Bug 12713 - samba-tool classicupgrade segmentation fault from py_dom_sid_ndr_unpack
Summary: samba-tool classicupgrade segmentation fault from py_dom_sid_ndr_unpack
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.4.8
Hardware: x64 FreeBSD
Importance: P5 major
Target Milestone: ---
Assignee: Jelmer Vernooij
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-03-22 20:55 UTC by Marcin Gryszkalis
Modified: 2020-03-31 13:02 UTC (History)

See Also:

Attachment 14866: patch that shouldn't make a difference (1.02 KB, patch)
2019-02-24 06:35 UTC, Douglas Bagnall, no flags

Description Marcin Gryszkalis 2017-03-22 20:55:16 UTC
I'm getting a segmentation fault in the ndr lib when trying to run classicupgrade:

Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
zsh: segmentation fault (core dumped)  samba-tool domain classicupgrade --verbose --dbdir=/var/db/samba4/dbdir/

(gdb) bt full
#0  0x0000000806e5ba6e in ndr_pull_uint8 (ndr=0x825e78e20, ndr_flags=256, v=0x825e78d60 "") at ../librpc/ndr/ndr_basic.c:82
No locals.
#1  0x0000000807092483 in ndr_pull_dom_sid (ndr=0x825e78e20, ndr_flags=768, r=0x825e78d60) at ../librpc/ndr/ndr_sec_helper.c:332
        _status = 32767
        cntr_sub_auths_0 = 8
#2  0x0000000806e692f6 in ndr_pull_struct_blob_all (blob=0x7fffffffcb68, mem_ctx=0x814e0aaa0, p=0x825e78d60, fn=0x8070923f0 <ndr_pull_dom_sid>) at ../librpc/ndr/ndr.c:1133
        _status = 410305712
        ndr = (struct ndr_pull *) 0x825e78e20
        highest_ofs = 8
#3  0x000000081209aba4 in py_dom_sid_ndr_unpack (py_obj=0x8187b0b50, args=0x814b3ec10, kwargs=0x81874c4b0) at default/librpc/gen_ndr/py_security.c:360
        kwnames = {0x81209e411 "data_blob", 0x81209e41b "allow_remaining", 0x0}
        object = (struct dom_sid *) 0x825e78d60
        blob = {data = 0x800000000 <Address 0x800000000 out of bounds>, length = 28}
        blob_length = 28
        err = 4294953888
        allow_remaining_obj = (PyObject *) 0x800dc1fe8
        allow_remaining = false

(gdb) p *ndr
$1 = {flags = 0, data = 0x800000000 <Address 0x800000000 out of bounds>, data_size = 28, offset = 0, relative_highest_offset = 0, relative_base_offset = 0, relative_rap_convert = 0, relative_base_list = 0x0, relative_list = 0x0, array_size_list = 0x0,
  array_length_list = 0x0, switch_list = 0x0, current_mem_ctx = 0x814e0aaa0, ptr_count = 0}

(gdb) p *v
$2 = 0 '\0'
Comment 1 Douglas Bagnall 2019-02-24 06:35:52 UTC
Created attachment 14866 [details]
patch that shouldn't make a difference

Can you reproduce this with master?

The datablob is not initialised (see patch), but it should not matter because the ParseTuple() call should fail if it doesn't initialise the data_blob.

So I suspect something has changed in the meantime.
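The backtrace above shows ndr_pull_dom_sid walking a 28-byte blob whose data pointer (0x800000000) is not valid memory, and the comment attributes that to a DATA_BLOB that was never filled in. The following is an added, self-contained C example (not Samba's code from librpc/ndr/ndr_sec_helper.c or the generated py_security.c) that reimplements the dom_sid wire format pull with explicit bounds checks, so the reader can see what a well-formed 28-byte SID looks like, which malformed inputs a puller can reject, and which one it cannot. The blob bytes, the struct names and the error codes are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for Samba's DATA_BLOB and struct ndr_pull (assumed shapes, not Samba's). */
struct blob { const uint8_t *data; size_t length; };
struct pull { const uint8_t *data; size_t data_size; size_t offset; };

/* Wire layout of a SID: revision, count, 6-byte big-endian authority, LE sub-authorities. */
struct sid {
    uint8_t  sid_rev_num;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[15];   /* the format allows at most 15 */
};

enum { PULL_OK = 0, PULL_ERR_BUFSIZE = 1, PULL_ERR_RANGE = 2, PULL_ERR_INVALID = 3 };

static int pull_uint8(struct pull *p, uint8_t *v) {
    if (p->offset + 1 > p->data_size) return PULL_ERR_BUFSIZE;
    *v = p->data[p->offset++];
    return PULL_OK;
}

static int pull_uint32le(struct pull *p, uint32_t *v) {
    if (p->offset + 4 > p->data_size) return PULL_ERR_BUFSIZE;
    const uint8_t *b = p->data + p->offset;
    *v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    p->offset += 4;
    return PULL_OK;
}

/* Every read is checked against data_size, so a short blob fails cleanly. */
int pull_dom_sid(struct pull *p, struct sid *r) {
    int rc;
    if ((rc = pull_uint8(p, &r->sid_rev_num)) != PULL_OK) return rc;
    if ((rc = pull_uint8(p, &r->num_auths)) != PULL_OK) return rc;
    if (r->num_auths > 15) return PULL_ERR_RANGE;          /* would overrun sub_auths[] */
    if (p->offset + 6 > p->data_size) return PULL_ERR_BUFSIZE;
    memcpy(r->id_auth, p->data + p->offset, 6);
    p->offset += 6;
    for (unsigned i = 0; i < r->num_auths; i++)
        if ((rc = pull_uint32le(p, &r->sub_auths[i])) != PULL_OK) return rc;
    return PULL_OK;
}

/* Mirrors the shape of ndr_pull_struct_blob_all: reject a blob with no backing
 * store and reject trailing bytes (allow_remaining = false in the trace). */
int pull_sid_blob_all(const struct blob *blob, struct sid *r) {
    if (blob->data == NULL) return PULL_ERR_INVALID;
    struct pull p = { blob->data, blob->length, 0 };
    int rc = pull_dom_sid(&p, r);
    if (rc != PULL_OK) return rc;
    return p.offset == p.data_size ? PULL_OK : PULL_ERR_BUFSIZE;
}

int sid_to_string(const struct sid *s, char *out, size_t outlen) {
    uint64_t ia = 0;
    for (int i = 0; i < 6; i++) ia = (ia << 8) | s->id_auth[i];
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)s->sid_rev_num, (unsigned long long)ia);
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t used = (size_t)n;
    for (unsigned i = 0; i < s->num_auths; i++) {
        n = snprintf(out + used, outlen - used, "-%u", (unsigned)s->sub_auths[i]);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Constructed 28-byte blob: S-1-5-21-1000-2000-3000-500 (2 + 6 + 5*4 bytes, same
 * length as the blob in the backtrace). */
static const uint8_t SAMPLE_SID[28] = {
    0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x15, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x00,
    0xD0, 0x07, 0x00, 0x00, 0xB8, 0x0B, 0x00, 0x00,
    0xF4, 0x01, 0x00, 0x00 };

int check_sample_sid(void) {
    struct blob b = { SAMPLE_SID, sizeof SAMPLE_SID };
    struct sid s; char text[128];
    if (pull_sid_blob_all(&b, &s) != PULL_OK || sid_to_string(&s, text, sizeof text) != 0) return 0;
    return strcmp(text, "S-1-5-21-1000-2000-3000-500") == 0;
}
int check_truncated_sample(void) {      /* one byte short of the last sub-authority */
    struct blob b = { SAMPLE_SID, sizeof SAMPLE_SID - 1 }; struct sid s;
    return pull_sid_blob_all(&b, &s);
}
int check_too_many_auths(void) {        /* num_auths = 16 must be refused before reading */
    static const uint8_t bad[8] = { 0x01, 0x10, 0, 0, 0, 0, 0, 0x05 };
    struct blob b = { bad, sizeof bad }; struct sid s;
    return pull_sid_blob_all(&b, &s);
}
int check_null_blob(void) {             /* a zero-initialised, never-filled DATA_BLOB */
    struct blob b = { NULL, 28 }; struct sid s;
    return pull_sid_blob_all(&b, &s);
}

int main(void) {
    printf("sample ok=%d truncated=%d range=%d null=%d\n", check_sample_sid(),
           check_truncated_sample(), check_too_many_auths(), check_null_blob());
    return 0;
}
```

The NULL check only helps when the caller initialises the blob to zero before the argument-parsing call. A blob left uninitialised on the stack, as in the trace where data is 0x800000000 with length 28, carries a pointer the puller has no way to validate; its offset and data_size checks all pass and the first ndr_pull_uint8 dereferences garbage. That is why the caller, not the puller, has to guarantee the blob was filled in.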
Comment 2 Marcin Gryszkalis 2020-03-31 13:02:09 UTC
Moved to a higher version, cannot reproduce anymore (not tried recently though).