help on TSIGs
Matthieu Patou
mat at samba.org
Wed Oct 8 20:00:31 MDT 2014
Amitay, Kai
I'm trying to fix a bug that was found by AddressSanitizer:
=================================================================
==31841==ERROR: AddressSanitizer: heap-use-after-free on address
0x60d000319b30 at pc 0x7fb0b7544498 bp 0x7fff767c3070 sp 0x7fff767c3048
READ of size 42 at 0x60d000319b30 thread T0
#0 0x7fb0b7544497 in strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x31497)
#1 0x7fb0b15a6f81 in dns_name_match
../source4/dns_server/dns_utils.c:38
#2 0x7fb0b15a709b in dns_name_equal
../source4/dns_server/dns_utils.c:81
#3 0x7fb0b15a79a9 in dns_find_tkey
../source4/dns_server/dns_crypto.c:85
#4 0x7fb0b15a81f6 in dns_sign_tsig
../source4/dns_server/dns_crypto.c:264
#5 0x7fb0b15a0f6b in dns_process_recv
../source4/dns_server/dns_server.c:240
#6 0x7fb0b15a1412 in dns_tcp_call_process_done
../source4/dns_server/dns_server.c:361
#7 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#8 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#9 0x7fb0b84ba1ff in _tevent_req_done ../lib/tevent/tevent_req.c:155
#10 0x7fb0b15a0eae in dns_process_done
../source4/dns_server/dns_server.c:220
#11 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#12 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#13 0x7fb0b84ba2fd in tevent_req_trigger ../lib/tevent/tevent_req.c:206
#14 0x7fb0b84b94e1 in tevent_common_loop_immediate
../lib/tevent/tevent_immediate.c:135
#15 0x7fb0b84c14bb in epoll_event_loop_once
../lib/tevent/tevent_epoll.c:907
#16 0x7fb0b84be441 in std_event_loop_once
../lib/tevent/tevent_standard.c:114
#17 0x7fb0b84b8628 in _tevent_loop_once ../lib/tevent/tevent.c:530
#18 0x7fb0b84b8872 in tevent_common_loop_wait
../lib/tevent/tevent.c:634
#19 0x7fb0b84be4e3 in std_event_loop_wait
../lib/tevent/tevent_standard.c:140
#20 0x7fb0b84b893d in _tevent_loop_wait ../lib/tevent/tevent.c:653
#21 0x7fb0b392c6aa in standard_new_task
../source4/smbd/process_standard.c:186
#22 0x7fb0b8535ae9 in task_server_startup
../source4/smbd/service_task.c:114
#23 0x7fb0b8533f7c in server_service_init ../source4/smbd/service.c:63
#24 0x7fb0b85340bf in server_service_startup
../source4/smbd/service.c:95
#25 0x7fb0b8619eba in binary_smbd_main ../source4/smbd/server.c:490
#26 0x7fb0b8619f57 in main ../source4/smbd/server.c:513
#27 0x7fb0b6537b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#28 0x7fb0b8613f88
(/usr/local/src/samba/bin/default/source4/smbd/samba+0x5f88)
0x60d000319b30 is located 96 bytes inside of 138-byte region
[0x60d000319ad0,0x60d000319b5a)
freed by thread T0 here:
#0 0x7fb0b7567887 in __interceptor_free
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54887)
#1 0x7fb0b84ac579 in _talloc_free_internal ../lib/talloc/talloc.c:1057
#2 0x7fb0b84ad3d4 in _talloc_free_children_internal
../lib/talloc/talloc.c:1466
#3 0x7fb0b84ac44e in _talloc_free_internal ../lib/talloc/talloc.c:1013
#4 0x7fb0b84ad7cd in _talloc_free ../lib/talloc/talloc.c:1581
#5 0x7fb0b84ba45b in tevent_req_received ../lib/tevent/tevent_req.c:247
#6 0x7fb0b84ba094 in tevent_req_destructor
../lib/tevent/tevent_req.c:99
#7 0x7fb0b84ac2ab in _talloc_free_internal ../lib/talloc/talloc.c:993
#8 0x7fb0b84ad7cd in _talloc_free ../lib/talloc/talloc.c:1581
#9 0x7fb0b15a0e77 in dns_process_done
../source4/dns_server/dns_server.c:215
#10 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#11 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#12 0x7fb0b84ba2fd in tevent_req_trigger ../lib/tevent/tevent_req.c:206
#13 0x7fb0b84b94e1 in tevent_common_loop_immediate
../lib/tevent/tevent_immediate.c:135
#14 0x7fb0b84c14bb in epoll_event_loop_once
../lib/tevent/tevent_epoll.c:907
#15 0x7fb0b84be441 in std_event_loop_once
../lib/tevent/tevent_standard.c:114
#16 0x7fb0b84b8628 in _tevent_loop_once ../lib/tevent/tevent.c:530
#17 0x7fb0b84b8872 in tevent_common_loop_wait
../lib/tevent/tevent.c:634
#18 0x7fb0b84be4e3 in std_event_loop_wait
../lib/tevent/tevent_standard.c:140
#19 0x7fb0b84b893d in _tevent_loop_wait ../lib/tevent/tevent.c:653
#20 0x7fb0b392c6aa in standard_new_task
../source4/smbd/process_standard.c:186
#21 0x7fb0b8535ae9 in task_server_startup
../source4/smbd/service_task.c:114
#22 0x7fb0b8533f7c in server_service_init ../source4/smbd/service.c:63
#23 0x7fb0b85340bf in server_service_startup
../source4/smbd/service.c:95
#24 0x7fb0b8619eba in binary_smbd_main ../source4/smbd/server.c:490
#25 0x7fb0b8619f57 in main ../source4/smbd/server.c:513
#26 0x7fb0b6537b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
previously allocated by thread T0 here:
#0 0x7fb0b7567a9f in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54a9f)
#1 0x7fb0b84ab8cd in __talloc_with_prefix ../lib/talloc/talloc.c:615
#2 0x7fb0b84aba57 in __talloc ../lib/talloc/talloc.c:655
#3 0x7fb0b84aea08 in __talloc_strlendup ../lib/talloc/talloc.c:2233
#4 0x7fb0b84aeaaa in talloc_strdup ../lib/talloc/talloc.c:2249
#5 0x7fb0b15a45d0 in handle_tkey ../source4/dns_server/dns_query.c:532
#6 0x7fb0b15a4870 in dns_server_process_query_send
../source4/dns_server/dns_query.c:604
#7 0x7fb0b15a0c97 in dns_process_send
../source4/dns_server/dns_server.c:177
#8 0x7fb0b15a1312 in dns_tcp_call_loop
../source4/dns_server/dns_server.c:326
#9 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#10 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#11 0x7fb0b84ba1ff in _tevent_req_done ../lib/tevent/tevent_req.c:155
#12 0x7fb0b8535e0c in tstream_read_pdu_blob_done
../libcli/util/tstream.c:117
#13 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#14 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#15 0x7fb0b84ba1ff in _tevent_req_done ../lib/tevent/tevent_req.c:155
#16 0x7fb0b561a468 in tstream_readv_done ../lib/tsocket/tsocket.c:604
#17 0x7fb0b84ba105 in _tevent_req_notify_callback
../lib/tevent/tevent_req.c:112
#18 0x7fb0b84ba1d8 in tevent_req_finish ../lib/tevent/tevent_req.c:149
#19 0x7fb0b84ba1ff in _tevent_req_done ../lib/tevent/tevent_req.c:155
#20 0x7fb0b561e6a4 in tstream_bsd_readv_handler
../lib/tsocket/tsocket_bsd.c:1801
#21 0x7fb0b561dd7f in tstream_bsd_fde_handler
../lib/tsocket/tsocket_bsd.c:1519
#22 0x7fb0b84c0f38 in epoll_event_loop ../lib/tevent/tevent_epoll.c:728
#23 0x7fb0b84c1555 in epoll_event_loop_once
../lib/tevent/tevent_epoll.c:926
#24 0x7fb0b84be441 in std_event_loop_once
../lib/tevent/tevent_standard.c:114
#25 0x7fb0b84b8628 in _tevent_loop_once ../lib/tevent/tevent.c:530
#26 0x7fb0b84b8872 in tevent_common_loop_wait
../lib/tevent/tevent.c:634
#27 0x7fb0b84be4e3 in std_event_loop_wait
../lib/tevent/tevent_standard.c:140
#28 0x7fb0b84b893d in _tevent_loop_wait ../lib/tevent/tevent.c:653
#29 0x7fb0b392c6aa in standard_new_task
../source4/smbd/process_standard.c:186
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 strlen
This error occurs if you have (at least?) 2 NICs on the Samba DC box.
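The problem seems to be that the context where tkey_name is allocated is
freed, as the update request seems to have multiple steps.
In the trace above, the string is allocated by talloc_strdup() in handle_tkey()
(dns_query.c:532), freed when dns_process_done() frees a tevent request
(dns_server.c:215), and then read by dns_find_tkey() when dns_sign_tsig() is
called from dns_process_recv() (dns_server.c:240).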
So I tried to fix it with the attached patch. The use-after-free is gone
and the updates seem to be OK, but I get this kind of error:
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Tkey handshake completed
update count is 1
/usr/local/src/samba/source4/scripting/bin/samba_dnsupdate: ; TSIG error
with server: tsig verify failure
Can you help me?
Thanks.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-WIP-patch-to-fix-the-use-after-free-in-the-DNS-serve.patch
Type: text/x-diff
Size: 4465 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20141008/29fa7c21/attachment.patch>