Bug 1523212
| Summary: | Invalid read-after-free in cli_smb2_close_fnum_recv() | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | adzilsky, asn, gdeschner, grajaiya, jarrpa, jhrozek, lmiksik, lslebodn, mkosek, mzidek, pbrezina, rhack, tscherf |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:7a2a9ae3e27933637b082d780e72d1ef500ad209 | | |
| Fixed In Version: | samba-4.7.1-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 17:30:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Description
Lukas Slebodnik
2017-12-07 12:09:06 UTC
Created attachment 1364291 [details]
File: abrt_msgs
Created attachment 1364292 [details]
File: backtrace
```
#0  0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0)
    at ../source3/libsmb/cli_smb2_fnum.c:453
453         state->cli->raw_status = status;
(gdb) bt
#0  0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0)
    at ../source3/libsmb/cli_smb2_fnum.c:453
#1  0x00007f2a3e72f414 in cli_smb2_close_fnum (cli=cli@entry=0x561f71e10f90, fnum=<optimized out>)
    at ../source3/libsmb/cli_smb2_fnum.c:482
#2  0x00007f2a3e7314ef in cli_smb2_get_fs_attr_info (cli=cli@entry=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54)
    at ../source3/libsmb/cli_smb2_fnum.c:2162
#3  0x00007f2a3e720bab in cli_get_fs_attr_info (cli=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54)
    at ../source3/libsmb/clifsinfo.c:340
#4  0x00007f2a416a272a in SMBC_server_internal (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true, server=server@entry=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=<optimized out>, share@entry=0x561f71e0fec0 "sysvol", pp_workgroup=pp_workgroup@entry=0x7ffce953af80, pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78, in_cache=in_cache@entry=0x7ffce953aedf)
    at ../source3/libsmb/libsmb_server.c:583
#5  0x00007f2a416a2c92 in SMBC_server (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true, server=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=0x561f71e0fec0 "sysvol", pp_workgroup=pp_workgroup@entry=0x7ffce953af80, pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78)
    at ../source3/libsmb/libsmb_server.c:689
#6  0x00007f2a4169fda2 in SMBC_open_ctx (context=0x561f71e0e9d0, fname=0x561f71e0e950 "smb://pluto.sssdad.com/sysvol/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}/GPT.INI", flags=0, mode=<optimized out>)
    at ../source3/libsmb/libsmb_file.c:93
#7  0x0000561f705cfe43 in copy_smb_file_to_gpo_cache (smbc_ctx=smbc_ctx@entry=0x561f71e0e9d0, smb_server=smb_server@entry=0x561f71dff5d0 "smb://pluto.sssdad.com", smb_share=smb_share@entry=0x561f71dff650 "/sysvol", smb_path=smb_path@entry=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}", smb_cse_suffix=smb_cse_suffix@entry=0x561f705d3999 "/GPT.INI")
    at src/providers/ad/ad_gpo_child.c:555
#8  0x0000561f705cf1c0 in perform_smb_operations (_sysvol_gpt_version=<synthetic pointer>, smb_cse_suffix=0x561f71dff770 "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf", smb_path=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}", smb_share=0x561f71dff650 "/sysvol", smb_server=0x561f71dff5d0 "smb://pluto.sssdad.com", cached_gpt_version=-1)
    at src/providers/ad/ad_gpo_child.c:647
#9  main (argc=<optimized out>, argv=<optimized out>)
    at src/providers/ad/ad_gpo_child.c:795
(gdb) p state
$1 = (struct cli_smb2_close_fnum_state *) 0x561f71e19460
(gdb) p state->cli
$2 = (struct cli_state *) 0xdededededededede
(gdb) l
448     NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
449     {
450             struct cli_smb2_close_fnum_state *state = tevent_req_data(
451                     req, struct cli_smb2_close_fnum_state);
452             NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
453             state->cli->raw_status = status;
454             return status;
455     }
456
457     NTSTATUS cli_smb2_close_fnum(struct cli_state *cli, uint16_t fnum)
(gdb) q
```

Already fixed in upstream https://bugzilla.samba.org/show_bug.cgi?id=13171

Sanity only.

It did not cause any problem with samba-4.7.1-4.el7.x86_64 and started to fail with samba-4.7.1-5.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0937
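The ordering visible in the gdb listing (lines 450 to 453), reduced to a small model; this is an added example, not Samba's code and not the upstream patch. It assumes, as the poisoned `state->cli` value in the session indicates, that the request's state has already been released when line 453 runs. All type and function names are hypothetical, and the state is poisoned with 0xde instead of freed so the demo stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for cli_state, the close state and tevent_req. */
struct client { int raw_status; };
struct close_state { struct client *cli; };
struct request { struct close_state state; int status; };

/* Model of a receive helper that returns the status and releases the
 * request's state (poisoned with 0xde here rather than freed). */
static int simple_recv_status(struct request *req)
{
    memset(&req->state, 0xde, sizeof(req->state));
    return req->status;
}

/* Ordering from the listing: fetch state, call the helper, then use state.
 * Returns the bytes of state->cli as the faulting store would see them. */
uintptr_t recv_stale(struct request *req)
{
    struct close_state *state = &req->state;
    uintptr_t seen;
    (void)simple_recv_status(req);
    memcpy(&seen, &state->cli, sizeof(seen));
    return seen;
}

/* One corrected ordering: store the status while state is still live,
 * and only then let the helper release it. */
int recv_ordered(struct request *req)
{
    struct close_state *state = &req->state;
    state->cli->raw_status = req->status;
    return simple_recv_status(req);
}

int main(void)
{
    struct client a = {0}, b = {0};                 /* constructed input */
    struct request r1 = { { &a }, 7 }, r2 = { { &b }, 7 };
    printf("stale state->cli = %#jx\n", (uintmax_t)recv_stale(&r1));
    int st = recv_ordered(&r2);
    printf("ordered: returned %d, raw_status %d\n", st, b.raw_status);
    return 0;
}
```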