Correctly validate io keys.

CVE-2022-29502

Correctly validate io keys.
CVE-2022-29502
351669e7 · Dominik Bartkiewicz · Tim Wickberg · ef62acfd · 351669e7 · 351669e7
Commit 351669e7 authored 2 years ago by Dominik Bartkiewicz Committed by Tim Wickberg 2 years ago
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ documents those changes that are of interest to users and administrators.
 -- Ignore power_down request when node is already powering down.
 -- CVE-2022-29500 - Prevent credential abuse.
 -- CVE-2022-29501 - Prevent abuse of REQUEST_FORWARD_DATA.
+ -- CVE-2022-29502 - Correctly validate io keys.
  
 * Changes in Slurm 21.08.7
 ==========================

--- a/src/api/step_io.c
+++ b/src/api/step_io.c
@@ -834,7 +834,7 @@ static int _read_io_init_msg(int fd, client_io_t *cio, slurm_addr_t *host)
 		error("failed reading io init message");
 		goto fail;
 	}
-	if (io_init_msg_validate(&msg, cio->io_key) < 0) {
+	if (io_init_msg_validate(&msg, cio->io_key, cio->io_key_len) < 0) {
 		goto fail;
 	}
 	if (msg.nodeid >= cio->num_nodes) {

--- a/src/common/io_hdr.c
+++ b/src/common/io_hdr.c
@@ -131,7 +131,8 @@ fail:
 	return n;
 }

-extern int io_init_msg_validate(io_init_msg_t *msg, const char *sig)
+extern int io_init_msg_validate(io_init_msg_t *msg, const char *sig,
+				uint32_t sig_len)
 {
 	debug2("Entering io_init_msg_validate");

@@ -144,7 +145,8 @@ extern int io_init_msg_validate(io_init_msg_t *msg, const char *sig)
 		return SLURM_ERROR;
 	}

-	if (memcmp((void *) sig, (void *) msg->io_key, msg->io_key_len)) {
+	if (msg->io_key_len != sig_len ||
+	    memcmp((void *) sig, (void *) msg->io_key, msg->io_key_len)) {
 		error("Invalid IO init header signature");
 		return SLURM_ERROR;
 	}
@@ -243,6 +245,7 @@ extern int io_init_msg_read_from_fd(int fd, io_init_msg_t *msg)
 {
 	buf_t *buf = NULL;
 	uint32_t len;
+	int rc;

 	xassert(msg);

@@ -257,11 +260,12 @@ extern int io_init_msg_read_from_fd(int fd, io_init_msg_t *msg)
 	buf = init_buf(len);
 	safe_read(fd, buf->head, len);

-	io_init_msg_unpack(msg, buf);
+	if ((rc = io_init_msg_unpack(msg, buf)))
+		error("%s: io_init_msg_unpack failed: rc=%d", __func__, rc);

 	free_buf(buf);
 	debug2("Leaving %s", __func__);
-	return SLURM_SUCCESS;
+	return rc;

 rwfail:
 	free_buf(buf);

--- a/src/common/io_hdr.h
+++ b/src/common/io_hdr.h
@@ -87,7 +87,7 @@ int io_hdr_read_fd(int fd, io_hdr_t *hdr);
 /*
 * Validate io init msg
 */
-int io_init_msg_validate(io_init_msg_t *msg, const char *sig);
+int io_init_msg_validate(io_init_msg_t *msg, const char *sig, uint32_t sig_len);
 int io_init_msg_write_to_fd(int fd, io_init_msg_t *msg);
 int io_init_msg_read_from_fd(int fd, io_init_msg_t *msg);