krb5 commit: Prevent overflow when calculating ulog block size

ghudson at mit.edu ghudson at mit.edu
Tue Jan 28 22:24:47 EST 2025 

https://github.com/krb5/krb5/commit/78ceba024b64d49612375be4a12d1c066b0bfbd0
commit 78ceba024b64d49612375be4a12d1c066b0bfbd0
Author: Zoltan Borbely <Zoltan.Borbely at morganstanley.com>
Date:   Tue Jan 28 16:39:25 2025 -0500

    Prevent overflow when calculating ulog block size
    
    In kdb_log.c:resize(), log an error and fail if the update size is
    larger than the largest possible block size (2^16-1).
    
    CVE-2025-24528:
    
    In MIT krb5 release 1.7 and later with incremental propagation
    enabled, an authenticated attacker can cause kadmind to write beyond
    the end of the mapped region for the iprop log file, likely causing a
    process crash.
    
    [ghudson at mit.edu: edited commit message and added CVE description]
    
    ticket: 9159 (new)
    tags: pullup
    target_version: 1.21-next

 src/lib/kdb/kdb_log.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..68fae919a 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -183,7 +183,7 @@ extend_file_to(int fd, unsigned int new_size)
  */
 static krb5_error_code
 resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
-       unsigned int recsize)
+       unsigned int recsize, const kdb_incr_update_t *upd)
 {
     unsigned int new_block, new_size;
 
@@ -195,6 +195,12 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd,
     new_block *= ULOG_BLOCK;
     new_size += ulogentries * new_block;
 
+    if (new_block > UINT16_MAX) {
+        syslog(LOG_ERR, _("ulog overflow caused by principal %.*s"),
+               upd->kdb_princ_name.utf8str_t_len,
+               upd->kdb_princ_name.utf8str_t_val);
+        return KRB5_LOG_ERROR;
+    }
     if (new_size > MAXLOGLEN)
         return KRB5_LOG_ERROR;
 
@@ -291,7 +297,7 @@ store_update(kdb_log_context *log_ctx, kdb_incr_update_t *upd)
     recsize = sizeof(kdb_ent_header_t) + upd_size;
 
     if (recsize > ulog->kdb_block) {
-        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize);
+        retval = resize(ulog, ulogentries, log_ctx->ulogfd, recsize, upd);
         if (retval)
             return retval;
     }

More information about the cvs-krb5 mailing list