Bug 12795 - Remote crash after adding NS or MX records using samba-tool
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server
Version: 4.6.2
Hardware: All
OS: All
Priority: P5
Severity: normal
Target Milestone: ---
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2017-05-19 19:01 UTC by Francis Brosnan Blázquez
Modified: 2017-06-21 08:16 UTC

Attachments:
Patch to fix the problem and make it work MX and NS records (1.49 KB, patch), 2017-05-20 17:47 UTC, Francis Brosnan Blázquez
git-am fix for master. (2.58 KB, patch), 2017-05-22 18:39 UTC, Jeremy Allison
Latest patch fixing res->msgs[0] reference (1.69 KB, patch), 2017-06-19 14:48 UTC, Francis Brosnan Blázquez
Latest patch fixing res->msgs[0] reference (Right direction) (1.69 KB, patch), 2017-06-19 14:51 UTC, Francis Brosnan Blázquez

Description Francis Brosnan Blázquez 2017-05-19 19:01:14 UTC
Hello,

With Samba 4.6.2 running on Debian Jessie (all updated), 
if you run the following commands to create a DNS zone with 
an MX (or an NS) record:

     >> samba-tool dns zonecreate 127.0.0.1 testprueba.aspl.es -P

...then add an NS or MX record with any of the following examples:

     >> samba-tool dns add 127.0.0.1 testprueba.aspl.es @ MX 'mail.aspl.es 10' -P
     >> samba-tool dns add 127.0.0.1 testprueba.aspl.es testprueba MX 'mail.aspl.es 10' -P
     >> samba-tool dns add 127.0.0.1 testprueba.aspl.es 'testprueba.aspl.es' NS 'ns1.cuentadns.com' -P
     >> samba-tool dns add 127.0.0.1 testprueba.aspl.es @ NS 'ns1.cuentadns.com' -P

...all of them reporting:

   Record added successfully  (exit 0)

Then, you query the server locally or remotely with the following:

   >> samba-tool dns query 192.168.40.75 testprueba.aspl.es @ ALL -P --additional --authority
   # also with:
   >> samba-tool dns query 127.0.0.1 testprueba.aspl.es @ ALL -P --additional --authority

You crash the samba internal DNS server with the following error:

     May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.113275,  0] ../lib/util/fault.c:78(fault_report)
     May 19 20:55:00 server04 samba[20484]:   ===============================================================
     May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.116269,  0] ../lib/util/fault.c:79(fault_report)
     May 19 20:55:00 server04 samba[20484]:   INTERNAL ERROR: Signal 11 in pid 20484 (4.6.1)
     May 19 20:55:00 server04 samba[20484]:   Please read the Trouble-Shooting section of the Samba HOWTO
     May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.118832,  0] ../lib/util/fault.c:81(fault_report)
     May 19 20:55:00 server04 samba[20484]:   ===============================================================
     May 19 20:55:00 server04 samba[20484]: [2017/05/19 20:55:00.120235,  0] ../lib/util/fault.c:151(smb_panic_default)
     May 19 20:55:00 server04 samba[20484]:   PANIC: internal error
     May 19 20:55:00 server04 samba[20465]: [2017/05/19 20:55:00.126508,  0] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
     May 19 20:55:00 server04 samba[20465]:   Child 20484 (rpc) terminated with signal 6

The only way to recover from this error is to completely restart Samba:

>> /etc/init.d/samba restart

I'm investigating the bug to see if the same happens with Samba 4.6.3
and the latest components.

Best Regards,
Comment 1 Francis Brosnan Blázquez 2017-05-20 14:33:32 UTC
Hello,

Just confirming the same happens with the latest Samba 4.6.3 (with tdb 1.3.13, talloc 2.1.9, tevent 0.9.31, ldb 1.1.29).

Best Regards,
Comment 2 Francis Brosnan Blázquez 2017-05-20 14:43:34 UTC
Here is the backtrace where the segfault happens upon sending the
zone list request.

The process that is failing is the one holding 135/tcp, 1024/tcp
and 1025/tcp ports:

tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      385/samba       <---
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN      385/samba       <---
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      385/samba       <---


Program received signal SIGSEGV, Segmentation fault.
0x00007f71d8de6df9 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
(gdb) thread apply all bt


Thread 1 (Thread 0x7f71e8f2d700 (LWP 2019)):
#0  0x00007f71d8de6df9 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#1  0x00007f71d8de7dbe in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#2  0x00007f71d8de8798 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#3  0x00007f71d8db1517 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#4  0x00007f71d8db1fa4 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#5  0x00007f71d8db3918 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0
#6  0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#7  0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8  0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#9  0x00007f71e39ddaa3 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-binding.so.0
#10 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f71e3bf7234 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#14 0x00007f71e3bf745e in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#15 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007f71e6588648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#18 0x00007f71e3bf6784 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#19 0x00007f71e658854e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f71e6588621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f71e6588746 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007f71e658795b in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007f71e6590bce in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f71e658d971 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007f71e6586805 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#26 0x00007f71e6586b15 in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#27 0x00007f71e658da13 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#28 0x00007f71e6586bb8 in _tevent_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#29 0x00007f71dc40ef1a in ?? () from /usr/lib/x86_64-linux-gnu/samba/process_model/standard.so
#30 0x00007f71e7e4e6a0 in task_server_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#31 0x00007f71e7e4cacd in ?? () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#32 0x00007f71e7e4cc10 in server_service_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#33 0x00007f71e8d60d64 in _start ()
Comment 3 Francis Brosnan Blázquez 2017-05-20 17:03:31 UTC
Adding full stack trace with debugging symbols where the crash happens:

Program received signal SIGSEGV, Segmentation fault.
dnsserver_enumerate_records (dsstate=0x7f863a066fa0, mem_ctx=0x7f8639a00320, z=0x7f863a2626c0, client_version=458752, node_name=0x7f8639d25e00 "@", start_child=0x0, record_type=DNS_TYPE_ALL, select_flag=17, filter_start=0x0, 
    filter_stop=0x0, buffer_length=0x7f8639deadb0, buffer=0x7f8639efad10) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1844
1844	../source4/rpc_server/dnsserver/dcerpc_dnsserver.c: No existe el fichero o el directorio.
(gdb) thread apply all bt

Thread 1 (Thread 0x7f8637fd0700 (LWP 26768)):
#0  dnsserver_enumerate_records (dsstate=0x7f863a066fa0, mem_ctx=0x7f8639a00320, z=0x7f863a2626c0, client_version=458752, node_name=0x7f8639d25e00 "@", start_child=0x0, record_type=DNS_TYPE_ALL, select_flag=17, filter_start=0x0, 
    filter_stop=0x0, buffer_length=0x7f8639deadb0, buffer=0x7f8639efad10) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1844
#1  0x00007f8627e8bd9e in dcesrv_DnssrvEnumRecords2 (dce_call=0x7f8639a00320, mem_ctx=0x7f8639a00320, r=0x7f863a0440d0) at ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:2285
#2  0x00007f8627e8c778 in dnsserver__op_dispatch (dce_call=0x7f8639a00320, mem_ctx=0x7f8639a00320, r=0x7f863a0440d0) at default/librpc/gen_ndr/ndr_dnsserver_s.c:157
#3  0x00007f8627e554f7 in dcesrv_request (call=0x7f8639a00320) at ../source4/rpc_server/dcerpc_server.c:1648
#4  0x00007f8627e55f84 in dcesrv_process_ncacn_packet (dce_conn=0x7f863a1f2960, pkt=0x7f863a560730, blob=...) at ../source4/rpc_server/dcerpc_server.c:1970
#5  0x00007f8627e578f8 in dcesrv_read_fragment_done (subreq=0x0) at ../source4/rpc_server/dcerpc_server.c:2542
#6  0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#7  0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8  0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#9  0x00007f8632a81aa3 in ?? () from /usr/lib/x86_64-linux-gnu/libdcerpc-binding.so.0
#10 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f8632c9b234 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#14 0x00007f8632c9b45e in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#15 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#16 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#17 0x00007f863562c648 in _tevent_req_done () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#18 0x00007f8632c9a784 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets-samba4.so
#19 0x00007f863562c54e in _tevent_req_notify_callback () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f863562c621 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00007f863562c746 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007f863562b95b in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007f8635634bce in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007f8635631971 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x00007f863562a805 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#26 0x00007f863562ab15 in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#27 0x00007f8635631a13 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#28 0x00007f863562abb8 in _tevent_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#29 0x00007f862b4b1f1a in ?? () from /usr/lib/x86_64-linux-gnu/samba/process_model/standard.so
#30 0x00007f8636ef26a0 in task_server_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#31 0x00007f8636ef0acd in ?? () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#32 0x00007f8636ef0c10 in server_service_startup () from /usr/lib/x86_64-linux-gnu/samba/libservice-samba4.so
#33 0x00007f8637e04d64 in _start ()
(gdb)
Comment 4 Francis Brosnan Blázquez 2017-05-20 17:47:32 UTC
Created attachment 13228 [details]
Patch to fix the problem and make it work MX and NS records

Patch against ./source4/rpc_server/dnsserver/dcerpc_dnsserver.c
as released by Samba 4.6.3
Comment 5 Francis Brosnan Blázquez 2017-05-20 17:56:25 UTC
Hello,

I've attached a patch that fixes the reported issue. 

In short, the dnsserver_enumerate_records() implementation has 
several bugs around the res variable usage. In several places 
it calls:

   talloc_free (res);

...but without nulling it. This causes later iterations or 
uses of the res reference to double-free it or access invalid 
memory.

The patch only nulls the pointer after talloc_free():

   talloc_free (res);
   res = NULL;

...and also makes sure dns_fill_records_array() does not receive 
a pointer to unavailable records, by changing:

   res->msgs[0], 0, recs,

by:

   (res && res->count > 0) ? res->msgs[0] : NULL, 0, recs,

I can confirm that after applying this patch you can create NS and 
MX records, and the call to:

>> samba-tool dns query 127.0.0.1 testprueba.aspl.es @ ALL -P --additional --authority

...reports all records without breaking Samba.

Best Regards,
Comment 6 Jeremy Allison 2017-05-22 18:39:28 UTC
Created attachment 13229 [details]
git-am fix for master.

We already have a macro, TALLOC_FREE(x) which calls talloc_free(x) and sets x to NULL.

Can you test the attached patch and let me know if it also fixes your bug?

If so I'll get it into master and get it back ported to supported releases.

Thanks,

Jeremy.
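The dangling-pointer pattern described in comments 5 and 6, as an added example that is not Samba's code: plain free() plus a reset macro stands in for talloc_free()/TALLOC_FREE(), and struct result, lookup(), fill_records() and enumerate_records() are hypothetical miniatures of the ldb result, dns_fill_records_array() and dnsserver_enumerate_records().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Samba's TALLOC_FREE(): free and reset the pointer, so a later
 * guard such as (res && res->count > 0) sees NULL, not a dangling pointer. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Hypothetical miniature of an ldb result set: count == 0 means no match. */
struct result {
    int count;
    const char *msgs[4];
};

/* Constructed lookup: "@" has one record, any other node name has none. */
static struct result *lookup(const char *name)
{
    struct result *res = calloc(1, sizeof(*res));
    if (res != NULL && strcmp(name, "@") == 0) {
        res->count = 1;
        res->msgs[0] = "MX 10 mail.example.test";
    }
    return res;
}

/* Consumer in the role of dns_fill_records_array(): accepts a NULL message
 * (the case the patched call site now passes) and simply fills nothing. */
static void fill_records(const char *msg, int *filled)
{
    if (msg != NULL) (*filled)++;
}

/* Walk several node names reusing one 'res' variable, the shape of the loop
 * in dnsserver_enumerate_records(). Before the fix, free(res) without the
 * reset followed by res->msgs[0] read freed memory; here the pointer is
 * reset and the access guarded. Returns the number of records filled. */
int enumerate_records(const char **names, size_t n)
{
    struct result *res = NULL;
    int filled = 0;
    for (size_t i = 0; i < n; i++) {
        FREE_AND_NULL(res);             /* drop the previous lookup safely */
        res = lookup(names[i]);
        fill_records((res && res->count > 0) ? res->msgs[0] : NULL, &filled);
    }
    FREE_AND_NULL(res);
    return filled;
}
```

Running this under a memory checker with the reset removed and the guard replaced by a bare res->msgs[0] reproduces the invalid read the report describes.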
Comment 7 Jeremy Allison 2017-06-01 17:11:45 UTC
Ping. Francis, can you confirm this fixes your problem?

Thanks.

Jeremy.
Comment 8 Francis Brosnan Blázquez 2017-06-02 09:22:15 UTC
Hello Jeremy,

Sorry for the delay. I'll check proposed patch to let you know 
if it fixes the issue. 

I'll keep you updated,
Best Regards,
Comment 9 Jeremy Allison 2017-06-16 18:57:16 UTC
Ping! Can you confirm this? I'd like to get this fixed and pushed into release versions.

Thanks,

Jeremy.
Comment 10 Francis Brosnan Blázquez 2017-06-19 14:47:42 UTC
Hello,

Sorry for the delay. Just confirming the last proposed patch does not work. 
It misses the following, which was included in the first patch:

1848c1846
< 							(res && res->count > 0) ? res->msgs[0] : NULL, 0, recs,
---
> 							res->msgs[0], 0, recs,
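Review bot: this hunk is reversed relative to the fix described in comment 5: the `<` (original) side carries the guarded call `(res && res->count > 0) ? res->msgs[0] : NULL, 0, recs,` and the `>` (modified) side the unguarded `res->msgs[0], 0, recs,`, so applied as orig -> modified it would remove the guard rather than add it; please regenerate the diff with the file order swapped. Since the guard substitutes NULL for the message whenever res is NULL or res->count is 0, the callee dns_fill_records_array() must accept a NULL message argument, which is worth confirming on the same pass.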

In essence, the current code assumes res->msgs[0] is always present and has
a valid reference to "res", but that's not the case as described (it might
be NULL or might have res->count == 0).

I'm attaching an updated patch based on the latest proposed one (git-am fix for master)
that includes this fix too.

Best Regards,
Comment 11 Francis Brosnan Blázquez 2017-06-19 14:48:18 UTC
Created attachment 13290 [details]
Latest patch fixing res->msgs[0] reference
Comment 12 Francis Brosnan Blázquez 2017-06-19 14:50:48 UTC
Sorry, I'm attaching an updated patch with the right direction (orig -> modified).
Best Regards,
Comment 13 Francis Brosnan Blázquez 2017-06-19 14:51:34 UTC
Created attachment 13291 [details]
Latest patch fixing res->msgs[0] reference (Right direction)