One simple stupid users trick owns all your bases ...

Fri Sep 1 17:15:22 UTC 2023

On Fri, Sep 1, 2023 at 10:04 AM Jeremy Allison <jra at samba.org> wrote:
>
> On Fri, Sep 01, 2023 at 09:21:09AM -0700, Richard Sharpe via samba-technical wrote:
> >Hi folks,
> >
> >I didn't follow the instructions carefully enough.
> >
> >I set up resolv.conf to point at 127.0.0.1 and an upstream nameserver
> >(10.20.1.100).
> >
> >During provisioning that created an entry of 'dns resolver = 127.0.0.1'.
> >
> >That resulted in the following crash. Looks like a bug.
> >
> >Provisioning should not use any of the aliases for the current system
> >as forwarders.
> >
> >In addition, perhaps the code should not crash if it gets a timeout.
> >
> >4.19.0rc4.
>
> Can you add a "panic action = /bin/sleep 99999999"
> and catch it in gdb. Knowing *exactly* what line
> it goes down on will help. A lot :-).

OK:

#0  0x00007fa0f256dd98 in nanosleep () from /lib64/libc.so.6
#1  0x00007fa0f256dc9e in sleep () from /lib64/libc.so.6
#2  0x00007fa0f8e1c13b in log_stack_trace () at ../../lib/util/fault.c:306
#3  0x00007fa0f8e1c33f in smb_panic_log (
    why=why at entry=0x7ffc3acd6050 "Signal 11: Segmentation fault")
    at ../../lib/util/fault.c:195
#4  0x00007fa0f8e1c4b3 in smb_panic (
    why=why at entry=0x7ffc3acd6050 "Signal 11: Segmentation fault")
    at ../../lib/util/fault.c:206
#5  0x00007fa0f8e1c619 in fault_report (sig=11) at ../../lib/util/fault.c:83
#6  sig_fault (sig=11) at ../../lib/util/fault.c:94
#7  <signal handler called>
#8  0x00007fa0f7b90049 in dns_cli_request_udp_done (subreq=<optimized out>)
    at ../../libcli/dns/dns.c:497
#9  0x00007fa0f7b9134d in dns_udp_request_done (subreq=0x618001b18900)
    at ../../libcli/dns/dns.c:157
#10 0x00007fa0f9764929 in tdgram_recvfrom_done (subreq=0x61800533cd00)
    at ../../lib/tsocket/tsocket.c:239
#11 0x00007fa0f976b1f7 in tdgram_bsd_recvfrom_handler (
    private_data=<optimized out>) at ../../lib/tsocket/tsocket_bsd.c:1186
#12 0x00007fa0f9769c18 in tdgram_bsd_fde_handler (ev=<optimized out>,
    fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>)
    at ../../lib/tsocket/tsocket_bsd.c:910
#13 0x00007fa0f3dc53a7 in tevent_common_invoke_fd_handler ()

Here is the code:

(gdb) frame 8
#8  0x00007fa0f7b90049 in dns_cli_request_udp_done (subreq=<optimized out>)
    at ../../libcli/dns/dns.c:497
497                     tevent_req_error(req, ENOMSG);
(gdb) list
492
493             reply_id = PULL_BE_U16(reply.data, 0);
494             if (reply_id != state->req_id) {
495                     DBG_DEBUG("Got id %"PRIu16", expected %"PRIu16"\n",
496                               state->reply->id, state->req_id);
497                     tevent_req_error(req, ENOMSG);
498                     return;
499             }
500
501             operation = PULL_BE_U16(reply.data, 2);

I still think provision should not allow this but it should also not crash.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)