SMBFS stack overflow?
Ryan Murray
rmurray at cyberhqz.com
Thu May 20 13:40:38 GMT 1999
Sorry about the previous message...
Note that the maintainer listed in MAINTAINERS is no longer active, so
perhaps it should be updated?
I've found a problem with SMBFS and *really* long pathnames. It causes
the kernel to OOPS, and sometimes corrupts the kernel stack. I've even had
it corrupt the SLAB allocator so bad that no binary could be run :)
REPORTING-BUGS format answers, let me know if there is anything else you
would like to know:
1. SMBFS OOPS on really long pathnames
2. Here's my test setup:
2.2.9 stock SMP kernel on a UP system. SMBFS is in the kernel. Using
samba 2.0.2's smbmount.
2.0.36 stock SMP kernel on an SMP system. Samba 1.9.18p8 server.
Exporting a root share. The share contains a recursive directory
structure:
/etc: inet -> .
There is also an *empty* fs directory in /etc
To reproduce the OOPS, simply cd to /etc/inet/inet/inet.. (as far as you
can go until directory not found is returned), then into fs.
samba's chopping of directory names is incorrect in the version of the
server that is running, and will show an fs directory inside the fs
directory. Continue to traverse the fs directories until the kernel
on the client OOPSes.
One can argue that the version of samba on the server is the problem --
it should be better behaved; however, I think this error would occur on
a legitimate directory, if the path structure was long enough (NT can
have a 65535 character path).
While running this the server samba reports the following style of error
message:
ERROR: string overflow by 33677 in safe_strcpy [\etc\inet\inet\inet\inet\inet\inet\inet\inet\inet\]
ERROR: string overflow by 1 in safe_strcat [/etc/inet/inet/inet/inet/inet/inet/inet/inet/inet/]
This is repeated several times, with the value of the first string
overflow increasing on each iteration into a new fs directory.
The client SMBFS reports the following error message:
May 17 00:03:42 core kernel: smb_setup_header: Aieee, xmit len > packet! len=34780, size=4096
Again, this is repeated with the value getting larger the farther we traverse
down the dir structure.
3. SMBFS, kernel, samba, OOPS
4. client: Linux version 2.2.9 (root at straylight) (gcc version 2.7.2.3) #1 SMP Fri May 14 06:46:55 PDT 1999
server: Linux version 2.0.36 (root at straylight) (gcc version 2.7.2.3) #1 Sun Dec 20 20:35:25 PST 1998
client is uni-processor 486-33, server is dual-processor P 233
5.
May 17 00:03:42 core kernel: Unable to handle kernel paging request at virtual address c1f5ffe0
May 17 00:03:42 core kernel: current->tss.cr3 = 013eb000, %cr3 = 013eb000
May 17 00:03:42 core kernel: *pde = 00000000
May 17 00:03:42 core kernel: Oops: 0000
May 17 00:03:43 core kernel: CPU: 0
May 17 00:03:43 core kernel: EIP: 0010:[put_cached_page+25/100]
May 17 00:03:43 core kernel: EFLAGS: 00010217
May 17 00:03:43 core kernel: eax: 00380ff9 ebx: c1f5ffc8 ecx: 00000000 edx: c0358000
May 17 00:03:43 core kernel: esi: 00000000 edi: c0de9000 ebp: 00000001 esp: c13dde60
May 17 00:03:43 core kernel: ds: 0018 es: 0018 ss: 0018
May 17 00:03:43 core kernel: Process bash (pid: 75, process nr: 5, stackpage=c13dd000)
May 17 00:03:43 core kernel: Stack: 73665c73 0000878f 00000002 c0de9000 c01769e3 c0de9000 c0bec790 c01756a3
May 17 00:03:43 core kernel: c0de9000 c12f9644 c0de380c c0cf9c00 c02b14cc c0de9000 00000002 c0de9000
May 17 00:03:43 core kernel: c0cf9c00 c0306ee4 c0349b78 c01b7bfa c0009380 c13ddec0 00000000 00000000
May 17 00:03:43 core kernel: Call Trace: [smb_init_dircache+11/28] [smb_proc_readdir_long+183/968]
[start_next_request+78/96] [ide_intr+228/240] [smb_proc_readdir+35/60] [smb_refill_dircache+31/100]
[smb_readdir+81/384]
May 17 00:03:43 core kernel: [smb_dir_open+67/80] [sys_getdents+245/352] [filldir+0/132]
[smb_readdir+0/384] [system_call+52/64]
May 17 00:03:43 core kernel: Code: 8b 43 18 a8 01 75 0d 68 a9 0f 26 c0 e8 12 49 ff ff 83 c4 04
6. Run updatedb across the network with a recursive link, or manually cd through each directory.
7. See 2. for the test environment
7.1
server:
-- Versions installed: (if some fields are empty or looks
-- unusual then possibly you have very old versions)
Linux straylight 2.0.36 #1 Sun Dec 20 20:35:25 PST 1998 i586 unknown
Kernel modules 2.1.34
Gnu C 2.7.2.3
Binutils 2.8.1.0.23
Linux C Library 5.4.46
Dynamic linker ldd: version 1.9.9
Linux C++ Library 27.2.8
Linux C++ Library 27.2.8
Procps 2.0.0
Mount 2.8
Net-tools 1.45
Kbd 0.89
Sh-utils 1.16
Modules Loaded ppa ip_masq_ftp
client:
-- Versions installed: (if some fields are empty or looks
-- unusual then possibly you have very old versions)
Linux core 2.2.9 #1 SMP Fri May 14 06:46:55 PDT 1999 i486 unknown
Kernel modules 2.1.85
Gnu C egcs-2.90.29 980515 (egcs-1.0.3 release)
Binutils 2.8.1.0.23
Linux C Library 5.4.44
Dynamic linker ldd: version 1.9.9
Linux C++ Library 2.8.
Procps 2.0.0
Mount 2.7l
Net-tools 1.51
Kbd 0.94
Sh-utils 1.16
Modules Loaded
7.2
server:
processor : 0
cpu : 586
model : Pentium MMX
vendor_id : GenuineIntel
stepping : 3
fdiv_bug : no
hlt_bug : no
f00f_bug : yes
fpu : yes
fpu_exception : yes
cpuid : yes
wp : yes
flags : fpu vme de pse tsc msr mce cx8 apic mmx
bogomips : 463.67
processor : 1
cpu : 586
model : Pentium MMX
vendor_id : GenuineIntel
stepping : 3
fdiv_bug : no
hlt_bug : no
f00f_bug : yes
fpu : yes
fpu_exception : yes
cpuid : yes
wp : yes
flags : fpu vme de pse tsc msr mce cx8 apic mmx
bogomips : 465.31
client:
processor : 0
vendor_id : unknown
cpu family : 4
model : 0
model name : unknown
stepping : unknown
fdiv_bug : no
hlt_bug : no
sep_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : -1
wp : yes
flags :
bogomips : 16.54
7.3
server:
ppa 3 0
ip_masq_ftp 1 0
client: N/A
7.4
server:
Attached devices:
Host: scsi1 Channel: 00 Id: 06 Lun: 00
Vendor: IOMEGA Model: ZIP 100 Rev: D.17
Type: Direct-Access ANSI SCSI revision: 02
client:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
Vendor: FUJITSU Model: M2654S-512 Rev: 010P
Type: Direct-Access ANSI SCSI revision: 02
--
Ryan Murray (rmurray at cyberhqz.com, rmurray at glenayre.com)
Engineering Technologist, Glenayre Technologies Inc.
The opinions expressed here are my own.
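Added illustration, not code from the report above nor from the smbfs or Samba sources: a bounded path append that refuses to grow a path past a fixed buffer and reports by how much it would have overflowed, in the spirit of the server-side safe_strcpy/safe_strcat messages quoted in the report, instead of writing past the end. The 4096-byte buffer is taken from the client's "size=4096" log line, and the walk mimics the /etc: inet -> . self-link; the function names, the exact buffer layout and the return convention are assumptions for the example.

```c
/* Added example (assumed names and layout; not smbfs or Samba code):
 * a bounded path-join that fails closed instead of overflowing a fixed
 * 4096-byte buffer, and a walk down a self-referencing directory link
 * that stops at the first component which no longer fits. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PATH_BUF 4096   /* assumed fixed packet/path buffer, from "size=4096" */

/* Append "/" + comp to path (a NUL-terminated buffer of cap bytes).
 * Returns 0 on success. On overflow it returns the number of bytes by which
 * the result would exceed cap-1 (the usable length) and leaves path untouched,
 * which is the "string overflow by N" figure the server messages report. */
size_t path_append(char *path, size_t cap, const char *comp)
{
    size_t cur = strlen(path);
    size_t need = cur + 1 + strlen(comp);   /* "/" + component */
    if (need > cap - 1)
        return need - (cap - 1);            /* overflow amount, buffer unchanged */
    path[cur] = '/';
    memcpy(path + cur + 1, comp, strlen(comp) + 1);
    return 0;
}

/* Follow a self-referencing link `comp` up to `depth` times starting from
 * `root`, stopping at the first component that would not fit in PATH_BUF.
 * Returns the number of components appended successfully and stores the
 * overflow amount of the failing append (0 if none) in *overflow. */
int walk_recursive_link(const char *root, const char *comp, int depth, size_t *overflow)
{
    char path[PATH_BUF];
    int i;
    *overflow = 0;
    snprintf(path, sizeof path, "%s", root);
    for (i = 0; i < depth; i++) {
        size_t over = path_append(path, sizeof path, comp);
        if (over) {
            *overflow = over;
            break;
        }
    }
    return i;
}

int main(void)
{
    size_t over;
    /* constructed input: the report's /etc with an inet -> . link */
    int reached = walk_recursive_link("/etc", "inet", 10000, &over);
    printf("stopped after %d components, overflow by %zu bytes\n", reached, over);
    return 0;
}
```

With "/etc" plus five bytes per "/inet" component, 818 components fit in the 4096-byte buffer and the 819th is refused with an overflow of 4 bytes; the point is that the bounds check runs before the copy, so a deep or recursive path produces an error return rather than a corrupted stack.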