Bug 1523212 - Invalid read-after-free in cli_smb2_close_fnum_recv()
Summary: Invalid read-after-free in cli_smb2_close_fnum_recv()
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.5
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Robin Hack
URL:
Whiteboard: abrt_hash:7a2a9ae3e27933637b082d780e7...
Keywords: Regression
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-07 12:09 UTC by Lukas Slebodnik
Modified: 2018-04-10 17:31 UTC (History)
13 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-04-10 17:30:15 UTC

Attachments (Terms of Use)
File: abrt_msgs (34.17 KB, text/plain)
2017-12-07 12:09 UTC, Lukas Slebodnik 		no flags Details
File: backtrace (20.63 KB, text/plain)
2017-12-07 12:09 UTC, Lukas Slebodnik 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0937 None None None 2018-04-10 17:31 UTC
Samba Project 13171 None None None 2019-01-18 13:59 UTC

Description Lukas Slebodnik 2017-12-07 12:09:06 UTC 
Version-Release number of selected component:
sssd-ad-1.16.1-0.20171206.2209.gita72919af8.push.el7

Additional info:
reporter:       libreport-2.1.11.1
backtrace_rating: 4
cmdline:        /usr/libexec/sssd/gpo_child --debug-microseconds=0 --debug-timestamps=1 --debug-fd=23 --debug-level=0xfff0
crash_function: cli_smb2_close_fnum_recv
executable:     /usr/libexec/sssd/gpo_child
global_pid:     30333
kernel:         3.10.0-801.el7.x86_64
pkg_vendor:     Red Hat Copr
runlevel:       N 3
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (9 frames)
 #0 cli_smb2_close_fnum_recv at ../source3/libsmb/cli_smb2_fnum.c:453
 #1 cli_smb2_close_fnum at ../source3/libsmb/cli_smb2_fnum.c:482
 #2 cli_smb2_get_fs_attr_info at ../source3/libsmb/cli_smb2_fnum.c:2162
 #3 cli_get_fs_attr_info at ../source3/libsmb/clifsinfo.c:340
 #4 SMBC_server_internal at ../source3/libsmb/libsmb_server.c:583
 #5 SMBC_server at ../source3/libsmb/libsmb_server.c:689
 #6 SMBC_open_ctx at ../source3/libsmb/libsmb_file.c:93
 #7 copy_smb_file_to_gpo_cache at src/providers/ad/ad_gpo_child.c:555
 #8 perform_smb_operations at src/providers/ad/ad_gpo_child.c:647
Comment 1 Lukas Slebodnik 2017-12-07 12:09:11 UTC 
Created attachment 1364291 [details]
File: abrt_msgs
Comment 2 Lukas Slebodnik 2017-12-07 12:09:12 UTC 
Created attachment 1364292 [details]
File: backtrace
Comment 4 Lukas Slebodnik 2017-12-07 12:10:31 UTC 
#0  0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0) at ../source3/libsmb/cli_smb2_fnum.c:453
453             state->cli->raw_status = status;
(gdb) bt
#0  0x00007f2a3e72f355 in cli_smb2_close_fnum_recv (req=req@entry=0x561f71e192d0) at ../source3/libsmb/cli_smb2_fnum.c:453
#1  0x00007f2a3e72f414 in cli_smb2_close_fnum (cli=cli@entry=0x561f71e10f90, fnum=<optimized out>) at ../source3/libsmb/cli_smb2_fnum.c:482
#2  0x00007f2a3e7314ef in cli_smb2_get_fs_attr_info (cli=cli@entry=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54) at ../source3/libsmb/cli_smb2_fnum.c:2162
#3  0x00007f2a3e720bab in cli_get_fs_attr_info (cli=0x561f71e10f90, fs_attr=fs_attr@entry=0x7ffce953ae54) at ../source3/libsmb/clifsinfo.c:340
#4  0x00007f2a416a272a in SMBC_server_internal (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true,
    server=server@entry=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=<optimized out>, share@entry=0x561f71e0fec0 "sysvol",
    pp_workgroup=pp_workgroup@entry=0x7ffce953af80, pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78, in_cache=in_cache@entry=0x7ffce953aedf)
    at ../source3/libsmb/libsmb_server.c:583
#5  0x00007f2a416a2c92 in SMBC_server (ctx=ctx@entry=0x561f71e00360, context=context@entry=0x561f71e0e9d0, connect_if_not_found=connect_if_not_found@entry=true,
    server=0x561f71e0fe40 "pluto.sssdad.com", port=<optimized out>, share=0x561f71e0fec0 "sysvol", pp_workgroup=pp_workgroup@entry=0x7ffce953af80,
    pp_username=pp_username@entry=0x7ffce953af70, pp_password=pp_password@entry=0x7ffce953af78) at ../source3/libsmb/libsmb_server.c:689
#6  0x00007f2a4169fda2 in SMBC_open_ctx (context=0x561f71e0e9d0, fname=0x561f71e0e950 "smb://pluto.sssdad.com/sysvol/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}/GPT.INI",
    flags=0, mode=<optimized out>) at ../source3/libsmb/libsmb_file.c:93
#7  0x0000561f705cfe43 in copy_smb_file_to_gpo_cache (smbc_ctx=smbc_ctx@entry=0x561f71e0e9d0, smb_server=smb_server@entry=0x561f71dff5d0 "smb://pluto.sssdad.com",
    smb_share=smb_share@entry=0x561f71dff650 "/sysvol", smb_path=smb_path@entry=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}",
    smb_cse_suffix=smb_cse_suffix@entry=0x561f705d3999 "/GPT.INI") at src/providers/ad/ad_gpo_child.c:555
#8  0x0000561f705cf1c0 in perform_smb_operations (_sysvol_gpt_version=<synthetic pointer>, smb_cse_suffix=0x561f71dff770 "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf",
    smb_path=0x561f71dff6c0 "/sssdad.com/Policies/{2BCD41F6-E5B9-44FB-A937-6E3CAB8B0896}", smb_share=0x561f71dff650 "/sysvol", smb_server=0x561f71dff5d0 "smb://pluto.sssdad.com",
    cached_gpt_version=-1) at src/providers/ad/ad_gpo_child.c:647
#9  main (argc=<optimized out>, argv=<optimized out>) at src/providers/ad/ad_gpo_child.c:795
(gdb) p state
$1 = (struct cli_smb2_close_fnum_state *) 0x561f71e19460
(gdb) p state->cli
$2 = (struct cli_state *) 0xdededededededede
(gdb) l
448     NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
449     {
450             struct cli_smb2_close_fnum_state *state = tevent_req_data(
451                     req, struct cli_smb2_close_fnum_state);
452             NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
453             state->cli->raw_status = status;
454             return status;
455     }
456
457     NTSTATUS cli_smb2_close_fnum(struct cli_state *cli, uint16_t fnum)
(gdb) q
Comment 5 Lukas Slebodnik 2017-12-07 12:10:59 UTC 
Already fixed in upstream
https://bugzilla.samba.org/show_bug.cgi?id=13171
Comment 6 Andrej Dzilský 2017-12-07 12:17:01 UTC 
Sanity only.
Comment 7 Lukas Slebodnik 2017-12-07 15:03:09 UTC 
It did not cause any problem with samba-4.7.1-4.el7.x86_64 and started to fail with samba-4.7.1-5.el7.x86_64
Comment 15 errata-xmlrpc 2018-04-10 17:30:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0937
Note You need to log in before you can comment on or make changes to this bug.