Bug 13003 - SMB_VFS_GET_COMPRESSION causes segfault with macOS 10.12.3 clients
Summary: SMB_VFS_GET_COMPRESSION causes segfault with macOS 10.12.3 clients
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.7.0rc5
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-31 00:18 UTC by Justin Maggard
Modified: 2020-12-11 09:42 UTC
CC: 2 users

See Also:


Attachments
Patch to fix the segfault (1.31 KB, patch), 2017-08-31 00:40 UTC, Justin Maggard, flags: jra: review-
git-am fix for master. (4.47 KB, patch), 2017-09-08 22:33 UTC, Jeremy Allison, no flags

Description Justin Maggard 2017-08-31 00:18:24 UTC
If we combine vfs_btrfs with (at least) vfs_catia or vfs_streams_xattr, we hit a NULL pointer in vfs_memctx_fsp_extension().  This appears to be because vfs_btrfs enables compression support, and when macOS connects it calls dos_mode_check_compressed() which calls SMB_VFS_GET_COMPRESSION with a NULL files_struct pointer.  This gets passed around until it finally gets dereferenced in vfs_memctx_fsp_extension().

(gdb) bt full
#0  0x00007fdef8205b3c in __libc_waitpid (pid=17952, stat_loc=stat_loc@entry=0x7ffd20930ed0, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
        resultvar = 18446744073709551104
        oldtype = -129026848
#1  0x00007fdef818d12b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
        __result = <optimized out>
        _buffer = {__routine = 0x7fdef818d3d0 <cancel_handler>, __arg = 0x7ffd20930eac, __canceltype = 0, __prev = 0x0}
        _avail = 1
        status = 546508544
        save = <optimized out>
        pid = 17952
        sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0, sa_restorer = 0x560aa3468bf0}
        omask = 
            {__val = {7296, 0, 140595621606208, 140595695561192, 140725149962072, 140595648565672, 244831152328, 0, 140725149962272, 140595678175569, 94603662281593, 140595648565672, 72057594037927936, 206158430224, 140725149962288, 140595693416576}}
#2  0x00007fdef9ad09a8 in smb_panic_s3 (why=0x7fdefbfa8865 "internal error") at ../source3/lib/util.c:817
        cmd = 0x560aa3468bf0 "/bin/sleep 999999999"
        result = 0
        __FUNCTION__ = "smb_panic_s3"
#3  0x00007fdefbf5fb62 in smb_panic (why=0x7fdefbfa8865 "internal error") at ../lib/util/fault.c:166
#4  0x00007fdefbf5f83a in fault_report (sig=11) at ../lib/util/fault.c:83
        counter = 1
        __FUNCTION__ = "fault_report"
#5  0x00007fdefbf5f84f in sig_fault (sig=11) at ../lib/util/fault.c:94
#6  0x00007fdefc3c6890 in <signal handler called> () at /lib/x86_64-linux-gnu/libpthread.so.0
#7  0x00007fdefbb38032 in vfs_memctx_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at ../source3/smbd/vfs.c:296
        head = 0x5b
#8  0x00007fdefbb3808f in vfs_fetch_fsp_extension (handle=0x560aa3465db0, fsp=0x0) at ../source3/smbd/vfs.c:309
        head = 0x7fdef84f1620 <main_arena>
#9  0x00007fdee7a8a6be in streams_xattr_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/modules/vfs_streams_xattr.c:1662
        sio = 0x560aa3465830
#10 0x00007fdefbb3cf9c in smb_vfs_call_get_compression (handle=0x560aa3465db0, mem_ctx=0x560aa3468b80, fsp=0x0, smb_fname=0x560aa3463730, _compression_fmt=0x7ffd2093187e) at ../source3/smbd/vfs.c:2400
#11 0x00007fdefbb20d92 in dos_mode_check_compressed (conn=0x560aa345f790, smb_fname=0x560aa3463730, is_compressed=0x7ffd209318bf) at ../source3/smbd/dosmode.c:588
        status = {v = 2739287856}
        compression_fmt = 0
        tmp_ctx = 0x560aa3468b80
#12 0x00007fdefbb20fa7 in dos_mode (conn=0x560aa345f790, smb_fname=0x560aa3463730) at ../source3/smbd/dosmode.c:671
        compressed = false
        result = 0
        status = {v = 3221226021}
        __func__ = "dos_mode"
#13 0x00007fdefbb7f468 in smbd_smb2_create_send (mem_ctx=0x560aa3462b10, ev=0x560aa343e670, smb2req=0x560aa3462b10, in_oplock_level=0 '\000', in_impersonation_level=2, in_desired_access=1048705, in_file_attributes=16, in_share_access=7, in_create_disposition=1, in_create_options=1, in_name=0x560aa34622a0 "", in_context_blobs=...) at ../source3/smbd/smb2_create.c:1373
        req = 0x560aa34656a0
        state = 0x560aa3465830
        status = {v = 0}
        smb1req = 0x560aa3461430
        result = 0x560aa3469570
        info = 1
        requested_oplock_level = 0
        dhnc = 0x0
        dh2c = 0x0
        dhnq = 0x0
        dh2q = 0x0
        rqls = 0x0
        replay_operation = false
        __FUNCTION__ = "smbd_smb2_create_send"
        __func__ = "smbd_smb2_create_send"
#14 0x00007fdefbb7ba0e in smbd_smb2_request_process_create (smb2req=0x560aa3462b10) at ../source3/smbd/smb2_create.c:227
        inbody = 0x560aa3469990 "9"
        indyniov = 0x560aa3462c48
        in_oplock_level = 0 '\000'
        in_impersonation_level = 2
        in_desired_access = 1048705
        in_file_attributes = 16
        in_share_access = 7
        in_create_disposition = 1
        in_create_options = 1
        in_name_offset = 120
        in_name_length = 0
        in_name_buffer = {data = 0x560aa34699c8 "", length = 0}
        in_name_string = 0x560aa34622a0 ""
        in_name_string_size = 0
        name_offset = 0
        name_available_length = 32
        in_context_offset = 128
        in_context_length = 24
        in_context_buffer = {data = 0x560aa34699d0 "", length = 24}
        in_context_blobs = {num_blobs = 1, blobs = 0x560aa345fb10}
        context_offset = 8
        context_available_length = 24
        dyn_offset = 120
        status = {v = 0}
        ok = true
        tsubreq = 0xaa34423b0
#15 0x00007fdefbb6eee0 in smbd_smb2_request_dispatch (req=0x560aa3462b10) at ../source3/smbd/smb2_server.c:2597
        xconn = 0x560aa3446d40
        call = 0x7fdefbf23278 <smbd_smb2_table+120>
        intf_v = 0x560aa3462c18
        inhdr = 0x560aa3469950 "\376SMB@"
        opcode = 5
        flags = 0
        mid = 4
        status = {v = 0}
        session_status = {v = 0}
        allowed_flags = 805306380
        return_value = {v = 2739262976}
        x = 0x560aa3442140
        signing_required = false
        encryption_desired = false
        encryption_required = false
        __FUNCTION__ = "smbd_smb2_request_dispatch"
#16 0x00007fdefbb72c93 in smbd_smb2_io_handler (xconn=0x560aa3446d40, fde_flags=1) at ../source3/smbd/smb2_server.c:3890
        sconn = 0x560aa3446070
        state = 0x560aa3446e08
        req = 0x560aa3462b10
        min_recvfile_size = 4294967295
        ret = 152
        err = 0
        retry = false
        status = {v = 0}
        now = 131486116510878190
        __FUNCTION__ = "smbd_smb2_io_handler"
#17 0x00007fdefbb72d99 in smbd_smb2_connection_handler (ev=0x560aa343e670, fde=0x560aa3457a60, flags=1, private_data=0x560aa3446d40) at ../source3/smbd/smb2_server.c:3928
        xconn = 0x560aa3446d40
        status = {v = 59}
#18 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445030, tvalp=0x7ffd20932090) at ../lib/tevent/tevent_epoll.c:728
        fde = 0x560aa3457a60
        flags = 1
        mpx_fde = 0x0
        ret = 1
        i = 0
        events = {{events = 1, data = {ptr = 0x560aa3457a60, fd = -1555727776, u32 = 2739239520, u64 = 94603688901216}}}
        timeout = 59635
        wait_errno = 0
#19 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_epoll.c:930
        epoll_ev = 0x560aa3445030
        tval = {tv_sec = 59, tv_usec = 634948}
        panic_triggered = false
#20 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:114
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 32734
#21 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:726
        ret = 0
        nesting_stack_ptr = 0x0
#22 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:849
        ret = 0
#23 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent_standard.c:145
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 22026
#24 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x7fdefbca7f30 "../source3/smbd/process.c:4126") at ../lib/tevent/tevent.c:868
#25 0x00007fdefbb5743f in smbd_process (ev_ctx=0x560aa343e670, msg_ctx=0x560aa3440320, sock_fd=36, interactive=false) at ../source3/smbd/process.c:4126
        trace_state = {ev = 0x560aa343e670, frame = 0x560aa346a230}
        client = 0x560aa3457100
        sconn = 0x560aa3446070
        xconn = 0x560aa3446d40
        locaddr = 0x560aa3457d00 "\300\240E\243\nV"
        remaddr = 0x560aa3457d80 "10.20.0.146"
        ret = 22026
        status = {v = 0}
        tv = {tv_sec = 1504138050, tv_usec = 246828}
        now = 131486116502468280
        chroot_dir = 0x560aa34453f0 "s3fs"
        rc = -1555823840
        __func__ = "smbd_process"
        __FUNCTION__ = "smbd_process"
#26 0x0000560aa1afcc0d in smbd_accept_connection (ev=0x560aa343e670, fde=0x560aa3458ca0, flags=1, private_data=0x560aa3458ba0) at ../source3/smbd/server.c:1026
        status = {v = 0}
        s = 0x0
        msg_ctx = 0x560aa3440320
        addr = 
          {ss_family = 2, __ss_align = 0, __ss_padding = "\360\233\023\373\336\177\000\000p\346C\243\nV\000\000pxE\243\nV\000\000 \026O\370\336\177\000\000`\000\000\000\000\000\000\000p#\223 \375\177\000\000S<\233 \375\177\000\000\063ٯ\241\nV\000\000p%\223 \375\177\000\000\320#\223 \001\000\000\000\220#\223 \375\177\000\000p%\223 \375\177\000\000\220#\223 \375\177\000\000\363\354\022\373\336\177\000"}
        in_addrlen = 16
        fd = 36
        pid = 0
        __FUNCTION__ = "smbd_accept_connection"
#27 0x00007fdefb1383c3 in epoll_event_loop (epoll_ev=0x560aa3445660, tvalp=0x7ffd20932420) at ../lib/tevent/tevent_epoll.c:728
        fde = 0x560aa3458ca0
        flags = 1
        mpx_fde = 0x0
        ret = 1
        i = 0
        events = {{events = 1, data = {ptr = 0x560aa3458ca0, fd = -1555723104, u32 = 2739244192, u64 = 94603688905888}}}
        timeout = 1000
        wait_errno = 0
#28 0x00007fdefb1389f9 in epoll_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_epoll.c:930
        epoll_ev = 0x560aa3445660
        tval = {tv_sec = 0, tv_usec = 999990}
        panic_triggered = false
#29 0x00007fdefb135702 in std_event_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:114
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 32734
#30 0x00007fdefb12e515 in _tevent_loop_once (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:726
        ret = 0
        nesting_stack_ptr = 0x0
#31 0x00007fdefb12e825 in tevent_common_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:849
        ret = 0
#32 0x00007fdefb1357a4 in std_event_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent_standard.c:145
        glue_ptr = 0x560aa3440020
        glue = 0x560aa3440020
        ret = 32765
#33 0x00007fdefb12e8c8 in _tevent_loop_wait (ev=0x560aa343e670, location=0x560aa1b03e54 "../source3/smbd/server.c:1393") at ../lib/tevent/tevent.c:868
#34 0x0000560aa1afd9d5 in smbd_parent_loop (ev_ctx=0x560aa343e670, parent=0x560aa3446070) at ../source3/smbd/server.c:1393
        trace_state = {frame = 0x560aa3430040}
        ret = 0
        __FUNCTION__ = "smbd_parent_loop"
#35 0x0000560aa1affbf3 in main (argc=1, argv=0x7ffd20932a18) at ../source3/smbd/server.c:2160
        is_daemon = true
        interactive = false
        Fork = true
        no_process_group = false
        log_stdout = false
        ports = 0x0
        profile_level = 0x0
        opt = -1
        pc = 0x560aa342fa70
        print_build_options = false
        main_server_id = {pid = 17945, task_id = 0, vnn = 4294967295, unique_id = 14794411679533500616}
        long_options = 
            {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdef8918480 <poptHelpOptions>, val = 0, descrip = 0x560aa1b0420b "Help options:", argDescrip = 0x0}, {longName = 0x560aa1b04219 "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x560aa1b04220 "Become a daemon (default)", argDescrip = 0x0}, {longName = 0x560aa1b0423a "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x560aa1b04248 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x560aa1b04267 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x560aa1b04278 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 0x0}, {longName = 0x560aa1b042a9 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x560aa1b042c0 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x560aa1b042e1 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x560aa1b042ec "Log to stdout", argDescrip = 0x0}, {longName = 0x560aa1b042fa "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x560aa1b04308 "Print build options", argDescrip = 0x0}, {longName = 0x560aa1b0431c "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffd209325e0, val = 0, descrip = 0x560aa1b04321 "Listen on the specified ports", argDescrip = 0x0}, {longName = 0x560aa1b0433f "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffd209325e8, val = 0, descrip = 0x560aa1b0434f "Set profiling level", argDescrip = 0x560aa1b04363 "PROFILE_LEVEL"}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fdefc3b6180 <popt_common_samba>, val = 0, descrip = 0x560aa1b04371 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        parent = 0x560aa3446070
        frame = 0x560aa342d3d0
        status = {v = 0}
        ev_ctx = 0x560aa343e670
        msg_ctx = 0x560aa3440320
        server_id = {pid = 17947, task_id = 0, vnn = 4294967295, unique_id = 7118057808384568755}
        se = 0x560aa3446f80
        profiling_level = 0
        np_dir = 0x560aa34509b0 ""
        smbd_shim_fns = 
          {cancel_pending_lock_requests_by_fid = 0x7fdefbb34e01 <smbd_cancel_pending_lock_requests_by_fid>, send_stat_cache_delete_message = 0x7fdefbb3f0fd <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fdefbb1f138 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fdefbb1f1ee <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fdefbb1f2e0 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fdefbbafd1b <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7fdefbbafd8e <smbd_contend_level2_oplocks_end>, become_root = 0x7fdefbb1f500 <smbd_become_root>, unbecome_root = 0x7fdefbb1f528 <smbd_unbecome_root>, exit_server = 0x7fdefbba44d4 <smbd_exit_server>, exit_server_cleanly = 0x7fdefbba44f1 <smbd_exit_server_cleanly>}
        __FUNCTION__ = "main"
        __func__ = "main"
Comment 1 Justin Maggard 2017-08-31 00:40:49 UTC
Created attachment 13521
Patch to fix the segfault
Comment 2 Jeremy Allison 2017-08-31 23:25:00 UTC
Comment on attachment 13521
Patch to fix the segfault

LGTM. I'll post on samba-technical with your Signed-off and my Reviewed-by.
Comment 3 Justin Maggard 2017-09-07 06:11:47 UTC
FWIW, this isn't just a problem with macOS clients.  Windows and smbclient crash smbd too, given an appropriate array of VFS modules.
Comment 4 Jeremy Allison 2017-09-07 23:39:04 UTC
Justin, this unfortunately causes samba3.smbtorture_s3.plain(nt4_dc).OPLOCK2 to fail. I'll look closely..
Comment 5 Jeremy Allison 2017-09-08 22:30:36 UTC
Comment on attachment 13521
Patch to fix the segfault

Breaks OPLOCK2 test case :-(.
Comment 6 Jeremy Allison 2017-09-08 22:33:06 UTC
Created attachment 13560
git-am fix for master.

Justin, I think this might fix it. get/set compression has no place in the streams_xattr module (compression always acts on base file and all contents) and the second patch makes catia cope with fsp == NULL (as the underlying btrfs module already does).

Your patch was more elegant, but I think this might also fix the underlying issue and keep the tests going.
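The failure path from the description and the two-part fix described in this comment, as an added example that is not Samba code and not either attachment: the structures, module names and hook signatures are toy stand-ins, the ".lz means compressed" rule in the btrfs-style module and the ':' to '_' mapping in the catia-style module are constructed for the example, and the MS-FSCC format values are the only constants taken from elsewhere. It models a stacked VFS chain receiving the path-based get_compression call that dos_mode() makes with fsp == NULL, shows the pre-fix streams_xattr-style hook dereferencing that NULL while fetching its per-fsp extension (frame #7 of the backtrace), and shows the fixed stack (catia checking for a NULL fsp before using it, streams_xattr not implementing the hook at all, the btrfs-style module answering from the path) completing the same call.

```c
#include <stdint.h>
#include <string.h>
/* Toy stand-ins for Samba's structures; field names are constructed for this example. */
struct smb_filename { char base_name[64]; const char *stream_name; /* NULL: base file */ };
/* fsp_name: name the file was opened with; vfs_extension: per-open-file module state. */
struct files_struct { int fd; const struct smb_filename *fsp_name; void *vfs_extension; };
struct vfs_handle_struct;
typedef int (*get_compression_fn)(struct vfs_handle_struct *, struct files_struct *,
                                  const struct smb_filename *, uint16_t *);
/* get_compression == NULL: module does not implement the hook; next: module underneath. */
struct vfs_handle_struct {
    const char *module; get_compression_fn get_compression; struct vfs_handle_struct *next;
};
#define COMPRESSION_FORMAT_NONE  0       /* MS-FSCC values */
#define COMPRESSION_FORMAT_LZNT1 2

/* Analogue of smb_vfs_call_get_compression(): the first module at or below "handle"
 * that implements the hook takes the call. */
static int vfs_call_get_compression(struct vfs_handle_struct *handle, struct files_struct *fsp,
                                    const struct smb_filename *smb_fname, uint16_t *fmt)
{
    for (; handle != NULL; handle = handle->next) {
        if (handle->get_compression != NULL) {
            return handle->get_compression(handle, fsp, smb_fname, fmt);
        }
    }
    *fmt = COMPRESSION_FORMAT_NONE;      /* nothing below implements it */
    return 0;
}

/* Analogue of SMB_VFS_NEXT_GET_COMPRESSION(). */
static int vfs_next_get_compression(struct vfs_handle_struct *handle, struct files_struct *fsp,
                                    const struct smb_filename *smb_fname, uint16_t *fmt)
{
    return vfs_call_get_compression(handle->next, fsp, smb_fname, fmt);
}

/* Bottom module in the role of vfs_btrfs: answers from the path, so fsp == NULL is
 * harmless. The ".lz means compressed" rule is constructed for the example. */
static int btrfs_like_get_compression(struct vfs_handle_struct *handle, struct files_struct *fsp,
                                      const struct smb_filename *smb_fname, uint16_t *fmt)
{
    (void)handle; (void)fsp;
    *fmt = strstr(smb_fname->base_name, ".lz") ? COMPRESSION_FORMAT_LZNT1 : COMPRESSION_FORMAT_NONE;
    return 0;
}

/* Pre-fix streams_xattr-style hook: reads through fsp with no check, the dereference in
 * frame #7 once dos_mode() passes fsp == NULL. The fix removed the hook instead. */
static int streams_xattr_buggy_get_compression(struct vfs_handle_struct *handle, struct files_struct *fsp,
                                               const struct smb_filename *smb_fname, uint16_t *fmt)
{
    const struct smb_filename *base = fsp->vfs_extension;   /* segfaults when fsp == NULL */
    return vfs_next_get_compression(handle, fsp, base != NULL ? base : smb_fname, fmt);
}

/* catia-style hook after the fix: use fsp only when there is one (the unfixed form read
 * fsp->fsp_name unconditionally). ':' -> '_' stands in for catia's character mapping. */
static int catia_fixed_get_compression(struct vfs_handle_struct *handle, struct files_struct *fsp,
                                       const struct smb_filename *smb_fname, uint16_t *fmt)
{
    const struct smb_filename *src = (fsp != NULL) ? fsp->fsp_name : smb_fname;
    struct smb_filename mapped = { "", src->stream_name };
    strncpy(mapped.base_name, src->base_name, sizeof(mapped.base_name) - 1);
    for (char *p = mapped.base_name; *p != '\0'; p++) {
        if (*p == ':') *p = '_';
    }
    return vfs_next_get_compression(handle, fsp, &mapped, fmt);
}

/* Stack as shipped after the fix. */
static struct vfs_handle_struct btrfs_h  = { "btrfs", btrfs_like_get_compression, NULL };
static struct vfs_handle_struct sxattr_h = { "streams_xattr", NULL, &btrfs_h };
static struct vfs_handle_struct catia_h  = { "catia", catia_fixed_get_compression, &sxattr_h };

/* Analogue of dos_mode_check_compressed(): the fsp-less, path-based call a client's
 * CREATE triggers. Returns the MS-FSCC format, or -1 on error. */
int fixed_stack_compression_format(const char *path)
{
    struct smb_filename name = { "", NULL };
    uint16_t fmt = COMPRESSION_FORMAT_NONE;
    strncpy(name.base_name, path, sizeof(name.base_name) - 1);
    return vfs_call_get_compression(&catia_h, NULL, &name, &fmt) == 0 ? (int)fmt : -1;
}

/* The buggy hook is fine on an open file, where fsp and its extension exist; only the
 * fsp-less path above crashes it. */
int buggy_hook_with_open_file(const char *path)
{
    struct smb_filename name = { "", NULL };
    struct vfs_handle_struct sx = { "streams_xattr", streams_xattr_buggy_get_compression, &btrfs_h };
    struct files_struct fsp = { 7, &name, &name };
    uint16_t fmt = COMPRESSION_FORMAT_NONE;
    strncpy(name.base_name, path, sizeof(name.base_name) - 1);
    return vfs_call_get_compression(&sx, &fsp, &name, &fmt) == 0 ? (int)fmt : -1;
}
```

Call the two entry points from a main() of your own: fixed_stack_compression_format("log:v2.lz") walks catia (NULL fsp, so it maps the path rather than touching fsp), passes through streams_xattr (no hook) and gets 2 from the btrfs-style module, while buggy_hook_with_open_file("archive.lz") also returns 2 because an fsp with its extension is present. Putting streams_xattr_buggy_get_compression on top of the stack and making the fsp-less call is the crash in the backtrace, which is why the example never does that and why a module that needs per-fsp state must either check for fsp == NULL and fall back to smb_fname or not implement the hook.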
Comment 7 Justin Maggard 2017-09-11 21:53:08 UTC
Yes, your patch is working for me as well.
Comment 8 Stefan Metzmacher 2017-09-17 16:53:42 UTC
Pushed to v4-{6,7}-test with review from slow@samba.org