Bug 1823612
| Summary: | Segmentation fault (core dumped) when "net ads dns gethostbyname <server> <name>" with an invalid server specified | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Yongcheng Yang <yoyang> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | --- | CC: | adzilsky, asn, dkarpele, gdeschner, iboukris, jarrpa, xifeng |
| Target Milestone: | rc | Keywords: | Reopened, Reproducer |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | samba-4.12.3-5.el8.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 01:59:47 UTC | Type: | Bug |
@Yang This is the most recent samba-4.10.4-101.el8_1.x86_64.rpm version I can find for RHEL-8. But you are using (samba-common-tools-4.11.2). Have you built samba from source? I can see the issue with this version as well.

```
# rpm -qa|grep samba
samba-common-4.10.4-101.el8_1.noarch
samba-client-libs-4.10.4-101.el8_1.x86_64
samba-4.10.4-101.el8_1.x86_64
samba-common-libs-4.10.4-101.el8_1.x86_64
samba-common-tools-4.10.4-101.el8_1.x86_64
samba-libs-4.10.4-101.el8_1.x86_64
```

(In reply to amitkuma from comment #1)
...
> But you are using (samba-common-tools-4.11.2). Have you built samba from
> source?
>

Nope, I didn't build samba and only used the default version in distro RHEL-8.2.0-20200404.0 (RHEL-8.2.0 "RC-1.3"):

```
[root]# rpm -q samba-common-tools
samba-common-tools-4.11.2-13.el8.x86_64
[root]# dnf list samba-common-tools
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:34:37 ago on Wed 15 Apr 2020 06:14:58 AM EDT.
Installed Packages
samba-common-tools.x86_64    4.11.2-13.el8    @beaker-BaseOS
[root]# cat /etc/yum.repos.d/beaker-BaseOS.repo
[beaker-BaseOS]
name=beaker-BaseOS
baseurl=http://download.eng.pek2.redhat.com/rhel-8/rel-eng/RHEL-8/RHEL-8.2.0-20200404.0/compose/BaseOS/x86_64/os
enabled=1
gpgcheck=0
skip_if_unavailable=1
[root]# grep DISTRO /etc/motd
DISTRO=RHEL-8.2.0-20200404.0
[root]#
```

Did you try running with valgrind?

valgrind

```
# valgrind --tool=memcheck --log-file=net-crash-report.txt --leak-check=full net ads dns gethostbyname server test.com
do_gethostbyname returned ERROR_DNS_INVALID_NAME_SERVER (5)
#
==22887== LEAK SUMMARY:
==22887==    definitely lost: 330 bytes in 2 blocks
==22887==    indirectly lost: 208 bytes in 2 blocks
==22887==      possibly lost: 68,968 bytes in 191 blocks
==22887==    still reachable: 4,876 bytes in 17 blocks
==22887==         suppressed: 0 bytes in 0 blocks
==22887== Reachable blocks (those to which a pointer was found) are not shown.
==22887== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==22887==
==22887== Use --track-origins=yes to see where uninitialised values come from
==22887== For lists of detected and suppressed errors, rerun with: -s
==22887== ERROR SUMMARY: 76 errors from 76 contexts (suppressed: 0 from 0)
```

will be checking

This is already fixed in RHEL 8.2 with Samba 4.11. Closing, update to RHEL 8.2.

I haven't tried it recently but RHEL-8.2 is the version this bug was reported on:

(In reply to Yongcheng Yang from comment #0)
..
> Version-Release number of selected component (if applicable):
> samba-common-tools-4.11.2-13.el8

(In reply to Yongcheng Yang from comment #2)
..
> Nope, I didn't build samba and only used the default version in distro
> RHEL-8.2.0-20200404.0 (RHEL-8.2.0 "RC-1.3")

Sorry, I was wrong. This has only been fixed in Samba 4.12 with 849ffbc8251aa193cfcab043ab7c818a666a4a68.

As conn is not initialized with NULL, we call TALLOC_FREE() on an invalid pointer.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (samba bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4543
Description of problem:
It's easy to trigger a coredump when using "net ads dns gethostbyname" if specifying an invalid server name.

Version-Release number of selected component (if applicable):
samba-common-tools-4.11.2-13.el8

How reproducible:
easy

Steps to Reproduce:
1. net ads dns gethostbyname invalid $HOSTNAME
2.
3.

Actual results:

```
[root@lenovo-sr630-01 ~]# net ads dns gethostbyname
Usage:
net ads dns gethostbyname <server> <name>
  Look up hostname from the AD
    server Name server to use
    name   Name to look up
[root@lenovo-sr630-01 ~]# net ads dns gethostbyname no_exist leno-73-224-207
Segmentation fault (core dumped)
[root@lenovo-sr630-01 ~]# coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Mon 2020-04-13 22:57:55 EDT   49787     0     0  11 present   /usr/bin/net
Mon 2020-04-13 23:10:11 EDT   50128     0     0  11 present   /usr/bin/net
[root@lenovo-sr630-01 ~]# coredumpctl info
...
           PID: 50128 (net)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Mon 2020-04-13 23:10:10 EDT (7min ago)
  Command Line: net ads dns gethostbyname no_exist leno-73-224-207
    Executable: /usr/bin/net
 Control Group: /user.slice/user-0.slice/session-4.scope
          Unit: session-4.scope
         Slice: user-0.slice
       Session: 4
     Owner UID: 0 (root)
       Boot ID: bc945e8ef32c4c8995d518f86fb7d07f
    Machine ID: 060ecf1047054a1c824212273390cbff
      Hostname: leno-73-224-207
       Storage: /var/lib/systemd/coredump/core.net.0.bc945e8ef32c4c8995d518f86fb7d07f.50128.1586833810000000.lz4
       Message: Process 50128 (net) of user 0 dumped core.

                Stack trace of thread 50128:
                #0  0x00007f5794611f7f _talloc_free (libtalloc.so.2)
                #1  0x00007f5797822894 dns_open_connection (libaddns-samba4.so)
                #2  0x000055cb6d9db776 do_gethostbyname (net)
                #3  0x000055cb6d9a1304 net_ads_dns_gethostbyname (net)
                #4  0x000055cb6d99e9bc net_ads_dns (net)
                #5  0x000055cb6d9a700b net_ads (net)
                #6  0x000055cb6d992050 main (net)
                #7  0x00007f57922df6a3 __libc_start_main (libc.so.6)
                #8  0x000055cb6d99237e _start (net)
[root@lenovo-sr630-01 ~]# rpm -qf /usr/bin/net
samba-common-tools-4.11.2-13.el8.x86_64
```

Expected results:
No coredump

Additional info:
N/A
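The root cause named in the thread (an error path freeing `conn` when it was never set to NULL) is modelled below as an added example; it is not Samba's code and not part of the original report. The function shape, `model_alloc`/`model_free`, `STACK_GARBAGE` and the server name `dc1.example.test` are hypothetical, and the tracking allocator counts an invalid free where a real allocator would crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the garbage an uninitialized stack slot may hold. */
#define STACK_GARBAGE ((void *)(uintptr_t)0x5a5a5a5a)
#define ERR_INVALID_NAME_SERVER 5  /* numeric value shown in the valgrind run */
struct conn { int fd; };           /* hypothetical connection object */

static void *live[8];              /* pointers this model allocator handed out */
static int invalid_frees;          /* frees of pointers it never handed out */

static void *model_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p != NULL && i < 8; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

/* NULL is a no-op; an unknown pointer is counted instead of dereferenced. */
static void model_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < 8; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;
}

/* `initial` models conn at entry: STACK_GARBAGE (bare declaration) or NULL. */
static int open_connection(const char *server, void *initial, struct conn **out) {
    struct conn *conn = initial;
    int err = ERR_INVALID_NAME_SERVER;
    if (strcmp(server, "dc1.example.test") != 0)  /* constructed valid name */
        goto fail;                 /* lookup failed before conn was assigned */
    conn = model_alloc(sizeof(*conn));
    if (conn == NULL) { err = 1; goto fail; }
    *out = conn;
    return 0;
fail:
    model_free(conn);              /* shared cleanup runs on every error path */
    return err;
}

int main(void) {
    struct conn *c = NULL;
    open_connection("no_exist", STACK_GARBAGE, &c);  /* bare declaration */
    open_connection("no_exist", NULL, &c);           /* NULL-initialized */
    printf("invalid frees: %d\n", invalid_frees);
    return 0;
}
```

Only the call that enters with `STACK_GARBAGE` reaches the cleanup with a pointer the allocator never issued; the NULL-initialized call takes the same failing path and frees nothing.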