Bug 1334356
| Summary: | ntlm_auth SEGV | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> | ||||
| Component: | samba | Assignee: | Guenther Deschner <gdeschner> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 23 | CC: | abokovoy, asn, dwmw2, gdeschner, jarrpa, jlayton, lmohanty, madam, metze, sbose, ssorce | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | samba-4.3.10-0.fc23 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-06-19 07:24:33 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Hello David, I tried to reproduce this today (with samba-4.3.8-0.fc23.x86_64) but I couldn't. Can you share your config and describe briefly your setup? Thanks! Guenther client NTLMv2 auth = no Here's 4.3.8-0.fc23 (the above was 4.3.9-0.fc23) with debuginfo:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60,
format=<optimized out>,
format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
1631 process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0 0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60,
format=<optimized out>,
format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
#1 0x00007ffff51e3e76 in ___vsnprintf_chk (
s=s@entry=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end", maxlen=<optimized out>, maxlen@entry=1024,
flags=flags@entry=1, slen=slen@entry=1024,
format=format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7fffffffcbf8) at vsnprintf_chk.c:63
#2 0x00007ffff56a8dbe in vsnprintf (__ap=0x7fffffffcbf8,
__fmt=<optimized out>, __n=1024,
__s=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end") at /usr/include/bits/stdio2.h:77
#3 talloc_vasprintf (t=t@entry=0x0,
fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffd068) at ../talloc.c:2440
#4 0x00007ffff56a477c in talloc_log (
fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:370
#5 0x00007ffff56aab5a in talloc_chunk_from_ptr (ptr=0x7ffff673d9c3)
at ../talloc.c:432
#6 _talloc_steal_loc (new_ctx=new_ctx@entry=0x5555557928b0,
---Type <return> to continue, or q <return> to quit---
ptr=0x7ffff673d9c3,
location=location@entry=0x7ffff56b0cef "../talloc.c:1927")
at ../talloc.c:1219
#7 0x00007ffff56aab93 in _talloc_move (new_ctx=new_ctx@entry=0x5555557928b0,
_pptr=_pptr@entry=0x7fffffffd218) at ../talloc.c:1927
#8 0x00007ffff7374cfe in ntlmssp_client_challenge (
gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, in=...,
out=0x7fffffffd580) at ../auth/ntlmssp/ntlmssp_client.c:354
#9 0x00007ffff737360f in gensec_ntlmssp_update (
gensec_security=0x555555792310, out_mem_ctx=0x555555791c40,
ev=<optimized out>, input=..., out=0x7fffffffd580)
at ../auth/ntlmssp/ntlmssp.c:176
#10 0x00007ffff737d612 in gensec_update_ev (gensec_security=0x555555792310,
out_mem_ctx=0x555555791c40, ev=0x555555792dc0, ev@entry=0x0, in=...,
out=0x7fffffffd580) at ../auth/gensec/gensec.c:303
#11 0x00007ffff737d657 in gensec_update (gensec_security=<optimized out>,
out_mem_ctx=<optimized out>, in=..., out=<optimized out>)
at ../auth/gensec/gensec.c:372
#12 0x000055555555bbfe in manage_gensec_request (
stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=<optimized out>,
buf=<optimized out>, private1=<optimized out>, length=<optimized out>)
at ../source3/utils/ntlm_auth.c:1467
#13 0x00005555555593b3 in manage_squid_request (
---Type <return> to continue, or q <return> to quit---
stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=0x555555784050,
state=0x555555791800, fn=0x55555555c8d0 <manage_client_ntlmssp_request>,
private2=0x0) at ../source3/utils/ntlm_auth.c:2040
#14 0x0000555555558d5b in squid_stream (
fn=0x55555555c8d0 <manage_client_ntlmssp_request>, lp_ctx=0x555555784050,
stdio_mode=NTLMSSP_CLIENT_1) at ../source3/utils/ntlm_auth.c:2074
#15 main (argc=<optimized out>, argv=<optimized out>)
at ../source3/utils/ntlm_auth.c:2317
(Not the same run...)
#8 0x00007ffff7374cfe in ntlmssp_client_challenge (
gensec_security=0x555555792360, out_mem_ctx=0x555555791470, in=...,
out=0x7fffffffd570) at ../auth/ntlmssp/ntlmssp_client.c:354
354 ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
(gdb) p server_domain
$3 = 0x7ffff673d9c3 ""
In /proc/$pid/maps it seems that server_domain is pointing to a static "" string in libcliauth-samba4.so, instead of something that was allocated. We probably weren't expecting msrpc_parse() to do that?
The talloc library crapping itself when trying to report this, is obviously a separate issue.
Right, have it reproduced and a possible fix, hold on. Created attachment 1155392 [details]
possible fix
The upstream bug is https://bugzilla.samba.org/show_bug.cgi?id=11912 Thanks Stefan, just saw I came up with the exact same patch 45 minutes later than yours :-) Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=13991277 And for f24 at http://koji.fedoraproject.org/koji/taskinfo?taskID=14166983 samba-4.3.10-0.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085 samba-4.3.10-0.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085 samba-4.3.10-0.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
Here's Samba 4.3.6-0.fc23 successfully authenticating: $ /usr/bin/ntlm_auth --helper-protocol ntlmssp-client-1 --use-cached-creds --username dwoodhou YR Got 'YR' from squid (length: 2). got NTLMSSP packet: YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1MSU5VWA== NTLMSSP challenge TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA== Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==' from squid (length: 59). got NTLMSSP packet: KK TlRMTVNTUAADAAAAAAAAAEAAAAAYABgAQAAAAAYABgBYAAAAEAAQAF4AAAAcABwAbgAAAAAAAACKAAAABYIAAB9CuUv36kuvVB4Lg+72fp/DAzZlrNntekcARQBSAGQAdwBvAG8AZABoAG8AdQBEAFcATwBPAEQASABPAFUALQBMAEkATgBVAFgA NTLMSSP challenge Here's 4.3.[89]: YR Got 'YR' from squid (length: 2). YR TlRMTVNTUAABAAAABYIIYgAAAAAoAAAAAAAAACgAAAAGAQAAAAAADw== TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA== Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==' from squid (length: 59). Program received signal SIGSEGV, Segmentation fault. 0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, format=<optimized out>, format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631 1631 process_string_arg (((struct printf_spec *) NULL)); (gdb) (gdb) bt #0 0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, format=<optimized out>, format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631 #1 0x00007ffff51e3e76 in ___vsnprintf_chk ( s=s@entry=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end", maxlen=<optimized out>, maxlen@entry=1024, flags=flags@entry=1, slen=slen@entry=1024, format=format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7fffffffcbf8) at vsnprintf_chk.c:63 #2 0x00007ffff56a8dbe in vsnprintf (__ap=0x7fffffffcbf8, __fmt=<optimized out>, __n=1024, __s=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end") at /usr/include/bits/stdio2.h:77 #3 talloc_vasprintf (t=t@entry=0x0, fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffd068) at ../talloc.c:2440 #4 0x00007ffff56a477c in talloc_log ( fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:370 #5 0x00007ffff56aab5a in talloc_chunk_from_ptr (ptr=0x7ffff673d9c3) at ../talloc.c:432 #6 _talloc_steal_loc (new_ctx=0x5555557928b0, ptr=0x7ffff673d9c3, ---Type <return> to continue, or q <return> to quit--- location=location@entry=0x7ffff56b0cef "../talloc.c:1927") at ../talloc.c:1219 #7 0x00007ffff56aab93 in _talloc_move (new_ctx=<optimized out>, _pptr=0x7fffffffd218) at ../talloc.c:1927 #8 0x00007ffff7374e2e in ntlmssp_client_challenge () from /lib64/libgensec.so.0 #9 0x00007ffff737375f in gensec_ntlmssp_update () from /lib64/libgensec.so.0 #10 0x00007ffff737d7f2 in gensec_update_ev () from /lib64/libgensec.so.0 #11 0x00007ffff737d837 in gensec_update () from /lib64/libgensec.so.0 #12 0x000055555555bbfe in manage_gensec_request.isra () #13 0x00005555555593b3 in manage_squid_request () #14 0x0000555555558d5b in main ()