path: root/main/samba/0007-CVE-2018-10919-acl_read-Split-access_mask-logic-out-.patch
blob: 41a3ac8f44224df989f311991e19906e98e1ba25 (plain)
From e95c621a7f243058a24f00a02e25d5edde35565d Mon Sep 17 00:00:00 2001
From: Tim Beale <timbeale@catalyst.net.nz>
Date: Fri, 20 Jul 2018 13:52:24 +1200
Subject: [PATCH] CVE-2018-10919 acl_read: Split access_mask logic out into
 helper function

So we can re-use the same logic later for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 54 +++++++++++++++--------
 1 file changed, 35 insertions(+), 19 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 3c9cf7c0672..f42b131948c 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -227,6 +227,40 @@ static int aclread_get_sd_from_ldb_message(struct aclread_context *ac,
 	return LDB_SUCCESS;
 }
 
+/*
+ * Returns the access mask required to read a given attribute
+ */
+static uint32_t get_attr_access_mask(const struct dsdb_attribute *attr,
+				     uint32_t sd_flags)
+{
+
+	uint32_t access_mask = 0;
+	bool is_sd;
+
+	/* nTSecurityDescriptor is a special case */
+	is_sd = (ldb_attr_cmp("nTSecurityDescriptor",
+			      attr->lDAPDisplayName) == 0);
+
+	if (is_sd) {
+		if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+			access_mask |= SEC_STD_READ_CONTROL;
+		}
+		if (sd_flags & SECINFO_DACL) {
+			access_mask |= SEC_STD_READ_CONTROL;
+		}
+		if (sd_flags & SECINFO_SACL) {
+			access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+		}
+	} else {
+		access_mask = SEC_ADS_READ_PROP;
+	}
+
+	if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
+		access_mask |= SEC_ADS_CONTROL_ACCESS;
+	}
+
+	return access_mask;
+}
 
 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 {
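Review bot: The comment above `get_attr_access_mask()` does not say what a zero return means, which matters for a helper the commit message says will be reused for the search-ops check. For nTSecurityDescriptor with none of the OWNER/GROUP/DACL/SACL bits set in `sd_flags` and no SEARCH_FLAG_CONFIDENTIAL, the function returns 0, and the existing caller treats that as "mark inaccessible" (`if (access_mask == 0)`). A future caller that passed 0 on to an access check as "no rights required" could fail open, so I would extend the comment to say `Returns 0 when no readable part was requested; callers must treat 0 as deny, not as "no check needed"`. The comment should also state that `attr` must be non-NULL, since it is dereferenced unconditionally. Minor style: the blank line after the opening brace can be dropped.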
@@ -342,26 +376,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 				aclread_mark_inaccesslible(&msg->elements[i]);
 				continue;
 			}
-			/* nTSecurityDescriptor is a special case */
-			if (is_sd) {
-				access_mask = 0;
-
-				if (ac->sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
-					access_mask |= SEC_STD_READ_CONTROL;
-				}
-				if (ac->sd_flags & SECINFO_DACL) {
-					access_mask |= SEC_STD_READ_CONTROL;
-				}
-				if (ac->sd_flags & SECINFO_SACL) {
-					access_mask |= SEC_FLAG_SYSTEM_SECURITY;
-				}
-			} else {
-				access_mask = SEC_ADS_READ_PROP;
-			}
 
-			if (attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL) {
-				access_mask |= SEC_ADS_CONTROL_ACCESS;
-			}
+			access_mask = get_attr_access_mask(attr, ac->sd_flags);
 
 			if (access_mask == 0) {
 				aclread_mark_inaccesslible(&msg->elements[i]);
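Review bot: The removed block branched on the callback's own `is_sd`, which is set outside this hunk, whereas the helper now re-derives it from `attr->lDAPDisplayName`. The refactor preserves behaviour only if those two always agree. The original assignment is not visible here, so it is worth confirming that it compares the same name, or else passing `is_sd` into the helper. If `is_sd` is no longer read anywhere else in `aclread_callback`, the local should be removed so it cannot drift from what the helper computes.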
-- 
2.18.0