Bug 13003 - SMB_VFS_GET_COMPRESSION causes segfault with macOS 10.12.3 clients
SMB_VFS_GET_COMPRESSION causes segfault with macOS 10.12.3 clients
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.7.0rc5
All All
: P5 normal
: ---
Assigned To: Jeremy Allison
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-31 00:18 UTC by Justin Maggard
Modified: 2017-09-17 16:53 UTC (History)
2 users (show)

See Also:


Attachments
Patch to fix the segfault (1.31 KB, patch)
2017-08-31 00:40 UTC, Justin Maggard
jra: review-
Details
git-am fix for master. (4.47 KB, patch)
2017-09-08 22:33 UTC, Jeremy Allison
jra: review? (jmaggard)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Justin Maggard 2017-08-31 00:18:24 UTC
If we combine vfs_btrfs with (at least) vfs_catia or vfs_streams_xattr, we hit a NULL pointer in vfs_memctx_fsp_extension().  This appears to be because vfs_btrfs enables compression support, and when macOS connects it calls dos_mode_check_compressed() which calls SMB_VFS_GET_COMPRESSION with a NULL files_struct pointer.  This gets passed around until it finally gets dereferenced in vfs_memctx_fsp_extension().

(gdb) bt full
#0  0x00007fdef8205b3c in __libc_waitpid (pid=17952, stat_loc=stat_loc@entry=0x7ffd20930ed0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
        resultvar = 18446744073709551104
        oldtype = -129026848
#1  0x00007fdef818d12b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
        __result = <optimized out>
        _buffer = {__routine = 0x7fdef818d3d0 <cancel_handler>, __arg = 0x7ffd20930eac, __canceltype = 0, __prev = 0x0}
        _avail = 1
        status = 546508544
        save = <optimized out>
        pid = 17952
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x560aa3468bf0}
        omask = 
            {__val = {7296, 0, 140595621606208, 140595695561192, 140725149962072, 140595648565672, 244831152328, 0, 140725149962272, 140595678175569, 94603662281593, 140595648565672, 72057594037927936, 206158430224, 140725149962288, 140595693416576}}
#2  0x00007fdef9ad09a8 in smb_panic_s3 (why=0x7fdefbfa8865 "internal error") at ../source3/lib/util.c:817
        cmd = 0x560aa3468bf0 "/bin/sleep 999999999"
        result = 0
        __FUNCTION__ = "smb_panic_s3"
#3  0x00007fdefbf5fb62 in smb_panic (why=0x7fdefbfa8865 "internal error") at ../lib/util/fault.c:166
#4  0x00007fdefbf5f83a in fault_report (sig=11) at ../lib/util/fault.c:83
        counter = 1
        __FUNCTION__ = "fault_report"
#5  0x00007fdefbf5f84f in sig_fault (sig=11) at ../lib/util/fault.c:94
#6  0x00007fdefc3c6890 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#7  0x00007fdefbb38032 in vfs_memctx_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at ../source3/smbd/vfs.c:296
        head = 0x5b
#8  0x00007fdefbb3808f in vfs_fetch_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at ../source3/smbd/vfs.c:309
        head = 0x7fdef84f1620 <main_arena>
#9  0x00007fdee7a8a6be in streams_xattr_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/modules/vfs_streams_xattr.c:1662
        sio = 0x560aa3465830
#10 0x00007fdefbb3cf9c in smb_vfs_call_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/smbd/vfs.c:2400
#11 0x00007fdefbb20d92 in dos_mode_check_compressed (conn=0x560aa345f790, smb_fname=0x560aa3463730, is_compressed=0x7ffd209318bf) at ../source3/smbd/dosmode.c:588
        status = {v = 2739287856}
        compression_fmt = 0
        tmp_ctx = 0x560aa3468b80
#12 0x00007fdefbb20fa7 in dos_mode (conn=0x560aa345f790, smb_fname=0x560aa3463730) at ../source3/smbd/dosmode.c:671
        compressed = false
        result = 0
        status = {v = 3221226021}
        __func__ = "dos_mode"
#13 0x00007fdefbb7f468 in smbd_smb2_create_send (mem_ctx=0x560aa3462b10, ev=0x560aa343e670, smb2req=0x560aa3462b10, in_oplock_level=0 '\000', in_impersonation_level=2, in_desired_access=1048705, in_file_attributes=16, in_share_access=7, in_create_disposition=1, in_create_options=1, in_name=0x560aa34622a0 "", in_context_blobs=...) at ../source3/smbd/smb2_create.c:1373
        req = 0x560aa34656a0
        state = 0x560aa3465830
        status = {v = 0}
        smb1req = 0x560aa3461430
        result = 0x560aa3469570
        info = 1
        requested_oplock_level = 0
        dhnc = 0x0
        dh2c = 0x0
        dhnq = 0x0
        dh2q = 0x0
        rqls = 0x0
        replay_operation = false
        __FUNCTION__ = "smbd_smb2_create_send"
        __func__ = "smbd_smb2_create_send"
#14 0x00007fdefbb7ba0e in smbd_smb2_request_process_create (smb2req=0x560aa3462b10) at ../source3/smbd/smb2_create.c:227
        inbody = 0x560aa3469990 "9"
        indyniov = 0x560aa3462c48
        in_oplock_level = 0 '\000'
        in_impersonation_level = 2
        in_desired_access = 1048705
        in_file_attributes = 16
        in_share_access = 7
---Type <return> to continue, or q <return> to quit---
        in_create_disposition = 1
        in_create_options = 1
        in_name_offset = 120
        in_name_length = 0
        in_name_buffer = {data = 0x560aa34699c8 "", length = 0}
        in_name_string = 0x560aa34622a0 ""
        in_name_string_size = 0
        name_offset = 0
        name_available_length = 32
        in_context_offset = 128
        in_context_length = 24
        in_context_buffer = {data = 0x560aa34699d0 "", length = 24}
        in_context_blobs = {num_blobs = 1, blobs = 0x560aa345fb10}
        context_offset = 8
        context_available_length = 24
        dyn_offset = 120
        status = {v = 0}
        ok = true
        tsubreq = 0xaa34423b0
#15 0x00007fdefbb6eee0 in smbd_smb2_request_dispatch (req=0x560aa3462b10) at ../source3/smbd/smb2_server.c:2597
        xconn = 0x560aa3446d40
        call = 0x7fdefbf23278 <smbd_smb2_table+120>
        intf_v = 0x560aa3462c18
        inhdr = 0x560aa3469950 "\376SMB@"
        opcode = 5
        flags = 0
        mid = 4
        status = {v = 0}
        session_status = {v = 0}
        allowed_flags = 805306380
        return_value = {v = 2739262976}
        x = 0x560aa3442140
        signing_required = false
        encryption_desired = false
        encryption_required = false
        __FUNCTION__ = "smbd_smb2_request_dispatch"
#16 0x00007fdefbb72c93 in smbd_smb2_io_handler (xconn=0x560aa3446d40, fde_flags=1) at ../source3/smbd/smb2_server.c:3890
        sconn = 0x560aa3446070
        state = 0x560aa3446e08
        req = 0x560aa3462b10
        min_recvfile_size = 4294967295
        ret = 152
        err = 0
        retry = false
        status = {v = 0}
        now = 131486116510878190
        __FUNCTION__ = "smbd_smb2_io_handler"
#17 0x00007fdefbb72d99 in smbd_smb2_connection_handler (ev=0x560aa343e670, fde=0x560aa3457a60, flags=1, private_data=0x560aa3446d40) at ../source3/smbd/smb2_server.c:3928
        xconn = 0x560aa3446d40
        status = {v = 59}
#18 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445030, tvalp=0x7ffd20932090) at ../lib/tevent/tevent_epoll.c:728
        fde = 0x560aa3457a60
        flags = 1
        mpx_fde = 0x0
        ret = 1
        i = 0
        events = {{events = 1, data = {ptr = 0x560aa3457a60, fd = -1555727776, u32 = 2739239520, u64 = 94603688901216}}}
        timeout = 59635
        wait_errno = 0
#19 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_epoll.c:930
        epoll_ev = 0x560aa3445030
        tval = {tv_sec = 59, tv_usec = 634948}
        panic_triggered = false
#20 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:114
        glue_ptr = 0x560aa3440020
---Type <return> to continue, or q <return> to quit---
        glue = 0x560aa3440020
        ret = 32734
#21 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:726
        ret = 0
        nesting_stack_ptr = 0x0
#22 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:849
        ret = 0
#23 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:145
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 22026
#24 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:868
#25 0x00007fdefbb5743f in smbd_process (ev_ctx=0x560aa343e670, msg_ctx=0x560aa3440320, sock_fd=36, interactive=false) at ../source3/smbd/process.c:4126
        trace_state = {ev = 0x560aa343e670, frame = 0x560aa346a230}
        client = 0x560aa3457100
        sconn = 0x560aa3446070
        xconn = 0x560aa3446d40
        locaddr = 0x560aa3457d00 "\300\240E\243\nV"
        remaddr = 0x560aa3457d80 "10.20.0.146"
        ret = 22026
        status = {v = 0}
        tv = {tv_sec = 1504138050, tv_usec = 246828}
        now = 131486116502468280
        chroot_dir = 0x560aa34453f0 "s3fs"
        rc = -1555823840
        __func__ = "smbd_process"
        __FUNCTION__ = "smbd_process"
#26 0x0000560aa1afcc0d in smbd_accept_connection (ev=0x560aa343e670, fde=0x560aa3458ca0, flags=1, private_data=0x560aa3458ba0) at ../source3/smbd/server.c:1026
        status = {v = 0}
        s = 0x0
        msg_ctx = 0x560aa3440320
        addr = 
          {ss_family = 2, __ss_align = 0, __ss_padding = "\360\233\023\373\336\177\000\000p\346C\243\nV\000\000pxE\243\nV\000\000 \026O\370\336\177\000\000`\000\000\000\000\000\000\000p#\223 \375\177\000\000S<\233 \375\177\000\000\063ٯ\241\nV\000\000p%\223 \375\177\000\000\320#\223 \001\000\000\000\220#\223 \375\177\000\000p%\223 \375\177\000\000\220#\223 \375\177\000\000\363\354\022\373\336\177\000"}
        in_addrlen = 16
        fd = 36
        pid = 0
        __FUNCTION__ = "smbd_accept_connection"
#27 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445660, tvalp=0x7ffd20932420) at ../lib/tevent/tevent_epoll.c:728
        fde = 0x560aa3458ca0
        flags = 1
        mpx_fde = 0x0
        ret = 1
        i = 0
        events = {{events = 1, data = {ptr = 0x560aa3458ca0, fd = -1555723104, u32 = 2739244192, u64 = 94603688905888}}}
        timeout = 1000
        wait_errno = 0
#28 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_epoll.c:930
        epoll_ev = 0x560aa3445660
        tval = {tv_sec = 0, tv_usec = 999990}
        panic_triggered = false
#29 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:114
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 32734
#30 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:726
        ret = 0
        nesting_stack_ptr = 0x0
#31 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:849
        ret = 0
#32 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:145
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 32765
#33 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:868
---Type <return> to continue, or q <return> to quit---
#34 0x0000560aa1afd9d5 in smbd_parent_loop (ev_ctx=0x560aa343e670, parent=0x560aa3446070) at ../source3/smbd/server.c:1393
        trace_state = {frame = 0x560aa3430040}
        ret = 0
        __FUNCTION__ = "smbd_parent_loop"
#35 0x0000560aa1affbf3 in main (argc=1, argv=0x7ffd20932a18) at ../source3/smbd/server.c:2160
        is_daemon = true
        interactive = false
        Fork = true
        no_process_group = false
        log_stdout = false
        ports = 0x0
        profile_level = 0x0
        opt = -1
        pc = 0x560aa342fa70
        print_build_options = false
        main_server_id = {pid = 17945, task_id = 0, vnn = 4294967295, unique_id = 14794411679533500616}
        long_options = 
            {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdef8918480 <poptHelpOptions>, val = 0, descrip = 0x560aa1b0420b "Help options:", argDescrip = 0x0}, {longName = 0x560aa1b04219 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x560aa1b04220 "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x560aa1b0423a "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x560aa1b04248 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x560aa1b04267 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x560aa1b04278 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 0x0}, {longName = 0x560aa1b042a9 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x560aa1b042c0 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x560aa1b042e1 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x560aa1b042ec "Log to stdout", argDescrip = 0x0}, {longName = 0x560aa1b042fa "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x560aa1b04308 "Print build options", argDescrip = 0x0}, {longName = 0x560aa1b0431c "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffd209325e0, val = 0, descrip = 0x560aa1b04321 "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x560aa1b0433f "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffd209325e8, val = 0, descrip = 0x560aa1b0434f "Set profiling level", argDescrip = 0x560aa1b04363 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdefc3b6180 <popt_common_samba>, val = 0, descrip = 0x560aa1b04371 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        parent = 0x560aa3446070
        frame = 0x560aa342d3d0
        status = {v = 0}
        ev_ctx = 0x560aa343e670
        msg_ctx = 0x560aa3440320
        server_id = {pid = 17947, task_id = 0, vnn = 4294967295, unique_id = 7118057808384568755}
        se = 0x560aa3446f80
        profiling_level = 0
        np_dir = 0x560aa34509b0 ""
        smbd_shim_fns = 
          {cancel_pending_lock_requests_by_fid = 0x7fdefbb34e01 <smbd_cancel_pending_lock_requests_by_fid>, send_stat_cache_delete_message = 0x7fdefbb3f0fd <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fdefbb1f138 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fdefbb1f1ee <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fdefbb1f2e0 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fdefbbafd1b <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7fdefbbafd8e <smbd_contend_level2_oplocks_end>, become_root = 0x7fdefbb1f500 <smbd_become_root>, unbecome_root = 0x7fdefbb1f528 <smbd_unbecome_root>, exit_server = 0x7fdefbba44d4 <smbd_exit_server>, exit_server_cleanly = 0x7fdefbba44f1 <smbd_exit_server_cleanly>}
        __FUNCTION__ = "main"
        __func__ = "main"
Comment 1 Justin Maggard 2017-08-31 00:40:49 UTC
Created attachment 13521 [details]
Patch to fix the segfault
Comment 2 Jeremy Allison 2017-08-31 23:25:00 UTC
Comment on attachment 13521 [details]
Patch to fix the segfault

LGTM. I'll post on samba-technical with your Signed-off and my Reviewed-by.
Comment 3 Justin Maggard 2017-09-07 06:11:47 UTC
FWIW, this isn't just a problem with macOS clients.  Windows and smbclient crash smbd too, given an appropriate array of VFS modules.
Comment 4 Jeremy Allison 2017-09-07 23:39:04 UTC
Justin, this unfortunately causes samba3.smbtorture_s3.plain(nt4_dc).OPLOCK2 to fail. I'll look closely..
Comment 5 Jeremy Allison 2017-09-08 22:30:36 UTC
Comment on attachment 13521 [details]
Patch to fix the segfault

Breaks OPLOCK2 test case :-(.
Comment 6 Jeremy Allison 2017-09-08 22:33:06 UTC
Created attachment 13560 [details]
git-am fix for master.

Justin, I think this might fix it. get/set compression has no place in the streams_xattr module (compression always acts on base file and all contents) and the second patch makes catia cope with fsp == NULL (as the underlying btrfs module already does).

Your patch was more elegant, but I think this might also fix the underlying issue and keep the tests going.
Comment 7 Justin Maggard 2017-09-11 21:53:08 UTC
Yes, your patch is working for me as well.
Comment 8 Stefan Metzmacher 2017-09-17 16:53:42 UTC
Pushed to v4-{6,7}-test with review from slow@samba.org