The Samba-Bugzilla – Attachment 15129 Details for Bug 13932: ASAN detected use after free dcerpc_interface_dealloc
ASAN error report
asan_008.txt (text/plain), 10.47 KB, created by Gary Lockyer on 2019-05-07 23:25:45 UTC
>[153(1098)/354 at 36m33s] samba4.rpc.echo on ncacn_ip_tcp with bigendian and --option=socket:testnonblock=True --option=torture:quick=yes -k yes(fl2000dc)
>[154(1107)/354 at 36m33s] samba4.rpc.echo on ncacn_ip_tcp with bigendian,seal and --option=socket:testnonblock=True --option=torture:quick=yes -k yes(fl2000dc)
>Doing a full scan on CN=Configuration,DC=samba2000,DC=example,DC=com and looking for deleted objects
>Doing a full scan on DC=samba2000,DC=example,DC=com and looking for deleted objects
>python3: WARNING: The "server schannel" option is deprecated
>samba version 4.11.0pre1-DEVELOPERBUILD started.
>Copyright Andrew Tridgell and the Samba Team 1992-2019
>binary_smbd_main: samba PID 30998 was called with maxruntime 18000 - current ts 1557200411
>binary_smbd_main: samba: using 'standard' process model
>Attempting to autogenerate TLS self-signed keys for https for hostname 'DC6.samba2003.example.com'
>/home/gary/projects/samba04/bin/winbindd: Failed to create /usr/local/samba/var/cores for user 0 with mode 0700
>/home/gary/projects/samba04/bin/winbindd: Unable to setup corepath for winbindd: No such file or directory
>/home/gary/projects/samba04/bin/winbindd: Failed to create /usr/local/samba/var/cores for user 0 with mode 0700
>/home/gary/projects/samba04/bin/winbindd: Unable to setup corepath for winbindd: No such file or directory
>/home/gary/projects/samba04/bin/winbindd: winbindd version 4.11.0pre1-DEVELOPERBUILD started.
>/home/gary/projects/samba04/bin/winbindd: Copyright Andrew Tridgell and the Samba Team 1992-2019
>/home/gary/projects/samba04/bin/winbindd: initialize_winbindd_cache: clearing cache and re-creating with version number 2
>/home/gary/projects/samba04/bin/winbindd: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
>TLS self-signed keys generated OK
>
>=================================================================
>==31047==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000a5a0 at pc 0x7f07b384fa93 bp 0x7fffa7325120 sp 0x7fffa7325110
>READ of size 8 at 0x61200000a5a0 thread T0
>Doing a full scan on DC=ForestDnsZones,DC=samba2003,DC=example,DC=com and looking for deleted objects
>Doing a full scan on DC=DomainDnsZones,DC=samba2003,DC=example,DC=com and looking for deleted objects
>Doing a full scan on CN=Configuration,DC=samba2003,DC=example,DC=com and looking for deleted objects
>Doing a full scan on DC=samba2003,DC=example,DC=com and looking for deleted objects
>    #0 0x7f07b384fa92 in _tevent_schedule_immediate ../../lib/tevent/tevent.c:670
>    #1 0x7f07b3853ef9 in tevent_req_post ../../lib/tevent/tevent_req.c:257
>    #2 0x7f07b3853f7b in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:136
>    #3 0x7f07b3854179 in tevent_req_finish ../../lib/tevent/tevent_req.c:193
>    #4 0x7f07b3854215 in _tevent_req_error ../../lib/tevent/tevent_req.c:211
>    #5 0x7f07a9e16581 in writev_cancel ../../lib/async_req/async_sock.c:331
>    #6 0x7f07b385486a in _tevent_req_cancel ../../lib/tevent/tevent_req.c:389
>    #7 0x7f07ae28fa38 in smbXcli_req_cancel_write_req ../../libcli/smb/smbXcli_base.c:902
>    #8 0x7f07ae2992ca in smbXcli_req_unset_pending ../../libcli/smb/smbXcli_base.c:956
>    #9 0x7f07ae29e6ac in smbXcli_req_cleanup ../../libcli/smb/smbXcli_base.c:1064
>    #10 0x7f07b3853957 in tevent_req_cleanup ../../lib/tevent/tevent_req.c:160
>    #11 0x7f07b38544a9 in tevent_req_received ../../lib/tevent/tevent_req.c:289
>    #12 0x7f07b3854537 in tevent_req_destructor ../../lib/tevent/tevent_req.c:128
>    #13 0x7f07b436f5f8 in _tc_free_internal ../../lib/talloc/talloc.c:1157
>    #14 0x7f07b435dbaf in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #15 0x7f07b435dbaf in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #16 0x7f07b435dbaf in _talloc_free_internal ../../lib/talloc/talloc.c:1247
>    #17 0x7f07b435dbaf in _talloc_free ../../lib/talloc/talloc.c:1789
>    #18 0x7f07b38544d2 in tevent_req_received ../../lib/tevent/tevent_req.c:291
>    #19 0x7f07b3854537 in tevent_req_destructor ../../lib/tevent/tevent_req.c:128
>    #20 0x7f07b436f5f8 in _tc_free_internal ../../lib/talloc/talloc.c:1157
>    #21 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #22 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #23 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #24 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #25 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #26 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #27 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #28 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #29 0x7f07b435dbaf in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #30 0x7f07b435dbaf in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #31 0x7f07b435dbaf in _talloc_free_internal ../../lib/talloc/talloc.c:1247
>    #32 0x7f07b435dbaf in _talloc_free ../../lib/talloc/talloc.c:1789
>    #33 0x7f079d90aab7 in dcerpc_interface_dealloc ../../source4/librpc/rpc/pyrpc.c:305
>    #34 0x504f97 (/usr/bin/python3.6+0x504f97)
>    #35 0x501b2d in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501b2d)
>    #36 0x591460 (/usr/bin/python3.6+0x591460)
>    #37 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd)
>    #38 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16)
>    #39 0x504c27 (/usr/bin/python3.6+0x504c27)
>    #40 0x501b2d in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501b2d)
>    #41 0x591460 (/usr/bin/python3.6+0x591460)
>    #42 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd)
>    #43 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16)
>    #44 0x504c27 (/usr/bin/python3.6+0x504c27)
>    #45 0x501ba6 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501ba6)
>    #46 0x591460 (/usr/bin/python3.6+0x591460)
>    #47 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd)
>    #48 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16)
>    #49 0x504c27 (/usr/bin/python3.6+0x504c27)
>    #50 0x501ba6 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501ba6)
>    #51 0x591460 (/usr/bin/python3.6+0x591460)
>    #52 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd)
>    #53 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16)
>    #54 0x504c27 (/usr/bin/python3.6+0x504c27)
>    #55 0x501ba6 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x501ba6)
>    #56 0x591460 (/usr/bin/python3.6+0x591460)
>    #57 0x59ebbd in PyObject_Call (/usr/bin/python3.6+0x59ebbd)
>    #58 0x507c16 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x507c16)
>    #59 0x504c27 (/usr/bin/python3.6+0x504c27)
>    #60 0x506392 in PyEval_EvalCode (/usr/bin/python3.6+0x506392)
>    #61 0x634d51 (/usr/bin/python3.6+0x634d51)
>    #62 0x634e09 in PyRun_FileExFlags (/usr/bin/python3.6+0x634e09)
>    #63 0x6385c7 in PyRun_SimpleFileExFlags (/usr/bin/python3.6+0x6385c7)
>    #64 0x639159 in Py_Main (/usr/bin/python3.6+0x639159)
>    #65 0x4a6f0f in main (/usr/bin/python3.6+0x4a6f0f)
>    #66 0x7f07b8b8db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>    #67 0x5afa09 in _start (/usr/bin/python3.6+0x5afa09)
>
>0x61200000a5a0 is located 96 bytes inside of 312-byte region [0x61200000a540,0x61200000a678)
>freed by thread T0 here:
>    #0 0x7f07b989f7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
>    #1 0x7f07b436fe6d in _tc_free_internal ../../lib/talloc/talloc.c:1221
>    #2 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #3 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #4 0x7f07b436f4ca in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #5 0x7f07b436f4ca in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #6 0x7f07b435dbaf in _tc_free_children_internal ../../lib/talloc/talloc.c:1666
>    #7 0x7f07b435dbaf in _tc_free_internal ../../lib/talloc/talloc.c:1183
>    #8 0x7f07b435dbaf in _talloc_free_internal ../../lib/talloc/talloc.c:1247
>    #9 0x7f07b435dbaf in _talloc_free ../../lib/talloc/talloc.c:1789
>    #10 0x7f079d90aab7 in dcerpc_interface_dealloc ../../source4/librpc/rpc/pyrpc.c:305
>    #11 0x504f97 (/usr/bin/python3.6+0x504f97)
>
>previously allocated by thread T0 here:
>    #0 0x7f07b989fb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
>    #1 0x7f07b4365448 in __talloc_with_prefix ../../lib/talloc/talloc.c:782
>    #2 0x7f07b4365448 in __talloc ../../lib/talloc/talloc.c:824
>    #3 0x7f07b4365448 in _talloc_named_const ../../lib/talloc/talloc.c:981
>    #4 0x7f07b4365448 in _talloc_zero ../../lib/talloc/talloc.c:2422
>    #5 0x7f07b384dea4 in tevent_context_init_ops ../../lib/tevent/tevent.c:487
>    #6 0x7f07b384df76 in tevent_context_init_byname ../../lib/tevent/tevent.c:523
>    #7 0x7f07b0b0c99c in s4_event_context_init ../../source4/lib/events/tevent_s4.c:34
>    #8 0x7f07b183dafa in py_dcerpc_interface_init_helper ../../source4/librpc/rpc/pyrpc_util.c:219
>    #9 0x7f07960bb30a in interface_lsarpc_new librpc/gen_ndr/py_lsa.c:48556
>    #10 0x5553b4 (/usr/bin/python3.6+0x5553b4)
>
>SUMMARY: AddressSanitizer: heap-use-after-free ../../lib/tevent/tevent.c:670 in _tevent_schedule_immediate
>Shadow bytes around the buggy address:
>  0x0c247fff9460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x0c247fff9470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>  0x0c247fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x0c247fff9490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x0c247fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>=>0x0c247fff94b0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
>  0x0c247fff94c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>  0x0c247fff94d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>  0x0c247fff94e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c247fff94f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
>  0x0c247fff9500: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable: 00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone: fa
>  Freed heap region: fd
>  Stack left redzone: f1
>  Stack mid redzone: f2
>  Stack right redzone: f3
>  Stack after return: f5
>  Stack use after scope: f8
>  Global redzone: f9
>  Global init order: f6
>  Poisoned by user: f7
>  Container overflow: fc
>  Array cookie: ac
>  Intra object redzone: bb
>  ASan internal: fe
>  Left alloca redzone: ca
>  Right alloca redzone: cb
>==31047==ABORTING
>