leases_db_del() can crash smbd when there's no record to delete

Youzhong Yang Youzhong.Yang at mathworks.com
Tue Jan 3 18:21:47 UTC 2017 

Hi Volker,

As I mentioned, in reality, it will never hit the crash condition of having nothing to delete from the db. We were testing something else which was able to crash smbd:

   #0 /tmw-nas-3p/samba/lib/libsmbconf.so.0'log_stack_trace+0x1f [0xfffffd7fb937bfe6]
   #1 /tmw-nas-3p/samba/lib/libsmbconf.so.0'smb_panic_s3+0x6f [0xfffffd7fb937be5a]
   #2 /tmw-nas-3p/samba/lib/libsamba-util.so.0.0.1'smb_panic+0x28 [0xfffffd7fb8b57aa8]
   #3 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort+0x45 [0xfffffd7fc21f4b43]
   #4 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_abort_unknown_value+0x10 [0xfffffd7fc21f4bd1]
   #5 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'talloc_chunk_from_ptr+0x75 [0xfffffd7fc21f4c48]
   #6 /tmw-nas-3p/samba/lib/private/libtalloc.so.2.1.2'_talloc_free+0x36 [0xfffffd7fc21f6ea3]
   #7 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'leases_db_del+0x58a [0xfffffd7fb90cee18]
   #8 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'remove_share_mode_lease+0x262 [0xfffffd7fb9070d6d]
   #9 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'remove_share_oplock+0x53 [0xfffffd7fb907173d]
   #10 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'remove_oplock+0x133 [0xfffffd7fb902486a]
   #11 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'close_normal_file+0x4c9 [0xfffffd7fb8fac551]
   #12 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'close_file+0x8a [0xfffffd7fb8fadd89]
   #13 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_close+0x269 [0xfffffd7fb8ffd5e3]
   #14 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_close_send+0x18e [0xfffffd7fb8ffd88c]
   #15 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_request_process_close+0x24d [0xfffffd7fb8ffcc84]
   #16 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_request_dispatch+0x14d7 [0xfffffd7fb8fed4d2]
   #17 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_io_handler+0x745 [0xfffffd7fb8ff1cf7]
   #18 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_smb2_connection_handler+0x4a [0xfffffd7fb8ff1dfe]
   #19 /tmw-nas-3p/samba/lib/libsmbconf.so.0'run_events_poll+0x54f [0xfffffd7fb9397fe6]
   #20 /tmw-nas-3p/samba/lib/libsmbconf.so.0's3_event_loop_once+0x18e [0xfffffd7fb9398290]
   #21 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'_tevent_loop_once+0xf9 [0xfffffd7fc2019428]
   #22 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'tevent_common_loop_wait+0x25 [0xfffffd7fc2019677]
   #23 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'_tevent_loop_wait+0x2b [0xfffffd7fc201974b]
   #24 /tmw-nas-3p/samba/lib/private/libsmbd-base-samba4.so'smbd_process+0xb22 [0xfffffd7fb8fd3999]
   #25 /tmw-nas-3p/samba/sbin/smbd'smbd_accept_connection+0x3e6 [0x40d39b]
   #26 /tmw-nas-3p/samba/lib/libsmbconf.so.0'run_events_poll+0x54f [0xfffffd7fb9397fe6]
   #27 /tmw-nas-3p/samba/lib/libsmbconf.so.0's3_event_loop_once+0x18e [0xfffffd7fb9398290]
   #28 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'_tevent_loop_once+0xf9 [0xfffffd7fc2019428]
   #29 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'tevent_common_loop_wait+0x25 [0xfffffd7fc2019677]
   #30 /tmw-nas-3p/samba/lib/private/libtevent.so.0.9.28'_tevent_loop_wait+0x2b [0xfffffd7fc201974b]
   #31 /tmw-nas-3p/samba/sbin/smbd'smbd_parent_loop+0x9a [0x40e141]
   #32 /tmw-nas-3p/samba/sbin/smbd'main+0x1856 [0x40fb53]
   #33 /tmw-nas-3p/samba/sbin/smbd'_start+0x6c [0x4088ac]

Regards,

--Youzhong

-----Original Message-----
From: vlendec at samba.org [mailto:vlendec at samba.org] On Behalf Of Volker Lendecke
Sent: Tuesday, January 03, 2017 11:52 AM
To: Youzhong Yang <Youzhong.Yang at mathworks.com>
Cc: samba-technical at lists.samba.org
Subject: Re: leases_db_del() can crash smbd when there's no record to delete

On Tue, Jan 03, 2017 at 03:37:08PM +0000, Youzhong Yang wrote:
> Hi all,
> 
> I am proposing a patch fixing the following issue:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=12495
> 
> In reality, we may never hit it, but it needs to be fixed.
> 
> Attached please review the patch.

Can you explain where it crashes without this patch? I took a look, but I don't see it.

Thanks,

Volker

More information about the samba-technical mailing list