RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-02-23 19:17:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16823 from adamemerson/wip-use-after-free

Browse Source 
rgw: Fix use after free in IAM policy parser
This commit is contained in:
Matt Benjamin 2017-08-07 19:42:30 -04:00 committed by GitHub
commit 94883e0459
1 changed files with 39 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/rgw/rgw_iam_policy.cc
View File

@ -507,7 +507,7 @@ struct PolicyParser : public BaseReaderHandler<UTF8<>, PolicyParser> {
CephContext* cct;
const string& tenant;
Policy& policy;
std::set<TokenID> v;
uint32_t v = 0;
uint32_t seen = 0;
@ -554,49 +554,59 @@ struct PolicyParser : public BaseReaderHandler<UTF8<>, PolicyParser> {
}
void set(TokenID in) {
seen |= dex(in);
if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
in == TokenID::CanonicalUser) {
v.insert(in);
if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
dex(TokenID::Action) | dex(TokenID::NotAction) |
dex(TokenID::Resource) | dex(TokenID::NotResource) |
dex(TokenID::Condition) | dex(TokenID::AWS) |
dex(TokenID::Federated) | dex(TokenID::Service) |
dex(TokenID::CanonicalUser))) {
v |= dex(in);
}
}
void set(std::initializer_list<TokenID> l) {
for (auto in : l) {
seen |= dex(in);
if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
in == TokenID::CanonicalUser) {
v.insert(in);
if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
dex(TokenID::Action) | dex(TokenID::NotAction) |
dex(TokenID::Resource) | dex(TokenID::NotResource) |
dex(TokenID::Condition) | dex(TokenID::AWS) |
dex(TokenID::Federated) | dex(TokenID::Service) |
dex(TokenID::CanonicalUser))) {
v |= dex(in);
}
}
}
void reset(TokenID in) {
seen &= ~dex(in);
if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
in == TokenID::CanonicalUser) {
v.erase(in);
if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
dex(TokenID::Action) | dex(TokenID::NotAction) |
dex(TokenID::Resource) | dex(TokenID::NotResource) |
dex(TokenID::Condition) | dex(TokenID::AWS) |
dex(TokenID::Federated) | dex(TokenID::Service) |
dex(TokenID::CanonicalUser))) {
v &= ~dex(in);
}
}
void reset(std::initializer_list<TokenID> l) {
for (auto in : l) {
seen &= ~dex(in);
if (in == TokenID::Sid || in == TokenID::Effect || in == TokenID::Principal || in == TokenID::NotPrincipal ||
in == TokenID::Action || in == TokenID::NotAction || in == TokenID::Resource || in == TokenID::NotResource ||
in == TokenID::Condition || in == TokenID::AWS || in == TokenID::Federated || in == TokenID::Service ||
in == TokenID::CanonicalUser) {
v.erase(in);
if (dex(in) & (dex(TokenID::Sid) | dex(TokenID::Effect) |
dex(TokenID::Principal) | dex(TokenID::NotPrincipal) |
dex(TokenID::Action) | dex(TokenID::NotAction) |
dex(TokenID::Resource) | dex(TokenID::NotResource) |
dex(TokenID::Condition) | dex(TokenID::AWS) |
dex(TokenID::Federated) | dex(TokenID::Service) |
dex(TokenID::CanonicalUser))) {
v &= ~dex(in);
}
}
}
void reset(std::set<TokenID> v) {
for (auto in : v) {
seen &= ~dex(in);
v.erase(in);
}
void reset(uint32_t& v) {
seen &= ~v;
v = 0;
}
PolicyParser(CephContext* cct, const string& tenant, Policy& policy)
@ -688,9 +698,11 @@ bool ParseState::key(const char* s, size_t l) {
if (!k) {
if (w->kind == TokenKind::cond_op) {
auto id = w->id;
auto& t = pp->policy.statements.back();
auto c_ife = cond_ifexists;
pp->s.emplace_back(pp, cond_key);
t.conditions.emplace_back(w->id, s, l, cond_ifexists);
t.conditions.emplace_back(id, s, l, c_ife);
return true;
} else {
return false;