Bug 1523212
| Summary: | Invalid read-after-free in cli_smb2_close_fnum_recv() | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Lukas Slebodnik <lslebodn> | ||||||
| Component: | samba | Assignee: | Andreas Schneider <asn> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 7.5 | CC: | adzilsky, asn, gdeschner, grajaiya, jarrpa, jhrozek, lmiksik, lslebodn, mkosek, mzidek, pbrezina, rhack, tscherf | ||||||
| Target Milestone: | rc | Keywords: | Regression | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | abrt_hash:7a2a9ae3e27933637b082d780e72d1ef500ad209 | ||||||||
| Fixed In Version: | samba-4.7.1-6.el7 | Doc Type: | If docs needed, set a value | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2018-04-10 17:30:15 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Lukas Slebodnik
2017-12-07 12:09:06 UTC
Created attachment 1364291 [details]
File: abrt_msgs
Created attachment 1364292 [details]
File: backtrace
#0 0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0) at ../source3/libsmb/cli_smb2_fnum.c:453
453 state->cli->raw_status = status;
(gdb) bt
#0 0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0) at ../source3/libsmb/cli_smb2_fnum.c:453
#1 0x00007f2a3e72f414 in cli_smb2_close_fnum (cli=cli@entry=0x561f71e10f90, fnum=<optimized out>) at ../source3/libsmb/cli_smb2_fnum.c:482
#2 0x00007f2a3e7314ef in cli_smb2_get_fs_attr_info (cli=cli@entry=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54) at ../source3/libsmb/cli_smb2_fnum.c:2162
#3 0x00007f2a3e720bab in cli_get_fs_attr_info (cli=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54) at ../source3/libsmb/clifsinfo.c:340
#4 0x00007f2a416a272a in SMBC_server_internal (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true,
server=server@entry=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=<optimized out>, share@entry=0x561f71e0fec0 "sysvol",
pp_workgroup=pp_workgroup@entry=0x7ffce953af80, pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78, in_cache=in_cache@entry=0x7ffce953aedf)
at ../source3/libsmb/libsmb_server.c:583
#5 0x00007f2a416a2c92 in SMBC_server (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true,
server=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=0x561f71e0fec0 "sysvol", pp_workgroup=pp_workgroup@entry=0x7ffce953af80,
pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78) at ../source3/libsmb/libsmb_server.c:689
#6 0x00007f2a4169fda2 in SMBC_open_ctx (context=0x561f71e0e9d0, fname=0x561f71e0e950 "smb://pluto.sssdad.com/sysvol/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}/GPT.INI",
flags=0, mode=<optimized out>) at ../source3/libsmb/libsmb_file.c:93
#7 0x0000561f705cfe43 in copy_smb_file_to_gpo_cache (smbc_ctx=smbc_ctx@entry=0x561f71e0e9d0, smb_server=smb_server@entry=0x561f71dff5d0 "smb://pluto.sssdad.com",
smb_share=smb_share@entry=0x561f71dff650 "/sysvol", smb_path=smb_path@entry=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}",
smb_cse_suffix=smb_cse_suffix@entry=0x561f705d3999 "/GPT.INI") at src/providers/ad/ad_gpo_child.c:555
#8 0x0000561f705cf1c0 in perform_smb_operations (_sysvol_gpt_version=<synthetic pointer>, smb_cse_suffix=0x561f71dff770 "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf",
smb_path=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}", smb_share=0x561f71dff650 "/sysvol", smb_server=0x561f71dff5d0 "smb://pluto.sssdad.com",
cached_gpt_version=-1) at src/providers/ad/ad_gpo_child.c:647
#9 main (argc=<optimized out>, argv=<optimized out>) at src/providers/ad/ad_gpo_child.c:795
(gdb) p state
$1 = (struct cli_smb2_close_fnum_state *) 0x561f71e19460
(gdb) p state->cli
$2 = (struct cli_state *) 0xdededededededede
(gdb) l
448 NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
449 {
450 struct cli_smb2_close_fnum_state *state = tevent_req_data(
451 req, struct cli_smb2_close_fnum_state);
452 NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
453 state->cli->raw_status = status;
454 return status;
455 }
456
457 NTSTATUS cli_smb2_close_fnum(struct cli_state *cli, uint16_t fnum)
(gdb) q
Already fixed in upstream https://bugzilla.samba.org/show_bug.cgi?id=13171 Sanity only. It did not cause any problem with samba-4.7.1-4.el7.x86_64 and started to fail with samba-4.7.1-5.el7.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0937 |