[URGENT][PATCH] Re: Possible issue in AD DC LSA server in master (was: Re: [PATCH] LMDB ...)

Andrew Bartlett abartlet at samba.org
Thu May 3 04:29:06 UTC 2018


On Sat, 2018-04-14 at 07:07 +1200, Andrew Bartlett via samba-technical
wrote:
> So, that autobuild failed with:
> 
> > [133(711)/525 at 10m56s] samba3.rpc.lsa.lookupsids(ad_dc)
> > smbtorture 4.9.0pre1-DEVELOPERBUILD
> > Using seed 1523610756
> > UNEXPECTED(failure): samba3.rpc.lsa.lookupsids.lsa.LookupSidsReply(ad_dc)
> > REASON: Exception: Exception: ../source4/torture/rpc/lsa_lookup.c:400: names.names[0].name.string was , expected S-1-5-21-1111111111-2222222222-3333333333-512: unexpected names[0].string
> > 
> > FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
> 
> And I mentioned before that I got one LSA failure on the branch up to:
> 
> commit cb607346d3c7c662343b0eae69e43eaa6358c188
> Author: Gary Lockyer <gary at catalyst.net.nz>
> Date:   Tue Mar 13 16:43:54 2018 +1300
> 
>     ldb-samba: require pid match for cached ldb
>     
>     Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
>     Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> 
> > Testing OpenPolicy2
> > UNEXPECTED(failure): samba4.rpc.altercontext on ncalrpc with seal,padcheck.altercontext(ad_dc_ntvfs:local)
> > REASON: Exception: Exception: ../source4/torture/rpc/lsa.c:188: status was NT_STATUS_CONNECTION_RESET, expected NT_STATUS_CONNECTION_DISCONNECTED: OpenPolicy2 failed
> 
> (but wrote it off as I also got about 10 successes on branches with
> that series in it). 
> 
> This is fishy, as Joe yesterday got this in travis CI on master:
> 
> > Testing LookupSids
> > ndr_pull_error(1): Bad array size - got 0 expected 8
> > 
> > UNEXPECTED(failure): samba3.rpc.lsa.privileges.lsa.Privileges(ad_dc)
> > REASON: Exception: Exception: ../source4/torture/rpc/lsa.c:774: dcerpc_lsa_LookupSids_r(b, tctx, &r) was NT_STATUS_ARRAY_BOUNDS_EXCEEDED, expected NT_STATUS_OK: LookupSids failed
> > 
> > FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
> 
> If anybody has any insights or suggestions please don't hesitate to
> investigate.

It turned out to be an unrelated use-after-free in the LSA server after
the trusts changes recently. 

The issue was found fairly easily with address-sanitizer and is fixed
in the attached.  This needs to be in 4.8.2; the regression was shipped
with 4.8.0.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-lsa-Fix-use-after-free-in-LSA-server.patch
Type: text/x-patch
Size: 1511 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180503/63f94876/0001-s4-lsa-Fix-use-after-free-in-LSA-server.bin>

