10702 – crash / talloc: access after free updating secrets.ldb

Bug 10702 - crash / talloc: access after free updating secrets.ldb

Summary: crash / talloc: access after free updating secrets.ldb

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-07-08 14:41 UTC by Samuel Cabrero
Modified:	2016-07-30 01:59 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
bt full (4.42 KB, text/plain) 2014-07-08 14:41 UTC, Samuel Cabrero	no flags	Details
Patch for 4.1 series (1.45 KB, patch) 2014-07-08 14:46 UTC, Samuel Cabrero	kamenim: review+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Samuel Cabrero 2014-07-08 14:41:58 UTC

Created attachment 10086 [details]
bt full

How to reproduce it:
* Add an entry to secrets.ldb
* Delete the keytab
* Modify the entry changing the keytab path (outside private directory)

Backtrace:
#0  0x00007ffff71e5f79 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff71e9388 in __GI_abort () at abort.c:89
#2  0x00007ffff5a270e9 in smb_panic_default (why=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/util/fault.c:149
#3  0x00007ffff5a27127 in smb_panic (why=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162
#4  0x00007ffff75771d2 in talloc_abort (reason=0x7ffff757b620 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:341
#5  0x00007ffff757724e in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:357
#6  0x00007ffff75772cb in talloc_chunk_from_ptr (ptr=0x5555557d71f0) at ../lib/talloc/talloc.c:378
#7  0x00007ffff75787c6 in _talloc_steal_loc (new_ctx=0x5555557d4ac0, ptr=0x5555557d71f0, location=0x7fffed6bddf8 "../source4/auth/kerberos/srv_keytab.c:526") at ../lib/talloc/talloc.c:1072
#8  0x00007fffed6b6d0e in smb_krb5_update_keytab (parent_ctx=0x5555557d4ac0, context=0x5555557d3930, keytab_name=0x5555557da690 "FILE:./private//etc/mail.keytab", samAccountName=0x5555557da040 "mail-z35", 
    realm=0x5555557d74c0 "KERNEVIL.LAN", SPNs=0x5555557da140, num_SPNs=6, saltPrincipal=0x0, new_secret=0x5555557dc830 "foobar", old_secret=0x0, kvno=1, supp_enctypes=31, delete_all_kvno=false, 
    _keytab=0x0, error_string=0x7fffffffe0f8) at ../source4/auth/kerberos/srv_keytab.c:526
#9  0x00007fffe3c5b686 in update_kt_prepare_commit (module=0x5555557b04f0) at ../source4/dsdb/samdb/ldb_modules/update_keytab.c:432
#10 0x00007ffff79aab72 in ldb_transaction_prepare_commit (ldb=0x555555760ee0) at ../lib/ldb/common/ldb.c:409
#11 0x00007ffff79aace1 in ldb_transaction_commit (ldb=0x555555760ee0) at ../lib/ldb/common/ldb.c:441
#12 0x0000555555555b8e in merge_edits (ldb=0x555555760ee0, msgs1=0x5555557bcb40, count1=5, msgs2=0x5555557c1ca0, count2=5) at ../lib/ldb/tools/ldbedit.c:179
#13 0x0000555555555fb5 in do_edit (ldb=0x555555760ee0, msgs1=0x5555557bcb40, count1=5, editor=0x7ffff7781a39 "vi") at ../lib/ldb/tools/ldbedit.c:303
#14 0x0000555555556294 in main (argc=3, argv=0x7fffffffe438) at ../lib/ldb/tools/ldbedit.c:368

Comment 1 Samuel Cabrero 2014-07-08 14:46:49 UTC

Created attachment 10087 [details]
Patch for 4.1 series

Comment 2 Andrew Bartlett 2016-07-30 01:59:34 UTC

Fixed in Samba 4.2 with caa42ed385dc174d9529407d128424c37cff8e9c