Bug 12762 - The test for 'follow symlinks = no' fails from time to time
Summary: The test for 'follow symlinks = no' fails from time to time
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.6.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-28 12:00 UTC by Andreas Schneider
Modified: 2022-01-10 11:33 UTC (History)
3 users (show)

See Also:


Attachments
Patch for more debug output (981 bytes, patch)
2017-04-28 12:00 UTC, Andreas Schneider
no flags Details
logs.tar.xz (1.29 MB, application/octet-stream)
2017-04-28 12:01 UTC, Andreas Schneider
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2017-04-28 12:00:14 UTC
The test for 'follow symlinks =  no' (CVE-2017-2619) fails from time to time. The log file reports a DB corruption.

The failing test is:

  samba3.blackbox.smbclient_s3.sign (nt4_dc).follow symlinks = no(nt4_dc)

Failure:

NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \test\foo\bar\testfile

ls -la /home/asn/workspace/projects/samba/st/ad_member/share/nosymlinks/test/
foo/bar/
total 4                                     
drwxrwxrwx 2 asn asn-group 22 Apr 28 11:42 .    
drwxrwxrwx 3 asn asn-group 17 Apr 28 11:42 ..
-rw-rw-rw- 1 asn asn-group 87 Apr 28 11:42 testfile

Domain=[SAMBADOMAIN] OS=[] Server=[]                                    
smb: \> cd test\foo\bar
smb: \test\foo\bar\> ls                             
  .                                   D        0  Fri Apr 28 11:42:55 2017
  ..                                  D        0  Fri Apr 28 11:42:55 2017
  testfile                            D        0  Fri Apr 28 11:42:55 2017  
                                                                           
                976281660 blocks of size 1024. 525524304 blocks available    
smb: \test\foo\bar\> get testfile -                     
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \test\foo\bar\testfile    
smb: \test\foo\bar\> quit                              
failed - NT_STATUS_XXXX doing cd foo\bar; get testfile on \nosymlinks

As you can see, 'ls' tells us 'testfile' is a directory, but it isn't as you 
can see from the local 'ls -la' command. The question is why does it report a 
file as directory?

Log snippet:
streams_depot_stat called for [test/foo/bar/testfile]
[2017/04/28 11:20:10.644377, 10, pid=22257, effective(0, 0), real(0, 0), 
class=vfs] ../source3/lib/xattr_tdb.c:183(xattr_tdb_getattr)
xattr_tdb_getattr called for file fd00:40124b72:0, name security.NTACL
[2017/04/28 11:20:10.644388, 10, pid=22257, effective(0, 0), real(0, 0), 
class=vfs] ../source3/lib/xattr_tdb.c:189(xattr_tdb_getattr)
xattr_tdb_fetch_attrs failed: NT_STATUS_INTERNAL_DB_CORRUPTION
Comment 1 Andreas Schneider 2017-04-28 12:00:45 UTC
Created attachment 13178 [details]
Patch for more debug output
Comment 2 Andreas Schneider 2017-04-28 12:01:36 UTC
Created attachment 13179 [details]
logs.tar.xz
Comment 4 Stefan Metzmacher 2017-04-28 12:23:19 UTC
There're also a lot of flakey test which report corrupted file names.
Comment 6 Stefan Metzmacher 2017-04-28 12:42:12 UTC
(In reply to Andreas Schneider from comment #2)

I can't find 'pid=22257' in any of the attached log files.
Comment 7 Andreas Schneider 2017-04-28 13:48:03 UTC
I reproduced it more than once. Search for 'testfile' in log.client.
Comment 8 Andreas Schneider 2017-04-28 14:03:02 UTC
623227 [2017/04/28 15:56:08.099012, 10, pid=28656, effective(1000, 100), real(1000, 0), class=vfs] ../source3/lib/xattr_tdb.c:184(xattr_tdb_getattr)                                623228   xattr_tdb_getattr called for file fd00:60060dce:0, name user.DOSATTRIB                                                                                                     623229 [2017/04/28 15:56:08.099023,  0, pid=28656, effective(1000, 100), real(1000, 0), class=vfs] ../source3/lib/xattr_tdb.c:118(xattr_tdb_load_attrs)                             623230   xattr_tdb_load_attrs: XXXXXX: status=NT_STATUS_NOT_FOUND                                                                                                                   623231 [2017/04/28 15:56:08.099033, 10, pid=28656, effective(1000, 100), real(1000, 0), class=vfs] ../source3/lib/xattr_tdb.c:190(xattr_tdb_getattr)                                623232   xattr_tdb_fetch_attrs failed: NT_STATUS_INTERNAL_DB_CORRUPTION

With an additional debug line, you can see that NT_STATUS_NOT_FOUND is what dbwrap_fetch() returns in xattr_tdb_load_attrs() but then we return NT_STATUS_INTERNAL_DB_CORRUPTION as the error. Maybe a) either this is the wrong return value or b) there should be an entry. However since the file is created by the test script there cannot be an entry in the DB.

Maybe because we do not have a DB entry we might return uninitialized memory somewhere. valgrind didn't find something.
Comment 9 Andrew Bartlett 2020-11-11 17:32:24 UTC
Should this bug still be embargoed?
Comment 10 Ralph Böhme 2020-11-11 17:44:45 UTC
(In reply to Andrew Bartlett from comment #9)
Hm, I don't see any security implications here.