Bug 1892745 - smbclient is segfaulting using tar mode
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 33
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1900232
Depends On:
Blocks:
Reported: 2020-10-29 14:52 UTC by Brent
Modified: 2020-12-17 19:51 UTC

Fixed In Version: samba-4.13.2-2.fc33
Last Closed: 2020-12-01 01:27:56 UTC
Type: Bug


Attachments
core dump (742.10 KB, application/octet-stream), 2020-11-09 21:01 UTC, Brent

Description Brent 2020-10-29 14:52:55 UTC
Description of problem:

smbclient is segfaulting.  Using the "smb" method to back up remote Windows shares using BackupPC, smbclient is segfaulting and not able to start any backups.  Even using the "smb" method to back up the local Linux host is also segfaulting smbclient.  Worked fine on Fedora 32.


Version-Release number of selected component (if applicable):

Samba 4.13.0-13

How reproducible:

I'm unclear WHY smbclient is segfaulting, but it is crashing a backup made attempting to use smbclient.

Steps to Reproduce:
1. Set up BackupPC to back up a remote Windows host using smb
2. Run a backup
3. You'll get an error

Actual results:

dmesg returns:

[2020-10-29 07:02:14]  smbclient[41339]: segfault at 0 ip 0000557efbfd1fb7 sp 00007ffef0f58528 error 4 in smbclient[557efbfc8000+23000]
[2020-10-29 07:02:14]  Code: ff ff 48 8d 3d 15 f1 00 00 48 89 c6 31 c0 e8 a0 d3 ff ff b8 01 00 00 00 eb c2 e8 54 d3 ff ff 0f 1f 40 00 48 8b 15 71 b2 01 00 <48> 8b 3a 48 8b 47 08 48 85 c0 74 2d 48 8b 0f 48 89 08 48 89 02 48

/var/log/messages:

Oct 29 07:02:15 SERVERNAME kernel: smbclient[41339]: segfault at 0 ip 0000557efbfd1fb7 sp 00007ffef0f58528 error 4 in smbclient[557efbfc8000+23000]
Oct 29 07:02:15 SERVERNAME kernel: Code: ff ff 48 8d 3d 15 f1 00 00 48 89 c6 31 c0 e8 a0 d3 ff ff b8 01 00 00 00 eb c2 e8 54 d3 ff ff 0f 1f 40 00 48 8b 15 71 b2 01 00 <48> 8b 3a 48 8b 47 08 48 85 c0 74 2d 48 8b 0f 48 89 08 48 89 02 48
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=256 op=LOAD
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=257 op=LOAD
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=258 op=LOAD
Oct 29 07:02:15 SERVERNAME systemd[1]: Started Process Core Dump (PID 41343/UID 0).
Oct 29 07:02:15 SERVERNAME audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@23-41343-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 29 07:02:15 SERVERNAME systemd-coredump[41344]: Process 41339 (smbclient) of user 48 dumped core.#012#012Stack trace of thread 41339:#012#0  0x0000557efbfd1fb7 remove_do_list_queue_head (smbclient + 0x9fb7)#012#1  0x0000557efbfdbba5 do_list (smbclient + 0x13ba5)#012#2  0x0000557efbfe0df4 get_file_callback (smbclient + 0x18df4)#012#3  0x0000557efbfd2d6f do_list_helper (smbclient + 0xad6f)#012#4  0x00007f7f20898ce1 cli_smb2_list (liblibsmb-samba4.so + 0x3fce1)#012#5  0x00007f7f2088d954 cli_list (liblibsmb-samba4.so + 0x34954)#012#6  0x0000557efbfdbb98 do_list (smbclient + 0x13b98)#012#7  0x0000557efbfe0df4 get_file_callback (smbclient + 0x18df4)#012#8  0x0000557efbfd2d6f do_list_helper (smbclient + 0xad6f)#012#9  0x00007f7f20898ce1 cli_smb2_list (liblibsmb-samba4.so + 0x3fce1)#012#10 0x00007f7f2088d954 cli_list (liblibsmb-samba4.so + 0x34954)#012#11 0x0000557efbfdbb98 do_list (smbclient + 0x13b98)#012#12 0x0000557efbfe024c tar_process (smbclient + 0x1824c)#012#13 0x0000557efbfd0bd9 main (smbclient + 0x8bd9)#012#14 0x00007f7f1fde51a2 __libc_start_main (libc.so.6 + 0x281a2)#012#15 0x0000557efbfd1b3e _start (smbclient + 0x9b3e)
Oct 29 07:02:15 SERVERNAME systemd[1]: systemd-coredump@23-41343-0.service: Succeeded.
Oct 29 07:02:15 SERVERNAME audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@23-41343-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=258 op=UNLOAD
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=257 op=UNLOAD
Oct 29 07:02:15 SERVERNAME audit: BPF prog-id=256 op=UNLOAD
Oct 29 07:02:16 SERVERNAME abrt-server[41350]: Deleting problem directory ccpp-2020-10-29-07:02:15.918821-41339 (dup of ccpp-2020-10-28-14:35:56.168706-12861)
Oct 29 07:02:17 SERVERNAME abrt-notification[41395]: Process 12861 (smbclient) crashed in remove_do_list_queue_head()
Oct 29 07:02:22 SERVERNAME systemd[1]: dbus-:1.5-org.freedesktop.problems@12.service: Succeeded.

Expected results:

smbclient should not segfault.

Additional info:

Running BackupPC under the "apache" user.  User 48 = apache.
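
Added example (not part of the original report, and not Samba or Fedora tooling): a Python triage helper that decodes the kernel segfault line and the `#012`-escaped systemd-coredump record quoted above, so the crash site can be compared across runs independently of ASLR. The function names are hypothetical; the sample lines are copied from this report, with the stack trace cut after frame #6.

```python
import re

# Kernel line: comm[pid]: segfault at ADDR ip IP sp SP error CODE in MODULE[BASE+SIZE]
SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[\d+\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp [0-9a-f]+ error (?P<err>[0-9a-f]+) in (?P<mod>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+")
# systemd-coredump frame: "#0  0x<addr> <symbol> (<module> + 0x<offset>)"
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-f]+ (\S+) \((\S+) \+ 0x([0-9a-f]+)\)")

# Sample input copied from the report (stack trace cut after frame #6).
KERNEL_LINE = ("smbclient[41339]: segfault at 0 ip 0000557efbfd1fb7 "
               "sp 00007ffef0f58528 error 4 in smbclient[557efbfc8000+23000]")
COREDUMP_LINE = (
    "Process 41339 (smbclient) of user 48 dumped core.#012#012Stack trace of thread 41339:"
    "#012#0  0x0000557efbfd1fb7 remove_do_list_queue_head (smbclient + 0x9fb7)"
    "#012#1  0x0000557efbfdbba5 do_list (smbclient + 0x13ba5)"
    "#012#2  0x0000557efbfe0df4 get_file_callback (smbclient + 0x18df4)"
    "#012#3  0x0000557efbfd2d6f do_list_helper (smbclient + 0xad6f)"
    "#012#4  0x00007f7f20898ce1 cli_smb2_list (liblibsmb-samba4.so + 0x3fce1)"
    "#012#5  0x00007f7f2088d954 cli_list (liblibsmb-samba4.so + 0x34954)"
    "#012#6  0x0000557efbfdbb98 do_list (smbclient + 0x13b98)")

def decode_segfault(line):
    """Decode a kernel segfault line into ASLR-independent triage facts."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    err = int(m["err"], 16)  # x86 page-fault error code, printed in hex
    return {
        "comm": m["comm"], "module": m["mod"],
        "fault_addr": int(m["addr"], 16),            # 0 means a NULL pointer access
        "present": bool(err & 1),                    # False: page was not mapped
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "offset": int(m["ip"], 16) - int(m["base"], 16),  # ip relative to mapping base
    }

def parse_frames(syslog_line):
    """Expand rsyslog's #012 newline escapes and return (index, symbol, module, offset)."""
    text = syslog_line.replace("#012", "\n")
    return [(int(n), sym, mod, int(off, 16)) for n, sym, mod, off in FRAME_RE.findall(text)]

def reentry_cycle(frames):
    """Symbols from frame 1 up to the next frame in the same function, or None."""
    syms = [sym for _, sym, _, _ in frames]
    for i in range(2, len(syms)):
        if syms[i] == syms[1]:
            return syms[1:i]
    return None
```

For the first crash, the offset computed from the kernel line (0x9fb7) equals the frame #0 offset that systemd-coredump reports for remove_do_list_queue_head, and error code 4 with fault address 0 decodes to a user-mode read of an unmapped page at NULL. The trace also shows do_list re-entered through get_file_callback and the cli_list callbacks before the faulting frame.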

Comment 1 Brent 2020-10-30 12:09:54 UTC
Additional steps to recreate not using BackupPC:

1)  Create a file (touch /tmp/current-time)
2)  Execute:   /usr/bin/smbclient \\\\server\\share -U Administrator -E -d 1 -c tarmode\ full -TcN /tmp/current-time - /temp
3)  This should back up the c:\temp of a remote Windows machine.
4)  After prompting for password, it returns:

tarmode is now full, system, hidden, noreset, noverbose
Segmentation fault (core dumped)

Comment 2 Brent 2020-10-30 13:06:04 UTC
Compiling myself from source, using tar mode in 4.13.0 or 4.13.1 (latest) returns the segfault.

Compiling samba source from 4.12.9 works.  There is a bug in 4.13.0 and 4.13.1 using tarmode.

Comment 3 Brent 2020-11-04 03:16:10 UTC
Samba just released version 4.13.2.  That version also segfaults using tarmode in smbclient.

Comment 4 Alexander Bokovoy 2020-11-04 10:15:43 UTC
Can you please provide a coredump?

Comment 5 Brent 2020-11-09 21:01:28 UTC
Created attachment 1727927
core dump

Comment 6 Brent 2020-11-09 21:03:13 UTC
I can use smbclient to back up /tmp on a Linux box.  Any attempt made to back up another directory fails.  Can't back up remote systems either.

smbclient \\\\server\\root -U root -E -d 1 -c tarmode\ full -TcN /backupdir/BackupPC/pc/server/timeStamp.level0 - /etc

Segmentation fault.

Comment 7 Alexander Bokovoy 2020-11-25 16:48:40 UTC
*** Bug 1900232 has been marked as a duplicate of this bug. ***

Comment 8 Alexander Bokovoy 2020-11-25 16:49:35 UTC
I am building Samba for F33 and Rawhide with patches from https://bugzilla.samba.org/show_bug.cgi?id=14517
As I understand, this should fix the problem.

Please test the builds once they are ready:
F33: https://koji.fedoraproject.org/koji/taskinfo?taskID=56241974
F34: https://koji.fedoraproject.org/koji/taskinfo?taskID=56241908

Non-x86_64 runners are a bit slow, so the builds are still ongoing. Once they are done, I'll submit an update to F33.

Comment 9 Tim Evans 2020-11-25 20:31:22 UTC
Thanks, Alexander. Afraid I don't know what to do with these.  I downloaded the rpms that match what is installed on my system, but dnf reports all sorts of dependency issues when I try to install them.

Comment 10 Fedora Update System 2020-11-25 20:36:55 UTC
FEDORA-2020-e5062aad76 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e5062aad76

Comment 11 Alexander Bokovoy 2020-11-25 20:39:47 UTC
I've submitted an update to F33. It should appear in updates-testing in a day or so. A simple dnf update will find it then.

Comment 12 Fedora Update System 2020-11-27 02:10:09 UTC
FEDORA-2020-e5062aad76 has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e5062aad76`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e5062aad76

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Tim Evans 2020-11-27 14:19:40 UTC
smbclient (version 4.13.2) still segfaults here.

Comment 14 Brent 2020-11-27 14:27:29 UTC
Yep.  Just tried this version.  Still segfaults.

Comment 15 Alexander Bokovoy 2020-11-27 14:37:27 UTC
Is the backtrace the same?

Comment 16 Brent 2020-11-27 14:59:15 UTC
I don't know what you mean by backtrace.

dmesg shows:

smbclient[73274]: segfault at 0 ip 00005567c77faff7 sp 00007ffc8fc9bba8 error 4 in smbclient[5567c77f0000+23000]
Code: 00 48 89 c6 31 c0 e8 48 d4 ff ff b8 01 00 00 00 eb c9 e8 fc d3 ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 8b 15 31 b2 01 00 <48> 8b 3a 48 8b 47 08 48 85 c0 74 2d 48 8b 0f 48 89 08 48 89 02 48

/var/log/messages has:

abrt-notification[73350]: Process 79081 (smbclient) crashed in remove_do_list_queue_head()


I can include a coredump (.zst) file if that needs to be included?

Comment 17 Alexander Bokovoy 2020-11-27 17:51:19 UTC
It looks like the same trace, indeed.

Comment 18 Brent 2020-11-28 04:40:34 UTC
I can actually back up /tmp, but not /etc (or any other directory) if smb.conf shares out "/".  If I compile 4.12.10 and install it, both /tmp and /etc work fine.

smb.conf: relevant section for the share:

[root]
    path = /
    browseable = yes
    valid users = root
    public = no
    writable = yes
    printable = no
    create mask = 0755


This works:

$  touch /tmp/current-time

$  /usr/bin/smbclient \\\\localhost\\root -U root -E -d 1 -c tarmode\ full -TcN /tmp/current-time - /tmp

This segfaults:

$  /usr/bin/smbclient \\\\localhost\\root -U root -E -d 1 -c tarmode\ full -TcN /tmp/current-time - /etc

Comment 19 Fedora Update System 2020-12-01 01:27:56 UTC
FEDORA-2020-e5062aad76 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 20 Alexander Bokovoy 2020-12-01 07:10:40 UTC
Re-opening to work on tar mode fixes.

Comment 21 Tim Evans 2020-12-03 16:19:34 UTC
Samba folks have closed their bugzilla (https://bugzilla.samba.org/show_bug.cgi?id=14581), marking it "FIXED."

Comment 22 Alexander Bokovoy 2020-12-03 16:23:17 UTC
I think that bug is unrelated -- there was hope that the refactoring fixed this issue but apparently it did not. So, back to investigation.

Comment 23 Tim Evans 2020-12-15 15:20:30 UTC
Samba 4.13.3 has been released, with fixes for Samba bugzillas 14517 and 14581. From release notes:

* BUG 14517: smbclient: Fix recursive mget.
* BUG 14581: clitar: Use do_list()'s recursion in clitar.c.

Comment 24 Alexander Bokovoy 2020-12-15 16:03:20 UTC
Samba 4.13.3 build for F33 is coming soon (patches already updated in Fedora dist-git). To build Samba 4.13.3, we need updates for a few other components, so a rebuild for Rawhide and F33 will be done in a sidetag first, then submitted for Bodhi.
Hopefully, this will be done in the next several days.

Comment 25 Alexander Bokovoy 2020-12-17 19:51:30 UTC
https://bodhi.fedoraproject.org/updates/FEDORA-2020-318f27b02b is the version for Fedora 33

