The Samba-Bugzilla – Attachment 15684 Details for Bug 14050
[SECURITY] CVE-2019-19344 server crash with dns zone scavenging = yes
ASAN output
dns.asan (text/plain), 9.15 KB, created by Gary Lockyer on 2019-12-15 20:16:47 UTC
>time: 2019-12-15 20:08:27.267522Z
>test: samba.tests.dns.__main__.TestZones.test_basic_scavenging(fl2003dc:local)
>WARNING: The "lanman auth" option is deprecated
>WARNING: The "lanman auth" option is deprecated
>WARNING: The "lanman auth" option is deprecated
>WARNING: The "lanman auth" option is deprecated
>=================================================================
>==3451==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000189cd0 at pc 0x7fe9332d92ad bp 0x7ffd4e672800 sp 0x7ffd4e6727f0
>READ of size 4 at 0x610000189cd0 thread T0
>    #0 0x7fe9332d92ac in dns_tombstone_records_zone ../../source4/dsdb/kcc/scavenge_dns_records.c:196
>    #1 0x7fe9332da19a in dns_tombstone_records ../../source4/dsdb/kcc/scavenge_dns_records.c:323
>    #2 0x7fe93350f9a2 in py_scavenge_dns_records ../../source4/dsdb/pydsdb.c:1222
>    #3 0x50a8ae (/usr/bin/python3.6+0x50a8ae)
>    #4 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #5 0x508244 (/usr/bin/python3.6+0x508244)
>    #6 0x50a07f (/usr/bin/python3.6+0x50a07f)
>    #7 0x50aa7c (/usr/bin/python3.6+0x50aa7c)
>    #8 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #9 0x508244 (/usr/bin/python3.6+0x508244)
>    #10 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #11 0x595310 (/usr/bin/python3.6+0x595310)
>    #12 0x5a067d in PyObject_Call (/usr/bin/python3.6+0x5a067d)
>    #13 0x50d965 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50d965)
>    #14 0x508244 (/usr/bin/python3.6+0x508244)
>    #15 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #16 0x595310 (/usr/bin/python3.6+0x595310)
>    #17 0x54b1e0 (/usr/bin/python3.6+0x54b1e0)
>    #18 0x5aa6eb in _PyObject_FastCallKeywords (/usr/bin/python3.6+0x5aa6eb)
>    #19 0x50abb2 (/usr/bin/python3.6+0x50abb2)
>    #20 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #21 0x508244 (/usr/bin/python3.6+0x508244)
>    #22 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #23 0x595310 (/usr/bin/python3.6+0x595310)
>    #24 0x5a067d in PyObject_Call (/usr/bin/python3.6+0x5a067d)
>    #25 0x50d965 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50d965)
>    #26 0x508244 (/usr/bin/python3.6+0x508244)
>    #27 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #28 0x595310 (/usr/bin/python3.6+0x595310)
>    #29 0x54b1e0 (/usr/bin/python3.6+0x54b1e0)
>    #30 0x5aa6eb in _PyObject_FastCallKeywords (/usr/bin/python3.6+0x5aa6eb)
>    #31 0x50abb2 (/usr/bin/python3.6+0x50abb2)
>    #32 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #33 0x508244 (/usr/bin/python3.6+0x508244)
>    #34 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #35 0x595310 (/usr/bin/python3.6+0x595310)
>    #36 0x5a067d in PyObject_Call (/usr/bin/python3.6+0x5a067d)
>    #37 0x50d965 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50d965)
>    #38 0x508244 (/usr/bin/python3.6+0x508244)
>    #39 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #40 0x595310 (/usr/bin/python3.6+0x595310)
>    #41 0x54b1e0 (/usr/bin/python3.6+0x54b1e0)
>    #42 0x5aa6eb in _PyObject_FastCallKeywords (/usr/bin/python3.6+0x5aa6eb)
>    #43 0x50abb2 (/usr/bin/python3.6+0x50abb2)
>    #44 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #45 0x509d47 (/usr/bin/python3.6+0x509d47)
>    #46 0x50aa7c (/usr/bin/python3.6+0x50aa7c)
>    #47 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #48 0x509d47 (/usr/bin/python3.6+0x509d47)
>    #49 0x50aa7c (/usr/bin/python3.6+0x50aa7c)
>    #50 0x50c5b8 in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50c5b8)
>    #51 0x508244 (/usr/bin/python3.6+0x508244)
>    #52 0x50a07f (/usr/bin/python3.6+0x50a07f)
>    #53 0x50aa7c (/usr/bin/python3.6+0x50aa7c)
>    #54 0x50d38f in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50d38f)
>    #55 0x508244 (/usr/bin/python3.6+0x508244)
>    #56 0x509641 in _PyFunction_FastCallDict (/usr/bin/python3.6+0x509641)
>    #57 0x595310 (/usr/bin/python3.6+0x595310)
>    #58 0x54a6fe (/usr/bin/python3.6+0x54a6fe)
>    #59 0x551b80 (/usr/bin/python3.6+0x551b80)
>    #60 0x5aa6eb in _PyObject_FastCallKeywords (/usr/bin/python3.6+0x5aa6eb)
>    #61 0x50abb2 (/usr/bin/python3.6+0x50abb2)
>    #62 0x50d38f in _PyEval_EvalFrameDefault (/usr/bin/python3.6+0x50d38f)
>    #63 0x508244 (/usr/bin/python3.6+0x508244)
>    #64 0x50b402 in PyEval_EvalCode (/usr/bin/python3.6+0x50b402)
>    #65 0x635221 (/usr/bin/python3.6+0x635221)
>    #66 0x6352d6 in PyRun_FileExFlags (/usr/bin/python3.6+0x6352d6)
>    #67 0x638a8e in PyRun_SimpleFileExFlags (/usr/bin/python3.6+0x638a8e)
>    #68 0x639630 in Py_Main (/usr/bin/python3.6+0x639630)
>    #69 0x4b0f3f in main (/usr/bin/python3.6+0x4b0f3f)
>    #70 0x7fe94b89ab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
>    #71 0x5b2fd9 in _start (/usr/bin/python3.6+0x5b2fd9)
>
>0x610000189cd0 is located 144 bytes inside of 192-byte region [0x610000189c40,0x610000189d00)
>freed by thread T0 here:
>    #0 0x7fe94c5acf40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
>    #1 0x7fe946ebce8d in _talloc_realloc ../../lib/talloc/talloc.c:2036
>    #2 0x7fe946ebd3d2 in _talloc_realloc_array ../../lib/talloc/talloc.c:2786
>    #3 0x7fe947304965 in _ldb_msg_add_el ../../lib/ldb/common/ldb_msg.c:343
>    #4 0x7fe947305917 in ldb_msg_add_empty ../../lib/ldb/common/ldb_msg.c:370
>    #5 0x7fe9332d97c0 in dns_tombstone_records_zone ../../source4/dsdb/kcc/scavenge_dns_records.c:190
>    #6 0x7fe9332da19a in dns_tombstone_records ../../source4/dsdb/kcc/scavenge_dns_records.c:323
>    #7 0x7fe93350f9a2 in py_scavenge_dns_records ../../source4/dsdb/pydsdb.c:1222
>    #8 0x50a8ae (/usr/bin/python3.6+0x50a8ae)
>
>previously allocated by thread T0 here:
>    #0 0x7fe94c5acb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
>    #1 0x7fe946eaf15b in __talloc_with_prefix ../../lib/talloc/talloc.c:782
>    #2 0x7fe946eaf15b in __talloc ../../lib/talloc/talloc.c:824
>    #3 0x7fe946eaf15b in _talloc_named_const ../../lib/talloc/talloc.c:981
>    #4 0x7fe946eaf15b in _talloc_array ../../lib/talloc/talloc.c:2764
>    #5 0x7fe94731d59c in ldb_filter_attrs ../../lib/ldb/common/ldb_pack.c:1174
>    #6 0x7fe92896f715 in ldb_kv_filter_attrs ../../lib/ldb/ldb_key_value/ldb_kv_search.c:303
>    #7 0x7fe92897b23e in ldb_kv_index_filter ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2397
>    #8 0x7fe92897b23e in ldb_kv_search_indexed ../../lib/ldb/ldb_key_value/ldb_kv_index.c:2608
>    #9 0x7fe928970138 in ldb_kv_search ../../lib/ldb/ldb_key_value/ldb_kv_search.c:678
>    #10 0x7fe92896d017 in ldb_kv_callback ../../lib/ldb/ldb_key_value/ldb_kv.c:1975
>    #11 0x7fe9463cc2e0 in tevent_common_invoke_timer_handler ../../lib/tevent/tevent_timed.c:370
>    #12 0x7fe9463cc955 in tevent_common_loop_timer_delay ../../lib/tevent/tevent_timed.c:442
>    #13 0x7fe9463d12ae in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:922
>    #14 0x7fe9463ca519 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
>    #15 0x7fe9463bbe63 in _tevent_loop_once ../../lib/tevent/tevent.c:772
>    #16 0x7fe9472f2278 in ldb_wait ../../lib/ldb/common/ldb.c:648
>    #17 0x7fe9472f57e1 in ldb_search ../../lib/ldb/common/ldb.c:1773
>    #18 0x7fe9332d911c in dns_tombstone_records_zone ../../source4/dsdb/kcc/scavenge_dns_records.c:158
>    #19 0x7fe9332da19a in dns_tombstone_records ../../source4/dsdb/kcc/scavenge_dns_records.c:323
>    #20 0x7fe93350f9a2 in py_scavenge_dns_records ../../source4/dsdb/pydsdb.c:1222
>    #21 0x50a8ae (/usr/bin/python3.6+0x50a8ae)
>
>SUMMARY: AddressSanitizer: heap-use-after-free ../../source4/dsdb/kcc/scavenge_dns_records.c:196 in dns_tombstone_records_zone
>Shadow bytes around the buggy address:
>  0x0c2080029340: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>  0x0c2080029350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>  0x0c2080029360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>  0x0c2080029370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
>  0x0c2080029380: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>=>0x0c2080029390: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
>  0x0c20800293a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>  0x0c20800293b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>  0x0c20800293c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>  0x0c20800293d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>  0x0c20800293e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
>==3451==ABORTING
>error: samba.tests.dns.__main__.TestZones.test_basic_scavenging (samba.subunit.RemotedTestCase)(fl2003dc:local) [
>Exception: Exception: was started but never finished!
>
>]
>time: 2019-12-15 20:08:27.874446Z