Bug 13942 - ASAN detected use after free samldb_rename_search_base_callback
Summary: ASAN detected use after free samldb_rename_search_base_callback
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-05-13 01:48 UTC by Gary Lockyer
Modified: 2019-06-26 07:10 UTC (History)
1 user (show)

See Also:

ASAN error report (12.57 KB, text/plain)
2019-05-13 01:48 UTC, Gary Lockyer
no flags Details
Proposed patch for V4.10 (1.59 KB, text/plain)
2019-05-15 21:20 UTC, Gary Lockyer
abartlet: review+
gary: ci-passed+

Note You need to log in before you can comment on or make changes to this bug.
Description Gary Lockyer 2019-05-13 01:48:57 UTC
Created attachment 15144 [details]
ASAN error report

To reproduce:                                                                                                                                          
  2 * configure with address_sanitizer enabled                                                                                                             
  3 * make TESTS="ldap.sites" test                                                                                                                         
  5 =================================================================                                                                                        6 ==6065==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002b2738 at pc 0x7fcce80fb3b5 bp 0x7ffd61798410 sp 0x7ffd61798400                
  7 READ of size 8 at 0x60f0002b2738 thread T0                                                                                                               8     #0 0x7fcce80fb3b4 in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203                                         
  9     #1 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793                                                                   10     #2 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418                                                     
 11     #3 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793                                                                   12     #4 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564    
Comment 1 Andrew Bartlett 2019-05-13 23:09:30 UTC
check_rename_constraints() should not talloc_free(ac).
Comment 2 Gary Lockyer 2019-05-15 21:20:43 UTC
Created attachment 15157 [details]
Proposed patch for V4.10

CI: https://gitlab.com/samba-team/devel/samba/pipelines/61324416
Comment 3 Andrew Bartlett 2019-05-21 05:27:33 UTC
Please select for 4.10 and 4.9. 

Removing team-only restriction, while not good I don't see this as exploitable given the codepath.
Comment 4 Karolin Seeger 2019-06-04 09:33:36 UTC
Pushed to autobuild-v4-10-test.
Comment 5 Karolin Seeger 2019-06-20 09:46:19 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to v4-10-test, pushed to autobuild-v4-9-test (was confused by the patch name that indicates 4.10 only).
Comment 6 Karolin Seeger 2019-06-26 07:10:49 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.