[Samba] Crash in 4.12.10 in (also 4.13.4)
Peter Eriksson
pen at lysator.liu.se
Tue Jan 26 13:32:35 UTC 2021
Added an assert that checks if we over-run the wbc_sids[] array and now 4.13.4 dies immediately when I try it.
Looking at the code, the suspicious code is around line 1277 in source3/passwd/lookup_sid.c:
        if (sid_peek_check_rid(&global_sid_Unix_Groups,
                               &sids[i], &rid)) {
                ids[i].type = ID_TYPE_GID;
                ids[i].id = rid;
                continue;
        }
—>      if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired)
            && !expired)
        {
                continue;
        }
        ids[i].type = ID_TYPE_NOT_SPECIFIED;
        memcpy(&wbc_sids[num_not_cached], &sids[i],
               ndr_size_dom_sid(&sids[i], 0));
        num_not_cached += 1;
If that idmap_cache_find() call, or !expired, is true - and ids[i].type happens to already be ID_TYPE_NOT_SPECIFIED - then num_not_cached will not be incremented, but the loop further down will detect it and then the buffer overrun will happen…
- Peter
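A reduced model of the counting mismatch described above, added here as an illustration and not Samba's own code: pass 1 queues cache misses by count, pass 2 re-derives "was queued" from ids[i].type, so a cache hit that already carries ID_TYPE_NOT_SPECIFIED makes pass 2 consume one more winbind answer than were allocated. The cache model, the sample data and the function names (cache_lookup, first_pass, overrun_in_second_pass, overrun_with_index_map) are assumptions; expired cache entries are treated as plain misses.

```c
#include <stddef.h>
/* Reduced model of the two-pass lookup discussed in the thread (not Samba code):
 * pass 1 queues the cache misses and counts them in num_not_cached; pass 2
 * re-derives "was queued" from ids[i].type == ID_TYPE_NOT_SPECIFIED. */
enum id_type { ID_TYPE_NOT_SPECIFIED = 0, ID_TYPE_UID, ID_TYPE_GID };
struct unixid { enum id_type type; unsigned id; };
#define MAX_SIDS 16

/* Constructed cache: entry < 0 is a miss, otherwise the cached type (may be NOT_SPECIFIED). */
static int cache_lookup(const int *cache, size_t i, struct unixid *out) {
    if (cache[i] < 0) return 0;
    out->type = (enum id_type)cache[i]; out->id = 0;
    return 1;
}

/* Constructed sample: index 2 is a cache hit whose type is already ID_TYPE_NOT_SPECIFIED. */
const int sample_cache[5] = { ID_TYPE_UID, -1, ID_TYPE_NOT_SPECIFIED, -1, ID_TYPE_GID };
const size_t sample_num_sids = 5;

/* Pass 1: fill ids[] from the cache, mark the misses, return the count that sizes wbc_ids. */
static size_t first_pass(const int *cache, size_t num_sids, struct unixid *ids) {
    size_t num_not_cached = 0;
    for (size_t i = 0; i < num_sids; i++) {
        if (cache_lookup(cache, i, &ids[i])) continue;
        ids[i].type = ID_TYPE_NOT_SPECIFIED;
        num_not_cached++;
    }
    return num_not_cached;
}

/* Pass 2 as the original logic does it: every NOT_SPECIFIED slot consumes one queued
 * answer. Returns how many answers beyond the queued count it would read from wbc_ids. */
size_t overrun_in_second_pass(const int *cache, size_t num_sids) {
    struct unixid ids[MAX_SIDS];
    size_t consumed = 0, num_not_cached = first_pass(cache, num_sids, ids);
    for (size_t i = 0; i < num_sids; i++)
        if (ids[i].type == ID_TYPE_NOT_SPECIFIED) consumed++;
    return consumed > num_not_cached ? consumed - num_not_cached : 0;
}

/* Hardened variant: record the queued indices in pass 1 instead of re-deriving them
 * from ids[].type, so pass 2 never touches more answers than were queued. */
size_t overrun_with_index_map(const int *cache, size_t num_sids) {
    struct unixid ids[MAX_SIDS];
    size_t queued[MAX_SIDS], num_not_cached = 0, consumed = 0;
    for (size_t i = 0; i < num_sids; i++)
        if (!cache_lookup(cache, i, &ids[i])) queued[num_not_cached++] = i;
    for (size_t n = 0; n < num_not_cached; n++) { ids[queued[n]].type = ID_TYPE_UID; consumed++; }
    return consumed > num_not_cached ? consumed - num_not_cached : 0;
}
```

With the sample, pass 2 of the original logic reads one entry past the two that were queued, which is the same shape as the wbc_ids[68] access on a 68-entry array in the gdb session below.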
> On 26 Jan 2021, at 13:04, Peter Eriksson via samba <samba at lists.samba.org> wrote:
>
> It seems to be crashing in source3/passwd/lookup_sids.c line 1307:
>
>> switch (wbc_ids[num_not_cached].type) {
>
> Due it trying to access outside the allocated data area…
>
> (gdb) print num_not_cached
> $23 = 68
> (gdb) print num_sids
> $24 = 245
> (gdb) print wbc_ids[66]
> $21 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 0, gid = 0}}
> (gdb) print wbc_ids[67]
> $22 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 48, gid = 48}}
> (gdb) print wbc_ids[68]
> Cannot access memory at address 0x81b339000
>
> wbc_ids is talloc_array()'d at line 1290, but unfortunately the num_not_cached variable is reused so I can't see in the core dump how many entries were actually allocated there. I'll recompile and add a debugging assertion check to see what's happening there.
>
> The user that was connected to the smbd at the time of the crash is a member of some 90 AD groups, of which 24 have gidNumber set. Dunno if that's relevant for this case but anyway.
>
> I’ll try to do some more debugging.
>
> https://bugzilla.samba.org/show_bug.cgi?id=14571
>
> - Peter
>
>
>
>> On 11 Nov 2020, at 12:43, Andrew Walker via samba <samba at lists.samba.org> wrote:
>
>> On Tue, Nov 10, 2020 at 5:01 PM Peter Eriksson via samba <samba at lists.samba.org> wrote:
>>
>>> I just got an INTERNAL ERROR: Signal 11 in smbd (4.12.10) in something
>>> that sids_to_unixids() in source3/winbindd/idmap_hash/idmap_hash.c calls and
>>> 3 levels down - unfortunately the stack trace doesn't say what it is -
>>> probably optimised into inline code or something.
>>>
>>> Recently upgraded from Samba 4.12.5 to 4.12.10 (self-compiled). FreeBSD
>>> 12.2
>>>
>>> It happened right after 10 hours since that smbd process started, so the
>>> 10 hours Kerberos ticket lifetime is probably involved somehow…
>>>
>>> Nov 10 21:39:11 runur01 smbd_audit[23768]: #3 sig_fault + 0x6c [ip=0x80129a7a9] [sp=0x7fffffffcbb0]
>>> Nov 10 21:39:11 runur01 smbd_audit[23768]: #4 <unknown symbol> [ip=0x801517b70] [sp=0x7fffffffcbc0]
>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #5 <unknown symbol> [ip=0x80151713f] [sp=0x7fffffffcf80]
>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #6 <unknown symbol> [ip=0x7ffffffff003] [sp=0x7fffffffcff0]
>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #7 sids_to_unixids + 0x25d
>>>
>>> Unfortunately no core dump :-(
>>>
>> You may need to run the command "sysctl kern.sugid_coredump=1" and also set
>> kern.corefile to an appropriate path (for example /tmp/%N_%P.core -- this
>> ensures program name and pid are in the corefile name). If possible, compile
>> without optimizations and with debugging symbols (this will improve
>> visibility of the error).
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba