From: Stefan Metzmacher
Date: Fri, 23 Oct 2020 10:21:57 +0000 (+0200)
Subject: CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH
X-Git-Tag: samba-4.13.14~239
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4925a110c4e0586ca74566beca2450bbc4d18e4c;p=thirdparty%2Fsamba.git

CVE-2020-25717 s3:idmap_hash: reliable return ID_TYPE_BOTH

idmap_hash used to bounce back the requested type, which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED before, as the winbindd parent always used a lookupsids. When the lookupsids failed because of an unknown domain, the idmap child wasn't requested at all and the caller sees ID_TYPE_NOT_SPECIFIED.

This module should have supported ID_TYPE_BOTH since samba-4.1.0, similar to idmap_rid and idmap_autorid.

Now that the winbindd parent will pass ID_TYPE_BOTH in order to indicate that the domain exists, it's better to always return ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_BOTH.

In order to request a type_hint it will return ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that the parent at least assures that the domain sid exists. And the caller still gets ID_TYPE_NOT_SPECIFIED if the domain doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539

Signed-off-by: Stefan Metzmacher

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184

(cherry picked from commit d8339056eef2845805f573bd8b0f3323370ecc8f)

Reviewed-by: Ralph Boehme

Autobuild-User(v4-14-test): Karolin Seeger
Autobuild-Date(v4-14-test): Wed Jan 27 17:06:51 UTC 2021 on sn-devel-184

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

(cherry picked from commit 99673b77b069674a6145552eb870de8829dfa503)
---

diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
index be0ba45a044..d0bed7631a6 100644
--- a/source3/winbindd/idmap_hash/idmap_hash.c
+++ b/source3/winbindd/idmap_hash/idmap_hash.c
@@ -261,6 +261,25 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, ids[i]->status = ID_UNMAPPED; + if (ids[i]->xid.type == ID_TYPE_NOT_SPECIFIED) { + /* + * idmap_hash used to bounce back the requested type, + * which was ID_TYPE_UID, ID_TYPE_GID or + * ID_TYPE_NOT_SPECIFIED before as the winbindd parent + * always used a lookupsids. When the lookupsids + * failed because of an unknown domain, the idmap child + * weren't requested at all and the caller sees + * ID_TYPE_NOT_SPECIFIED. + * + * Now that the winbindd parent will pass ID_TYPE_BOTH + * in order to indicate that the domain exists. + * We should ask the parent to fallback to lookupsids + * if the domain is not known yet. + */ + ids[i]->status = ID_REQUIRE_TYPE; + continue; + } + sid_copy(&sid, ids[i]->sid); sid_split_rid(&sid, &rid); @@ -270,6 +289,22 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, /* Check that both hashes are non-zero*/ if (h_domain && h_rid) { + /* + * idmap_hash used to bounce back the requested type, + * which was ID_TYPE_UID, ID_TYPE_GID or + * ID_TYPE_NOT_SPECIFIED before as the winbindd parent + * always used a lookupsids. + * + * This module should have supported ID_TYPE_BOTH since + * samba-4.1.0, similar to idmap_rid and idmap_autorid. + * + * Now that the winbindd parent will pass ID_TYPE_BOTH + * in order to indicate that the domain exists, it's + * better to always return ID_TYPE_BOTH instead of a + * random mix of ID_TYPE_UID, ID_TYPE_GID or + * ID_TYPE_BOTH. + */ + ids[i]->xid.type = ID_TYPE_BOTH; ids[i]->xid.id = combine_hashes(h_domain, h_rid); ids[i]->status = ID_MAPPED; }
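Review bot: in the first hunk (@@ -261,6 +261,25 @@), the early `ids[i]->status = ID_REQUIRE_TYPE; continue;` for ID_TYPE_NOT_SPECIFIED only closes the hole if the winbindd parent actually reacts to ID_REQUIRE_TYPE by doing the lookupsids and re-issuing the request with a concrete type; that parent-side behaviour is described in the commit message but is not in this diff, so for this backport please confirm the companion parent change is already in the tree, otherwise callers receive a status value they never handled before and the SID stays unresolved. A smaller point: the second paragraph of the new block comment ("Now that the winbindd parent will pass ID_TYPE_BOTH in order to indicate that the domain exists.") is a sentence fragment that largely repeats the commit message; a one-sentence statement of the rule ("without a type from the parent we cannot tell whether the domain exists, so ask it to fall back to lookupsids") plus a pointer to the bug URL would be clearer for the next reader.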
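Review bot: in the second hunk (@@ -270,6 +289,22 @@), `ids[i]->xid.type = ID_TYPE_BOTH;` overwrites whatever type the caller asked for, so a request that arrived as ID_TYPE_UID or ID_TYPE_GID is now answered as ID_TYPE_BOTH; that is consistent with idmap_rid and idmap_autorid as the message says, but it is a visible behaviour change for any consumer that compared the returned type with the requested one, and it should get a test in the idmap_hash tests and a line in the release notes. Also, the `else` path of `if (h_domain && h_rid)` still leaves the entry at the `ids[i]->status = ID_UNMAPPED;` set at the top of the loop with xid.type untouched, which is the intended "domain known, SID not mappable" outcome; a short comment there contrasting it with the ID_REQUIRE_TYPE case added in the first hunk would make the three possible outcomes (ID_REQUIRE_TYPE, ID_UNMAPPED, ID_MAPPED) easier to follow.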