The Samba-Bugzilla – Attachment 15144 Details for Bug 13942: ASAN detected use after free samldb_rename_search_base_callback
ASAN error report
asan_014.txt (text/plain), 12.57 KB, created by Gary Lockyer on 2019-05-13 01:48:57 UTC
>To reproduce:
>* configure with address_sanitizer enabled
>* make TESTS="ldap.sites" test
>
>=================================================================
>==6065==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002b2738 at pc 0x7fcce80fb3b5 bp 0x7ffd61798410 sp 0x7ffd61798400
>READ of size 8 at 0x60f0002b2738 thread T0
>    #0 0x7fcce80fb3b4 in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203
>    #1 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #2 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
>    #3 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #4 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564
>    #5 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #6 0x7fcced1eab67 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:657
>    #7 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
>    #8 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #9 0x7fccf920ba3a in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:895
>    #10 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #11 0x7fccea0a6d2b in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:179
>    #12 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #13 0x7fccebd81ddc in ldb_kv_search_and_return_base ../../lib/ldb/ldb_key_value/ldb_kv_search.c:736
>    #14 0x7fccebd81ddc in ldb_kv_search ../../lib/ldb/ldb_key_value/ldb_kv_search.c:813
>    #15 0x7fccebd7dc33 in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1720
>    #16 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
>    #17 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
>    #18 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
>    #19 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>    #20 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
>    #21 0x7fcd0a0dfe48 in ldb_wait ../../lib/ldb/common/ldb.c:639
>    #22 0x7fccf74c0db1 in ldapsrv_rename_with_controls ../../source4/ldap_server/ldap_backend.c:491
>    #23 0x7fccf74c0db1 in ldapsrv_ModifyDNRequest ../../source4/ldap_server/ldap_backend.c:1108
>    #24 0x7fccf74c0db1 in ldapsrv_do_call ../../source4/ldap_server/ldap_backend.c:1321
>    #25 0x7fccf74b4635 in ldapsrv_process_call_trigger ../../source4/ldap_server/ldap_server.c:955
>    #26 0x7fcd0a58829d in tevent_queue_immediate_trigger ../../lib/tevent/tevent_queue.c:149
>    #27 0x7fcd0a587857 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:166
>    #28 0x7fcd0a587894 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:203
>    #29 0x7fcd0a59a45e in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:918
>    #30 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>    #31 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
>    #32 0x7fcd0a5854da in tevent_common_loop_wait ../../lib/tevent/tevent.c:895
>    #33 0x7fcd0a593527 in std_event_loop_wait ../../lib/tevent/tevent_standard.c:141
>    #34 0x7fcd0a58558b in _tevent_loop_wait ../../lib/tevent/tevent.c:914
>    #35 0x7fccf9875078 in standard_accept_connection ../../source4/smbd/process_standard.c:411
>    #36 0x7fcd09eb4e26 in stream_accept_handler ../../source4/smbd/service_stream.c:267
>    #37 0x7fcd0a5867d3 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:138
>    #38 0x7fcd0a59ac65 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:736
>    #39 0x7fcd0a59ac65 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:937
>    #40 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>    #41 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
>    #42 0x7fcd0a5854da in tevent_common_loop_wait ../../lib/tevent/tevent.c:895
>    #43 0x7fcd0a593527 in std_event_loop_wait ../../lib/tevent/tevent_standard.c:141
>    #44 0x7fcd0a58558b in _tevent_loop_wait ../../lib/tevent/tevent.c:914
>    #45 0x7fccf9874170 in standard_new_task ../../source4/smbd/process_standard.c:534
>    #46 0x7fcd09eb7c55 in task_server_startup ../../source4/smbd/service_task.c:127
>    #47 0x7fcd09eb4c08 in server_service_init ../../source4/smbd/service.c:67
>    #48 0x7fcd09eb4c08 in server_service_startup ../../source4/smbd/service.c:104
>    #49 0x5643432a0ef5 in binary_smbd_main ../../source4/smbd/server.c:848
>    #50 0x5643432a1f7e in main ../../source4/smbd/server.c:879
>    #51 0x7fcd075c3b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>    #52 0x56434329e2e9 in _start (/home/gary/projects/samba04/bin/default/source4/smbd/samba+0x82e9)
>
>0x60f0002b2738 is located 104 bytes inside of 168-byte region [0x60f0002b26d0,0x60f0002b2778)
>freed by thread T0 here:
>    #0 0x7fcd0b4f07b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
>    #1 0x7fcd0a351756 in _tc_free_internal ../../lib/talloc/talloc.c:1221
>    #2 0x7fcd0a351756 in _talloc_free_internal ../../lib/talloc/talloc.c:1247
>    #3 0x7fcd0a351756 in _talloc_free ../../lib/talloc/talloc.c:1789
>    #4 0x7fcce80fae4a in check_rename_constraints ../../source4/dsdb/samdb/ldb_modules/samldb.c:4067
>    #5 0x7fcce80fae4a in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4199
>    #6 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #7 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418
>    #8 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #9 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564
>    #10 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #11 0x7fcced1eab67 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:657
>    #12 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
>    #13 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #14 0x7fccf920ba3a in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:895
>    #15 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #16 0x7fccea0a6d2b in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:179
>    #17 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793
>    #18 0x7fccebd81ddc in ldb_kv_search_and_return_base ../../lib/ldb/ldb_key_value/ldb_kv_search.c:736
>    #19 0x7fccebd81ddc in ldb_kv_search ../../lib/ldb/ldb_key_value/ldb_kv_search.c:813
>    #20 0x7fccebd7dc33 in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1720
>    #21 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
>    #22 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
>    #23 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
>    #24 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>    #25 0x7fcd0a584e16 in _tevent_loop_once ../../lib/tevent/tevent.c:772
>    #26 0x7fcd0a0dfe48 in ldb_wait ../../lib/ldb/common/ldb.c:639
>    #27 0x7fccf74c0db1 in ldapsrv_rename_with_controls ../../source4/ldap_server/ldap_backend.c:491
>    #28 0x7fccf74c0db1 in ldapsrv_ModifyDNRequest ../../source4/ldap_server/ldap_backend.c:1108
>    #29 0x7fccf74c0db1 in ldapsrv_do_call ../../source4/ldap_server/ldap_backend.c:1321
>    #30 0x7fccf74b4635 in ldapsrv_process_call_trigger ../../source4/ldap_server/ldap_server.c:955
>    #31 0x7fcd0a58829d in tevent_queue_immediate_trigger ../../lib/tevent/tevent_queue.c:149
>    #32 0x7fcd0a587857 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:166
>    #33 0x7fcd0a587894 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:203
>    #34 0x7fcd0a59a45e in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:918
>    #35 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>
>previously allocated by thread T0 here:
>    #0 0x7fcd0b4f0b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
>    #1 0x7fcd0a358448 in __talloc_with_prefix ../../lib/talloc/talloc.c:782
>    #2 0x7fcd0a358448 in __talloc ../../lib/talloc/talloc.c:824
>    #3 0x7fcd0a358448 in _talloc_named_const ../../lib/talloc/talloc.c:981
>    #4 0x7fcd0a358448 in _talloc_zero ../../lib/talloc/talloc.c:2422
>    #5 0x7fcce80fb457 in samldb_ctx_init ../../source4/dsdb/samdb/ldb_modules/samldb.c:93
>    #6 0x7fcce80fb599 in samldb_rename ../../source4/dsdb/samdb/ldb_modules/samldb.c:4244
>    #7 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
>    #8 0x7fcceea85a33 in acl_rename ../../source4/dsdb/samdb/ldb_modules/acl.c:1892
>    #9 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
>    #10 0x7fccede412f5 in descriptor_rename ../../source4/dsdb/samdb/ldb_modules/descriptor.c:976
>    #11 0x7fcd0a0e9000 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:549
>    #12 0x7fcceacf47ff in objectclass_do_rename2 ../../source4/dsdb/samdb/ldb_modules/objectclass.c:1217
>    #13 0x7fcceacf4aed in get_search_callback ../../source4/dsdb/samdb/ldb_modules/objectclass.c:179
>    #14 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #15 0x7fcceea8b346 in acl_search_callback ../../source4/dsdb/samdb/ldb_modules/acl.c:2111
>    #16 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #17 0x7fcced602379 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1426
>    #18 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #19 0x7fccea6d04a8 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1571
>    #20 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #21 0x7fcced1e93e1 in extended_callback ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:424
>    #22 0x7fcced1eaf34 in extended_callback_ldb ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:662
>    #23 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #24 0x7fccf920b9f1 in dsdb_next_callback ../../source4/dsdb/samdb/ldb_modules/util.c:888
>    #25 0x7fcd0a0e82c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
>    #26 0x7fccea0a6ec2 in partition_req_callback ../../source4/dsdb/samdb/ldb_modules/partition.c:213
>    #27 0x7fccebd7a4be in ldb_kv_request_done ../../lib/ldb/ldb_key_value/ldb_kv.c:1634
>    #28 0x7fccebd7ec7b in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1744
>    #29 0x7fcd0a5953ff in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
>    #30 0x7fcd0a595a8f in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
>    #31 0x7fcd0a59a487 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
>    #32 0x7fcd0a593612 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>
>SUMMARY: AddressSanitizer: heap-use-after-free ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203 in samldb_rename_search_base_callback
>Shadow bytes around the buggy address:
>  0x0c1e8004e490: fd fd fd fd fd fd fa fa fa fa fa fa fa fa 00 00
>  0x0c1e8004e4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c1e8004e4b0: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
>  0x0c1e8004e4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c1e8004e4d0: 04 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
>=>0x0c1e8004e4e0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa
>  0x0c1e8004e4f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>  0x0c1e8004e500: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
>  0x0c1e8004e510: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
>  0x0c1e8004e520: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
>  0x0c1e8004e530: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable: 00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone: fa
>  Freed heap region: fd
>  Stack left redzone: f1
>  Stack mid redzone: f2
>  Stack right redzone: f3
>  Stack after return: f5
>  Stack use after scope: f8
>  Global redzone: f9
>  Global init order: f6
>  Poisoned by user: f7
>  Container overflow: fc
>  Array cookie: ac
>  Intra object redzone: bb
>  ASan internal: fe
>  Left alloca redzone: ca
>  Right alloca redzone: cb
>==6065==ABORTING
Attachments on bug 13942: 15144 | 15157