s.c:104 #5 0x0000000629fe5d72 in handle_v5 (contextp=<optimized out>, keytab=<optimized out>, fd=<optimized out>) at /usr/rtm/symbsd/src/crypto/heimdal/kadmin/server.c:539 #6 0x0000000629fe5c96 in kadmind_loop (contextp=0x6b9381e10,
Further, _kadm5_unmarshal_params() lets the client set any bits in params->mask, but only tries to read params->realm, leaving the other params-> fields unset despite bits set by the client. One consequence is that the client can cause _kadm5_s_init_context() to crash in some of these lines: if(is_set(DBNAME)) (*ctx)->config.dbname = strdup(params->dbname); if(is_set(ACL_FILE)) (*ctx)->config.acl_file = strdup(params->acl_file); if(is_set(STASH_FILE)) (*ctx)->config.stash_file = strdup(params->stash_file);
I'll take this. Both ports will likely need to be looked at too.
I'm not able to reproduce this problem here. Not sure how differently your realm is set up from mine -- I exported my MIT KDC DB, importing it into the Heimdal KDC DB. The client reports: bob$ /tmp/kadmind12a kadmind12a: krb5_sendauth: KDC policy rejects request bob$ The server reports, Nov 22 17:06:17 bob kadmind[6486]: connection from IPv4:127.0.0.1 Nov 22 17:06:17 bob kdc[6458]: TGS-REQ kadmin/admin@CWSENT.COM from IPv4:10.1.1.7 for kadmin/admin@CWSENT.COM [canonicalize] Nov 22 17:06:17 bob kdc[6458]: AS-REQ is required for server -- kadmin/admin@CWSENT.COM Nov 22 17:06:17 bob kdc[6458]: Failed building TGS-REP to IPv4:10.1.1.7 Nov 22 17:06:17 bob kdc[6458]: sending 107 bytes to IPv4:10.1.1.7 Nov 22 17:06:17 bob kdc[6458]: TGS-REQ kadmin/admin@CWSENT.COM from IPv4:10.1.1.7 for kadmin/admin@CWSENT.COM Nov 22 17:06:17 bob kdc[6458]: AS-REQ is required for server -- kadmin/admin@CWSENT.COM Nov 22 17:06:17 bob kdc[6458]: Failed building TGS-REP to IPv4:10.1.1.7 Nov 22 17:06:17 bob kdc[6458]: sending 107 bytes to IPv4:10.1.1.7 Nov 22 17:06:17 bob kadmind[6486]: krb5_recvauth: End of file Instead, when a patch is developed, it will be posted here. I'd appreciate if you could test it for me.
My /etc/krb5.conf: [libdefaults] default_realm = EXAMPLE.ORG [realms] EXAMPLE.ORG = { kdc = tcp/127.0.0.1:88 admin_server = localhost } [domain_realm] .example.org = EXAMPLE.ORG [logging] kdc = STDERR kadmind = STDERR I set up a fresh realm like this: rm -rf /var/heimdal/* kstash --random-key kadmin -l kadmin> init EXAMPLE.ORG kadmin> add root I run /usr/libexec/kadmind --debug And I run the demo program as root.
Thank you. The bug has been verified. I was using a Heimdal DB previously exported from my MIT DB.
Success: bob# /usr/libexec/kadmind --debug 2022-11-24T06:14:38 _kadm5_unmarshal_params: Invalid argument bob#
Created attachment 238301 [details] First of two proposed commits Fix NULL dereference.
Created attachment 238303 [details] Second of two proposed commits Handle other types of garbage data.
Created attachment 238305 [details] Heimdal ports commits The three heimdal ports commits plus a prerequisite not related to this PR.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 14:22:13 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-11-24 17:21:13 +0000 heimdal: Fix NULL dereference when mangled realm message Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 3 days crypto/heimdal/kadmin/server.c | 4 +++- crypto/heimdal/lib/kadm5/marshall.c | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=91db848212e3b95cc689a1e8133a1d550b524919 commit 91db848212e3b95cc689a1e8133a1d550b524919 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 15:07:43 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-11-24 17:23:23 +0000 heimdal: Handle other types of garbage data In addition to garbage realm data, also handle garbage dbname, acl_file, stash_file, and invalid bitmask garbage data. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 3 days crypto/heimdal/lib/kadm5/marshall.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=8cafd5bc0d866a425eb883e00cef02df1ef31db4 commit 8cafd5bc0d866a425eb883e00cef02df1ef31db4 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 16:52:45 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-11-24 17:22:43 +0000 security/heimdal*: Handle other types of garbage data In addition to garbage realm data, also handle garbage dbname, acl_file, stash_file, and invalid bitmask garbage data. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> MFH: 2022Q4 security/heimdal-devel/Makefile | 2 +- .../heimdal-devel/files/patch-lib_kadm5_marshall.c | 32 ++++++++++++++++++++-- security/heimdal/Makefile | 2 +- security/heimdal/files/patch-lib_kadm5_marshall.c | 32 ++++++++++++++++++++-- 4 files changed, 62 insertions(+), 6 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=678bdaf21b9a05d99e0aceecd414782926e57ae4 commit 678bdaf21b9a05d99e0aceecd414782926e57ae4 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 16:37:45 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-11-24 17:22:01 +0000 security/heimdal*: Fix NULL dereference when mangled realm message Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> MFH: 2022Q4 security/heimdal-devel/Makefile | 2 +- .../heimdal-devel/files/patch-lib_kadm5_marshall.c (new) | 16 ++++++++++++++++ security/heimdal/Makefile | 2 +- security/heimdal/files/patch-kadmin_server.c (new) | 13 +++++++++++++ security/heimdal/files/patch-lib_kadm5_marshall.c (new) | 16 ++++++++++++++++ 5 files changed, 47 insertions(+), 2 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=387abd40650c755f1745533c5b4ec0b85a8b9582 commit 387abd40650c755f1745533c5b4ec0b85a8b9582 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 14:22:13 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-01 14:25:10 +0000 heimdal: Fix NULL dereference when mangled realm message Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f) crypto/heimdal/kadmin/server.c | 4 +++- crypto/heimdal/lib/kadm5/marshall.c | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=53c5d72d287ae04a5adafe2a50f11a176c26ffe8 commit 53c5d72d287ae04a5adafe2a50f11a176c26ffe8 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 15:07:43 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-01 14:25:10 +0000 heimdal: Handle other types of garbage data In addition to garbage realm data, also handle garbage dbname, acl_file, stash_file, and invalid bitmask garbage data. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 91db848212e3b95cc689a1e8133a1d550b524919) crypto/heimdal/lib/kadm5/marshall.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7b07c9924f2de5a2d7b9951611770de45c6f8dab commit 7b07c9924f2de5a2d7b9951611770de45c6f8dab Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 15:07:43 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-01 14:25:52 +0000 heimdal: Handle other types of garbage data In addition to garbage realm data, also handle garbage dbname, acl_file, stash_file, and invalid bitmask garbage data. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 91db848212e3b95cc689a1e8133a1d550b524919) crypto/heimdal/lib/kadm5/marshall.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=709a426717c9d8e9eedf92a07f5410f6c05409ac commit 709a426717c9d8e9eedf92a07f5410f6c05409ac Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 14:22:13 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-01 14:25:52 +0000 heimdal: Fix NULL dereference when mangled realm message Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f) crypto/heimdal/kadmin/server.c | 4 +++- crypto/heimdal/lib/kadm5/marshall.c | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-)
fixed
A commit in branch 2022Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=6fecfd8831794f809b1c1c87a9621104ee3f6599 commit 6fecfd8831794f809b1c1c87a9621104ee3f6599 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 16:52:45 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-05 20:06:15 +0000 security/heimdal*: Handle other types of garbage data In addition to garbage realm data, also handle garbage dbname, acl_file, stash_file, and invalid bitmask garbage data. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 8cafd5bc0d866a425eb883e00cef02df1ef31db4) security/heimdal-devel/Makefile | 2 +- .../heimdal-devel/files/patch-lib_kadm5_marshall.c | 32 ++++++++++++++++++++-- security/heimdal/Makefile | 2 +- security/heimdal/files/patch-lib_kadm5_marshall.c | 32 ++++++++++++++++++++-- 4 files changed, 62 insertions(+), 6 deletions(-)
A commit in branch 2022Q4 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=fecfd3cc71aefc4b93d9fd085d40ce107c6756a9 commit fecfd3cc71aefc4b93d9fd085d40ce107c6756a9 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-11-24 16:37:45 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-12-05 20:06:14 +0000 security/heimdal*: Fix NULL dereference when mangled realm message Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> (cherry picked from commit 678bdaf21b9a05d99e0aceecd414782926e57ae4) security/heimdal-devel/Makefile | 2 +- .../heimdal-devel/files/patch-lib_kadm5_marshall.c (new) | 16 ++++++++++++++++ security/heimdal/Makefile | 2 +- security/heimdal/files/patch-kadmin_server.c (new) | 13 +++++++++++++ security/heimdal/files/patch-lib_kadm5_marshall.c (new) | 16 ++++++++++++++++ 5 files changed, 47 insertions(+), 2 deletions(-)