[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Sat Jan 13 02:02:02 UTC 2018


The branch, master has been updated
       via  3297f4c Mark wbinfo test flapping
       via  6b09ab2 Mark whoami test flapping
       via  23ec73e Mark rfc2307 test flapping
       via  bf19b6c ldb: version 1.3.1
       via  6dd0a8c tevent: version 0.9.35
       via  efe317c talloc: version 2.1.11
       via  0623097 talloc: Do not disclose the random talloc magic in free()'ed memory
       via  e2497b2 talloc: Add tests to require use-after-free to give the correct talloc_abort() string
       via  00ee9da talloc: Remove talloc_abort_magic()
      from  4519134 s3:tests: Fix test_net_tdb.sh with system tdb-tools

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3297f4c9bfeb8c9f20829c6a096ea1cebf3772c4
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jan 12 14:39:49 2018 +1300

    Mark wbinfo test flapping
    
    please fix and revert
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Sat Jan 13 03:01:10 CET 2018 on sn-devel-144

commit 6b09ab2139751637dc773f6ef7fb7f0dd99605e0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jan 12 14:39:28 2018 +1300

    Mark whoami test flapping
    
    please fix and revert!
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 23ec73e0e04975c93863b6f37617cef9b99306ef
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Fri Jan 12 14:38:45 2018 +1300

    Mark rfc2307 test flapping
    
    Please fix and revert
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bf19b6ccdcd66dfafcc60d290878550f835316eb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jan 10 23:43:05 2018 +0100

    ldb: version 1.3.1
    
    * Intersect the index from SCOPE_ONELEVEL with the index for the search expression
      (bug #13191)
    * smaller/greater comparison tests
    * Show the last successful DN when failing to parse LDIF
    * ldb_index: Add an attribute flag to require a unique value.
    * silence some clang warnings in picky developer mode
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6dd0a8c1a67922d1f893d5ef500861ec5e7c5a36
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 12 15:08:14 2018 +0100

    tevent: version 0.9.35
    
    * Minor cleanup. wakeup_fd can always be gotten from the event context.
    * Use smb_set_close_on_exec() in example code.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit efe317c59204af076bb500ad904d2a5f6a961509
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jan 12 07:45:09 2018 +0100

    talloc: version 2.1.11
    
    * disable-python - fix talloc wscript if bundling disabled
    * Do not disclose the random talloc magic in free()'ed memory
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 062309755888349afaa05dff7ac48ea8867110e0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 8 17:34:31 2018 +1300

    talloc: Do not disclose the random talloc magic in free()'ed memory
    
    This may help us avoid exploits via memory read attacks on Samba by
    ensuring that, if the read is on an invalid chunk, the talloc magic
    disclosed there is not useful to create a valid chunk and so set a
    destructor.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13211
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit e2497b26b2ec8a9ae4401d0380431c897959c627
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jan 12 11:17:09 2018 +1300

    talloc: Add tests to require use-after-free to give the correct talloc_abort() string
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

commit 00ee9da50b289a68621f2af755d4283fe6cb3bc7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 8 17:29:19 2018 +1300

    talloc: Remove talloc_abort_magic()
    
    The check required for talloc_abort_magic() prevents the 'access after free error'
    from being printed.
    
    It is also no longer possible to determine the difference between invalid memory
    and a talloc version mismatch as the magic is now random on many platforms.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13210
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs}     |   0
 ...yldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} |   0
 ...-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} |   0
 lib/ldb/wscript                                    |   2 +-
 ...-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} |   0
 ...3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} |   0
 .../ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} |   0
 lib/talloc/talloc.c                                | 128 ++++++++++++++-------
 lib/talloc/testsuite.c                             |  68 +++++++++++
 lib/talloc/wscript                                 |   2 +-
 .../ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} |   0
 lib/tevent/wscript                                 |   2 +-
 selftest/flapping.d/rfc2307                        |   1 +
 selftest/flapping.d/wbinfo                         |   1 +
 selftest/flapping.d/whoami                         |   1 +
 15 files changed, 162 insertions(+), 43 deletions(-)
 copy lib/ldb/ABI/{ldb-1.3.0.sigs => ldb-1.3.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util-1.3.1.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util-1.1.10.sigs => pyldb-util.py3-1.3.1.sigs} (100%)
 copy lib/talloc/ABI/{pytalloc-util-2.1.10.sigs => pytalloc-util-2.1.11.sigs} (100%)
 copy lib/talloc/ABI/{pytalloc-util.py3-2.1.10.sigs => pytalloc-util.py3-2.1.11.sigs} (100%)
 copy lib/talloc/ABI/{talloc-2.1.10.sigs => talloc-2.1.11.sigs} (100%)
 copy lib/tevent/ABI/{tevent-0.9.31.sigs => tevent-0.9.35.sigs} (100%)
 create mode 100644 selftest/flapping.d/rfc2307
 create mode 100644 selftest/flapping.d/wbinfo
 create mode 100644 selftest/flapping.d/whoami


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-1.3.0.sigs b/lib/ldb/ABI/ldb-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.0.sigs
copy to lib/ldb/ABI/ldb-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-1.1.10.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-1.1.10.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs
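Review bot: the new lib/ldb/ABI/pyldb-util.py3-1.3.1.sigs is recorded as a 100% copy of pyldb-util-1.1.10.sigs, the non-py3 signature file, rather than of an earlier py3 sigs file, and pyldb-util jumps from 1.1.10 to 1.3.1 while ldb itself only moves from 1.3.0 to 1.3.1. If the intent is to align the pyldb-util version with ldb from this release on, the "ldb: version 1.3.1" commit message should say so; otherwise please double-check that the intended source files were copied.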
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 0b8ba26..8ae5be3 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.3.0'
+VERSION = '1.3.1'
 
 blddir = 'bin'
 
diff --git a/lib/talloc/ABI/pytalloc-util-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util-2.1.11.sigs
diff --git a/lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs b/lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/pytalloc-util.py3-2.1.10.sigs
copy to lib/talloc/ABI/pytalloc-util.py3-2.1.11.sigs
diff --git a/lib/talloc/ABI/talloc-2.1.10.sigs b/lib/talloc/ABI/talloc-2.1.11.sigs
similarity index 100%
copy from lib/talloc/ABI/talloc-2.1.10.sigs
copy to lib/talloc/ABI/talloc-2.1.11.sigs
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index 7721fa4..cd159ef 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -75,12 +75,13 @@
 #define TALLOC_MAGIC_REFERENCE ((const char *)1)
 
 #define TALLOC_MAGIC_BASE 0xe814ec70
-static unsigned int talloc_magic = (
-	~TALLOC_FLAG_MASK & (
-		TALLOC_MAGIC_BASE +
-		(TALLOC_BUILD_VERSION_MAJOR << 24) +
-		(TALLOC_BUILD_VERSION_MINOR << 16) +
-		(TALLOC_BUILD_VERSION_RELEASE << 8)));
+#define TALLOC_MAGIC_NON_RANDOM ( \
+	~TALLOC_FLAG_MASK & ( \
+		TALLOC_MAGIC_BASE + \
+		(TALLOC_BUILD_VERSION_MAJOR << 24) + \
+		(TALLOC_BUILD_VERSION_MINOR << 16) + \
+		(TALLOC_BUILD_VERSION_RELEASE << 8)))
+static unsigned int talloc_magic = TALLOC_MAGIC_NON_RANDOM;
 
 /* by default we abort when given a bad pointer (such as when talloc_free() is called
    on a pointer that came from malloc() */
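Review bot: TALLOC_MAGIC_NON_RANDOM is still derived from TALLOC_MAGIC_BASE and the build version numbers, so it is a well-known, version-dependent constant, not a secret. That is fine for its new purpose (stamping freed chunks so the runtime talloc_magic is not left lying in memory), but the macro deserves a one-line comment saying exactly that, and that `talloc_magic` merely starts at this value (the talloc_abort_magic() removal notes the magic is random on many platforms), so readers do not mistake the initialiser for the live magic.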
@@ -332,6 +333,48 @@ _PUBLIC_ int talloc_test_get_magic(void)
 	return talloc_magic;
 }
 
+static inline void _talloc_chunk_set_free(struct talloc_chunk *tc,
+			      const char *location)
+{
+	/*
+	 * Mark this memory as free, and also over-stamp the talloc
+	 * magic with the old-style magic.
+	 *
+	 * Why?  This tries to avoid a memory read use-after-free from
+	 * disclosing our talloc magic, which would then allow an
+	 * attacker to prepare a valid header and so run a destructor.
+	 *
+	 */
+	tc->flags = TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE
+		| (tc->flags & TALLOC_FLAG_MASK);
+
+	/* we mark the freed memory with where we called the free
+	 * from. This means on a double free error we can report where
+	 * the first free came from
+	 */
+	if (location) {
+		tc->name = location;
+	}
+}
+
+static inline void _talloc_chunk_set_not_free(struct talloc_chunk *tc)
+{
+	/*
+	 * Mark this memory as not free.
+	 *
+	 * Why? This is memory either in a pool (and so available for
+	 * talloc's re-use or after the realloc().  We need to mark
+	 * the memory as free() before any realloc() call as we can't
+	 * write to the memory after that.
+	 *
+	 * We put back the normal magic instead of the 'not random'
+	 * magic.
+	 */
+
+	tc->flags = talloc_magic |
+		((tc->flags & TALLOC_FLAG_MASK) & ~TALLOC_FLAG_FREE);
+}
+
 static void (*talloc_log_fn)(const char *message);
 
 _PUBLIC_ void talloc_set_log_fn(void (*log_fn)(const char *message))
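Review bot: the comment in _talloc_chunk_set_not_free has an unclosed parenthesis ("memory either in a pool (and so available for talloc's re-use or after the realloc()."); suggest "memory that is either in a pool (and so available for talloc's re-use) or has just been realloc()ed". The _talloc_chunk_set_free comment should also state that tc->name is left untouched when location is NULL, because the "first free may be at %s" diagnostic in talloc_chunk_from_ptr prints tc->name and will then show the chunk's original name rather than a free location. Behaviour-wise both helpers look right: the assignments keep every bit under TALLOC_FLAG_MASK, so TALLOC_FLAG_POOL and TALLOC_FLAG_POOLMEM survive for the checks the callers make afterwards.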
@@ -429,11 +472,6 @@ static void talloc_abort(const char *reason)
 	talloc_abort_fn(reason);
 }
 
-static void talloc_abort_magic(unsigned magic)
-{
-	talloc_abort("Bad talloc magic value - wrong talloc version used/mixed");
-}
-
 static void talloc_abort_access_after_free(void)
 {
 	talloc_abort("Bad talloc magic value - access after free");
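Review bot: with talloc_abort_magic() gone, a chunk whose magic matches a different talloc build now falls through to talloc_abort_unknown_value() in talloc_chunk_from_ptr. That is the trade-off the commit message describes, but the "wrong talloc version used/mixed" hint was useful when debugging mixed installations, so consider mentioning a version mismatch as a possible cause in the unknown-value abort message.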
@@ -450,19 +488,15 @@ static inline struct talloc_chunk *talloc_chunk_from_ptr(const void *ptr)
 	const char *pp = (const char *)ptr;
 	struct talloc_chunk *tc = discard_const_p(struct talloc_chunk, pp - TC_HDR_SIZE);
 	if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
-		if ((tc->flags & (~TALLOC_FLAG_MASK)) == talloc_magic) {
-			talloc_abort_magic(tc->flags & (~TALLOC_FLAG_MASK));
-			return NULL;
-		}
-
-		if (tc->flags & TALLOC_FLAG_FREE) {
+		if ((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK))
+		    == (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE)) {
 			talloc_log("talloc: access after free error - first free may be at %s\n", tc->name);
 			talloc_abort_access_after_free();
 			return NULL;
-		} else {
-			talloc_abort_unknown_value();
-			return NULL;
 		}
+
+		talloc_abort_unknown_value();
+		return NULL;
 	}
 	return tc;
 }
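Review bot: the new test compares the whole magic/flag word against (TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE), so "access after free" is now reported only for chunks freed by this code; a chunk with TALLOC_FLAG_FREE set but a different magic (freed by another talloc build, or corrupted) reports "unknown value" instead. That is intended, but a comment should say so, and should note that on builds where talloc_magic equals TALLOC_MAGIC_NON_RANDOM the check still cannot misfire, because the outer condition already excludes live chunks (their word equals talloc_magic with TALLOC_FLAG_FREE clear). The talloc_log() read of tc->name on a chunk already known to be freed predates this patch, but it remains the one place where the diagnostic itself touches freed memory, which is worth a comment.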
@@ -947,13 +981,7 @@ static inline void _tc_free_poolmem(struct talloc_chunk *tc,
 	pool_tc = talloc_chunk_from_pool(pool);
 	next_tc = tc_next_chunk(tc);
 
-	tc->flags |= TALLOC_FLAG_FREE;
-
-	/* we mark the freed memory with where we called the free
-	 * from. This means on a double free error we can report where
-	 * the first free came from
-	 */
-	tc->name = location;
+	_talloc_chunk_set_free(tc, location);
 
 	TC_INVALIDATE_FULL_CHUNK(tc);
 
@@ -1103,13 +1131,7 @@ static inline int _tc_free_internal(struct talloc_chunk *tc,
 
 	_tc_free_children_internal(tc, ptr, location);
 
-	tc->flags |= TALLOC_FLAG_FREE;
-
-	/* we mark the freed memory with where we called the free
-	 * from. This means on a double free error we can report where
-	 * the first free came from
-	 */
-	tc->name = location;
+	_talloc_chunk_set_free(tc, location);
 
 	if (tc->flags & TALLOC_FLAG_POOL) {
 		struct talloc_pool_hdr *pool;
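Review bot: this replaces `tc->flags |= TALLOC_FLAG_FREE` with a full assignment inside _talloc_chunk_set_free, so the `if (tc->flags & TALLOC_FLAG_POOL)` test that immediately follows now depends on the helper preserving every bit under TALLOC_FLAG_MASK. It does, but a short note at the call site (or in the helper's comment, stating that flag bits are preserved) would save the next reader from having to verify this.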
@@ -1806,8 +1828,22 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 	}
 #endif
 
-	/* by resetting magic we catch users of the old memory */
-	tc->flags |= TALLOC_FLAG_FREE;
+	/*
+	 * by resetting magic we catch users of the old memory
+	 *
+	 * We mark this memory as free, and also over-stamp the talloc
+	 * magic with the old-style magic.
+	 *
+	 * Why?  This tries to avoid a memory read use-after-free from
+	 * disclosing our talloc magic, which would then allow an
+	 * attacker to prepare a valid header and so run a destructor.
+	 *
+	 * What else?  We have to re-stamp back a valid normal magic
+	 * on this memory once realloc() is done, as it will have done
+	 * a memcpy() into the new valid memory.  We can't do this in
+	 * reverse as that would be a real use-after-free.
+	 */
+	_talloc_chunk_set_free(tc, NULL);
 
 #if ALWAYS_REALLOC
 	if (pool_hdr) {
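Review bot: passing NULL here leaves tc->name as the chunk's original name, so a later access through the stale pointer logs "first free may be at <name>" with the allocation's name string rather than a location. If no caller location is available on the realloc path, consider passing a fixed marker string naming _talloc_realloc, or say in the comment that the name field is deliberately left as is. The ordering argument in the comment is sound: the header has to be stamped before realloc() because the old block must not be written to afterwards.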
@@ -1906,7 +1942,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 
 		if (new_chunk_size == old_chunk_size) {
 			TC_UNDEFINE_GROW_CHUNK(tc, size);
-			tc->flags &= ~TALLOC_FLAG_FREE;
+			_talloc_chunk_set_not_free(tc);
 			tc->size = size;
 			return ptr;
 		}
@@ -1921,7 +1957,7 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 
 			if (space_left >= space_needed) {
 				TC_UNDEFINE_GROW_CHUNK(tc, size);
-				tc->flags &= ~TALLOC_FLAG_FREE;
+				_talloc_chunk_set_not_free(tc);
 				tc->size = size;
 				pool_hdr->end = tc_next_chunk(tc);
 				return ptr;
@@ -1951,12 +1987,24 @@ _PUBLIC_ void *_talloc_realloc(const void *context, void *ptr, size_t size, cons
 got_new_ptr:
 #endif
 	if (unlikely(!new_ptr)) {
-		tc->flags &= ~TALLOC_FLAG_FREE;
+		/*
+		 * Ok, this is a strange spot.  We have to put back
+		 * the old talloc_magic and any flags, except the
+		 * TALLOC_FLAG_FREE as this was not free'ed by the
+		 * realloc() call after all
+		 */
+		_talloc_chunk_set_not_free(tc);
 		return NULL;
 	}
 
+	/*
+	 * tc is now the new value from realloc(), the old memory we
+	 * can't access any more and was preemptively marked as
+	 * TALLOC_FLAG_FREE before the call.  Now we mark it as not
+	 * free again
+	 */
 	tc = (struct talloc_chunk *)new_ptr;
-	tc->flags &= ~TALLOC_FLAG_FREE;
+	_talloc_chunk_set_not_free(tc);
 	if (malloced) {
 		tc->flags &= ~TALLOC_FLAG_POOLMEM;
 	}
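Review bot: the comment above `tc = (struct talloc_chunk *)new_ptr;` ends with "Now we mark it as not free again", where "it" reads as the old memory; what is restamped is the copy produced by realloc(), whose header still carries TALLOC_MAGIC_NON_RANDOM | TALLOC_FLAG_FREE from the memcpy(). Suggest "Now we restore the live magic on the new copy". The failure branch is correct: on `!new_ptr` the original block is still valid, so _talloc_chunk_set_not_free(tc) puts back talloc_magic and clears TALLOC_FLAG_FREE while keeping the other flag bits.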
diff --git a/lib/talloc/testsuite.c b/lib/talloc/testsuite.c
index dfaeec1..35309e2 100644
--- a/lib/talloc/testsuite.c
+++ b/lib/talloc/testsuite.c
@@ -2006,6 +2006,72 @@ static bool test_magic_protection(void)
 	return true;
 }
 
+static void test_magic_free_protection_abort(const char *reason)
+{
+	/* exit with errcode 42 to communicate successful test to the parent process */
+	if (strcmp(reason, "Bad talloc magic value - access after free") == 0) {
+		_exit(42);
+	}
+	/* not 42 */
+	_exit(404);
+}
+
+static bool test_magic_free_protection(void)
+{
+	void *pool = talloc_pool(NULL, 1024);
+	int *p1, *p2, *p3;
+	pid_t pid;
+	int exit_status;
+
+	printf("test: magic_free_protection\n");
+	p1 = talloc(pool, int);
+	p2 = talloc(pool, int);
+
+	/* To avoid complaints from the compiler assign values to the p1 & p2. */
+	*p1 = 6;
+	*p2 = 9;
+
+	p3 = talloc_realloc(pool, p2, int, 2048);
+	torture_assert("pool realloc 2048",
+		       p3 != p2,
+		       "failed: pointer not changed");
+
+	/*
+	 * Now access the memory in the pool after the realloc().  It
+	 * should be marked as free, so use of the old pointer should
+	 * trigger the abort function
+	 */
+	pid = fork();
+	if (pid == 0) {
+		talloc_set_abort_fn(test_magic_free_protection_abort);
+
+		talloc_get_name(p2);
+
+		/* Never reached. Make compilers happy */
+		return true;
+	}
+
+	while (wait(&exit_status) != pid);
+
+	if (!WIFEXITED(exit_status)) {
+		printf("Child exited through unexpected abnormal means\n");
+		return false;
+	}
+	if (WEXITSTATUS(exit_status) != 42) {
+		printf("Child exited with wrong exit status\n");
+		return false;
+	}
+	if (WIFSIGNALED(exit_status)) {
+		printf("Child recieved unexpected signal\n");
+		return false;
+	}
+
+	talloc_free(pool);
+
+	printf("success: magic_free_protection\n");
+	return true;
+}
+
 static void test_reset(void)
 {
 	talloc_set_log_fn(test_log_stdout);
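Review bot: in test_magic_free_protection the `WIFSIGNALED(exit_status)` check is dead code, since the function has already returned false unless WIFEXITED() was true; move it ahead of the WIFEXITED test or drop it. Two more points: if the protection ever regresses, talloc_get_name(p2) returns normally and the child falls into `return true`, continuing the remaining tests in a second process and doubling the output, so an `_exit(404)` (or a call to test_magic_free_protection_abort with a dummy reason) after the talloc_get_name() call keeps the failure contained; and "recieved" in the signal message should be "received".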
@@ -2092,6 +2158,8 @@ bool torture_local_talloc(struct torture_context *tctx)
 	ret &= test_autofree();
 	test_reset();
 	ret &= test_magic_protection();
+	test_reset();
+	ret &= test_magic_free_protection();
 
 	test_reset();
 	talloc_disable_null_tracking();
diff --git a/lib/talloc/wscript b/lib/talloc/wscript
index ab74e72..0afa162 100644
--- a/lib/talloc/wscript
+++ b/lib/talloc/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'talloc'
-VERSION = '2.1.10'
+VERSION = '2.1.11'
 
 
 blddir = 'bin'
diff --git a/lib/tevent/ABI/tevent-0.9.31.sigs b/lib/tevent/ABI/tevent-0.9.35.sigs
similarity index 100%
copy from lib/tevent/ABI/tevent-0.9.31.sigs
copy to lib/tevent/ABI/tevent-0.9.35.sigs
diff --git a/lib/tevent/wscript b/lib/tevent/wscript
index 31f7ee7..2c67f1f 100644
--- a/lib/tevent/wscript
+++ b/lib/tevent/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'tevent'
-VERSION = '0.9.34'
+VERSION = '0.9.35'
 
 blddir = 'bin'
 
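Review bot: VERSION moves from 0.9.34 to 0.9.35, but the only ABI file added is a 100% copy of tevent-0.9.31.sigs. If 0.9.32 to 0.9.34 shipped without their own sigs files this is fine; otherwise the new file is stale relative to the last released ABI. Please confirm that tevent-0.9.31.sigs is the newest file in lib/tevent/ABI.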
diff --git a/selftest/flapping.d/rfc2307 b/selftest/flapping.d/rfc2307
new file mode 100644
index 0000000..2e37edc
--- /dev/null
+++ b/selftest/flapping.d/rfc2307
@@ -0,0 +1 @@
+^idmap.rfc2307.Testing for expected group memberships
diff --git a/selftest/flapping.d/wbinfo b/selftest/flapping.d/wbinfo
new file mode 100644
index 0000000..8ccf2cb
--- /dev/null
+++ b/selftest/flapping.d/wbinfo
@@ -0,0 +1 @@
+^samba.blackbox.wbinfo\(ad_member:local\).confirm
diff --git a/selftest/flapping.d/whoami b/selftest/flapping.d/whoami
new file mode 100644
index 0000000..82f6356
--- /dev/null
+++ b/selftest/flapping.d/whoami
@@ -0,0 +1 @@
+^samba3.unix.whoami machine account.whoami\(nt4_member:local\)


-- 
Samba Shared Repository


