Bug 13941 - ASAN detected use after free ldb_should_b64_encode
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.10.2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2019-05-13 01:40 UTC by Gary Lockyer
Modified: 2019-06-20 09:43 UTC (History)
Attachments
ASAN error report (16.30 KB, text/plain) - 2019-05-13 01:40 UTC, Gary Lockyer
Proposed patch for V4.10 and V4.9 (5.45 KB, patch) - 2019-05-19 20:49 UTC, Gary Lockyer - flags: abartlet: review+, gary: ci-passed+

Description Gary Lockyer 2019-05-13 01:40:24 UTC
Created attachment 15143
ASAN error report

Reproduce with:
 * configure with --address-sanitizer enabled
 * make TESTS="ldap.python" test

=================================================================
==5132==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400026a4a0 at pc 0x7fd555c52f12 bp 0x7ffed7231180 sp 0x7ffed7231170
READ of size 1 at 0x61400026a4a0 thread T0
    #0 0x7fd555c52f11 in ldb_should_b64_encode ../../lib/ldb/common/ldb_ldif.c:197
    #1 0x7fd539dc9417 in dsdb_audit_add_ldb_value ../../source4/dsdb/samdb/ldb_modules/audit_util.c:491
    #2 0x7fd539dc9417 in dsdb_audit_attributes_json ../../source4/dsdb/samdb/ldb_modules/audit_util.c:651
    #3 0x7fd539dc6a7e in operation_json ../../source4/dsdb/samdb/ldb_modules/audit_log.c:305
    #4 0x7fd539dc6a7e in log_standard_operation ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1182
    #5 0x7fd539dc6a7e in log_operation ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1302
    #6 0x7fd539dc6a7e in audit_callback ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1486
    #7 0x7fd555c502c4 in ldb_module_done ../../lib/ldb/common/ldb_modules.c:868
...
Comment 1 Andrew Bartlett 2019-05-13 23:07:03 UTC
This is a talloc hierarchy issue: the audit code is strange because it operates on the modify msg on the way back up the stack, long after it normally would have been irrelevant.
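To illustrate the ownership problem Andrew describes, here is an added C model (not Samba code, not libtalloc, and not the patch attached to this bug): a toy context hierarchy in which freeing a parent marks every descendant freed, a request that owns the modify message, and an audit-style callback that reads the message only after the lower layers have released the request. The `ctx_*` names and `run_modify` flow are constructed for the example; `ctx_steal` plays the role of `talloc_steal()` in the fixed variant, where the audit module takes the message under its own longer-lived context before the request goes down the stack.

```c
#include <stddef.h>

/* Constructed stand-in for a talloc hierarchy (NOT libtalloc): freeing a
 * context marks it and all descendants freed, so a stale read is observable
 * instead of being undefined behaviour. */
#define MAX_CHILDREN 4
struct ctx { struct ctx *parent; struct ctx *child[MAX_CHILDREN]; int nchild; int freed; };

static void ctx_attach(struct ctx *parent, struct ctx *c) {
    c->parent = parent;
    if (parent && parent->nchild < MAX_CHILDREN)
        parent->child[parent->nchild++] = c;
}

/* Analogue of talloc_steal(): move c from its current parent to new_parent. */
static void ctx_steal(struct ctx *new_parent, struct ctx *c) {
    struct ctx *old = c->parent;
    for (int i = 0; old && i < old->nchild; i++) {
        if (old->child[i] == c) { old->child[i] = old->child[--old->nchild]; break; }
    }
    ctx_attach(new_parent, c);
}

static void ctx_free(struct ctx *c) {
    c->freed = 1;
    for (int i = 0; i < c->nchild; i++) ctx_free(c->child[i]);
    c->nchild = 0;
}

/* The audit callback runs on the way back up the module stack and reads the
 * modify message; it returns 1 if that read would touch freed memory. */
static int audit_callback(const struct ctx *msg) { return msg->freed; }

/* Hypothetical request flow: the request owns the message, the lower layers
 * free the request when the operation completes, and only then does the reply
 * climb back up through the callbacks.  With steal_msg set, the audit module
 * takes the message under its own longer-lived context first (the talloc
 * ownership fix), so the callback still reads live memory. */
static int run_modify(int steal_msg) {
    struct ctx module = {0}, req = {0}, msg = {0};
    ctx_attach(&module, &req);
    ctx_attach(&req, &msg);
    if (steal_msg) ctx_steal(&module, &msg);
    ctx_free(&req);                    /* lower layer is done with the request */
    int stale = audit_callback(&msg);  /* 1 = use after free */
    ctx_free(&module);
    return stale;
}
```

Under ASAN the real module hits this as the heap-use-after-free in the trace above; in the model, `run_modify(0)` reports the stale read and `run_modify(1)` does not.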
Comment 2 Andrew Bartlett 2019-05-15 18:50:56 UTC
The fix is in master and should be backported, but while any use-after-free may be possible to turn into a crash and therefore a DoS, it would require the server also be configured for auditing.

Better to just backport a fix to supported branches. 

Removing team embargo.
Comment 3 Gary Lockyer 2019-05-19 20:49:14 UTC
Created attachment 15167
Proposed patch for V4.10 and V4.9

V4.9  CI: https://gitlab.com/samba-team/devel/samba/pipelines/61735202
V4.10 CI: https://gitlab.com/samba-team/devel/samba/pipelines/61528032

Patch applies to V4.9 and V4.10 and passes CI.
Comment 4 Karolin Seeger 2019-06-04 09:32:26 UTC
Pushed to autobuild-v4-{10,9}-test.
Comment 5 Karolin Seeger 2019-06-20 09:43:20 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.

Thanks!