[SCM] Samba Shared Repository - branch master updated

Tue Jun 2 13:03:07 MDT 2015

The branch, master has been updated
       via  9d797ff tevent: fix access after free in tevent_common_check_signal()
      from  60d95bb s4-torture: call clusapi_CreateResEnum for all cluster resources.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9d797ffb27bf4be100c900b0373f62b029679de3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 2 12:18:22 2015 +0200

    tevent: fix access after free in tevent_common_check_signal()
    
    This was reported by Pavel Březina <pbrezina at redhat.com>:
    
        We found a crash in SSSD when a tevent signal is freed in its handler, tevent
        than crashes when it access siginfo.
    
        sig_info is freed in signal destructor:
    
        > #ifdef SA_SIGINFO
        >         if (se->sa_flags & SA_SIGINFO) {
        >             if (sig_state->sig_info[se->signum]) {
        >                 talloc_free(sig_state->sig_info[se->signum]);
        >                 sig_state->sig_info[se->signum] = NULL;
        >             }
        >         }
        > #endif
    
        (gdb) bt
        #0  0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at
        ../tevent_signal.c:213
        #1  0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2
        #2  0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2
        #3  0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at
        src/providers/proxy/proxy_auth.c:436
        #4  0x00007f5d4d86b0c2 in _tevent_req_error (req=req at entry=0x7f5d5370f600,
        error=error at entry=5, location=location at entry=0x7f5d43433010
        "src/providers/proxy/proxy_auth.c:356")
            at ../tevent_req.c:167
        #5  0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>,
        sige=<optimized out>, signum=<optimized out>, count=<optimized out>,
        __siginfo=<optimized out>, pvt=<optimized out>)
            at src/providers/proxy/proxy_auth.c:356
        #6  0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at
        ../tevent_signal.c:428
        #7  0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490,
        epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647
        #8  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at
        ../tevent_epoll.c:926
        #9  0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670,
        location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114
        #10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev at entry=0x7f5d536de670,
        location=location at entry=0x7f5d50faedc3 "src/util/server.c:668") at
        ../tevent.c:530
        #11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670,
        location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634
        #12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670,
        location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140
        #13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at
        src/util/server.c:668
        #14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at
        src/providers/data_provider_be.c:2909
    
        But then it is accessed again in tevent_common_check_signal:
    
        > #ifdef SA_SIGINFO
        >         if (clear_processed_siginfo) {
        >             uint32_t j;
        >             for (j=0;j<count;j++) {
        >                 uint32_t ofs = (counter.seen + j)
        >                     % TEVENT_SA_INFO_QUEUE_COUNT;
        >                 memset((void*)&sig_state->sig_info[i][ofs],
        >                     '\0',
        >                     sizeof(siginfo_t));
        >             }
        >         }
        > #endif
    
        (gdb) bt
        #0  0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>,
        __dest=<optimized out>) at /usr/include/bits/string3.h:84
        #1  tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459
        #2  0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430,
        epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647
        #3  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at
        ../tevent_epoll.c:926
        #4  0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670,
        location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114
        #5  0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev at entry=0x7fd7bfddf670,
        location=location at entry=0x7fd7bdb417c3 "src/util/server.c:668") at
        ../tevent.c:530
        #6  0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670,
        location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634
        #7  0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670,
        location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140
        #8  0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at
        src/util/server.c:668
        #9  0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at
        src/providers/data_provider_be.c:2909
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Tue Jun  2 21:02:11 CEST 2015 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 lib/tevent/tevent_signal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/lib/tevent/tevent_signal.c b/lib/tevent/tevent_signal.c
index b54da2e..924dc05 100644
--- a/lib/tevent/tevent_signal.c
+++ b/lib/tevent/tevent_signal.c
@@ -457,7 +457,7 @@ int tevent_common_check_signal(struct tevent_context *ev)
 		}
 
 #ifdef SA_SIGINFO
-		if (clear_processed_siginfo) {
+		if (clear_processed_siginfo && sig_state->sig_info[i] != NULL) {
 			uint32_t j;
 			for (j=0;j<count;j++) {
 				uint32_t ofs = (counter.seen + j)


-- 
Samba Shared Repository
