Bug 11799 - use after free in smbd in durable reconnect
use after free in smbd in durable reconnect
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
unspecified
All All
: P5 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-16 23:45 UTC by Michael Adam
Modified: 2016-03-17 10:25 UTC (History)
2 users (show)

See Also:


Attachments
Test git-am patch. (1.24 KB, patch)
2016-03-16 23:54 UTC, Jeremy Allison
jra: review? (obnox)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Adam 2016-03-16 23:45:18 UTC
There is a random crash bug that is hit from time to time in the durable reconnect code due to a use-after-free.

vfs_default_durable_reconnect():
  fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
  }

so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.

Depending on whether (and how) the memory has been re-used, smbd will segfault.
Comment 1 Jeremy Allison 2016-03-16 23:54:17 UTC
Created attachment 11926 [details]
Test git-am patch.

Michael, does this fix it (currently untested).
Comment 2 Michael Adam 2016-03-17 00:04:27 UTC
(In reply to Jeremy Allison from comment #1)
> Created attachment 11926 [details]
> Test git-am patch.
> 
> Michael, does this fix it (currently untested).

Gosh Jeremy, could you be a little more patient... ;-)

I spent half a day or a day to hunt this down.
As you could tell from the dscription, I already had the fix.

And I created the bug so that I could flag the patch
I was about to send to samba-technical with a "BUG:..." line
But yes, that patch should fix it.

;-)
Comment 3 Jeremy Allison 2016-03-17 00:05:57 UTC
Oh, no worries. Please overwrite my patch with yours + cherry-pick once I've pushed it :-).
Comment 4 Michael Adam 2016-03-17 00:07:09 UTC
(In reply to Jeremy Allison from comment #3)
> Oh, no worries. Please overwrite my patch with yours + cherry-pick once I've
> pushed it :-).

Will do, thanks. :-)