Bug 10702 - crash / talloc: access after free updating secrets.ldb
Summary: crash / talloc: access after free updating secrets.ldb
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-07-08 14:41 UTC by Samuel Cabrero
Modified: 2016-07-30 01:59 UTC (History)
1 user (show)

See Also:

bt full (4.42 KB, text/plain)
2014-07-08 14:41 UTC, Samuel Cabrero
no flags Details
Patch for 4.1 series (1.45 KB, patch)
2014-07-08 14:46 UTC, Samuel Cabrero
kamenim: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Samuel Cabrero 2014-07-08 14:41:58 UTC
Created attachment 10086 [details]
bt full

How to reproduce it:
* Add an entry to secrets.ldb
* Delete the keytab
* Modify the entry changing the keytab path (outside private directory)

#0  0x00007ffff71e5f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff71e9388 in __GI_abort () at abort.c:89
#2  0x00007ffff5a270e9 in smb_panic_default (why=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/util/fault.c:149
#3  0x00007ffff5a27127 in smb_panic (why=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162
#4  0x00007ffff75771d2 in talloc_abort (reason=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:341
#5  0x00007ffff757724e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:357
#6  0x00007ffff75772cb in talloc_chunk_from_ptr (ptr=0x5555557d71f0) at ../lib/talloc/talloc.c:378
#7  0x00007ffff75787c6 in _talloc_steal_loc (new_ctx=0x5555557d4ac0, ptr=0x5555557d71f0, location=0x7fffed6bddf8 "../source4/auth/kerberos/srv_keytab.c:526") at ../lib/talloc/talloc.c:1072
#8  0x00007fffed6b6d0e in smb_krb5_update_keytab (parent_ctx=0x5555557d4ac0, context=0x5555557d3930, keytab_name=0x5555557da690 "FILE:./private//etc/mail.keytab", samAccountName=0x5555557da040 "mail-z35", 
    realm=0x5555557d74c0 "KERNEVIL.LAN", SPNs=0x5555557da140, num_SPNs=6, saltPrincipal=0x0, new_secret=0x5555557dc830 "foobar", old_secret=0x0, kvno=1, supp_enctypes=31, delete_all_kvno=false, 
    _keytab=0x0, error_string=0x7fffffffe0f8) at ../source4/auth/kerberos/srv_keytab.c:526
#9  0x00007fffe3c5b686 in update_kt_prepare_commit (module=0x5555557b04f0) at ../source4/dsdb/samdb/ldb_modules/update_keytab.c:432
#10 0x00007ffff79aab72 in ldb_transaction_prepare_commit (ldb=0x555555760ee0) at ../lib/ldb/common/ldb.c:409
#11 0x00007ffff79aace1 in ldb_transaction_commit (ldb=0x555555760ee0) at ../lib/ldb/common/ldb.c:441
#12 0x0000555555555b8e in merge_edits (ldb=0x555555760ee0, msgs1=0x5555557bcb40, count1=5, msgs2=0x5555557c1ca0, count2=5) at ../lib/ldb/tools/ldbedit.c:179
#13 0x0000555555555fb5 in do_edit (ldb=0x555555760ee0, msgs1=0x5555557bcb40, count1=5, editor=0x7ffff7781a39 "vi") at ../lib/ldb/tools/ldbedit.c:303
#14 0x0000555555556294 in main (argc=3, argv=0x7fffffffe438) at ../lib/ldb/tools/ldbedit.c:368
Comment 1 Samuel Cabrero 2014-07-08 14:46:49 UTC
Created attachment 10087 [details]
Patch for 4.1 series
Comment 2 Andrew Bartlett 2016-07-30 01:59:34 UTC
Fixed in Samba 4.2 with caa42ed385dc174d9529407d128424c37cff8e9c