[URGENT][PATCH] Re: Possible issue in AD DC LSA server in master

Stefan Metzmacher metze at samba.org
Thu May 3 07:43:04 UTC 2018


Am 03.05.2018 um 06:29 schrieb Andrew Bartlett via samba-technical:
> On Sat, 2018-04-14 at 07:07 +1200, Andrew Bartlett via samba-technical
> wrote:
>> So, that autobuild failed with:
>>
>>> [133(711)/525 at 10m56s] samba3.rpc.lsa.lookupsids(ad_dc)
>>> smbtorture 4.9.0pre1-DEVELOPERBUILD
>>> Using seed 1523610756
>>> UNEXPECTED(failure): samba3.rpc.lsa.lookupsids.lsa.LookupSidsReply(ad_dc)
>>> REASON: Exception: Exception: ../source4/torture/rpc/lsa_lookup.c:400: names.names[0].name.string was , expected S-1-5-21-1111111111-2222222222-3333333333-512: unexpected names[0].string
>>>
>>> FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
>>
>> And I mentioned before that I got one LSA failure on the branch up to:
>>
>> commit cb607346d3c7c662343b0eae69e43eaa6358c188
>> Author: Gary Lockyer <gary at catalyst.net.nz>
>> Date:   Tue Mar 13 16:43:54 2018 +1300
>>
>>     ldb-samba: require pid match for cached ldb
>>     
>>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
>>     Reviewed-by: Andrew Bartlett <abartlet at samba.org>
>>
>>> Testing OpenPolicy2
>>> UNEXPECTED(failure): samba4.rpc.altercontext on ncalrpc with seal,padcheck.altercontext(ad_dc_ntvfs:local)
>>> REASON: Exception: Exception: ../source4/torture/rpc/lsa.c:188: status was NT_STATUS_CONNECTION_RESET, expected NT_STATUS_CONNECTION_DISCONNECTED: OpenPolicy2 failed
>>
>> (but wrote it off as I also got about 10 successes on branches with
>> that series in it). 
>>
>> This is fishy, as Joe yesterday got this in travis CI on master:
>>
>>> Testing LookupSids
>>> ndr_pull_error(1): Bad array size - got 0 expected 8
>>>
>>> UNEXPECTED(failure): samba3.rpc.lsa.privileges.lsa.Privileges(ad_dc)
>>> REASON: Exception: Exception: ../source4/torture/rpc/lsa.c:774: dcerpc_lsa_LookupSids_r(b, tctx, &r) was NT_STATUS_ARRAY_BOUNDS_EXCEEDED, expected NT_STATUS_OK: LookupSids failed
>>>
>>> FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
>>
>> If anybody has any insights or suggestions please don't hesitate to
>> investigate.
> 
> It turned out to be an unrelated use-after-free in the LSA server after
> the trusts changes recently. 
> 
> The issue was found fairly easily with address-sanitizer and is fixed
> in the attached.  This needs to be in 4.8.2; the regression was shipped
> with 4.8.0.

Do you have more detailed information on what memory is used after free?
I'd prefer to do the correct talloc_move() calls in order to get a sane
memory tree instead of being lazy.

metze

