File 0130-Prevent-overflow-when-calculating-ulog-block-size.patch of Package krb5.37285

From e312653684e20f5c2f80c5a38a49c5d5d5abcde5 Mon Sep 17 00:00:00 2001
From: Zoltan Borbely <Zoltan.Borbely@morganstanley.com>
Date: Tue, 28 Jan 2025 16:39:25 -0500
Subject: [PATCH] Prevent overflow when calculating ulog block size

In kdb_log.c:resize(), log an error and fail if the update size is
larger than the largest possible block size (2^16-1).

CVE-2025-24528:

In MIT krb5 release 1.7 and later with incremental propagation
enabled, an authenticated attacker can cause kadmind to write beyond
the end of the mapped region for the iprop log file, likely causing a
process crash.

[ghudson@mit.edu: edited commit message and added CVE description]

ticket: 9159 (new)
tags: pullup
target_version: 1.21-next

(cherry picked from commit 78ceba024b64d49612375be4a12d1c066b0bfbd0)

[scabrero@suse.com: backported for 1.12.5]
---
 src/lib/kdb/kdb_log.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 13ffbcf8a6..8f5e75d37f 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -112,7 +112,7 @@ ulog_sync_header(kdb_hlog_t *ulog)
  */
 static krb5_error_code
 ulog_resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
-            unsigned int recsize)
+            unsigned int recsize, const kdb_incr_update_t *upd)
 {
     unsigned int new_block, new_size;
 
@@ -124,6 +124,12 @@ ulog_resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
     new_block *= ULOG_BLOCK;
     new_size += ulogentries * new_block;
 
+    if (new_block > UINT16_MAX) {
+        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+               upd->kdb_princ_name.utf8str_t_len,
+               upd->kdb_princ_name.utf8str_t_val);
+        return KRB5_LOG_ERROR;
+    }
     if (new_size > MAXLOGLEN)
         return KRB5_LOG_ERROR;
 
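Review bot: The new guard at line 48 runs only after `new_block *= ULOG_BLOCK` and `new_size += ulogentries * new_block` on lines 45–46, so both products are formed from a still-unvalidated `new_block`; unsigned arithmetic wraps silently, so an oversized record could in principle wrap to a small value and pass both this check and the MAXLOGLEN test on line 54. Testing before the multiply — `if (new_block > UINT16_MAX / ULOG_BLOCK) { syslog(...); return KRB5_LOG_ERROR; }` placed ahead of line 45 — rejects exactly the same set of sizes without ever forming the product; the line that derives `new_block` from `recsize` is above the hunk, so the placement has to be confirmed there. Even with `new_block` capped at 65535, `ulogentries * new_block` on line 46 can exceed an unsigned int for a large `ulogentries` unless the caller bounds it, which the hunk does not show. The `%.*s` precision argument in the syslog call is an `int`; if `utf8str_t_len` is the rpcgen `u_int`, pass `(int)upd->kdb_princ_name.utf8str_t_len` to keep -Wformat clean. The rest of ulog_resize's body continues outside the hunk.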
@@ -176,7 +182,7 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd)
     recsize = sizeof(kdb_ent_header_t) + upd_size;
 
     if (recsize > ulog->kdb_block) {
-        retval = ulog_resize(ulog, ulogentries, ulogfd, recsize);
+        retval = ulog_resize(ulog, ulogentries, ulogfd, recsize, upd);
         if (retval)
             return retval;
     }
-- 
2.48.1
