The Samba-Bugzilla – Attachment 14174 Details for
Bug 13420
Use after free in AD DC LSA server (inter-forest trust changes)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
backtrace from addressanitiser
buf (text/plain), 25.15 KB, created by
Andrew Bartlett
on 2018-05-03 08:13:41 UTC
(
hide
)
Description:
backtrace from addressanitiser
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-05-03 08:13:41 UTC
Size:
25.15 KB
patch
obsolete
>[2(1)/95 at 9s] samba3.rpc.lsa.lookupsids(ad_dc) >================================================================= >==11696==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0008b5f20 at pc 0x7fc103909695 bp 0x7fff109547c0 sp 0x7fff109547b8 >READ of size 1 at 0x60d0008b5f20 thread T0 > #0 0x7fc103909694 in strlen_m_ext_handle ../lib/util/charset/util_str.c:226 > #1 0x7fc10390988d in strlen_m_ext ../lib/util/charset/util_str.c:290 > #2 0x7fc1039098e3 in strlen_m ../lib/util/charset/util_str.c:327 > #3 0x7fc0fca617f0 in ndr_push_lsa_String default/librpc/gen_ndr/ndr_lsa.c:13 > #4 0x7fc0fca885c2 in ndr_push_lsa_TranslatedName default/librpc/gen_ndr/ndr_lsa.c:2478 > #5 0x7fc0fca982f4 in ndr_push_lsa_TransNameArray default/librpc/gen_ndr/ndr_lsa.c:2529 > #6 0x7fc0fca98666 in ndr_push_lsa_LookupSids default/librpc/gen_ndr/ndr_lsa.c:7302 > #7 0x7fc0f028d4d6 in lsarpc__op_ndr_push default/librpc/gen_ndr/ndr_lsa_s.c:2074 > #8 0x7fc0f01ad4d2 in dcesrv_reply ../source4/rpc_server/common/reply.c:183 > #9 0x7fc0f027bccc in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1890 > #10 0x7fc0f027bccc in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #11 0x7fc0f027bccc in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #12 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #13 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #14 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #15 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #16 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #17 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #18 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #19 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #20 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #21 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #22 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #23 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #24 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #25 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #26 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #27 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #28 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #29 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #30 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #31 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #32 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #33 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #34 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > #35 0x563dc39b86ee in binary_smbd_main ../source4/smbd/server.c:700 > #36 0x563dc39b93cd in main ../source4/smbd/server.c:713 > #37 0x7fc101ca22e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) > #38 0x563dc39b6499 in _start (/data/samba/git/samba8/bin/default/source4/smbd/samba+0x7499) > >0x60d0008b5f20 is located 96 bytes inside of 142-byte region [0x60d0008b5ec0,0x60d0008b5f4e) >freed by thread T0 here: > #0 0x7fc10561aa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) > #1 0x7fc10349d56a in _tc_free_internal ../lib/talloc/talloc.c:1201 > #2 0x7fc10349d11a in _tc_free_children_internal ../lib/talloc/talloc.c:1646 > #3 0x7fc10349d11a in _tc_free_internal ../lib/talloc/talloc.c:1163 > #4 0x7fc10348db70 in _tc_free_children_internal ../lib/talloc/talloc.c:1646 > #5 0x7fc10348db70 in _tc_free_internal ../lib/talloc/talloc.c:1163 > #6 0x7fc10348db70 in _talloc_free_internal ../lib/talloc/talloc.c:1227 > #7 0x7fc10348db70 in _talloc_free ../lib/talloc/talloc.c:1769 > #8 0x7fc0f02c1804 in dcesrv_lsa_LookupSids ../source4/rpc_server/lsa/lsa_lookup.c:808 > #9 0x7fc0f02a965d in lsarpc__op_dispatch default/librpc/gen_ndr/ndr_lsa_s.c:234 > #10 0x7fc0f027bc6d in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1874 > #11 0x7fc0f027bc6d in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #12 0x7fc0f027bc6d in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #13 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #14 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #15 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #16 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #17 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #18 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #19 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #20 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #21 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #22 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #23 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #24 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #25 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #26 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #27 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #28 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #29 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #30 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #31 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #32 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #33 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #34 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #35 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > >previously allocated by thread T0 here: > #0 0x7fc10561ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) > #1 0x7fc1034940f0 in __talloc_with_prefix ../lib/talloc/talloc.c:763 > #2 0x7fc1034940f0 in __talloc ../lib/talloc/talloc.c:804 > #3 0x7fc1034940f0 in _talloc_named_const ../lib/talloc/talloc.c:961 > #4 0x7fc1034940f0 in _talloc_memdup ../lib/talloc/talloc.c:2416 > #5 0x7fc0ff407ba3 in dom_sid_string ../libcli/security/dom_sid.c:480 > #6 0x7fc0f02bce54 in dcesrv_lsa_LookupSids_base_call ../source4/rpc_server/lsa/lsa_lookup.c:355 > #7 0x7fc0f02c178e in dcesrv_lsa_LookupSids ../source4/rpc_server/lsa/lsa_lookup.c:800 > #8 0x7fc0f02a965d in lsarpc__op_dispatch default/librpc/gen_ndr/ndr_lsa_s.c:234 > #9 0x7fc0f027bc6d in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1874 > #10 0x7fc0f027bc6d in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #11 0x7fc0f027bc6d in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #12 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #13 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #14 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #15 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #16 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #17 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #18 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #19 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #20 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #21 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #22 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #23 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #24 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #25 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #26 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #27 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #28 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #29 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #30 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #31 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #32 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #33 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #34 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > >SUMMARY: AddressSanitizer: heap-use-after-free ../lib/util/charset/util_str.c:226 in strlen_m_ext_handle >Shadow bytes around the buggy address: > 0x0c1a8010eb90: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa > 0x0c1a8010eba0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ebb0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd > 0x0c1a8010ebc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > 0x0c1a8010ebd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd >=>0x0c1a8010ebe0: fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa fa > 0x0c1a8010ebf0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ec00: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00 > 0x0c1a8010ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa > 0x0c1a8010ec20: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ec30: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa >Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb >==11696==ABORTING >smbtorture 4.9.0pre1-DEVELOPERBUILD >Using seed 1525334884 >UNEXPECTED(failure): samba3.rpc.lsa.lookupsids.lsa.LookupSidsReply(ad_dc) >REASON: Exception: Exception: ../source4/torture/rpc/lsa_lookup.c:390: dcerpc_lsa_LookupSids_r(b, tctx, &r) was NT_STATUS_CONNECTION_DISCONNECTED, expected NT_STATUS_OK: Lookup >Sids failed >envlog: SAMBA LOG of: ADDC pid 11696 >================================================================= >==11696==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0008b5f20 at pc 0x7fc103909695 bp 0x7fff109547c0 sp 0x7fff109547b8 >READ of size 1 at 0x60d0008b5f20 thread T0 > #0 0x7fc103909694 in strlen_m_ext_handle ../lib/util/charset/util_str.c:226 > #1 0x7fc10390988d in strlen_m_ext ../lib/util/charset/util_str.c:290 > #2 0x7fc1039098e3 in strlen_m ../lib/util/charset/util_str.c:327 > #3 0x7fc0fca617f0 in ndr_push_lsa_String default/librpc/gen_ndr/ndr_lsa.c:13 > #4 0x7fc0fca885c2 in ndr_push_lsa_TranslatedName default/librpc/gen_ndr/ndr_lsa.c:2478 > #5 0x7fc0fca982f4 in ndr_push_lsa_TransNameArray default/librpc/gen_ndr/ndr_lsa.c:2529 > #6 0x7fc0fca98666 in ndr_push_lsa_LookupSids default/librpc/gen_ndr/ndr_lsa.c:7302 > #7 0x7fc0f028d4d6 in lsarpc__op_ndr_push default/librpc/gen_ndr/ndr_lsa_s.c:2074 > #8 0x7fc0f01ad4d2 in dcesrv_reply ../source4/rpc_server/common/reply.c:183 > #9 0x7fc0f027bccc in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1890 > #10 0x7fc0f027bccc in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #11 0x7fc0f027bccc in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #12 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #13 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #14 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #15 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #16 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #17 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #18 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #19 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #20 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #21 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #22 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #23 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #24 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #25 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #26 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #27 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #28 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #29 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #30 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #31 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #32 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #33 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #34 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > #35 0x563dc39b86ee in binary_smbd_main ../source4/smbd/server.c:700 > #36 0x563dc39b93cd in main ../source4/smbd/server.c:713 > #37 0x7fc101ca22e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) > #38 0x563dc39b6499 in _start (/data/samba/git/samba8/bin/default/source4/smbd/samba+0x7499) > >0x60d0008b5f20 is located 96 bytes inside of 142-byte region [0x60d0008b5ec0,0x60d0008b5f4e) >freed by thread T0 here: > #0 0x7fc10561aa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10) > #1 0x7fc10349d56a in _tc_free_internal ../lib/talloc/talloc.c:1201 > #2 0x7fc10349d11a in _tc_free_children_internal ../lib/talloc/talloc.c:1646 > #3 0x7fc10349d11a in _tc_free_internal ../lib/talloc/talloc.c:1163 > #4 0x7fc10348db70 in _tc_free_children_internal ../lib/talloc/talloc.c:1646 > #5 0x7fc10348db70 in _tc_free_internal ../lib/talloc/talloc.c:1163 > #6 0x7fc10348db70 in _talloc_free_internal ../lib/talloc/talloc.c:1227 > #7 0x7fc10348db70 in _talloc_free ../lib/talloc/talloc.c:1769 > #8 0x7fc0f02c1804 in dcesrv_lsa_LookupSids ../source4/rpc_server/lsa/lsa_lookup.c:808 > #9 0x7fc0f02a965d in lsarpc__op_dispatch default/librpc/gen_ndr/ndr_lsa_s.c:234 > #10 0x7fc0f027bc6d in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1874 > #11 0x7fc0f027bc6d in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #12 0x7fc0f027bc6d in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #13 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #14 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #15 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #16 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #17 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #18 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #19 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #20 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #21 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #22 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #23 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #24 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #25 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #26 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #27 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #28 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #29 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #30 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #31 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #32 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #33 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #34 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #35 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > >previously allocated by thread T0 here: > #0 0x7fc10561ad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28) > #1 0x7fc1034940f0 in __talloc_with_prefix ../lib/talloc/talloc.c:763 > #2 0x7fc1034940f0 in __talloc ../lib/talloc/talloc.c:804 > #3 0x7fc1034940f0 in _talloc_named_const ../lib/talloc/talloc.c:961 > #4 0x7fc1034940f0 in _talloc_memdup ../lib/talloc/talloc.c:2416 > #5 0x7fc0ff407ba3 in dom_sid_string ../libcli/security/dom_sid.c:480 > #6 0x7fc0f02bce54 in dcesrv_lsa_LookupSids_base_call ../source4/rpc_server/lsa/lsa_lookup.c:355 > #7 0x7fc0f02c178e in dcesrv_lsa_LookupSids ../source4/rpc_server/lsa/lsa_lookup.c:800 > #8 0x7fc0f02a965d in lsarpc__op_dispatch default/librpc/gen_ndr/ndr_lsa_s.c:234 > #9 0x7fc0f027bc6d in dcesrv_request ../source4/rpc_server/dcerpc_server.c:1874 > #10 0x7fc0f027bc6d in dcesrv_process_ncacn_packet ../source4/rpc_server/dcerpc_server.c:2196 > #11 0x7fc0f027bc6d in dcesrv_read_fragment_done ../source4/rpc_server/dcerpc_server.c:2774 > #12 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #13 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #14 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #15 0x7fc0fe93b0ce in dcerpc_read_ncacn_packet_done ../librpc/rpc/dcerpc_util.c:835 > #16 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #17 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #18 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #19 0x7fc0feb79fbd in tstream_readv_pdu_ask_for_next_vector ../lib/tsocket/tsocket_helpers.c:245 > #20 0x7fc0feb7a2a8 in tstream_readv_pdu_readv_done ../lib/tsocket/tsocket_helpers.c:319 > #21 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #22 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #23 0x7fc1036c14f7 in _tevent_req_done ../lib/tevent/tevent_req.c:168 > #24 0x7fc0feb77b1b in tstream_readv_done ../lib/tsocket/tsocket.c:604 > #25 0x7fc1036c1417 in _tevent_req_notify_callback ../lib/tevent/tevent_req.c:125 > #26 0x7fc1036c14c3 in tevent_req_finish ../lib/tevent/tevent_req.c:162 > #27 0x7fc1036c15c9 in tevent_req_trigger ../lib/tevent/tevent_req.c:219 > #28 0x7fc1036bfd83 in tevent_common_loop_immediate ../lib/tevent/tevent_immediate.c:135 > #29 0x7fc1036cf591 in epoll_event_loop_once ../lib/tevent/tevent_epoll.c:911 > #30 0x7fc1036c935b in std_event_loop_once ../lib/tevent/tevent_standard.c:114 > #31 0x7fc1036bdddb in _tevent_loop_once ../lib/tevent/tevent.c:725 > #32 0x7fc1036be45e in tevent_common_loop_wait ../lib/tevent/tevent.c:848 > #33 0x7fc1036c926e in std_event_loop_wait ../lib/tevent/tevent_standard.c:145 > #34 0x7fc1036be50f in _tevent_loop_wait ../lib/tevent/tevent.c:867 > >SUMMARY: AddressSanitizer: heap-use-after-free ../lib/util/charset/util_str.c:226 in strlen_m_ext_handle >Shadow bytes around the buggy address: > 0x0c1a8010eb90: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa > 0x0c1a8010eba0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ebb0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd > 0x0c1a8010ebc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa > 0x0c1a8010ebd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd >=>0x0c1a8010ebe0: fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa fa > 0x0c1a8010ebf0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ec00: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00 > 0x0c1a8010ec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa > 0x0c1a8010ec20: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd > 0x0c1a8010ec30: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa >Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap right redzone: fb > Freed heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > Container overflow: fc > Array cookie: ac > Intra object redzone: bb > ASan internal: fe > Left alloca redzone: ca > Right alloca redzone: cb >==11696==ABORTING > >command: /data/samba/git/samba8/bin/smbtorture $LOADLIST --configfile=$SMB_CONF_PATH --option='fss:sequence timeout=1' --maximum-runtime=$SELFTEST_MAXTIME --basedir=$SELFTEST_ >TMPDIR --format=subunit --option=torture:progress=no --option=torture:sharedelay=100000 --option=torture:writetimeupdatedelay=500000 --target=samba3 //$SERVER/tmp -U$USERNAME%$ >PASSWORD rpc.lsa.lookupsids 2>&1 | /data/samba/git/samba8/selftest/filter-subunit --fail-on-empty --prefix="samba3.rpc.lsa.lookupsids." --suffix="(ad_dc)" >expanded command: /data/samba/git/samba8/bin/smbtorture $LOADLIST --configfile=/data/samba/git/samba8/st/client/client.conf --option='fss:sequence timeout=1' --maximum-runtime >=1200 --basedir=/data/samba/git/samba8/st/tmp --format=subunit --option=torture:progress=no --option=torture:sharedelay=100000 --option=torture:writetimeupdatedelay=500000 --ta >rget=samba3 //addc/tmp -UAdministrator%locDCpass1 rpc.lsa.lookupsids 2>&1 | /data/samba/git/samba8/selftest/filter-subunit --fail-on-empty --prefix="samba3.rpc.lsa.lookupsids. >" --suffix="(ad_dc)" >ERROR: Testsuite[samba3.rpc.lsa.lookupsids(ad_dc)] >REASON: Exit code was 1 > > >[3(2)/95 at 41s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [] (nt4_dc) >[4(3)/95 at 41s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [ntlm] (nt4_dc) >[5(4)/95 at 41s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [spnego] (nt4_dc) >[6(5)/95 at 41s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,ntlm] (nt4_dc) >[7(6)/95 at 41s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [,bigendian] (nt4_dc) >[8(7)/95 at 42s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [ntlm,bigendian] (nt4_dc) >[9(8)/95 at 42s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,bigendian] (nt4_dc) >[10(9)/95 at 42s, 1 errors] samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,ntlm,bigendian] (nt4_dc) >^@tdbsam_open: Converting version 0.0 database to version 4.0. >tdbsam_convert_backup: updated /data/samba/git/samba8/st/ktest/private/passdb.tdb file. >^C/data/samba/git/samba8/selftest/selftest.pl: PID[11426]: Got SIGINT teardown environments. >teardown_env(nt4_dc) >smbd child process 11464 exited with value 0 >nmbd child process 11462 exited with value 0 >winbindd child process 11463 exited with value 0 >^Csmbd child process 11464 isn't here any more >nmbd child process 11462 isn't here any more >winbindd child process 11463 isn't here any more >teardown_env(ad_dc) >samba child process 11696 isn't here any more >perl(11426),pstree(11846) > sh(11843) >/data/samba/git/samba8/selftest/selftest.pl: PID[11426]: Exiting... >TOP 10 slowest tests >samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,bigendian] (nt4_dc) -> 1 >samba3.rpc.lsa.lookupsids over ncacn_np with [] (nt4_dc) -> 1 >samba3.rpc.lsa.lookupsids(ad_dc) -> 1 >samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,ntlm,bigendian] (nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids over ncacn_np with [ntlm] (nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids over ncacn_np with [spnego,ntlm] (nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids over ncacn_np with [spnego] (nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids over ncacn_np with [,bigendian] (nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids(nt4_dc) -> 0 >samba3.rpc.lsa.lookupsids over ncacn_np with [ntlm,bigendian] (nt4_dc) -> 0 >ERROR: test failed with exit code -2 >Makefile:17: recipe for target 'test' failed >make: *** [test] Interrupt > >abartlet@ruth:/data/samba/git/samba8$ >abartlet@ruth:/data/samba/git/samba8$ >abartlet@ruth:/data/samba/git/samba8$ >abartlet@ruth:/data/samba/git/samba8$ >abartlet@ruth:/data/samba/git/samba8$
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 13420
:
14172
| 14174 |
14192
|
14195
|
14196
|
14198