A race condition in the tevent threaded code can cause tevent_common_wakeup_fd(tctx->wakeup_fd) to be called where wakeup_fd is being read out of reused memory unprotected by mutex lock (tctx may no longer exist). If the reused memory happens to point to a wakeup_fd value that matches a file descriptor in use by smbd to write to an on-disk file, file corruption will result. Found and fixed by Volker Lendecke <vl@samba.org>.
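As an added example (a constructed model, not tevent's or Samba's code): the stale-fd read described above, replayed deterministically, with the unlocked read beside a variant that checks context liveness and reads the fd under the lock. The names, fd numbers and the liveness-check mitigation are assumptions for illustration, not the actual fix.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed model of the hazard in the report, not tevent's code: a thread
 * context and a data-file handle occupy the same reused memory slot. */
struct thread_ctx {
    int wakeup_fd;            /* fd the main loop is woken through */
};
/* Single-slot registry of live contexts, guarded by ctx_lock. */
static pthread_mutex_t ctx_lock = PTHREAD_MUTEX_INITIALIZER;
static struct thread_ctx *live_ctx = NULL;

/* Memory that first holds the context and is later reused for an object
 * whose first field is an on-disk file descriptor, as in the report. */
static union { struct thread_ctx ctx; int data_file_fd; } slot;
/* Simulated fd numbers (constructed); nothing is written to a real file. */
enum { WAKEUP_PIPE_FD = 7, DATA_FILE_FD = 11 };

/* Unsafe: reads wakeup_fd without the lock, so a torn-down context yields
 * whatever now lives in the reused memory. Returns the fd it would write to. */
static int wakeup_unlocked(struct thread_ctx *ctx) {
    return ctx->wakeup_fd;        /* real code: write(ctx->wakeup_fd, ...) */
}

/* Safe: checks liveness and reads the fd under the lock that serialises
 * teardown; returns -1 (no write) if the context is already gone. */
static int wakeup_locked(struct thread_ctx *ctx) {
    int fd = -1;
    pthread_mutex_lock(&ctx_lock);
    if (live_ctx == ctx) fd = ctx->wakeup_fd;
    pthread_mutex_unlock(&ctx_lock);
    return fd;                    /* caller writes only when fd >= 0 */
}

/* Replays the losing interleaving deterministically: the context is torn
 * down and its memory reused before a late wakeup call runs. */
static int replay(int (*wakeup)(struct thread_ctx *), bool teardown_first) {
    pthread_mutex_lock(&ctx_lock);
    slot.ctx.wakeup_fd = WAKEUP_PIPE_FD;
    live_ctx = &slot.ctx;
    pthread_mutex_unlock(&ctx_lock);
    if (teardown_first) {
        pthread_mutex_lock(&ctx_lock);
        live_ctx = NULL;                  /* context freed ... */
        pthread_mutex_unlock(&ctx_lock);
        slot.data_file_fd = DATA_FILE_FD; /* ... and its memory reused */
    }
    return wakeup(&slot.ctx);
}
```

With the context still live both variants return the wakeup pipe fd; after teardown and reuse the unlocked read returns the data file's fd (the corruption path), while the locked variant returns -1 and writes nothing.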
Created attachment 13766 [details] Instrumentation of tevent that allowed Volker to find the bug. This patch isn't part of the fix; I'm including it here mainly to help others who may have to debug similar issues in the future.
Created attachment 13767 [details] git-am fix submitted to master. NB. This already has been reviewed by <jra@samba.org>
Created attachment 13768 [details] git-am fix for 4.7.next. Cherry-pick from master.
Created attachment 13769 [details] git-am fix for 4.6.next. Back-port of cherry-pick from master.
Hi, Karolin! Unfortunately I believe this makes an emergency interim release necessary. Sorry for that, but data corruption is really, really bad. Volker
Yes, I'm afraid I concur with Volker. This can cause file corruption, and the *single* thing file servers must do is not corrupt files. So this is more important than a security release IMHO. Sorry :-(.
(In reply to Volker Lendecke from comment #5) Ok, thanks. Should we add all fixes available up to now or only this one?
If you ask me, I'd vote for "just this patch" to make adoption easier for people.
On the other hand, this might be considerable effort in the release branches, right? So I don't want to put additional burden on you.
Pushed to autobuild-v4-{6,7}-test.
We need to backport full tevent releases, otherwise someone could still build against a broken system libtevent. I'm preparing tevent 0.9.34 and will push it to autobuild shortly.
(In reply to Stefan Metzmacher from comment #11) Thanks metze and sorry for not spotting this!
(In reply to Volker Lendecke from comment #9) That's not the problem. I checked the (very few) commits since the last bugfix releases and think it makes sense to ship the other fixes also. Waiting for the tevent release and the adapted patch for Samba before preparing the releases.
Yes, I realized we'll need a tevent new release as well just after posting the patches.
Created attachment 13777 [details] tevent-0.9.34 for v4-7-test
Created attachment 13778 [details] tevent-0.9.34 for v4-6-test
The bug description above states

Product: Samba 4.1 and newer

I was under the impression this only applies to Samba 4.6 and newer?
(In reply to Ralph Wuerthner from comment #17)
> The bug description above states
>
> Product: Samba 4.1 and newer
>
> I was under the impression this only applies to Samba 4.6 and newer?

We don't have products for individual Samba versions anymore. To the best of my knowledge, this bug does not apply to any other version of Samba than 4.6 and 4.7. Do you have a reproducer of the issue in any other version? Please send me instructions on how to reproduce it with 4.5 and older. Thanks!
Pushed tevent patches to autobuild-v4-{7,6}-test.
(In reply to Karolin Seeger from comment #19) Pushed to both branches. Closing out bug report. Thanks!