2028029 – Winbindd crashes after NULL pointer dereference - missing return value check in winbindd_util.c:fill_domain_username_talloc()

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2028029 - Winbindd crashes after NULL pointer dereference - missing return value check in winbindd_util.c:fill_domain_username_talloc()

Summary: Winbindd crashes after NULL pointer dereference - missing return value check ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	samba
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Andreas Schneider
QA Contact:	Denis Karpelevich
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-12-01 10:52 UTC by Andreas Schneider
Modified:	2022-05-10 16:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:	samba-4.15.4-0.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-05-10 15:27:46 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-104431	None	None	None	2021-12-01 10:53:21 UTC
Red Hat Issue Tracker	SSSD-4144	None	None	None	2021-12-06 12:20:46 UTC
Red Hat Product Errata	RHSA-2022:2074	None	None	None	2022-05-10 15:28:17 UTC

Description Andreas Schneider 2021-12-01 10:52:41 UTC

This bug was initially created as a copy of Bug #2019888

I am copying this bug because: 



Winbindd crashes in strlower_m() called from winbindd_util.c:fill_domain_username_talloc() -see the following backtrace:

=============
Program terminated with signal 6, Aborted.
#0 0x00007fab86b09387 in raise () from /lib64/libc.so.6

#0 0x00007fab86b09387 in raise () from /lib64/libc.so.6
#1 0x00007fab86b0aa78 in abort () from /lib64/libc.so.6
#2 0x00007fab91ebc679 in dump_core () at ../../source3/lib/dumpcore.c:338
#3 0x00007fab91ea1ec8 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:847
#4 0x00007fab954cc11d in smb_panic (why=why@entry=0x7fab954dcf39 "internal error") at ../../lib/util/fault.c:174
#5 0x00007fab954cc37e in fault_report (sig=<optimized out>) at ../../lib/util/fault.c:88
#6 sig_fault (sig=11) at ../../lib/util/fault.c:99
#7 <signal handler called>
#8 strlower_m (s=s@entry=0x0) at ../../source3/lib/util_str.c:452
#9 0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
#10 0x000055e7fb391371 in wb_query_user_list_done (subreq=<optimized out>) at ../../source3/winbindd/wb_query_user_list.c:110
#11 0x00007fab92eb3dd1 in dcerpc_binding_handle_call_done (subreq=0x55e7fcb957e0) at ../../librpc/rpc/binding_handle.c:520
#12 0x000055e7fb381fdd in wbint_bh_raw_call_domain_done (subreq=0x55e7fcb966d0) at ../../source3/winbindd/winbindd_dual_ndr.c:204
#13 0x000055e7fb37fa8c in wb_domain_request_done (subreq=0x55e7fcb96a30) at ../../source3/winbindd/winbindd_dual.c:708
#14 0x000055e7fb37dc5d in wb_child_request_done (subreq=0x55e7fcb970a0) at ../../source3/winbindd/winbindd_dual.c:273
#15 0x000055e7fb34e6a7 in wb_simple_trans_read_done (subreq=0x55e7fcb973e0) at ../../nsswitch/wb_reqtrans.c:432
#16 0x000055e7fb34deff in wb_resp_read_done (subreq=0x55e7fcb97710) at ../../nsswitch/wb_reqtrans.c:275
#17 0x00007fab87fcfb13 in tevent_common_invoke_fd_handler () from /lib64/libtevent.so.0
#18 0x00007fab87fd6087 in epoll_event_loop_once () from /lib64/libtevent.so.0
#19 0x00007fab87fd4057 in std_event_loop_once () from /lib64/libtevent.so.0
#20 0x00007fab87fcf25d in _tevent_loop_once () from /lib64/libtevent.so.0
#21 0x000055e7fb3464b8 in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/winbindd/winbindd.c:1912

=============

(gdb) frame 9
#9 0x000055e7fb359709 in fill_domain_username_talloc (mem_ctx=mem_ctx@entry=0x55e7fcb8a810, domain=0x55e7fcb93d80 "HG", user=<optimized out>, can_assume=can_assume@entry=true) at ../../source3/winbindd/winbindd_util.c:1672
1672 if (!strlower_m(tmp_user)) {
(gdb) l
1667 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
1668 can_assume = false;
1669 }
1670
1671 tmp_user = talloc_strdup(mem_ctx, user);
1672 if (!strlower_m(tmp_user)) {
1673 TALLOC_FREE(tmp_user);
1674 return NULL;
1675 }
1676
(gdb) info locals
tmp_user = 0x0
name = <optimized out>

=============

gdb shows that strlower_m() functions gets NULL pointer from tmp_user value, which is returned from talloc_strdup() at LINE 1671
but it is not checked against NULL before passing to strlower_m().

Affected CentOS 7 version:
samba-winbind-4.10.16-15.el7_9.x86_64

NOTE:
The check against NULL value is also absent in the current git sources of winbind_util.c.
Please report upstream.

NOTE:
Reported on CentOS bugzilla.

Comment 3 errata-xmlrpc 2022-05-10 15:27:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:2074

Note You need to log in before you can comment on or make changes to this bug.