[SSSD] [sssd PR#5902][opened] SSS_CLIENT: fixed few covscan issues

alexey-tikhonov Fri, 03 Dec 2021 11:00:30 -0800

   URL: https://github.com/SSSD/sssd/pull/5902
Author: alexey-tikhonov
 Title: #5902: SSS_CLIENT: fixed few covscan issues
Action: opened


PR body:
"""
Fixes following covscan issues:
```
Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling 
function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing 
"repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets 
"num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call 
to function "safealign_memcpy" with tainted argument "*repbuf" transitively 
taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: tainted_data: Passing tainted 
expression "num_results * 16UL" to "malloc", which uses it as an allocation 
size.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: remediation: Ensure that 
tainted values are properly sanitized, by checking that their values are within 
a permissible range.
 #  114|       }
 #  115|
 #  116|->     *ranges = malloc(num_results * sizeof(struct subid_range));
 #  117|       if (!*ranges) {
 #  118|           free(repbuf);

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling 
function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing 
"repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets 
"num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call 
to function "safealign_memcpy" with tainted argument "*repbuf" transitively 
taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: tainted_data: Using tainted 
variable "num_results" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: remediation: Ensure that 
tainted values are properly sanitized, by checking that their values are within 
a permissible range.
 #  120|       }
 #  121|
 #  122|->     for (uint32_t c = 0; c < num_results; ++c) {
 #  123|           SAFEALIGN_COPY_UINT32(&val, repbuf + index, &index);
 #  124|           (*ranges)[c].start = val;

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:176: tainted_argument: Calling 
function "shadow_subid_list_owner_ranges" taints argument "amount".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: tainted_data: Using tainted 
variable "amount" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: remediation: Ensure that 
tainted values are properly sanitized, by checking that their values are within 
a permissible range.
 #  181|       *result = false;
 #  182|
 #  183|->     for (int i = 0; i < amount; ++i) {
 #  184|           if ((range[i].start <= start) &&
 #  185|               (range[i].start + range[i].count >= end)) {
```

Resolves: https://github.com/SSSD/sssd/issues/5878
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5902/head:pr5902
git checkout pr5902

From 089c41ece672601a1d4c00db6579a2d1f14bb8e4 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikh...@redhat.com>
Date: Wed, 1 Dec 2021 21:56:53 +0100
Subject: [PATCH] SSS_CLIENT: fixed few covscan issues

Fixes following covscan issues:
```
Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing "repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets "num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call to function "safealign_memcpy" with tainted argument "*repbuf" transitively taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: tainted_data: Passing tainted expression "num_results * 16UL" to "malloc", which uses it as an allocation size.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:116: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  114|       }
 #  115|
 #  116|->     *ranges = malloc(num_results * sizeof(struct subid_range));
 #  117|       if (!*ranges) {
 #  118|           free(repbuf);

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:75: tainted_argument: Calling function "sss_cli_make_request_with_checks" taints argument "*repbuf".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: identity_transfer: Passing "repbuf + 4UL" as argument 2 to function "safealign_memcpy", which sets "num_results" to the dereference of that argument.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:94: tainted_data_transitive: Call to function "safealign_memcpy" with tainted argument "*repbuf" transitively taints "num_results".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: tainted_data: Using tainted variable "num_results" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:122: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  120|       }
 #  121|
 #  122|->     for (uint32_t c = 0; c < num_results; ++c) {
 #  123|           SAFEALIGN_COPY_UINT32(&val, repbuf + index, &index);
 #  124|           (*ranges)[c].start = val;

Error: TAINTED_SCALAR (CWE-20):
sssd-2.6.1/src/sss_client/subid/sss_subid.c:176: tainted_argument: Calling function "shadow_subid_list_owner_ranges" taints argument "amount".
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: tainted_data: Using tainted variable "amount" as a loop boundary.
sssd-2.6.1/src/sss_client/subid/sss_subid.c:183: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
 #  181|       *result = false;
 #  182|
 #  183|->     for (int i = 0; i < amount; ++i) {
 #  184|           if ((range[i].start <= start) &&
 #  185|               (range[i].start + range[i].count >= end)) {
```

Resolves: https://github.com/SSSD/sssd/issues/5878
---
 src/sss_client/subid/sss_subid.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/sss_client/subid/sss_subid.c b/src/sss_client/subid/sss_subid.c
index ae74ece3cd..e301e6b294 100644
--- a/src/sss_client/subid/sss_subid.c
+++ b/src/sss_client/subid/sss_subid.c
@@ -87,11 +87,20 @@ enum subid_status shadow_subid_list_owner_ranges(const char *user,
     }

     SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
+    if (num_results > (replen/sizeof(uint32_t) - 2)/2) {
+        free(repbuf);
+        return SUBID_STATUS_ERROR;
+    }
+
     if (id_type == ID_TYPE_UID) {
         index = 2 * sizeof(uint32_t);
     } else {
         index = (2 + 2*num_results) * sizeof(uint32_t);
         SAFEALIGN_COPY_UINT32(&num_results, repbuf + sizeof(uint32_t), NULL);
+        if (num_results > ((replen - index)/sizeof(uint32_t)/2)) {
+            free(repbuf);
+            return SUBID_STATUS_ERROR;
+        }
     }
     if (num_results == 0) {
         /* TODO: how to distinguish "user not found" vs "user doesn't have ranges defined" here?

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[SSSD] [sssd PR#5902][opened] SSS_CLIENT: fixed few covscan issues

Reply via email to