From: Noel Power
Date: Fri, 14 Oct 2022 10:23:37 +0000 (+0100)
Subject: s3/param: Fix use after free with popt-1.19
X-Git-Tag: talloc-2.4.0~723
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ff003fc87b8164610dfd6572347c05308c4b2fd7;p=thirdparty%2Fsamba.git

s3/param: Fix use after free with popt-1.19

popt1.19 fixes a leak that exposes a use after free, make sure we
duplicate the return of poptGetArg if poptFreeContext is called before
we use it.

==5325== Invalid read of size 1
==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 8
==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 2
==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==
==5325== Invalid read of size 1
==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
==5325==    by 0x10ABD7: main (test_lp_load.c:98)
==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB8E: main (test_lp_load.c:90)
==5325==  Block was alloc'd at
==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
==5325==    by 0x10AB49: main (test_lp_load.c:74)
==5325==

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205

Signed-off-by: Noel Power
Reviewed-by: Ralph Boehme
--- diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c index 2c6a5c8891b..03be4118efd 100644 --- a/source3/param/test_lp_load.c +++ b/source3/param/test_lp_load.c @@ -82,7 +82,7 @@ int main(int argc, const char **argv) } if (poptPeekArg(pc)) { - config_file = poptGetArg(pc); + config_file = talloc_strdup(frame, poptGetArg(pc)); } else { config_file = get_dyn_CONFIGFILE(); }
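Review bot: the new `config_file = talloc_strdup(frame, poptGetArg(pc));` line in the poptPeekArg branch does not check the talloc_strdup result, so on allocation failure config_file becomes NULL where the old assignment always yielded a non-NULL pointer, and that NULL then reaches lp_load_with_registry_shares at test_lp_load.c:98 per the trace above. Suggest adding `if (config_file == NULL) { /* report and bail out */ }` right after the assignment. The copy onto frame is the right lifetime fix for the sequence valgrind shows (free in poptFreeContext at test_lp_load.c:90, use at :98), but a one-line comment at the assignment saying that popt 1.19 frees the leftover arguments in poptFreeContext would save the next reader a trip to the bug report, since the else branch (get_dyn_CONFIGFILE()) is not frame-owned and the two branches now have different ownership.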
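The ownership rule the commit message relies on, as an added example that is not Samba or popt code and not part of this commit: a context that owns private copies of its leftover arguments, a borrowed-pointer accessor, and the two shapes of the caller from the hunk. `arg_context`, `new_context`, `peek_arg`, `get_arg` and `free_context` are constructed stand-ins for the popt calls; plain `strdup` stands in for `talloc_strdup(frame, ...)` and a caller-supplied fallback path stands in for get_dyn_CONFIGFILE().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the popt ownership contract (not libpopt, not
 * Samba code): the context owns private copies of the leftover arguments,
 * get_arg() returns a pointer into that storage, free_context() releases
 * it. Pointers from get_arg() are valid only while the context lives.
 */
struct arg_context {
	char **args;
	int count;
	int next;
};

static void free_context(struct arg_context *ctx)
{
	int i;

	for (i = 0; i < ctx->count; i++)
		free(ctx->args[i]);
	free(ctx->args);
	free(ctx);
}

static struct arg_context *new_context(int argc, const char **argv)
{
	struct arg_context *ctx = calloc(1, sizeof(*ctx));
	int i;

	if (ctx == NULL)
		return NULL;
	ctx->args = calloc(argc > 0 ? (size_t)argc : 1, sizeof(char *));
	if (ctx->args == NULL) {
		free(ctx);
		return NULL;
	}
	for (i = 0; i < argc; i++) {
		ctx->args[i] = strdup(argv[i]); /* private copy owned by ctx */
		if (ctx->args[i] == NULL) {
			free_context(ctx);      /* frees the 0..i-1 copies */
			return NULL;
		}
		ctx->count++;
	}
	return ctx;
}

static const char *peek_arg(const struct arg_context *ctx)
{
	return ctx->next < ctx->count ? ctx->args[ctx->next] : NULL;
}

static const char *get_arg(struct arg_context *ctx)
{
	const char *arg = peek_arg(ctx);

	if (arg != NULL)
		ctx->next++;
	return arg;
}

/*
 * Pre-fix shape: borrow the argument, free the context, return the
 * borrowed pointer. If it came from get_arg() it now dangles, which is
 * the read-after-free valgrind reports above. The fallback branch is
 * unaffected because the fallback is not owned by the context.
 */
const char *config_file_borrowed(int argc, const char **argv,
				 const char *fallback)
{
	struct arg_context *ctx = new_context(argc, argv);
	const char *config_file = fallback;

	if (ctx == NULL)
		return NULL;
	if (peek_arg(ctx) != NULL)
		config_file = get_arg(ctx); /* borrowed from ctx ... */
	free_context(ctx);                  /* ... and freed here */
	return config_file;                 /* dangling if from get_arg() */
}

/*
 * Post-fix shape: copy the argument into caller-owned storage before the
 * context goes away, and check the copy. Returns a malloc'd string the
 * caller frees, or NULL on allocation failure.
 */
char *config_file_owned(int argc, const char **argv, const char *fallback)
{
	struct arg_context *ctx = new_context(argc, argv);
	const char *arg;
	char *config_file;

	if (ctx == NULL)
		return NULL;
	arg = peek_arg(ctx) != NULL ? get_arg(ctx) : fallback;
	config_file = strdup(arg); /* own copy, survives free_context() */
	free_context(ctx);
	return config_file;
}
```

Running the borrowed variant with an argument under valgrind or ASan reproduces the shape of the report above (read inside a block freed by the context teardown); the owned variant is clean, and its NULL return on allocation failure is the check the one-line hunk leaves to the caller.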