Bug 13376 - Crash in fill_mem_keytab_from_secrets: null pointer deref
Summary: Crash in fill_mem_keytab_from_secrets: null pointer deref
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.7.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Duplicates: 13393
Depends on:
Reported: 2018-04-10 14:58 UTC by Andreas Hasenack
Modified: 2018-04-25 06:46 UTC

See Also:

Attachments:
core dump (742.20 KB, application/gzip), 2018-04-10 14:58 UTC, Andreas Hasenack, no flags
log with debug 5 (14.34 KB, text/plain), 2018-04-10 15:01 UTC, Andreas Hasenack, no flags
patch for master (1.00 KB, patch), 2018-04-18 13:30 UTC, Andreas Schneider, no flags
patch for 4.8 (1.12 KB, patch), 2018-04-19 10:33 UTC, Andreas Schneider, flags: metze: review+
patch for 4.7 (1.12 KB, patch), 2018-04-19 10:33 UTC, Andreas Schneider, flags: metze: review+

Description Andreas Hasenack 2018-04-10 14:58:31 UTC
Created attachment 14119 [details]
core dump

An Ubuntu user reported (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1761737) a crash in samba 2:4.7.6+dfsg~ubuntu-0ubuntu1 when trying to access a share.

I was able to reproduce it with a fresh install of 4.7.6 and the following smb.conf:
	dns proxy = No
	domain master = No
	kerberos method = secrets and keytab
	local master = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	security = USER
	server role = standalone server
	server string = %h %a
	syslog = 0
	unix password sync = Yes
	usershare allow guests = Yes
	idmap config * : backend = tdb

With that in place, this is enough to trigger the crash:

smbclient -L localhost -N

If I remove the "kerberos method" option, then it does not crash.

There is no kerberos setup at all here, no keytab file available, no initial users created by me. This may as well be an invalid configuration, and I asked the user for more details about how he expects this samba server to authenticate his users.

(gdb) frame 8
#8  0x00007f55132a7070 in fill_mem_keytab_from_secrets (krbctx=0x5633f370b420, keytab=0x5633f36f2be0) at ../source3/librpc/crypto/gse_krb5.c:184
184		ct = &info->password->cleartext_blob;
(gdb) l
179			DBG_WARNING("secrets_fetch_or_upgrade_domain_info(%s) - %s\n",
180				    domain, nt_errstr(status));
181			TALLOC_FREE(frame);
183		}
184		ct = &info->password->cleartext_blob;
186		if (info->domain_info.dns_domain.string != NULL) {
187			realm = strupper_talloc(frame,
188					info->domain_info.dns_domain.string);
(gdb) p info
$1 = (struct secrets_domain_info1 *) 0x0

I'm attaching logs and the actual core dump next.

This can be easily reproduced in an ubuntu 18.04 lxd container or VM:
echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/ddebs.list

sudo apt update
sudo apt install samba samba-dbgsym samba-dsdb-modules-dbgsym python-samba-dbgsym samba-common-bin-dbgsym samba-libs-dbgsym samba-vfs-modules-dbgsym smbclient
# create /etc/samba/smb.conf as above
sudo systemctl restart smbd nmbd
smbclient -L localhost -N
# crash file will be in /var/crash/_usr_sbin_smbd.0.crash
# unpack crash file, ignore apport bug
apport-unpack /var/crash/_usr_sbin_smbd.0.crash /tmp/samba-crash
# coredump will be located in /tmp/samba-crash/CoreDump
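Editor's note: the backtrace above shows the classic shape of this crash: a lookup with an out-parameter (`secrets_fetch_or_upgrade_domain_info(domain, frame, &info)`) whose caller goes on to dereference `info` even though the lookup left it NULL. The following C is an added example, not Samba's code and not the reporter's; `fetch_domain_info()`, `fill_keytab_checked()`, the `domain_info` structs and the status enum are hypothetical stand-ins, and the secrets "store" is constructed inline. It shows a caller that handles both the explicit failure status and the worse case where the lookup reports success but still leaves the pointer unset, returning an error instead of crashing.

```c
/* Added example (not Samba's code): guarding an out-parameter lookup so the
 * caller never dereferences a NULL record.  All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: only the fields the crashing line touched. */
struct domain_password { const char *cleartext; };
struct domain_info     { struct domain_password *password; };

/* Minimal status codes standing in for NTSTATUS / krb5_error_code. */
enum status { STATUS_OK = 0, STATUS_NOT_FOUND = 1, STATUS_BAD_ARG = 2 };

/* Constructed secrets store: one valid domain, one deliberately broken entry
 * that reports success without filling *out (the contract violation a caller
 * has to survive), and everything else "not found".  Like the real lookup,
 * *out is only written on the happy path. */
static struct domain_password g_example_pw   = { "constructed-example-secret" };
static struct domain_info     g_example_info = { &g_example_pw };

static enum status fetch_domain_info(const char *domain, struct domain_info **out)
{
    if (domain == NULL || out == NULL) {
        return STATUS_BAD_ARG;
    }
    if (strcmp(domain, "EXAMPLE") == 0) {
        *out = &g_example_info;
        return STATUS_OK;
    }
    if (strcmp(domain, "BROKEN") == 0) {
        return STATUS_OK;          /* "success" but *out never assigned */
    }
    return STATUS_NOT_FOUND;       /* *out deliberately left untouched */
}

/* Hardened caller: the cleartext blob is only read when the record is
 * known to exist.  Returns false (and leaves *ct_out alone) on any failure,
 * which is the early return the crash path above was missing. */
static bool fill_keytab_checked(const char *domain, const char **ct_out)
{
    struct domain_info *info = NULL;   /* initialised so a skipped write is visible */
    enum status st;

    if (ct_out == NULL) {
        return false;
    }
    st = fetch_domain_info(domain, &info);
    if (st != STATUS_OK) {
        fprintf(stderr, "fetch_domain_info(%s) failed: %d\n",
                domain ? domain : "(null)", st);
        return false;
    }
    /* Do not trust the status alone: check the pointer chain itself. */
    if (info == NULL || info->password == NULL || info->password->cleartext == NULL) {
        fprintf(stderr, "fetch_domain_info(%s) returned no usable record\n", domain);
        return false;
    }
    *ct_out = info->password->cleartext;
    return true;
}

int main(void)
{
    const char *domains[] = { "EXAMPLE", "NOSUCH", "BROKEN" };
    size_t i;

    for (i = 0; i < sizeof(domains) / sizeof(domains[0]); i++) {
        const char *ct = NULL;
        bool ok = fill_keytab_checked(domains[i], &ct);
        printf("%-8s -> %s\n", domains[i], ok ? "keytab entry filled" : "skipped safely");
    }
    return 0;
}
```

Run as-is it prints one line per constructed domain; `NOSUCH` and `BROKEN` are both refused without touching a NULL pointer, which is what the reporter's `smbclient -L localhost -N` against a secrets-less standalone server needs from this code path.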
Comment 1 Andreas Hasenack 2018-04-10 15:01:20 UTC
Created attachment 14120 [details]
log with debug 5
Comment 2 Andreas Hasenack 2018-04-17 13:21:45 UTC
This also happens with 4.7.7
Comment 3 Stefan Metzmacher 2018-04-18 12:56:07 UTC
*** Bug 13393 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Metzmacher 2018-04-18 12:59:29 UTC
This happens with sssd instead of winbindd.

We should fix the crash, but at the same time I think it's an invalid configuration.

'secrets and keytab' should be just 'keytab'.
Comment 5 Andreas Schneider 2018-04-18 13:30:55 UTC
Created attachment 14155 [details]
patch for master
Comment 6 Stefan Metzmacher 2018-04-18 14:27:47 UTC
Can someone try what happens with 
together with "kerberos method = secrets and keytab"?

I'd guess it should behave like "system keytab" or "dedicated keytab",
but it would be good to have this verified.
Comment 7 Andreas Hasenack 2018-04-18 14:40:04 UTC
I'll prep a build with that patch
Comment 8 Andreas Hasenack 2018-04-18 17:43:47 UTC
The patch fixes the crash in the testcase from this bug, where "kerberos method = secrets and keytab". smbclient -L lists the shares as usual.

root@bionic-samba-1761737:~# smbclient -L localhost -N
WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (bionic-samba-1761737 Samba)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Test packages for ubuntu bionic are available at https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kerberos-method-1761737 if someone wants to verify.
Comment 9 Andreas Schneider 2018-04-19 10:33:25 UTC
Created attachment 14158 [details]
patch for 4.8
Comment 10 Andreas Schneider 2018-04-19 10:33:52 UTC
Created attachment 14159 [details]
patch for 4.7
Comment 11 Karolin Seeger 2018-04-20 09:53:51 UTC
Pushed to autobuild-v4-[7,8]-test.
Comment 12 Karolin Seeger 2018-04-25 06:46:01 UTC
(In reply to Karolin Seeger from comment #11)
Pushed to both branches.
Closing out bug report.