Samba 3.0 / 3.2 heap overflow on AIX?
yaberger at ca.ibm.com
Thu May 1 19:50:57 GMT 2008
Hi,
I'm trying to find a possible heap overflow which first seemed to be in
AIX 5.3 with Samba (3.0 or 3.2).
With AIX support, we've been able to use some debugging utilities (debug
libc, etc.) on AIX, which led the support team to think the problem might
be in Samba code.
Actually, without any modification to the Samba code and using a local (AIX)
userid, Samba is working #1.
But when I add a few lines to allow AIX authentication using the LAM
(Loadable Authentication Module) and authenticate with a DCE userid
belonging to more than 32 groups, it coredumps.
The same patch/tests work #1 without this problem on AIX 5.2, btw.
Before telling me that the problem might come from my patch, the DCE
client or AIX, please take the time to read what's below.
With this scenario, Samba was coredumping when I was doing the
connection/authentication from a Windows workstation with the DCE userid
(belonging to more than 32 DCE groups). By looking at the stack/traces of the
core file, it pointed me to the fact that it was coredumping in initgroups(),
which is an OS syscall. By replacing the AIX syscall with the rep_initgroups()
you're providing for systems without an initgroups() implementation, I'm
able to authenticate with this user correctly (no coredump).
I've opened a PMR (Problem Management Request) to the AIX team because I
thought the overflow was in initgroups() or a subroutine called by it
which wasn't in debug mode. After some collaboration with them, we've
ended up with the following 2 tests that lead us to think the heap overflow
might be in Samba and possibly in rbtree.c (explanation in the tests below).
It might be possible that you guys are doing some intentional overflow
while managing memory, like a Java JRE would do, and this would explain why
it coredumps that fast when
We're using 2 environment variables to track the overflow: MALLOCDEBUG and
MALLOCTYPE. With MALLOCDEBUG, we can set the parameter "align", which is a
value in bytes (0, 1, 2, 4, 8, maybe more) of what is permitted to "overflow".
By setting its value to 0, we expect Samba to coredump as soon as an
overflow occurs and not further in the code (like it was happening before
setting the 2 env. vars, i.e. coredumping in initgroups()).
So here are the 2 tests I've made:
Download the latest 3_2_stable branch (I can also reproduce with 3.0.28a
if you want). Do not apply my patch or any modification to the code.
Compile it once with the CFLAGS I'm usually using (test 1) and once
with the default CFLAGS (test 2).
Install, set the MALLOCDEBUG and MALLOCTYPE env. variables and start samba.
It coredumps; I gather the stack from the core.
I'm trying to discuss it with William Jojo (because I know he's used to
the AIX platform from my past experience) but he's currently in his
finals and I don't want to disturb him too much.
So if any developer understands my problem/explanations/tests and
would like to comment on them or suggest something (test, modification, etc.),
I would gratefully accept.
I still have my workaround in my pocket, which is to force the use of
rep_initgroups(), but I think it would be great to find and correct the
real problem if there is one.
root at aix53tst ==> rsync -avzP --delete samba.org::ftp/unpacked/samba_3_2_stable .
# the update date/time for this branch is Apr 28 04:05
root at aix53tst ==> cd samba_3_2_stable/source
root at aix53tst ==> ./configure
# modifying the CFLAGS in the Makefile
# was: CFLAGS= -O -D_SAMBA_BUILD_=3 -D_LINUX_SOURCE_COMPAT -qmaxmem=32000
# now: CFLAGS= -g -O3 -qstrict -D_SAMBA_BUILD_=3 -D_LINUX_SOURCE_COMPAT -qmaxmem=-1 -bmaxdata:0x80000000
root at aix53tst ==> make
root at aix53tst ==> make install
# Ok, here is the first test
root at aix53tst ==> export MALLOCTYPE=debug
root at aix53tst ==> export MALLOCDEBUG=align:0,catch_overflow,postfree_checking
root at aix53tst ==> /usr/local/samba/sbin/smbd -D -s/usr/local/samba/lib/smb.conf
IOT/Abort trap(coredump)
root at aix53tst ==> dbx -d 100 /usr/local/samba/sbin/smbd
(dbx) where
raise.raise(sig = 6), line 78 in "raise.c"
abort.abort(), line 94 in "abort.c"
dump_core(), line 212 in "fault.c"
smb_panic(why = "===============================================================\n"), line 1635 in "util.c"
fault_report(sig = -800942328), line 46 in "fault.c"
rb_insert_color at AF14_5(??, ??), line 152 in "rbtree.c"
db_rbt_store(rec = 0x30e57ff4, data = (...), flag = 0), line 183 in "dbwrap_rbt.c"
dbwrap_store_bystring(db = 0x30019720, key = "/\362$\320"$B$^P^B^\81^F/\357", data = (...), flags = 805410592), line 193 in "dbwrap.c"
hash_a_service(name = "tempdisk", idx = 3), line 5801 in "loadparm.c"
add_a_service(pservice = 0x1006aa70, name = "0\312\242'0\312\247}"), line 5749 in "loadparm.c"
loadparm.do_section(pszSectionName = warning: Unable to access address 0x6b from core (invalid char ptr (0x0000006b)), userdata = 0x30023ff8), line 7353 in "loadparm.c"
Section(buf = 0x2ff22640, InFile = 0x00000100, sfunc = 0x2ff22600, userdata = 0x2945164c), line 301 in "params.c"
Parse(buf = (nil), InFile = 0x00001dd8, sfunc = 0x2ff22680, pfunc = 0x00000050, userdata = 0x100238c4), line 486 in "params.c"
pm_process(FileName = "\200A", sfunc = (nil), pfunc = 0x2ff226e0, userdata = 0x302233c8), line 577 in "params.c"
lp_load_ex(pszFname = warning: Unable to access address 0x1a4 from core (invalid char ptr (0x000001a4)), global_only = @0x00000000, save_defaults = @0x2ff22ab4, add_ipc = @0x00000000, initialize_globals = @0x30bbafe2, allow_include_registry = @0x00000000), line 8702 in "loadparm.c"
lp_load(pszFname = "Tc^F>\201\201", global_only = @0x00000000, save_defaults = @0x30212048, add_ipc = @0x302233c8, initialize_globals = @0x00000000), line 8780 in "loadparm.c"
reload_services(test = @0x30000718), line 846 in "server.c"
main(argc = 3, argv = 0x300006e0), line 1233 in "server.c"
# Last subroutine before the fault_report/smb_panic was in rbtree.c !!!
# Ok, I'll recompile, but this time without using any additional CFLAGS except "-g"
# CFLAGS= -g -O -D_SAMBA_BUILD_=3 -D_LINUX_SOURCE_COMPAT -qmaxmem=32000
root at aix53tst ==> export MALLOCTYPE=
root at aix53tst ==> export MALLOCDEBUG=
root at aix53tst ==> make clean
root at aix53tst ==> make
root at aix53tst ==> make install
root at aix53tst ==> export MALLOCTYPE=debug
root at aix53tst ==> export MALLOCDEBUG=align:0,catch_overflow,postfree_checking
root at aix53tst ==> /usr/local/samba/sbin/smbd -D -s/usr/local/samba/lib/smb.conf
IOT/Abort trap(coredump)
root at aix53tst ==> dbx -d 100 /usr/local/samba/sbin/smbd
(dbx) where
raise.raise(sig = 6), line 78 in "raise.c"
abort.abort(), line 94 in "abort.c"
dump_core(), line 212 in "fault.c"
smb_panic(why = "===============================================================\n"), line 1635 in "util.c"
fault_report(sig = -800942328), line 46 in "fault.c"
rb_insert_color at AF14_5(??, ??), line 152 in "rbtree.c"
db_rbt_store(rec = 0x20e57ff4, data = (...), flag = 0), line 183 in "dbwrap_rbt.c"
dbwrap_store_bystring(db = 0x20019720, key = "/\362$\240"$B$^P^B^\8!^F/\357", data = (...), flags = 536975136), line 193 in "dbwrap.c"
hash_a_service(name = "tempdisk", idx = 3), line 5801 in "loadparm.c"
add_a_service(pservice = 0x1006aa70, name = " \312\242' \312\247}"), line 5749 in "loadparm.c"
loadparm.do_section(pszSectionName = warning: Unable to access address 0x6b from core (invalid char ptr (0x0000006b)), userdata = 0x20023ff8), line 7353 in "loadparm.c"
Section(buf = 0x2ff22610, InFile = 0x00000100, sfunc = 0x2ff225d0, userdata = 0x31a4e5e3), line 301 in "params.c"
Parse(buf = (nil), InFile = 0x00001dd8, sfunc = 0x2ff22650, pfunc = 0x00000050, userdata = 0x100238c4), line 486 in "params.c"
pm_process(FileName = "\200A", sfunc = (nil), pfunc = 0x2ff226b0, userdata = 0x202233c0), line 577 in "params.c"
lp_load_ex(pszFname = warning: Unable to access address 0x1a4 from core (invalid char ptr (0x000001a4)), global_only = @0x00000000, save_defaults = @0x2ff22a8c, add_ipc = @0x00000000, initialize_globals = @0x20bbafe2, allow_include_registry = @0x00000000), line 8702 in "loadparm.c"
lp_load(pszFname = "Tc^F>\201\201", global_only = @0x00000000, save_defaults = @0x20212040, add_ipc = @0x202233c0, initialize_globals = @0x00000000), line 8780 in "loadparm.c"
reload_services(test = @0x20000718), line 846 in "server.c"
main(argc = 3, argv = 0x200006e0), line 1233 in "server.c"
# Last subroutine before the fault_report/smb_panic was in rbtree.c again!!!
Yannick Bergeron
yaberger at ca.ibm.com
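The post's key technique is the MALLOCDEBUG "align:0,catch_overflow" setting: with no slack after the requested size, the first byte written past an allocation is caught at the write itself, instead of surfacing later wherever the corrupted heap is next used (here, initgroups() or rb_insert_color()). The following C program is an added example, not code from the poster, Samba or AIX; it emulates that behaviour with a toy guard-byte allocator. The "align" parameter reproduces the padding effect (a small overflow hides in the alignment slack, so only align:0 exposes an off-by-one), but unlike the real AIX debug allocator, which uses a guard page and traps at the moment of the write, this emulation only notices the damage when dbg_check() is called. All function names and the buffer sizes are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy guard-byte allocator (constructed example, not AIX libc or Samba code).
 * Layout of one allocation: [dbg_hdr][n user bytes][slack][GUARD_LEN guard bytes]
 * "slack" emulates MALLOCDEBUG align:N, the bytes past the request that a
 * write may clobber without being noticed.
 */
#define GUARD_BYTE 0xA5
#define GUARD_LEN  16

struct dbg_hdr {
    size_t req;    /* bytes the caller asked for */
    size_t slack;  /* padding granted by the "align" setting */
};

static void *dbg_malloc(size_t n, size_t align)
{
    size_t slack = align ? (align - (n % align)) % align : 0;
    struct dbg_hdr *h = malloc(sizeof *h + n + slack + GUARD_LEN);
    if (h == NULL)
        return NULL;
    h->req = n;
    h->slack = slack;
    unsigned char *user = (unsigned char *)(h + 1);
    memset(user + n + slack, GUARD_BYTE, GUARD_LEN);  /* arm the guard */
    return user;
}

/* Number of clobbered guard bytes; 0 means no write reached the guard. */
static size_t dbg_check(const void *p)
{
    const struct dbg_hdr *h = (const struct dbg_hdr *)p - 1;
    const unsigned char *g = (const unsigned char *)p + h->req + h->slack;
    size_t bad = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (g[i] != GUARD_BYTE)
            bad++;
    return bad;
}

static void dbg_free(void *p)
{
    free((struct dbg_hdr *)p - 1);
}

/*
 * Allocate `cap` bytes and write `len` bytes into them: an off-by-N heap
 * overflow whenever len > cap. Returns 1 if the guard caught it, 0 if the
 * write stayed inside request plus alignment slack (undetected, which is
 * what a non-zero "align" permits and "align:0" does not), -1 on OOM.
 */
int overflow_detected(size_t cap, size_t len, size_t align)
{
    if (len > cap + GUARD_LEN)      /* keep the demonstration inside the guard */
        len = cap + GUARD_LEN;
    unsigned char *buf = dbg_malloc(cap, align);
    if (buf == NULL)
        return -1;
    memset(buf, 'x', len);          /* the overflowing write */
    int caught = dbg_check(buf) != 0;
    dbg_free(buf);
    return caught;
}

int main(void)
{
    printf("align 8, 10-byte buffer, 11-byte write: detected=%d\n",
           overflow_detected(10, 11, 8));
    printf("align 0, 10-byte buffer, 11-byte write: detected=%d\n",
           overflow_detected(10, 11, 0));
    return 0;
}
```

The point to take from the two runs in the block is the one the post relies on: with eight bytes of slack a one-byte overrun is silently absorbed and the process continues until some unrelated code trips over the damage, whereas with zero slack the overrun is reported against the allocation that was actually overwritten, which is why the stack now stops in rbtree.c rather than in initgroups().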