CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
authorStefan Metzmacher <metze@samba.org>
Fri, 23 Oct 2020 10:21:57 +0000 (12:21 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:09 +0000 (10:52 +0100)
idmap_hash used to bounce back the requested type,
which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED
before as the winbindd parent always used a lookupsids.
When the lookupsids failed because of an unknown domain,
the idmap child wasn't requested at all and the caller
sees ID_TYPE_NOT_SPECIFIED.

This module should have supported ID_TYPE_BOTH since
samba-4.1.0, similar to idmap_rid and idmap_autorid.

Now that the winbindd parent will pass ID_TYPE_BOTH in order to
indicate that the domain exists, it's better to always return
ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID
or ID_TYPE_BOTH. In order to request a type_hint it will return
ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that
the parent at least assures that the domain sid exists.
And the caller still gets ID_TYPE_NOT_SPECIFIED if the
domain doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184

(cherry picked from commit d8339056eef2845805f573bd8b0f3323370ecc8f)
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 27 17:06:51 UTC 2021 on sn-devel-184

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

(cherry picked from commit 99673b77b069674a6145552eb870de8829dfa503)

source3/winbindd/idmap_hash/idmap_hash.c

index be0ba45a044346bfa278d6794f636f77359e4504..d0bed7631a615e262d68b00f7b599f74bb5196d0 100644 (file)
@@ -261,6 +261,25 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
 
                ids[i]->status = ID_UNMAPPED;
 
+               if (ids[i]->xid.type == ID_TYPE_NOT_SPECIFIED) {
+                       /*
+                        * idmap_hash used to bounce back the requested type,
+                        * which was ID_TYPE_UID, ID_TYPE_GID or
+                        * ID_TYPE_NOT_SPECIFIED before as the winbindd parent
+                        * always used a lookupsids.  When the lookupsids
+                        * failed because of an unknown domain, the idmap child
+                        * weren't requested at all and the caller sees
+                        * ID_TYPE_NOT_SPECIFIED.
+                        *
+                        * Now that the winbindd parent will pass ID_TYPE_BOTH
+                        * in order to indicate that the domain exists.
+                        * We should ask the parent to fallback to lookupsids
+                        * if the domain is not known yet.
+                        */
+                       ids[i]->status = ID_REQUIRE_TYPE;
+                       continue;
+               }
+
                sid_copy(&sid, ids[i]->sid);
                sid_split_rid(&sid, &rid);
 
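Review bot: The new guard on `ids[i]->xid.type == ID_TYPE_NOT_SPECIFIED` is the only place the module asks the parent for a type hint, so a caller that still passes ID_TYPE_UID or ID_TYPE_GID falls straight through to the hash computation with no ID_REQUIRE_TYPE round-trip; if that is intended because the parent now always sends ID_TYPE_BOTH for domains it has verified, the comment should state that assumption explicitly rather than leave it implied. The comment also ends in a sentence fragment (`Now that the winbindd parent will pass ID_TYPE_BOTH` / `in order to indicate that the domain exists.`); I would join it with the following sentence as `Now that the winbindd parent passes ID_TYPE_BOTH to indicate that the domain exists, ask it to fall back to lookupsids when the domain is not known yet.` The enclosing sids_to_unixids() loop begins and ends outside this hunk.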
@@ -270,6 +289,22 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom,
                /* Check that both hashes are non-zero*/
 
                if (h_domain && h_rid) {
+                       /*
+                        * idmap_hash used to bounce back the requested type,
+                        * which was ID_TYPE_UID, ID_TYPE_GID or
+                        * ID_TYPE_NOT_SPECIFIED before as the winbindd parent
+                        * always used a lookupsids.
+                        *
+                        * This module should have supported ID_TYPE_BOTH since
+                        * samba-4.1.0, similar to idmap_rid and idmap_autorid.
+                        *
+                        * Now that the winbindd parent will pass ID_TYPE_BOTH
+                        * in order to indicate that the domain exists, it's
+                        * better to always return ID_TYPE_BOTH instead of a
+                        * random mix of ID_TYPE_UID, ID_TYPE_GID or
+                        * ID_TYPE_BOTH.
+                        */
+                       ids[i]->xid.type = ID_TYPE_BOTH;
                        ids[i]->xid.id = combine_hashes(h_domain, h_rid);
                        ids[i]->status = ID_MAPPED;
                }
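Review bot: The 14-line comment above `ids[i]->xid.type = ID_TYPE_BOTH;` repeats the commit message and the comment added earlier in the same function almost verbatim, which will age badly once the "used to" history is no longer interesting; in the code only the operative rule matters. I would reduce it to something like `/* Like idmap_rid and idmap_autorid, always report ID_TYPE_BOTH: combine_hashes() yields the same id for a user and a group, and the parent is expected to have verified the domain before sending ID_TYPE_BOTH. */`, which is what the visible lines actually establish. Note that the assignment sits only inside the `h_domain && h_rid` branch, so an unmapped entry keeps whatever type the caller passed; that seems fine but is worth a word if it is deliberate. The enclosing sids_to_unixids() loop begins and ends outside this hunk.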