[SCM] Samba Shared Repository - branch v4-18-test updated

Jule Anger janger at samba.org
Tue Jan 31 12:50:01 UTC 2023


The branch, v4-18-test has been updated
       via  af00a0df70a s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs
       via  f21236ac004 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
       via  6e6913bcac2 WHATSNEW: add acl_xattr:security_acl_name option
      from  8b97aca0dee WHATSNEW 4.18: mention samba-tool dsacl delete

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test


- Log -----------------------------------------------------------------
commit af00a0df70a591ef5890274ba700349abe9ec928
Author: Noel Power <noel.power at suse.com>
Date:   Wed Jan 25 17:03:07 2023 +0000

    s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs
    
    In a cluster setup, the samba-bgqd async callback
    cups_pcap_load_async can access a messaging_ctdb_fde_ev associated
    with an already destructed global_ctdb_ctx_destructor.
    
    ==26053== Invalid read of size 8
    ==26053==    at 0x71692E1: messaging_ctdb_fde_ev_destructor (messages_ctdb.c:181)
    ==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
    ==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
    ==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
    ==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
    ==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
    ==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
    ==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
    ==26053==    by 0x4056BCA: tevent_req_received (tevent_req.c:301)
    ==26053==    by 0x405673D: tevent_req_destructor (tevent_req.c:135)
    ==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
    ==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
    ==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
    ==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
    ==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
    ==26053==    by 0x1384EF: cups_pcap_load_async (print_cups.c:507)
    ==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
    ==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
    ==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
    ==26053==    by 0x122AD6: main (samba-bgqd.c:316)
    ==26053==  Address 0xed64d48 is 120 bytes inside a block of size 128 free'd
    ==26053==    at 0x4C370EB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==26053==    by 0x40B25E1: _tc_free_internal (talloc.c:1222)
    ==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
    ==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
    ==26053==    by 0x71691F6: messaging_ctdb_destroy (messages_ctdb.c:141)
    ==26053==    by 0x7169C21: msg_ctdb_ref_destructor (messages_ctdb_ref.c:142)
    ==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
    ==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
    ==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
    ==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
    ==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
    ==26053==    by 0x4157380: messaging_reinit (messages.c:646)
    ==26053==    by 0x416C01E: reinit_after_fork (util.c:488)
    ==26053==    by 0x13844C: cups_pcap_load_async (print_cups.c:498)
    ==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
    ==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
    ==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
    ==26053==    by 0x122AD6: main (samba-bgqd.c:316)
    ==26053==  Block was alloc'd at
    ==26053==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==26053==    by 0x40B1989: __talloc_with_prefix (talloc.c:783)
    ==26053==    by 0x40B1B23: __talloc (talloc.c:825)
    ==26053==    by 0x40B1ECC: _talloc_named_const (talloc.c:982)
    ==26053==    by 0x40B49C3: _talloc_zero (talloc.c:2421)
    ==26053==    by 0x7168E68: messaging_ctdb_init (messages_ctdb.c:93)
    ==26053==    by 0x716979D: messaging_ctdb_ref (messages_ctdb_ref.c:75)
    ==26053==    by 0x415702A: messaging_init_internal (messages.c:563)
    ==26053==    by 0x41572FD: messaging_init (messages.c:622)
    ==26053==    by 0x4163ED3: global_messaging_context (global_contexts.c:62)
    ==26053==    by 0x12273B: main (samba-bgqd.c:271)
    ==26053==
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15293
    
    Signed-off-by: Noel Power <npower at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7a880ef52dfc85ed2f674250b5baf5109f8d4691)
    
    Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-18-test): Tue Jan 31 12:49:50 UTC 2023 on atb-devel-224

commit f21236ac004b42f822214277c6f8be4c6450b13f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 16 18:24:16 2021 +0100

    s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e27084f5d8c3a151c5d0b266118f0d71b641dc85)

commit 6e6913bcac289649af4084682262ebf8a2240dd2
Author: Björn Baumbach <bb at sernet.de>
Date:   Thu Jan 19 14:52:04 2023 +0100

    WHATSNEW: add acl_xattr:security_acl_name option
    
    Signed-off-by: Björn Baumbach <bb at sernet.de>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                | 17 +++++++++++++++++
 source3/auth/auth_generic.c |  1 +
 source3/lib/messages_ctdb.c | 19 +++++++++++++++++++
 3 files changed, 37 insertions(+)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4aa903c2fec..46c9c5fadc1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -90,6 +90,22 @@ which forces the trust account password to be changed at a specified domain
 controller. If the specified domain controller cannot be contacted the
 password change fails rather than trying other DCs.
 
+New option to change the NT ACL default location
+------------------------------------------------
+
+Usually the NT ACLs are stored in the security.NTACL extended
+attribute (xattr) of files and directories. The new
+"acl_xattr:security_acl_name" option allows to redefine the default
+location. The default "security.NTACL" is a protected location, which
+means the content of the security.NTACL attribute is not accessible
+from normal users outside of Samba. When this option is set to use a
+user-defined value, e.g. user.NTACL then any user can potentially
+access and overwrite this information. The module prevents access to
+this xattr over SMB, but the xattr may still be accessed by other
+means (eg local access, SSH, NFS). This option must only be used when
+this consequence is clearly understood and when specific precautions
+are taken to avoid compromising the ACL content.
+
 
 REMOVED FEATURES
 ================
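Review bot: the added WHATSNEW paragraph requires that "specific precautions are taken" but never names one, so an administrator cannot tell what is expected before setting acl_xattr:security_acl_name to something like user.NTACL. Suggest stating the condition the text already implies, namely that no untrusted user can reach the files by the non-SMB routes it lists (local access, SSH, NFS), or pointing to the module's manual page for details. Wording: "allows to redefine" reads better as "allows redefining", "not accessible from normal users" as "not accessible to normal users", and "eg" should match the "e.g." used earlier in the same paragraph.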
@@ -100,6 +116,7 @@ smb.conf changes
 
   Parameter Name                          Description     Default
   --------------                          -----------     -------
+  acl_xattr:security_acl_name             New             security.NTACL
 
 
 KNOWN ISSUES
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index ff51307e43a..6c61eb4e827 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -143,6 +143,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 							  info->account_name,
 							  info->domain_name,
 							  info, &server_info);
+		wbcFreeMemory(info);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n",
 				   nt_errstr(status)));
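Review bot: wbcFreeMemory(info) now runs immediately after make_server_info_wbcAuthUserInfo(), which was just passed info->account_name, info->domain_name and info itself, so the free is correct only if that function copies what it needs into server_info and keeps no pointers into info; a one-line comment saying so would help the next reader. Placing the call before the NT_STATUS_IS_OK check covers both the success and the failure path, but info is left dangling for the rest of the block, so consider adding `info = NULL;` after it. The commit message carries only the bug URL; a sentence stating why the free is needed at this point would make the cherry-pick self-explanatory.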
diff --git a/source3/lib/messages_ctdb.c b/source3/lib/messages_ctdb.c
index 3e784bf7237..d55b53bf601 100644
--- a/source3/lib/messages_ctdb.c
+++ b/source3/lib/messages_ctdb.c
@@ -76,6 +76,21 @@ static int messaging_ctdb_recv(
 
 struct messaging_ctdb_context *global_ctdb_context;
 
+static int global_ctdb_ctx_destructor(struct messaging_ctdb_context *ctx)
+{
+	if (ctx != NULL) {
+		struct messaging_ctdb_fde_ev *fde_ev = NULL;
+		for (fde_ev = ctx->fde_evs;
+		     fde_ev != NULL;
+		     fde_ev = fde_ev->next) {
+			if (fde_ev->ctx == ctx) {
+				fde_ev->ctx = NULL;
+			}
+		}
+	}
+	return 0;
+}
+
 int messaging_ctdb_init(const char *sockname, int timeout, uint64_t unique_id,
 			void (*recv_cb)(struct tevent_context *ev,
 					const uint8_t *msg, size_t msg_len,
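Review bot: global_ctdb_ctx_destructor() sets fde_ev->ctx to NULL, but the two hunks for this file only add lines (19 insertions per the summary) and none of them touches messaging_ctdb_fde_ev_destructor(), the function the valgrind trace in the commit message shows doing the invalid read at messages_ctdb.c:181. The fix therefore holds only if that destructor already returns early when ctx is NULL, which the visible lines do not show; please confirm, and add a comment above the new function explaining that fde_ev structs can outlive ctx and that their destructor relies on the NULL. Smaller points: if every entry on ctx->fde_evs belongs to ctx, the `fde_ev->ctx == ctx` test can be dropped, otherwise a comment should say when it differs; and the `ctx != NULL` guard only adds a nesting level if the destructor is never invoked with a NULL pointer.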
@@ -94,6 +109,10 @@ int messaging_ctdb_init(const char *sockname, int timeout, uint64_t unique_id,
 	if (ctx == NULL) {
 		return ENOMEM;
 	}
+
+	talloc_set_destructor(ctx,
+			      global_ctdb_ctx_destructor);
+
 	ctx->recv_cb = recv_cb;
 	ctx->recv_cb_private_data = private_data;
 
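Review bot: talloc_set_destructor() is called before ctx->recv_cb and the rest of the context are set up, so global_ctdb_ctx_destructor() will also run if a later step of messaging_ctdb_init() fails and frees ctx. That is safe as long as ctx->fde_evs is NULL or a valid list at that point; the allocation is outside this hunk, though the _talloc_zero frame at messages_ctdb.c:93 in the commit message's trace suggests ctx is zero-initialised, and a short comment would make that dependency explicit. The name global_ctdb_ctx_destructor suggests it belongs to global_ctdb_context while it is attached to the local ctx here; a name such as messaging_ctdb_context_destructor would match the type it takes. The call also fits on one line.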


-- 
Samba Shared Repository


