Bug 11367 - use after free in source3/auth/auth_domain.c:domain_client_validate
Summary: use after free in source3/auth/auth_domain.c:domain_client_validate
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.2.2
Hardware: All Solaris
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-27 00:10 UTC by Jonathan Matthew
Modified: 2015-07-11 20:03 UTC (History)
1 user (show)

See Also:

Attachments
possible fix (1.14 KB, patch)
2015-06-27 00:10 UTC, Jonathan Matthew 		no flags Details
Patch from master (2.34 KB, patch)
2015-07-03 08:27 UTC, Volker Lendecke 		gd: review+
Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jonathan Matthew 2015-06-27 00:10:34 UTC 
Created attachment 11208 [details]
possible fix

I'm running Samba 4.2.2 on OmniOS r151014 and I find that when samba is joined to one of our domains (we use windows 2012r2 domain controllers) it can't authenticate users in that domain, failing with this error:

[2015/06/24 17:49:52.718039,  0, pid=3060, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user xjono in domain LABS to Domain controller LAVENDER.LABS.EAIT.UQ.EDU.AU. Error was NT_STATUS_LOCK_NOT_GRANTED.

This turns out to be because the struct netlogon_creds_cli_context allocated in connect_to_domain_password_server is allocated in a talloc context that is freed at the end of that function.  The memory allocator on OmniOS seems to reuse freed memory immediately, so in my case the struct netr_NetworkInfo allocated in rpccli_netlogon_network_logon overlaps it, and around line 470 of source3/rpc_client/cli_netlogon.c it writes a pointer where the netlogon_creds_cli_context keeps its locked_state pointer - so netlogon_creds_cli_LogonSamLogon, called immediately afterwards, fails with the LOCK_NOT_GRANTED error because it thinks the context is already locked.

The patch I'm attaching moves the netlogon_creds_cli_context into the talloc context provided to domain_client_validate, which ensures it lives long enough.  I haven't tested this extensively but it fixes the immediate problem for me.
Comment 1 Volker Lendecke 2015-07-01 11:51:45 UTC 
Thanks for the detailed information!

In Samba master, this is already fixed with commit 91e4cbc46f0 in

https://git.samba.org/?p=samba.git;a=commitdiff;h=91e4cbc46f0

Can you confirm this fixes your problem as well?

Thanks,

Volker
Comment 2 Jonathan Matthew 2015-07-03 08:22:28 UTC 
Yes, that commit also fixes the problem I'm seeing.
Comment 3 Volker Lendecke 2015-07-03 08:27:11 UTC 
Created attachment 11226 [details]
Patch from master

Thanks for the confirmation. We're preferring code that already exists in all branches. "Obsoleting" your patch does not mean it's not good, it's just different :-)
Comment 4 Guenther Deschner 2015-07-03 08:57:55 UTC 
Comment on attachment 11226 [details]
Patch from master

LGTM.
Comment 5 Guenther Deschner 2015-07-03 08:58:49 UTC 
Karolin, please add to 4.2 (it is not required for 4.1)
Comment 6 Karolin Seeger 2015-07-05 19:15:26 UTC 
Pushed to autobuild-v4-2-test.
Comment 7 Karolin Seeger 2015-07-11 20:03:48 UTC 
(In reply to Karolin Seeger from comment #6)
Pushed to v4-2-test.
Closing out bug report.

Thanks!