From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001

From: Jeremy Allison <jra@samba.org>

Date: Tue, 7 Jun 2022 09:40:45 -0700

Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test.

Reproduces the test code in:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

Add knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>

---

 selftest/knownfail.d/bad-write |  2 +

 source4/torture/raw/write.c    | 89 ++++++++++++++++++++++++++++++++++

 2 files changed, 91 insertions(+)

 create mode 100644 selftest/knownfail.d/bad-write

diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write

new file mode 100644

index 00000000000..5fc16606a13

--- /dev/null

+++ b/selftest/knownfail.d/bad-write

@@ -0,0 +1,2 @@

+^samba3.raw.write.bad-write\(nt4_dc_smb1\)

+^samba3.raw.write.bad-write\(ad_dc_smb1\)

diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c

index 0a2f50f425b..661485bb548 100644

--- a/source4/torture/raw/write.c

+++ b/source4/torture/raw/write.c

@@ -25,6 +25,7 @@

 #include "libcli/libcli.h"

 #include "torture/util.h"

 #include "torture/raw/proto.h"

+#include "libcli/raw/raw_proto.h"

 #define CHECK_STATUS(status, correct) do { \

 	if (!NT_STATUS_EQUAL(status, correct)) { \

@@ -694,6 +695,93 @@ done:

 	return ret;

 }

+/*

+  test a deliberately bad SMB1 write.

+*/

+static bool test_bad_write(struct torture_context *tctx,

+		       struct smbcli_state *cli)

+{

+	bool ret = false;

+	int fnum = -1;

+	struct smbcli_request *req = NULL;

+	const char *fname = BASEDIR "\\badwrite.txt";

+	bool ok = false;

+

+	if (!torture_setup_dir(cli, BASEDIR)) {

+		torture_fail(tctx, "failed to setup basedir");

+	}

+

+	torture_comment(tctx, "Testing RAW_BAD_WRITE\n");

+

+	fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);

+	if (fnum == -1) {

+		torture_fail_goto(tctx,

+			done,

+			talloc_asprintf(tctx,

+				"Failed to create %s - %s\n",

+				fname,

+				smbcli_errstr(cli->tree)));

+	}

+

+	req = smbcli_request_setup(cli->tree,

+				   SMBwrite,

+				   5,

+				   0);

+	if (req == NULL) {

+		torture_fail_goto(tctx,

+			done,

+			talloc_asprintf(tctx, "talloc fail\n"));

+	}

+

+	SSVAL(req->out.vwv, VWV(0), fnum);

+	SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */

+	SIVAL(req->out.vwv, VWV(2), 0); /* offset */

+	SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */

+

+        if (!smbcli_request_send(req)) {

+		torture_fail_goto(tctx,

+			done,

+			talloc_asprintf(tctx, "Send failed\n"));

+        }

+

+        if (!smbcli_request_receive(req)) {

+		torture_fail_goto(tctx,

+			done,

+			talloc_asprintf(tctx, "Reveive failed\n"));

+	}

+

+	/*

+	 * Check for expected error codes.

+	 * ntvfs returns NT_STATUS_UNSUCCESSFUL.

+	 */

+	ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||

+	     NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));

+

+	if (!ok) {

+		torture_fail_goto(tctx,

+			done,

+			talloc_asprintf(tctx,

+				"Should have returned "

+				"NT_STATUS_INVALID_PARAMETER or "

+				"NT_STATUS_UNSUCCESSFUL "

+				"got %s\n",

+				nt_errstr(req->status)));

+        }

+

+	ret = true;

+

+done:

+	if (req != NULL) {

+		smbcli_request_destroy(req);

+	}

+	if (fnum != -1) {

+		smbcli_close(cli->tree, fnum);

+	}

+	smb_raw_exit(cli->session);

+	smbcli_deltree(cli->tree, BASEDIR);

+	return ret;

+}

+

 /*

    basic testing of write calls

 */

@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)

 	torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);

 	torture_suite_add_1smb_test(suite, "write close", test_writeclose);

 	torture_suite_add_1smb_test(suite, "writex", test_writex);

+	torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);

 	return suite;

 }

-- 

2.34.1

From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001

From: Jeremy Allison <jra@samba.org>

Date: Wed, 8 Jun 2022 13:50:51 -0700

Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.

Fixes the raw.write.bad-write test.

NB. We need the two (==0) changes in source3/smbd/reply.c

as the gcc optimizer now knows that the return from

smbreq_bufrem() can never be less than zero.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085

Remove knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>

---

 selftest/knownfail.d/bad-write | 2 --

 source3/include/smb_macros.h   | 2 +-

 source3/smbd/reply.c           | 4 ++--

 3 files changed, 3 insertions(+), 5 deletions(-)

 delete mode 100644 selftest/knownfail.d/bad-write

diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write

deleted file mode 100644

index 5fc16606a13..00000000000

--- a/selftest/knownfail.d/bad-write

+++ /dev/null

@@ -1,2 +0,0 @@

-^samba3.raw.write.bad-write\(nt4_dc_smb1\)

-^samba3.raw.write.bad-write\(ad_dc_smb1\)

diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h

index 344a997cbd2..c75b93fcc25 100644

--- a/source3/include/smb_macros.h

+++ b/source3/include/smb_macros.h

@@ -152,7 +152,7 @@

 /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */

 #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))

-#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))

+#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))

 /* Note that chain_size must be available as an extern int to this macro. */

diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c

index d4573d3da55..e1a47a65662 100644

--- a/source3/smbd/reply.c

+++ b/source3/smbd/reply.c

@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,

 {

 	ssize_t bufrem = smbreq_bufrem(req, src);

-	if (bufrem < 0) {

+	if (bufrem == 0) {

 		*err = NT_STATUS_INVALID_PARAMETER;

 		return 0;

 	}

@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,

 {

 	ssize_t bufrem = smbreq_bufrem(req, src);

-	if (bufrem < 0) {

+	if (bufrem == 0) {

 		return 0;

 	}

-- 

2.34.1