Fix double-free in KDC TGS processing

When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket.  Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.

[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]

CVE-2023-39975:

In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.

ticket: 9101 (new)
tags: pullup
target_version: 1.21-next

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 6e4c8fa9f382f31b70af773b961c9d4aa1c9f3e0..0acc45850fde88174a50ee4bbf551b00283524d6 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t,
     }
 
     if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) {
-        /* Copy the whole header ticket except for authorization data. */
-        ticket_reply = *t->header_tkt;
+        /* Copy the header ticket server and all enc-part fields except for
+         * authorization data. */
+        ticket_reply.server = t->header_tkt->server;
         enc_tkt_reply = *t->header_tkt->enc_part2;
         enc_tkt_reply.authorization_data = NULL;
     } else {