Bug 11308 - tevent signal - access after free?
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.2.0
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on: 11330
Blocks:
Reported: 2015-06-02 10:24 UTC by Stefan Metzmacher
Modified: 2015-06-15 08:50 UTC (History)

Attachments
git-am cherry-pick from master for 4.2.next, 4.1.next. (5.46 KB, patch)
2015-06-05 23:21 UTC, Jeremy Allison
obnox: review+
vl: review+

Description Stefan Metzmacher 2015-06-02 10:24:28 UTC
The following was reported by Pavel Březina <pbrezina@redhat.com>:

We found a crash in SSSD when a tevent signal is freed in its handler; tevent then crashes when it accesses siginfo.

sig_info is freed in the signal destructor:

> #ifdef SA_SIGINFO
>         if (se->sa_flags & SA_SIGINFO) {
>             if (sig_state->sig_info[se->signum]) {
>                 talloc_free(sig_state->sig_info[se->signum]);
>                 sig_state->sig_info[se->signum] = NULL;
>             }
>         }
> #endif

(gdb) bt
#0  0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at ../tevent_signal.c:213
#1  0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2
#2  0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2
#3  0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at src/providers/proxy/proxy_auth.c:436
#4  0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600, error=error@entry=5, location=location@entry=0x7f5d43433010 "src/providers/proxy/proxy_auth.c:356")
    at ../tevent_req.c:167
#5  0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>, sige=<optimized out>, signum=<optimized out>, count=<optimized out>, __siginfo=<optimized out>, pvt=<optimized out>)
    at src/providers/proxy/proxy_auth.c:356
#6  0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at ../tevent_signal.c:428
#7  0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490, epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647
#8  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926
#9  0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114
#10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670, location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:530
#11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634
#12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140
#13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at src/util/server.c:668
#14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909

But then it is accessed again in tevent_common_check_signal:

> #ifdef SA_SIGINFO
>         if (clear_processed_siginfo) {
>             uint32_t j;
>             for (j=0;j<count;j++) {
>                 uint32_t ofs = (counter.seen + j)
>                     % TEVENT_SA_INFO_QUEUE_COUNT;
>                 memset((void*)&sig_state->sig_info[i][ofs],
>                     '\0',
>                     sizeof(siginfo_t));
>             }
>         }
> #endif

(gdb) bt
#0  0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:84
#1  tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459
#2  0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430, epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647
#3  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926
#4  0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114
#5  0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670, location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:530
#6  0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634
#7  0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140
#8  0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at src/util/server.c:668
#9  0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909
Comment 1 Jeremy Allison 2015-06-05 23:21:24 UTC
Created attachment 11125
git-am cherry-pick from master for 4.2.next, 4.1.next.
Comment 2 Jeremy Allison 2015-06-11 17:48:19 UTC
Comment on attachment 11125
git-am cherry-pick from master for 4.2.next, 4.1.next.

Expanding out review list. We should get this into v4.x.next.
Comment 3 Jeremy Allison 2015-06-11 19:03:24 UTC
Reassigning to Karolin for inclusion in 4.2.next, 4.1.next.
Comment 4 Stefan Metzmacher 2015-06-12 06:36:47 UTC
I'll do a new tevent release with the fixes included; we need to backport the
whole tevent release in order to make sure that we require the fixed version
when using a system tevent library.
Comment 5 Stefan Metzmacher 2015-06-15 08:49:32 UTC
Comment on attachment 11125
git-am cherry-pick from master for 4.2.next, 4.1.next.

This code path is not triggered by Samba, so there's no strict need to backport this fix. We may backport it for other reasons via bug #11330...
Comment 6 Stefan Metzmacher 2015-06-15 08:50:24 UTC
Fixed in tevent-0.9.25