The Samba-Bugzilla – Attachment 17574 Details for
Bug 15205
Since popt1.19 various use after free errors using result of poptGetArg are now exposed
Description: patch for 4.17
Filename: v4.17_bso15206.patch
MIME Type: text/plain
Creator: Andreas Schneider
Created: 2022-10-18 12:26:14 UTC
Size: 46.60 KB
Flags: patch, obsolete
>From d816eb947f2862dc7488dc538172c78926e3f16a Mon Sep 17 00:00:00 2001 
>From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 10:03:17 +0100 >Subject: [PATCH 1/9] s3/rpcclient: Duplicate string returned from poptGetArg > >popt1.19 fixes a leak that exposes a use as free, >make sure we duplicate return of poptGetArg if >poptFreeContext is called before we use it. > >==4407== Invalid read of size 1 >==4407== at 0x146263: main (rpcclient.c:1262) >==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) >==4407== >==4407== Invalid read of size 1 >==4407== at 0x14627D: main (rpcclient.c:1263) >==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) >==4407== >==4407== Invalid read of size 1 >==4407== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470) >==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320) >==4407== by 0x1462B1: main (rpcclient.c:1267) >==4407== Address 0x7b67cd0 is 
0 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) >==4407== >==4407== Invalid read of size 1 >==4407== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470) >==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320) >==4407== by 0x1462B1: main (rpcclient.c:1267) >==4407== Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) >==4407== >==4407== Invalid read of size 8 >==4407== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457) >==4407== by 0x4980E32: talloc_strdup (talloc.c:2470) >==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320) >==4407== by 0x1462B1: main (rpcclient.c:1267) >==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 
0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) >==4407== >==4407== Invalid read of size 1 >==4407== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457) >==4407== by 0x4980E32: talloc_strdup (talloc.c:2470) >==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320) >==4407== by 0x1462B1: main (rpcclient.c:1267) >==4407== Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd >==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x146227: main (rpcclient.c:1251) >==4407== Block was alloc'd at >==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==4407== by 0x1461BC: main (rpcclient.c:1219) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit d26d3d9bff61f796c9c9ab54990ea078f575ab1e) >--- > source3/rpcclient/rpcclient.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c >index 4042d0d60be..27fe5d705c6 100644 >--- a/source3/rpcclient/rpcclient.c >+++ b/source3/rpcclient/rpcclient.c 
>@@ -1238,7 +1238,7 @@ out_free: > /* Get server as remaining unparsed argument. Print usage if more > than one unparsed argument is present. */ > >- server = poptGetArg(pc); >+ server = talloc_strdup(frame, poptGetArg(pc)); > > if (!server || poptGetArg(pc)) { > poptPrintHelp(pc, stderr, 0); >-- >2.38.0 > > >From 67ec7cd1474d07e799e9e02596152239934f3f98 Mon Sep 17 00:00:00 2001 
>From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 11:23:37 +0100 >Subject: [PATCH 2/9] s3/param: Fix use after free with popt-1.19 > >popt1.19 fixes a leak that exposes a use as free, >make sure we duplicate return of poptGetArg if >poptFreeContext is called before we use it. > >==5325== Invalid read of size 1 >==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470) >==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303) >==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 1 >==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470) >==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303) >==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: 
poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 8 >==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303) >==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 2 >==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303) >==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd >==5325== at 0x484617B: 
free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 1 >==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303) >==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 1 >==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470) >==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023) >==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main 
(test_lp_load.c:98) >==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 1 >==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470) >==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023) >==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 8 >==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023) >==5325== by 0x4894BD4: lp_load_ex 
(loadparm.c:4011) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 2 >==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023) >==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== >==5325== Invalid read of size 1 >==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4859DC2: __talloc_strlendup 
(talloc.c:2457) >==5325== by 0x4859E32: talloc_strdup (talloc.c:2470) >==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023) >==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011) >==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237) >==5325== by 0x10ABD7: main (test_lp_load.c:98) >==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd >==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB8E: main (test_lp_load.c:90) >==5325== Block was alloc'd at >==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5325== by 0x10AB49: main (test_lp_load.c:74) >==5325== > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit ff003fc87b8164610dfd6572347c05308c4b2fd7) >--- > source3/param/test_lp_load.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c >index 2c6a5c8891b..03be4118efd 100644 >--- a/source3/param/test_lp_load.c >+++ b/source3/param/test_lp_load.c >@@ -82,7 +82,7 @@ int main(int argc, const char **argv) > } > > if (poptPeekArg(pc)) { >- config_file = poptGetArg(pc); >+ config_file = talloc_strdup(frame, poptGetArg(pc)); > } else { > config_file = get_dyn_CONFIGFILE(); > } >-- >2.38.0 > > >From 9e1cf581f460c5f0b185fe064811a88ad83e39bd Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 11:26:24 +0100 >Subject: [PATCH 3/9] s3/utils: Add missing poptFreeContext > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 
> >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 31d3d10b260f05080ca0a3cf9434aa4704d60739) >--- > source3/utils/mdsearch.c | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/utils/mdsearch.c b/source3/utils/mdsearch.c >index ac0b75fca51..ab48e366a0a 100644 >--- a/source3/utils/mdsearch.c >+++ b/source3/utils/mdsearch.c >@@ -242,6 +242,7 @@ int main(int argc, char **argv) > return 0; > > fail: >+ poptFreeContext(pc); > TALLOC_FREE(frame); > return 1; > } >-- >2.38.0 > > >From 30b00f6c43f45ba9cdf38562d832193206877d64 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 11:35:51 +0100 >Subject: [PATCH 4/9] s3/utils: Fix use after free with popt 1.19 > >popt1.19 fixes a leak that exposes a use as free, >make sure we duplicate return of poptGetArg if >poptFreeContext is called before we use it. > >==5914== Invalid read of size 1 >==5914== at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6) >==5914== by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583) >==5914== by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340) >==5914== by 0x10DED1: print_user_info (pdbedit.c:372) >==5914== by 0x111413: main (pdbedit.c:1324) >==5914== Address 0x73b6750 is 0 bytes inside a block of size 7 free'd >==5914== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5914== by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==5914== by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==5914== by 0x1113E6: main (pdbedit.c:1323) >==5914== Block was alloc'd at >==5914== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==5914== by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==5914== by 0x110AE5: main (pdbedit.c:1137) >==5914== > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 
> >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit e82699fcca3716d9ed0450263fd83f948de8ffbe) >--- > source3/utils/pdbedit.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c >index 4fdcc3ee428..eb4f3072df8 100644 >--- a/source3/utils/pdbedit.c >+++ b/source3/utils/pdbedit.c >@@ -1150,7 +1150,7 @@ int main(int argc, const char **argv) > poptGetArg(pc); /* Drop argv[0], the program name */ > > if (user_name == NULL) >- user_name = poptGetArg(pc); >+ user_name = talloc_strdup(frame, poptGetArg(pc)); > > setparms = (backend ? BIT_BACKEND : 0) + > (verbose ? BIT_VERBOSE : 0) + >-- >2.38.0 > > >From 70b9beb28672614059d51f4cb26842cfb27dfe2a Mon Sep 17 00:00:00 2001 
>From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 11:45:13 +0100 >Subject: [PATCH 5/9] s3/utils: Fix use after free with popt 1.19 > >popt1.19 fixes a leak that exposes a use as free, >make sure we duplicate return of poptGetArg if >poptFreeContext is called before we use it. > >==6055== Command: ./bin/testparm /etc/samba/smb.conf >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6) >==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6) >==6055== by 0x10EBFA: main (testparm.c:862) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6) >==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6) >==6055== by 0x10EBFA: main (testparm.c:862) >==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in 
/usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6) >==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6) >==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6) >==6055== by 0x10EBFA: main (testparm.c:862) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6) >==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6) >==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6) >==6055== by 0x10EBFA: main (testparm.c:862) >==6055== Address 0x72dab72 is 2 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at 
>==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >Load smb config files from /etc/samba/smb.conf >==6055== Invalid read of size 1 >==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470) >==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303) >==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470) >==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303) >==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) 
>==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 8 >==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303) >==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 2 >==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303) >==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) 
>==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303) >==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470) >==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023) >==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd 
>==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470) >==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023) >==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 8 >==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023) >==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main 
(testparm.c:864) >==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 2 >==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023) >==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== >==6055== Invalid read of size 1 >==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457) >==6055== by 0x4927E32: talloc_strdup (talloc.c:2470) >==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023) 
>==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011) >==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237) >==6055== by 0x10EC06: main (testparm.c:864) >==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd >==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EBAC: main (testparm.c:854) >==6055== Block was alloc'd at >==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6055== by 0x10EB2E: main (testparm.c:830) >==6055== > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3) >--- > source3/utils/testparm.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index 9555b436260..c751c06dcc9 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -843,13 +843,13 @@ static void do_per_share_checks(int s) > } > > if (poptPeekArg(pc)) { >- config_file = poptGetArg(pc); >+ config_file = talloc_strdup(frame, poptGetArg(pc)); > } else { > config_file = get_dyn_CONFIGFILE(); > } > >- cname = poptGetArg(pc); >- caddr = poptGetArg(pc); >+ cname = talloc_strdup(frame, poptGetArg(pc)); >+ caddr = talloc_strdup(frame, poptGetArg(pc)); > > poptFreeContext(pc); > >-- >2.38.0 > > >From 26677b1c7e76ca4f505268e9d09c7848ce2a164d Mon Sep 17 00:00:00 2001 
>From: Noel Power <noel.power@suse.com> >Date: Fri, 14 Oct 2022 11:53:53 +0100 >Subject: [PATCH 6/9] s4/lib/registry: Fix use after free with popt 1.19 >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >popt1.19 fixes a leak that exposes a use as free, >make sure we duplicate return of poptGetArg if >poptFreeContext is called before we use it. > >==6357== Command: ./bin/regpatch file >==6357== >Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it >==6357== Syscall param openat(filename) points to unaddressable byte(s) >==6357== at 0x4BFE535: open (in /usr/lib64/libc.so.6) >==6357== by 0x4861432: reg_diff_load (patchfile.c:345) >==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) >==6357== by 0x10ADF9: main (regpatch.c:114) >==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd >==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ADCF: main (regpatch.c:111) >==6357== Block was alloc'd at >==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ACBD: main (regpatch.c:79) >==6357== >==6357== Invalid read of size 1 >==6357== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) >==6357== by 0x4AD33F2: dbgtext (debug.c:1925) >==6357== by 0x4861515: reg_diff_load (patchfile.c:353) >==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) >==6357== by 0x10ADF9: main (regpatch.c:114) >==6357== Address 0x70f79d0 is 0 bytes inside a block of 
size 5 free'd >==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ADCF: main (regpatch.c:111) >==6357== Block was alloc'd at >==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ACBD: main (regpatch.c:79) >==6357== >==6357== Invalid read of size 1 >==6357== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) >==6357== by 0x4AD33F2: dbgtext (debug.c:1925) >==6357== by 0x4861515: reg_diff_load (patchfile.c:353) >==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) >==6357== by 0x10ADF9: main (regpatch.c:114) >==6357== Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd >==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ADCF: main (regpatch.c:111) >==6357== Block was alloc'd at >==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ACBD: main (regpatch.c:79) >==6357== >==6357== Invalid read of size 1 >==6357== at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6) >==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) >==6357== by 0x4AD33F2: dbgtext 
(debug.c:1925) >==6357== by 0x4861515: reg_diff_load (patchfile.c:353) >==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) >==6357== by 0x10ADF9: main (regpatch.c:114) >==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd >==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ADCF: main (regpatch.c:111) >==6357== Block was alloc'd at >==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ACBD: main (regpatch.c:79) >==6357== >==6357== Invalid read of size 1 >==6357== at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6) >==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6) >==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904) >==6357== by 0x4AD33F2: dbgtext (debug.c:1925) >==6357== by 0x4861515: reg_diff_load (patchfile.c:353) >==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542) >==6357== by 0x10ADF9: main (regpatch.c:114) >==6357== Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd >==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ADCF: main (regpatch.c:111) >==6357== Block was alloc'd at >==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) >==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2) >==6357== by 0x10ACBD: main (regpatch.c:79) >==6357== >Error reading registry patch file `file' > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 
> >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Ralph Boehme <slow@samba.org> > >Autobuild-User(master): Ralph Böhme <slow@samba.org> >Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184 > >(cherry picked from commit 7e0e3f47cd67e4cadc101691cd14837f45d9506a) >--- > source4/lib/registry/tools/regpatch.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/lib/registry/tools/regpatch.c b/source4/lib/registry/tools/regpatch.c >index 2be78d143ef..eafaff6cf99 100644 >--- a/source4/lib/registry/tools/regpatch.c >+++ b/source4/lib/registry/tools/regpatch.c >@@ -101,7 +101,7 @@ int main(int argc, char **argv) > return 1; > } > >- patch = poptGetArg(pc); >+ patch = talloc_strdup(mem_ctx, poptGetArg(pc)); > if (patch == NULL) { > poptPrintUsage(pc, stderr, 0); > TALLOC_FREE(mem_ctx); >-- >2.38.0 > > >From e4b3b60edc81076bb5318aecb7261917af8c1fb7 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 17 Oct 2022 10:17:34 +0100 >Subject: [PATCH 7/9] s3/param: Check return of talloc_strdup > >followup to commit ff003fc87b8164610dfd6572347c05308c4b2fd7 > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 19eb88bc53e481327bbd437b0c145d5765c6dcec) >--- > source3/param/test_lp_load.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c >index 03be4118efd..9f3d5516805 100644 >--- a/source3/param/test_lp_load.c >+++ b/source3/param/test_lp_load.c >@@ -83,6 +83,11 @@ int main(int argc, const char **argv) > > if (poptPeekArg(pc)) { > config_file = talloc_strdup(frame, poptGetArg(pc)); >+ if (config_file == NULL) { >+ DBG_ERR("out of memory\n"); >+ TALLOC_FREE(frame); >+ exit(1); >+ } > } else { > config_file = get_dyn_CONFIGFILE(); > } >-- >2.38.0 
> > >From d98c0eb81f15126b67feb631a0063f73732ccaba Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 17 Oct 2022 10:25:00 +0100 >Subject: [PATCH 8/9] s3/utils: Check return of talloc_strdup > >followup to e82699fcca3716d9ed0450263fd83f948de8ffbe > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 972127daddc7a32d23fb84d97102557035b06f5b) >--- > source3/utils/pdbedit.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > >diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c >index eb4f3072df8..ede467108bb 100644 >--- a/source3/utils/pdbedit.c >+++ b/source3/utils/pdbedit.c >@@ -1149,8 +1149,16 @@ int main(int argc, const char **argv) > > poptGetArg(pc); /* Drop argv[0], the program name */ > >- if (user_name == NULL) >- user_name = talloc_strdup(frame, poptGetArg(pc)); >+ if (user_name == NULL) { >+ if (poptPeekArg(pc)) { >+ user_name = talloc_strdup(frame, poptGetArg(pc)); >+ if (user_name == NULL) { >+ fprintf(stderr, "out of memory\n"); >+ TALLOC_FREE(frame); >+ exit(1); >+ } >+ } >+ } > > setparms = (backend ? BIT_BACKEND : 0) + > (verbose ? BIT_VERBOSE : 0) + >-- >2.38.0 > > >From 9703e84a814a9fcd5aba665ffdfd5d033e8ce365 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Mon, 17 Oct 2022 10:27:31 +0100 >Subject: [PATCH 9/9] s3/utils: check result of talloc_strdup > >follow to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3 > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205 > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184 > >(cherry picked from commit 0326549a052c22e4929e3760fd5011c35e32fe33) >--- > source3/utils/testparm.c | 5 +++++ > 1 file changed, 5 insertions(+) 
> >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index c751c06dcc9..e0455b9d7b6 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -844,6 +844,11 @@ static void do_per_share_checks(int s) > > if (poptPeekArg(pc)) { > config_file = talloc_strdup(frame, poptGetArg(pc)); >+ if (config_file == NULL) { >+ DBG_ERR("out of memory\n"); >+ TALLOC_FREE(frame); >+ exit(1); >+ } > } else { > config_file = get_dyn_CONFIGFILE(); > } >-- >2.38.0 >
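Review bot: the three new talloc_strdup() calls in the testparm.c hunk at @@ -843,13 (config_file, cname, caddr) leave the return value unchecked, so an allocation failure produces a NULL that is later dereferenced or silently read as "argument not given". config_file is covered by the later testparm.c hunk at @@ -844,6 in this series, but cname and caddr are not. Since poptGetArg(pc) legitimately returns NULL once the positional arguments are exhausted, and talloc_strdup() returns NULL for a NULL input, a bare NULL test after the strdup cannot tell "missing argument" from out-of-memory; guarding each call with `if (poptPeekArg(pc))` before duplicating, as the pdbedit.c hunk does, makes a NULL result unambiguous and checkable. The duplication itself is the correct fix for the traces in the commit message, where the block freed at testparm.c:854 via poptFreeContext() is read again at testparm.c:864.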
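Review bot: in the regpatch.c hunk at @@ -101,7, `patch = talloc_strdup(mem_ctx, poptGetArg(pc));` followed by the existing `if (patch == NULL)` now routes an allocation failure through the same path as a missing argument, printing usage and returning. That is memory-safe and closes the use after free shown in the trace (block freed at regpatch.c:111 by poptFreeContext(), read at regpatch.c:114 via reg_diff_load()), but the usage message is misleading on OOM; if that distinction matters, test `poptPeekArg(pc)` first and report out-of-memory separately.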
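Review bot: the new error path in the test_lp_load.c hunk at @@ -83,6 calls exit(1) after TALLOC_FREE(frame) without releasing the popt context; the hunk's context lines do not show pc being freed before this point. A leak at process exit is harmless, but adding `poptFreeContext(pc);` before the exit keeps valgrind runs of this test program clean, which is exactly the tool this series relies on. The check itself is correct: the strdup here is preceded by `if (poptPeekArg(pc))`, so a NULL from talloc_strdup() can only mean allocation failure.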
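Review bot: two style points on the pdbedit.c hunk at @@ -1149,8. The error is reported with `fprintf(stderr, "out of memory\n");` while the sibling hunks in test_lp_load.c and testparm.c use DBG_ERR for the same condition, so one convention should be used across the series. The nested `if (user_name == NULL) { if (poptPeekArg(pc)) { ... } }` is equivalent to a single `if (user_name == NULL && poptPeekArg(pc))`, which saves an indentation level. The logic is the right shape: the poptPeekArg(pc) guard means a NULL from talloc_strdup() is unambiguously an allocation failure, and this is the pattern the other hunks that duplicate optional positional arguments should follow.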
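Review bot: the NULL check added in the testparm.c hunk at @@ -844,6 covers only config_file, although the commit message says "check result of talloc_strdup" and refers to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3, whose hunk at @@ -843,13 also introduced unchecked talloc_strdup() calls for cname and caddr; those two remain unchecked. Because poptGetArg(pc) returns NULL when the argument is absent, each of those needs a `poptPeekArg(pc)` guard before the strdup so that a NULL result can be treated as out-of-memory, as the pdbedit.c hunk does. Separately, the exit(1) here runs before the `poptFreeContext(pc);` that the earlier testparm.c hunk shows following these assignments, leaving pc unfreed at exit; harmless, but a poptFreeContext(pc) on the error path keeps valgrind output clean.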
Flags: pfilipensky: review+