From e8c3982fd8d48126d6799638144638cb623d959e Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Tue, 18 Jun 2024 15:52:23 +0800
Subject: [PATCH] backport upstream patches
---
 ...ER-use-proper-context-for-getDomains.patch | 55 ++++++++++++
 ...S-inotify-avoid-potential-NULL-deref.patch | 57 +++++++++++++
 ...fresh-root-domain-when-read-directly.patch | 84 +++++++++++++++++++
 sssd.spec | 8 +-
 4 files changed, 203 insertions(+), 1 deletion(-)
 create mode 100644 backport-RESPONDER-use-proper-context-for-getDomains.patch
 create mode 100644 backport-UTILS-inotify-avoid-potential-NULL-deref.patch
 create mode 100644 backport-ad-refresh-root-domain-when-read-directly.patch
diff --git a/backport-RESPONDER-use-proper-context-for-getDomains.patch b/backport-RESPONDER-use-proper-context-for-getDomains.patch
new file mode 100644
index 0000000..98935e2
--- /dev/null
+++ b/backport-RESPONDER-use-proper-context-for-getDomains.patch
@@ -0,0 +1,55 @@
+From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Fri, 26 Apr 2024 14:04:50 +0200
+Subject: [PATCH] RESPONDER: use proper context for getDomains()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Request was created on a long term responder context, but a callback
+for this request tries to access memory that is allocated on a short
+term client context. So if client disconnects before request is
+completed, then callback dereferences already freed memory.
+
+Resolves: https://github.com/SSSD/sssd/issues/7319
+
+Reviewed-by: Alejandro López
+Reviewed-by: Pavel Březina
+
+Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19
+Conflict:NA
+
+---
+ src/responder/pac/pacsrv_cmd.c | 2 +-
+ src/responder/pam/pamsrv_cmd.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
+index e3aab88..29d5574 100644
+--- a/src/responder/pac/pacsrv_cmd.c
++++ b/src/responder/pac/pacsrv_cmd.c
+@@ -140,7 +140,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx)
+ ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str,
+ &pr_ctx->dom);
+ if (ret == EAGAIN || ret == ENOENT) {
+- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true,
++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true,
+ pr_ctx->domain_name);
+ if (req == NULL) {
+ ret = ENOMEM;
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 20c332b..1570304 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1510,7 +1510,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
+
+ ret = pam_forwarder_parse_data(cctx, pd);
+ if (ret == EAGAIN) {
+- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
++ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain);
+ if (req == NULL) {
+ ret = ENOMEM;
+ } else {
+--
+2.33.0
+
diff --git a/backport-UTILS-inotify-avoid-potential-NULL-deref.patch b/backport-UTILS-inotify-avoid-potential-NULL-deref.patch
new file mode 100644
index 0000000..9011e50
--- /dev/null
+++ b/backport-UTILS-inotify-avoid-potential-NULL-deref.patch
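Review bot: Neither call site in the embedded patch says why the request is parented to `cctx` instead of `cctx->rctx`, so the lifetime rule that fixes the use-after-free described in the commit message is easy to undo in a later cleanup. I would put a comment above the `sss_dp_get_domains_send()` call in both `pac_add_pac_user()` and `pam_forwarder()`, for example `/* req is owned by cctx on purpose: the callback reads client-context memory, so the request must go away with the client */`. Other responders that pass a long-lived context here while their callback touches `cctx` data would presumably have the same problem; none are visible in this patch, so that is worth checking in the 2.6.1 tree. Both functions start and end outside the hunk.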
@@ -0,0 +1,57 @@
+From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Mon, 18 Mar 2024 12:15:21 +0100
+Subject: [PATCH] UTILS: inotify: avoid potential NULL deref
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes following error:
+```
+Error: STRING_NULL (CWE-170):
+sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
+sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
+sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
+sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
+ # 325|
+ # 326| if (snctx->wctx->dir_wd == in_event->wd) {
+ # 327|-> ret = process_dir_event(snctx, in_event);
+ # 328| } else if (snctx->wctx->file_wd == in_event->wd) {
+ # 329| ret = process_file_event(snctx, in_event);
+```
+ -- it might be unsafe to dereference `in_event->name`
+if `in_event->len == 0`
+
+Reviewed-by: Alejandro López
+Reviewed-by: Sumit Bose
+
+Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62
+Conflict:NA
+
+---
+ src/util/inotify.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/inotify.c b/src/util/inotify.c
+index a3c33ed..8192cfd 100644
+--- a/src/util/inotify.c
++++ b/src/util/inotify.c
+@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx,
+ {
+ errno_t ret;
+
++ if (in_event->len == 0) {
++ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n");
++ return EOK;
++ }
++
+ DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name);
+- if (in_event->len == 0 \
+- || strcmp(in_event->name, snctx->base_name) != 0) {
++ if (strcmp(in_event->name, snctx->base_name) != 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name);
+ return EOK;
+ }
+--
+2.33.0
+
diff --git a/backport-ad-refresh-root-domain-when-read-directly.patch b/backport-ad-refresh-root-domain-when-read-directly.patch
new file mode 100644
index 0000000..3a1a300
--- /dev/null
+++ b/backport-ad-refresh-root-domain-when-read-directly.patch
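Review bot: The guard added at the top of `process_dir_event()` handles `in_event->len == 0`, but for `len > 0` the `%s` in the following DEBUG and the `strcmp()` still assume `in_event->name` is NUL-terminated inside the bytes that were actually read, which is what the quoted STRING_NULL trace complains about. inotify(7) documents the name as null-terminated and padded when present, so the assumption holds as long as the caller's parsing loop checks that `sizeof(struct inotify_event) + in_event->len` fits in the `read()` result; that loop is outside this hunk and should be confirmed. A comment above the guard would make the contract explicit, for example `/* name is present (and NUL-terminated by the kernel) only when len > 0 */`. The trace also shows `process_file_event()` receiving the same event, and whether it reads `name` is not visible here.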
@@ -0,0 +1,84 @@
+From 4d841bf2060717171fecad628480c8f2bc03760d Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 1 Mar 2024 10:50:07 +0100
+Subject: [PATCH] ad: refresh root domain when read directly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the domain object of the forest root domain cannot be found in the
+LDAP tree of the local AD domain SSSD tries to read the request data
+from an LDAP server of the forest root domain directly. After reading
+this data the information is stored in the cache but currently the
+information about the domain store in memory is not updated with the
+additional data. As a result e.g. the domain SID is missing in this data
+and only becomes available after a restart where it is read from the
+cache.
+
+With this patch an unconditional refresh is triggered at the end of the
+fallback code path.
+
+Resolves: https://github.com/SSSD/sssd/issues/7250
+
+Reviewed-by: Dan Lavu
+Reviewed-by: Tomáš Halman
+
+Reference:https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53
+Conflict:NA
+
+---
+ src/providers/ad/ad_subdomains.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 5bddf9b..e6745ce 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1389,7 +1389,7 @@ struct ad_get_root_domain_state {
+ static void ad_get_root_domain_done(struct tevent_req *subreq);
+ static void ad_check_root_domain_done(struct tevent_req *subreq);
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
+
+ struct tevent_req *
+ ad_check_domain_send(TALLOC_CTX *mem_ctx,
+@@ -1571,7 +1571,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+ return;
+ }
+
+- ret = ad_get_root_domain_refresh(state);
++ ret = ad_get_root_domain_refresh(state, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+@@ -1664,7 +1664,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
+
+ state->reply_count = 1;
+
+- ret = ad_get_root_domain_refresh(state);
++ ret = ad_get_root_domain_refresh(state, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
+ }
+@@ -1679,7 +1679,7 @@ done:
+ }
+
+ static errno_t
+-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
++ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
+ {
+ struct sss_domain_info *root_domain;
+ bool has_changes;
+@@ -1695,7 +1695,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ goto done;
+ }
+
+- if (has_changes) {
++ if (has_changes || refresh) {
+ ret = ad_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+--
+2.33.0
+
diff --git a/sssd.spec b/sssd.spec
index 23d325e..04df14d 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.6.1
-Release: 14
+Release: 15
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -49,6 +49,9 @@ Patch6039: backport-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
 Patch6040: backport-nssidmap-fix-sss_nss_getgrouplist_timeout-with-empty.patch
 Patch6041: backport-KCM-Fix-a-memory-leak.patch
 Patch6042: backport-CVE-2023-3758.patch
+Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
+Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch
+Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch
 Requires: python3-sssd = %{version}-%{release}
 Requires: libldb
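Review bot: In `ad_check_root_domain_done()` the result of the now-forced `ad_get_root_domain_refresh(state, true)` is only logged at `SSSDBG_OP_FAILURE`, so if `ad_subdom_reinit()` fails the in-memory domain data this patch is meant to update (the commit message names the domain SID) presumably stays incomplete without an error reaching the caller; the code after the `if` is outside the hunk, so confirm whether `ret` is propagated. Separately, the bare `true`/`false` at the two call sites does not say what is being forced, and the prototype has no description of the new parameter. A comment on the declaration would cover it, for example `/* refresh: reinitialize subdomains even when no changes were detected */`.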
@@ -586,6 +589,9 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Tue Jun 18 2024 wangjiang - 2.6.1-15
+- backport upstream patches
+
 * Fri Apr 19 2024 liweigang - 2.6.1-14
 - fix CVE-2023-3758
--
Gitee