[17106] in Kerberos-V5-bugs
[krbdev.mit.edu #9215] [PATCH] Fix DB2 hash bitmap page count
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Thu May 21 17:45:10 2026
From: "Богдан Богуславский via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <0409bd55-9567-4120-8612-eb5030f6f05c@basealt.ru>
Message-ID: <rt-4.4.3-2-3012212-1779399905-125.9215-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9215":;
Date: Thu, 21 May 2026 17:45:05 -0400
Reply-To: rt-comment@krbdev.mit.edu
Errors-To: krb5-bugs-bounces@mit.edu
Content-Type: text/plain; charset="utf-8"
Thu May 21 17:45:05 2026: Request 9215 was acted upon.
Transaction: Ticket created by boguslavskijbj@basealt.ru
Queue: krb5
Subject: [PATCH] Fix DB2 hash bitmap page count validation
Owner: Nobody
Requestors: boguslavskijbj@basealt.ru
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9215 >
Hello,
I found a possible out-of-bounds write in the DB2 hash backend.
In __kdb2_hash_open(), bpages is computed from the hash file header and
then used as the size argument when clearing hashp->mapp. The mapp array
has only NCACHED entries, so a malformed hash database can cause
memset() to write past the end of the array.
The attached patch rejects negative bitmap page counts and values
greater than NCACHED.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Regards,
Bogdan Boguslavskij
[Attachment: fix-db2-hash-bitmap-page-count-validation.patch]
From 466965a048cea8aecd6cf5691ffe58aa04cbebb2 Mon Sep 17 00:00:00 2001
From: Bogdan Boguslavskij <bogdanb@altlinux.org>
Date: Wed, 20 May 2026 17:07:20 +0300
Subject: [PATCH] Fix DB2 hash bitmap page count validation
In __kdb2_hash_open(), bpages is computed from the hash file
header and then used as the size argument when clearing hashp->mapp.
The mapp array has only NCACHED entries, so a malformed hash
database can cause memset() to write past the end of the array.
Return EFTYPE if the computed bitmap page count is negative or
greater than NCACHED.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Bogdan Boguslavskij <bogdanb@altlinux.org>
---
krb5/src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c b/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..6431b904c 100644
--- a/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -172,6 +172,9 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
(hashp->hdr.bsize << BYTE_SHIFT) - 1) >>
(hashp->hdr.bshift + BYTE_SHIFT);
+ if (bpages > NCACHED || bpages < 0)
+ RETURN_ERROR(EFTYPE, error1);
+
hashp->nmaps = bpages;
(void)memset(&hashp->mapp[0], 0, bpages * sizeof(u_int32_t *));
}
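Review bot: the new check on bpages sits after the computation on the two preceding context lines, so the shift `>> (hashp->hdr.bshift + BYTE_SHIFT)` still runs on header fields that this hunk does not validate; unless hdr.bshift (and hdr.ovfl_point as the spares[] index, and hdr.bsize in the left shift) are range-checked earlier in __kdb2_hash_open(), a shift count of 32 or more is undefined behaviour before the guard is reached, so it is worth confirming those checks exist or adding them next to this one. The `bpages < 0` test is only meaningful if bpages is declared as a signed type; the declaration is outside the hunk, so please confirm. Minor: a one-line comment stating that mapp has only NCACHED entries would make the bound self-explanatory, and `bpages < 0 || bpages > NCACHED` reads in the natural order.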
--
2.50.1
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
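The report describes a count derived from untrusted header fields being used as a memset() length over a fixed-size array. The following is an added example written for this page, not code from krb5 or libdb2: it models the same derivation (ceil(spares / (bsize * 8)) done with shifts) on a reduced header and shows two layers of validation, the bound on the result that the patch adds and, as an extra step the patch does not include, range checks on the inputs so the shifts and the addition cannot misbehave before the bound is tested. The struct names (hash_hdr_subset, hash_state), the functions (bitmap_page_count, init_bitmap_cache, make_state), NSPARES, and the values of BYTE_SHIFT and NCACHED are assumptions for the example; EFTYPE falls back to EINVAL on platforms that lack it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants modelled on libdb2's hash backend. The values are assumptions
 * for this example, not copied from krb5. */
#define BYTE_SHIFT 3   /* log2(bits per byte) */
#define NCACHED    32  /* slots in the cached bitmap-pointer array mapp[] */
#define NSPARES    32  /* assumed length of the header's spares[] array */

#ifndef EFTYPE
#define EFTYPE EINVAL  /* EFTYPE is a BSD errno; fall back on other platforms */
#endif

/* Hypothetical subset of the on-disk hash header: only the fields that
 * feed the bitmap page count. */
struct hash_hdr_subset {
    int32_t bsize;            /* bucket size in bytes */
    int32_t bshift;           /* log2(bsize) */
    int32_t ovfl_point;       /* which spares[] entry is current */
    int32_t spares[NSPARES];  /* overflow pages allocated per split point */
};

/* Hypothetical in-memory handle: mapp[] has a fixed NCACHED entries. */
struct hash_state {
    struct hash_hdr_subset hdr;
    int32_t nmaps;
    uint32_t *mapp[NCACHED];
};

/* Same arithmetic as the context lines of the patch:
 * ceil(spares / (bsize * 8)) computed with shifts. */
static int32_t bitmap_page_count(const struct hash_hdr_subset *hdr)
{
    return (hdr->spares[hdr->ovfl_point] + (hdr->bsize << BYTE_SHIFT) - 1)
           >> (hdr->bshift + BYTE_SHIFT);
}

/* Initialise the bitmap cache from an untrusted header. Returns 0 or EFTYPE. */
int init_bitmap_cache(struct hash_state *hashp)
{
    const struct hash_hdr_subset *hdr = &hashp->hdr;
    int32_t bpages;

    /* Layer 1 (goes beyond the patch): validate the inputs of the formula
     * so the shifts and the addition cannot be undefined behaviour. */
    if (hdr->ovfl_point < 0 || hdr->ovfl_point >= NSPARES)
        return EFTYPE;                     /* spares[] index out of range */
    if (hdr->bshift < 0 || hdr->bshift + BYTE_SHIFT > 30)
        return EFTYPE;                     /* keeps every shift below 31 bits */
    if (hdr->bsize != (INT32_C(1) << hdr->bshift))
        return EFTYPE;                     /* bsize must equal 2^bshift */
    if (hdr->spares[hdr->ovfl_point] < 0 ||
        hdr->spares[hdr->ovfl_point] > INT32_MAX - (hdr->bsize << BYTE_SHIFT))
        return EFTYPE;                     /* the addition would overflow */

    bpages = bitmap_page_count(hdr);

    /* Layer 2: the check the patch adds. The count sizes a memset over
     * mapp[], which has only NCACHED entries. */
    if (bpages > NCACHED || bpages < 0)
        return EFTYPE;

    hashp->nmaps = bpages;
    memset(&hashp->mapp[0], 0, (size_t)bpages * sizeof(uint32_t *));
    return 0;
}

/* Build a constructed header for testing: power-of-two buckets and one
 * populated spares[] entry. Out-of-range arguments are stored as given so
 * the validation above is what rejects them. */
struct hash_state make_state(int32_t bshift, int32_t ovfl_point, int32_t spares)
{
    struct hash_state st;
    memset(&st, 0, sizeof st);
    st.hdr.bshift = bshift;
    st.hdr.bsize = (bshift >= 0 && bshift < 31) ? (INT32_C(1) << bshift) : 0;
    st.hdr.ovfl_point = ovfl_point;
    if (ovfl_point >= 0 && ovfl_point < NSPARES)
        st.hdr.spares[ovfl_point] = spares;
    return st;
}

int main(void)
{
    struct hash_state ok = make_state(12, 0, 100000);       /* 4 KiB buckets */
    struct hash_state huge = make_state(12, 0, 2000000000); /* absurd spares */
    struct hash_state badshift = make_state(40, 0, 1);      /* shift >= width */

    printf("sane header: rc=%d nmaps=%d\n", init_bitmap_cache(&ok), ok.nmaps);
    printf("huge spares: rc=%d\n", init_bitmap_cache(&huge));
    printf("bad bshift:  rc=%d\n", init_bitmap_cache(&badshift));
    return 0;
}
```

With 4 KiB buckets and 100000 overflow pages the count comes out as 4 bitmap pages, which fits; a spares value of two billion yields a count of several tens of thousands and is refused by the NCACHED bound, while a bshift of 40 never reaches the formula at all because the input check rejects it first. Ordering the checks this way matters: a bound on the result alone, as in the patch, still lets the shift operate on an unchecked bshift.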