git.openafs.org Git - openafs.git/commit

author	Andrew Deason <adeason@sinenomine.net>
	Wed, 21 Aug 2024 05:41:49 +0000 (00:41 -0500)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Tue, 12 Nov 2024 18:05:41 +0000 (13:05 -0500)
commit	bb01d76a2095baa65880bdc5d504e7a198958265
tree	cf571761b3b9d772e89909b89ccbe916da146904	tree \| snapshot
parent	ee020f7cba7d82bc3d4b468210b5052af53c5db5	commit \| diff

OPENAFS-SA-2024-002: viced: Avoid unchecked ACL in StoreACL audit log

CVE-2024-10396

Currently in SRXAFS_StoreACL, if CallPreamble() or check_acl() fail, we
will jump to Bad_StoreACL, which will pass the ACL string from the
client to osi_auditU. Since check_acl() hasn't yet checked if the given
ACL contains a NUL byte, the ACL may be an unterminated string. If
auditing is enabled, this can cause garbage to be logged to the audit
log, or cause the fileserver to crash.

To avoid this, set 'rawACL' to NULL at first, only setting it to the
actual ACL string after check_acl() has succeeded. This ensures that all
code accessing 'rawACL' is guaranteed to be using a terminated string.

This may mean that we pass a NULL AUD_ACL to osi_auditU. Our auditing
code explicitly checks for and handles handles NULL strings, so this is
fine.

FIXES 135445

Reviewed-on: https://gerrit.openafs.org/15913
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit c9eae1e8b26144063e5d1db23d47ee82c4b9ef3a)

Change-Id: Ieda6f910d875c4b5179011e5e93e5694d3f4ce47
Reviewed-on: https://gerrit.openafs.org/15934
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>