mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Noel Power 2a104556e8 s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs
In a cluster setup, the samba-bgqd async callback
cups_pcap_load_async can access a messaging_ctdb_fde_ev associated
with an already destructed global_ctdb_ctx_destructor

==26053== Invalid read of size 8
==26053==    at 0x71692E1: messaging_ctdb_fde_ev_destructor (messages_ctdb.c:181)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x4056BCA: tevent_req_received (tevent_req.c:301)
==26053==    by 0x405673D: tevent_req_destructor (tevent_req.c:135)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x1384EF: cups_pcap_load_async (print_cups.c:507)
==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
==26053==    by 0x122AD6: main (samba-bgqd.c:316)
==26053==  Address 0xed64d48 is 120 bytes inside a block of size 128 free'd
==26053==    at 0x4C370EB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26053==    by 0x40B25E1: _tc_free_internal (talloc.c:1222)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x71691F6: messaging_ctdb_destroy (messages_ctdb.c:141)
==26053==    by 0x7169C21: msg_ctdb_ref_destructor (messages_ctdb_ref.c:142)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x4157380: messaging_reinit (messages.c:646)
==26053==    by 0x416C01E: reinit_after_fork (util.c:488)
==26053==    by 0x13844C: cups_pcap_load_async (print_cups.c:498)
==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
==26053==    by 0x122AD6: main (samba-bgqd.c:316)
==26053==  Block was alloc'd at
==26053==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26053==    by 0x40B1989: __talloc_with_prefix (talloc.c:783)
==26053==    by 0x40B1B23: __talloc (talloc.c:825)
==26053==    by 0x40B1ECC: _talloc_named_const (talloc.c:982)
==26053==    by 0x40B49C3: _talloc_zero (talloc.c:2421)
==26053==    by 0x7168E68: messaging_ctdb_init (messages_ctdb.c:93)
==26053==    by 0x716979D: messaging_ctdb_ref (messages_ctdb_ref.c:75)
==26053==    by 0x415702A: messaging_init_internal (messages.c:563)
==26053==    by 0x41572FD: messaging_init (messages.c:622)
==26053==    by 0x4163ED3: global_messaging_context (global_contexts.c:62)
==26053==    by 0x12273B: main (samba-bgqd.c:271)
==26053==

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15293

Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Jan 26 16:03:49 UTC 2023 on atb-devel-224
2023-01-26 16:03:49 +00:00
auth s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac() 2023-01-19 18:47:35 +00:00
build
client s3:client: Fix a use-after-free issue in smbclient 2022-12-22 10:52:31 +00:00
exports
groupdb
include lib: Add tdb_data_dbg() 2023-01-10 00:28:37 +00:00
intl
lib s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs 2023-01-26 16:03:49 +00:00
libads lib: Remove unused smb_mkstemp prototype 2023-01-10 00:28:37 +00:00
libgpo/gpext
libnet s3-librpc: add ads.idl and convert ads_struct to talloc. 2022-12-16 20:38:32 +00:00
librpc smbd: Remove smbXsrv_open->db_rec 2023-01-10 00:28:37 +00:00
libsmb s3/libsmb: fix a typo in parameter description 2023-01-17 17:21:38 +00:00
locale spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated 2022-06-10 18:12:33 +00:00
locking lib: Use tdb_data_dbg() where appropriate 2023-01-10 00:28:37 +00:00
modules smbd: Implement SET_REPARSE_POINT buffer size checks 2022-12-22 19:50:34 +00:00
nmbd smbd: remove process shortname arg from reinit_after_fork() 2022-12-14 01:38:29 +00:00
param selftest: Only run samba.tests.smb3unix in developer mode 2023-01-26 13:13:50 +00:00
passdb pdb_samba_dsdb: Handle dsdb_search_one() errors 2022-10-05 04:23:32 +00:00
printing s3-librpc: add ads.idl and convert ads_struct to talloc. 2022-12-16 20:38:32 +00:00
profile s3:profile: make use of tevent_cached_getpid() in performance critical code 2022-07-25 18:32:18 +00:00
registry lib: Move tab_depth() to reg_parse_prs.c 2023-01-10 00:28:37 +00:00
rpc_client CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db() 2022-12-13 13:07:29 +00:00
rpc_server s3:rpc_server/mdssvc: don't crash mdssvc_tracker_shutdown with NULL glue 2023-01-19 19:46:01 +00:00
rpcclient s3:rpcclient: Pass salt down to init_samr_CryptPasswordAES() 2022-10-25 09:34:33 +00:00
script s3:test: Test winbind call depth trace 2023-01-26 15:07:57 +00:00
selftest s3:test: Test winbind call depth trace 2023-01-26 15:07:57 +00:00
services s3:services: Disable rcinit-based service control code 2021-12-10 14:02:30 +00:00
smbd smbd: Use smbXsrv_open_global_parse_record() in .._verify_record() 2023-01-24 09:15:26 +00:00
torture build: Don't compile source3/lib/util_sd.c four times 2023-01-12 15:38:30 +00:00
utils lib: Fix a use-after-free in "net vfs getntacl" 2023-01-12 16:41:07 +00:00
web
winbindd s3:winbind: Move tevent_req_create() before debug macros to have the right call depth 2023-01-26 14:10:36 +00:00
.clang_complete
.dmallocrc
.indent.pro
Doxyfile
mainpage.dox
smbadduser.in
wscript selftest: Only run samba.tests.smb3unix in developer mode 2023-01-26 13:13:50 +00:00
wscript_build build: Don't compile source3/lib/util_sd.c four times 2023-01-12 15:38:30 +00:00
wscript_configure_system_ncurses