Bug 13942 - ASAN detected use after free samldb_rename_search_base_callback
Summary: ASAN detected use after free samldb_rename_search_base_callback
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 01:48 UTC by Gary Lockyer
Modified: 2019-06-26 07:10 UTC (History)
1 user (show)

See Also:

Attachments
ASAN error report (12.57 KB, text/plain)
2019-05-13 01:48 UTC, Gary Lockyer 		no flags Details
Proposed patch for V4.10 (1.59 KB, text/plain)
2019-05-15 21:20 UTC, Gary Lockyer 		abartlet: review+
gary: ci-passed+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gary Lockyer 2019-05-13 01:48:57 UTC 
Created attachment 15144 [details]
ASAN error report

To reproduce:                                                                                                                                          
  2 * configure with address_sanitizer enabled                                                                                                             
  3 * make TESTS="ldap.sites" test                                                                                                                         
  4                                                                                                                                                        
  5 =================================================================                                                                                        6 ==6065==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002b2738 at pc 0x7fcce80fb3b5 bp 0x7ffd61798410 sp 0x7ffd61798400                
  7 READ of size 8 at 0x60f0002b2738 thread T0                                                                                                               8     #0 0x7fcce80fb3b4 in samldb_rename_search_base_callback ../../source4/dsdb/samdb/ldb_modules/samldb.c:4203                                         
  9     #1 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793                                                                   10     #2 0x7fcced601356 in es_callback ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1418                                                     
 11     #3 0x7fcd0a0e7b4a in ldb_module_send_entry ../../lib/ldb/common/ldb_modules.c:793                                                                   12     #4 0x7fccea6d01b4 in operational_callback ../../source4/dsdb/samdb/ldb_modules/operational.c:1564    
...
Comment 1 Andrew Bartlett 2019-05-13 23:09:30 UTC 
check_rename_constraints() should not talloc_free(ac).
Comment 2 Gary Lockyer 2019-05-15 21:20:43 UTC 
Created attachment 15157 [details]
Proposed patch for V4.10

CI: https://gitlab.com/samba-team/devel/samba/pipelines/61324416
Comment 3 Andrew Bartlett 2019-05-21 05:27:33 UTC 
Please select for 4.10 and 4.9. 

Removing team-only restriction, while not good I don't see this as exploitable given the codepath.
Comment 4 Karolin Seeger 2019-06-04 09:33:36 UTC 
Pushed to autobuild-v4-10-test.
Comment 5 Karolin Seeger 2019-06-20 09:46:19 UTC 
(In reply to Karolin Seeger from comment #4)
Pushed to v4-10-test, pushed to autobuild-v4-9-test (was confused by the patch name that indicates 4.10 only).
Comment 6 Karolin Seeger 2019-06-26 07:10:49 UTC 
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!