Bug 11653 - smb_panic in netlogon_creds_cli_lock_fetch
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.3.0
Hardware/OS: All Linux
Importance: P5 major
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2015-12-28 20:20 UTC by Shyam Rathi
Modified: 2016-01-07 13:13 UTC
Description Shyam Rathi 2015-12-28 20:20:57 UTC
We are seeing an smb_panic due to possible talloc-related memory corruption.

Backtrace from GDB:
(gdb) bt
#0  0x00007f5bba90265e in waitpid () from /lib64/libc.so.6
#1  0x00007f5bba894609 in do_system () from /lib64/libc.so.6
#2  0x00007f5bbc36f06c in smb_panic_s3 (why=0x7f5bbe323fbd "internal error") at ../source3/lib/util.c:803
#3  0x00007f5bbe313839 in smb_panic (why=0x7f5bbe323fbd "internal error") at ../lib/util/fault.c:166
#4  0x00007f5bbe313513 in fault_report (sig=11) at ../lib/util/fault.c:83
#5  0x00007f5bbe313528 in sig_fault (sig=11) at ../lib/util/fault.c:94
#6  <signal handler called>
#7  0x00007f5bb8ac65df in dbwrap_parse_record (db=0x7f5be8150c73, key=..., parser=0x7f5bb8eed858 <netlogon_creds_cli_fetch_parser>, private_data=0x7ffd96fc6a90)
    at ../lib/dbwrap/dbwrap.c:387
#8  0x00007f5bb8eee2f0 in netlogon_creds_cli_lock_fetch (req=0x7f5bc0b40160) at ../libcli/auth/netlogon_creds_cli.c:849
#9  0x00007f5bb8eee0da in netlogon_creds_cli_lock_send (mem_ctx=0x7f5bc0b40a90, ev=0x7f5bc0b3bb30, context=0x7f5bc0b3c800) at ../libcli/auth/netlogon_creds_cli.c:796
#10 0x00007f5bb8ef14be in netlogon_creds_cli_LogonSamLogon_start (req=0x7f5bc0b40900) at ../libcli/auth/netlogon_creds_cli.c:2292
#11 0x00007f5bb8ef19c8 in netlogon_creds_cli_LogonSamLogon_done (subreq=0x0) at ../libcli/auth/netlogon_creds_cli.c:2403
#12 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#13 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#14 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#15 0x00007f5bb857b8bd in dcerpc_netr_LogonSamLogonEx_done (subreq=0x0) at default/librpc/gen_ndr/ndr_netlogon_c.c:8307
#16 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#17 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#18 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#19 0x00007f5bb857b450 in dcerpc_netr_LogonSamLogonEx_r_done (subreq=0x0) at default/librpc/gen_ndr/ndr_netlogon_c.c:8179
#20 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#21 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#22 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#23 0x00007f5bb6e1579f in dcerpc_binding_handle_call_done (subreq=0x0) at ../librpc/rpc/binding_handle.c:514
#24 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#25 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#26 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#27 0x00007f5bb6e14c59 in dcerpc_binding_handle_raw_call_done (subreq=0x0) at ../librpc/rpc/binding_handle.c:187
#28 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#29 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#30 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#31 0x00007f5bb8ef88a9 in rpccli_bh_raw_call_done (subreq=0x0) at ../source3/rpc_client/cli_pipe.c:2143
#32 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#33 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#34 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#35 0x00007f5bb8ef7591 in rpc_api_pipe_req_done (subreq=0x0) at ../source3/rpc_client/cli_pipe.c:1561
#36 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#37 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#38 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#39 0x00007f5bb8ef6170 in rpc_api_pipe_got_pdu (subreq=0x0) at ../source3/rpc_client/cli_pipe.c:957
#40 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#41 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0
#42 0x00007f5bbabf00f4 in _tevent_req_done () from /usr/lib/libtevent.so.0
#43 0x00007f5bb8ef49da in get_complete_frag_got_rest (subreq=0x0) at ../source3/rpc_client/cli_pipe.c:373
#44 0x00007f5bbabefff8 in _tevent_req_notify_callback () from /usr/lib/libtevent.so.0
#45 0x00007f5bbabf00cd in tevent_req_finish () from /usr/lib/libtevent.so.0


I've got an ASCII representation of the relevant memory locations. As seen below, the 'key' has a size of 8, but the value is longer. Also, the value seems to be coming from a talloc-freed memory location.

(gdb) p key
$2 = {dptr = 0x7f5bb8f00ae0 "../libcli/auth/netlogon_creds_cli.c:2220", dsize = 8}
(gdb)

(gdb) xxd 0x7f5bb8f007e0 2000
0000000: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000010: 692e 633a 3139 3739 0000 0000 0000 0000  i.c:1979........
0000020: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000030: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000040: 692e 633a 3139 3830 0000 0000 0000 0000  i.c:1980........
0000050: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000060: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000070: 692e 633a 3139 3930 0000 0000 0000 0000  i.c:1990........
0000080: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000090: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00000a0: 692e 633a 3139 3935 0000 0000 0000 0000  i.c:1995........
00000b0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00000c0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00000d0: 692e 633a 3230 3036 0000 0000 0000 0000  i.c:2006........
00000e0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00000f0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000100: 692e 633a 3230 3131 0000 0000 0000 0000  i.c:2011........
0000110: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000120: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000130: 692e 633a 3230 3334 0000 0000 0000 0000  i.c:2034........
0000140: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000150: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000160: 692e 633a 3230 3534 0000 0000 0000 0000  i.c:2054........
0000170: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000180: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000190: 692e 633a 3231 3039 0000 0000 0000 0000  i.c:2109........
00001a0: 7374 7275 6374 206e 6574 6c6f 676f 6e5f  struct netlogon_
00001b0: 6372 6564 735f 636c 695f 4c6f 676f 6e53  creds_cli_LogonS
00001c0: 616d 4c6f 676f 6e5f 7374 6174 6500 0000  amLogon_state...
00001d0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00001e0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00001f0: 692e 633a 3231 3234 0075 6e69 6f6e 206e  i.c:2124.union n
0000200: 6574 725f 5661 6c69 6461 7469 6f6e 0000  etr_Validation..
0000210: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000220: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000230: 692e 633a 3231 3433 0000 0000 0000 0000  i.c:2143........
0000240: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000250: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000260: 692e 633a 3231 3635 0000 0000 0000 0000  i.c:2165........
0000270: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000280: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000290: 692e 633a 3232 3030 0000 0000 0000 0000  i.c:2200........
00002a0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00002b0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00002c0: 692e 633a 3232 3133 0000 0000 0000 0000  i.c:2213........
00002d0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00002e0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00002f0: 692e 633a 3232 3139 0000 0000 0000 0000  i.c:2219........
0000300: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000310: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000320: 692e 633a 3232 3230 0000 0000 0000 0000  i.c:2220........
0000330: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000340: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000350: 692e 633a 3232 3438 0000 0000 0000 0000  i.c:2248........
0000360: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000370: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000380: 692e 633a 3232 3630 0000 0000 0000 0000  i.c:2260........
0000390: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00003a0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00003b0: 692e 633a 3232 3830 0000 0000 0000 0000  i.c:2280........
00003c0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00003d0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00003e0: 692e 633a 3232 3934 0000 0000 0000 0000  i.c:2294........
00003f0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000400: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000410: 692e 633a 3233 3133 0000 0000 0000 0000  i.c:2313........
0000420: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000430: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000440: 692e 633a 3233 3338 0000 0000 0000 0000  i.c:2338........
0000450: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000460: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000470: 692e 633a 3233 3537 0000 0000 0000 0000  i.c:2357........
0000480: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000490: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00004a0: 692e 633a 3233 3733 0000 0000 0000 0000  i.c:2373........
00004b0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00004c0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00004d0: 692e 633a 3233 3736 0000 0000 0000 0000  i.c:2376........
00004e0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00004f0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000500: 692e 633a 3233 3835 0000 0000 0000 0000  i.c:2385........
0000510: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000520: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000530: 692e 633a 3233 3932 0000 0000 0000 0000  i.c:2392........
0000540: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000550: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000560: 692e 633a 3234 3037 0000 0000 0000 0000  i.c:2407........
0000570: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000580: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000590: 692e 633a 3234 3133 0000 0000 0000 0000  i.c:2413........
00005a0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00005b0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00005c0: 692e 633a 3234 3233 0000 0000 0000 0000  i.c:2423........
00005d0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00005e0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00005f0: 692e 633a 3234 3333 0000 0000 0000 0000  i.c:2433........
0000600: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000610: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000620: 692e 633a 3234 3430 0000 0000 0000 0000  i.c:2440........
0000630: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000640: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000650: 692e 633a 3234 3431 0000 0000 0000 0000  i.c:2441........
0000660: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000670: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000680: 692e 633a 3234 3534 0000 0000 0000 0000  i.c:2454........
0000690: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00006a0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00006b0: 692e 633a 3234 3630 0000 0000 0000 0000  i.c:2460........
00006c0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00006d0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00006e0: 692e 633a 3234 3638 0000 0000 0000 0000  i.c:2468........
00006f0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000700: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000710: 692e 633a 3234 3639 0000 0000 0000 0000  i.c:2469........
0000720: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000730: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000740: 692e 633a 3234 3739 0000 0000 0000 0000  i.c:2479........
0000750: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000760: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000770: 692e 633a 3234 3837 0000 0000 0000 0000  i.c:2487........
0000780: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000790: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00007a0: 692e 633a 3234 3932 0000 0000 0000 0000  i.c:2492........
00007b0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00007c0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
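Two things in the gdb output above can be checked by arithmetic rather than by eye. The region dumped with xxd is a run of NUL-terminated strings of the form `file.c:line` plus a few C type names (`struct netlogon_creds_cli_LogonSamLogon_state`, `union netr_Validation`); those are the `__location__` literals that talloc and tevent record for allocation sites and the type names that `talloc()`/`talloc_zero()` use as chunk names. And `key.dptr` (0x7f5bb8f00ae0) is exactly 0x300 bytes past the dump start (0x7f5bb8f007e0), which is where the `...netlogon_creds_cli.c:2220` string sits, so `dsize = 8` covers only the first eight bytes of a 40-byte string; the pointer also lies within 80 KB of `netlogon_creds_cli_fetch_parser` from the backtrace, i.e. inside the same shared object. The script below is an added example for working through a dump like this; it is not part of Samba or of the report. It assumes the rows come from the gdb `xxd` helper in the form `offset: hhhh hhhh ...  ascii` with offsets counted from the address given on the command line, and it embeds nine rows copied from the report's dump as its sample input.

```python
"""Recover talloc chunk-name strings from an xxd-style memory dump and
check what a TDB_DATA key pointer actually points at.

Added example for reading the gdb output in this report; not Samba code.
"""
import re

# Values taken from the report: the address handed to xxd, and
# key.dptr / key.dsize as printed by 'p key'.
DUMP_BASE = 0x7f5bb8f007e0
KEY_DPTR = 0x7f5bb8f00ae0
KEY_DSIZE = 8

# Nine rows copied from the report's dump around offset 0x300, embedded so
# the script runs offline. Feed it the whole dump to list every string.
SAMPLE_DUMP = """\
00002d0: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
00002e0: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
00002f0: 692e 633a 3232 3139 0000 0000 0000 0000  i.c:2219........
0000300: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000310: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000320: 692e 633a 3232 3230 0000 0000 0000 0000  i.c:2220........
0000330: 2e2e 2f6c 6962 636c 692f 6175 7468 2f6e  ../libcli/auth/n
0000340: 6574 6c6f 676f 6e5f 6372 6564 735f 636c  etlogon_creds_cl
0000350: 692e 633a 3232 3438 0000 0000 0000 0000  i.c:2248........
"""

# talloc names a chunk after its allocation site (__location__, "file.c:123")
# or after its C type ("struct foo", "union bar") unless given another name.
NAME_RE = re.compile(rb'^(?:[\w./-]+\.[ch]:\d+|(?:struct|union) \w+)$')
HEX_TOKEN_RE = re.compile(r'(?:[0-9a-fA-F]{2}){1,2}')
OFFSET_RE = re.compile(r'[0-9a-fA-F]+')


def parse_xxd(dump):
    """Return {row_offset: bytes}. Only the hex columns are decoded; the
    ASCII column is xxd's own rendering and is ignored."""
    rows = {}
    for line in dump.splitlines():
        off_str, sep, rest = line.strip().partition(':')
        if not sep or not OFFSET_RE.fullmatch(off_str):
            continue                    # not a dump row (prompt, blank, ...)
        data = bytearray()
        for tok in rest.split():
            if len(data) >= 16 or not HEX_TOKEN_RE.fullmatch(tok):
                break                   # reached the ASCII column
            data += bytes.fromhex(tok)
        rows[int(off_str, 16)] = bytes(data)
    return rows


def flatten(rows):
    """Join rows into one buffer. Returns (first_offset, buffer); rows
    missing from the dump are filled with 0xff so a gap is never mistaken
    for a NUL terminator."""
    start = min(rows)
    end = max(off + len(b) for off, b in rows.items())
    buf = bytearray(b'\xff' * (end - start))
    for off, b in rows.items():
        buf[off - start:off - start + len(b)] = b
    return start, bytes(buf)


def talloc_names(buf, base):
    """List (address, name) for every NUL-terminated printable string in
    buf that has the shape of a default talloc chunk name."""
    found = []
    for m in re.finditer(rb'[\x20-\x7e]{4,}\x00', buf):
        text = m.group()[:-1]
        if NAME_RE.match(text):
            found.append((base + m.start(), text.decode('ascii')))
    return found


def key_view(buf, base, dptr, dsize):
    """Show what a TDB_DATA key really points at: the dsize bytes dbwrap
    would hash, and the full NUL-terminated string at the same address."""
    off = dptr - base
    if not 0 <= off < len(buf):
        raise ValueError(f'{dptr:#x} is outside the dumped range')
    end = buf.index(b'\x00', off)
    return buf[off:off + dsize], buf[off:end].decode('ascii', errors='replace')


if __name__ == '__main__':
    start, buf = flatten(parse_xxd(SAMPLE_DUMP))
    base = DUMP_BASE + start
    for addr, name in talloc_names(buf, base):
        print(f'{addr:#x}  {name}')
    key_bytes, full = key_view(buf, base, KEY_DPTR, KEY_DSIZE)
    print(f'key.dptr -> {key_bytes!r}; full string {full!r} ({len(full)} bytes)')
```

Run against the full dump from the report, `talloc_names()` lists one `netlogon_creds_cli.c:NNNN` string per 0x30 bytes plus the two type names, and `key_view()` shows that the eight bytes dbwrap would treat as the key are `../libcl`, the head of a location string rather than a credentials-cache key. That is the same observation the reporter makes from the ASCII column, made reproducible; it does not by itself say how `dptr` came to hold that value, which is what the valgrind run asked for below would narrow down.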
Comment 1 Shyam Rathi 2015-12-28 23:56:23 UTC
Version 4.3.0pre1-GIT-1337909
Comment 2 Volker Lendecke 2016-01-07 13:13:59 UTC
Can you run this under valgrind?