The Samba-Bugzilla – Bug 13951
CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
Last modified: 2019-07-31 13:49:45 UTC
Created attachment 15159 [details] backtrace (internal only)

From: Zombie Ryushu

Under Samba 4.10.2 in AD DC mode, if you define the homes share, and then connect to \\servername\homes ([homes] itself, not a user's home directory), Samba will perform a nasty Segfault. It refuses to let you connect to any more shares. The shares of individual users DO work (\\servername\username), but can allow users other than the intended user to connect to it.

Example:

smbclient -d 3 //dc-server.domain.com/user1 -U user1 with the correct password succeeds and the user can access the user's own files.

smbclient -d 3 //dc-server.domain.com/user2 -U user1 with the correct password succeeds and user1 can access user2's files so long as permissions allow it.

smbclient -d 3 //dc-server.domain.com/homes -U user1 causes a crash; the Samba Server stops responding to requests completely.

One thing: when connected for a share list, only //dc-server.domain.com/homes is in the visible share list.
This only happens in AD DC mode, not in File Server/Classic NT Domain mode.
#0  0x00007ffaec0408aa in waitpid () from /lib64/libc.so.6
#1  0x00007ffaebfbb68b in do_system () from /lib64/libc.so.6
#2  0x00007ffaf9cdc28f in smb_panic_default (why=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:146
#3  smb_panic (why=why@entry=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:173
#4  0x00007ffaf9cdc41d in fault_report (sig=11) at ../../lib/util/fault.c:84
#5  sig_fault (sig=11) at ../../lib/util/fault.c:95
#6  <signal handler called>
#7  0x00007ffadd399bbf in paged_results (ac=ac@entry=0x561d165bd230) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:278
#8  0x00007ffadd39a75b in paged_results (ac=0x561d165bd230) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:246
#9  paged_search_callback (req=<optimized out>, ares=0x561d15f983f0) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:454
#10 0x00007ffae2b51510 in asq_search_continue (ac=ac@entry=0x561d15bd32a0) at ../../modules/asq.c:339
#11 0x00007ffae2b51695 in asq_reqs_callback (req=<optimized out>, ares=0x561d15f983f0) at ../../modules/asq.c:203
#12 0x00007ffaece773b1 in ldb_lock_backend_callback (req=<optimized out>, ares=0x561d15f98360) at ../../common/ldb.c:1020
#13 0x00007ffae068e4eb in acl_search_callback (req=0x561d15fd4540, ares=0x561d16107710) at ../../source4/dsdb/samdb/ldb_modules/acl.c:2111
#14 0x00007ffae0482a43 in aclread_callback (req=0x561d15d1cbf0, ares=0x561d16107680) at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:701
#15 0x00007ffadf63a6f5 in es_callback (req=<optimized out>, ares=0x561d15f98190) at ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1426
#16 0x00007ffadf22a7a2 in extended_callback (req=0x561d1579fe70, ares=0x561d15e5caa0, handle_dereference=0x0) at ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:426
#17 0x00007ffae211dab3 in ldb_kv_callback (ev=<optimized out>, te=<optimized out>, t=..., private_data=<optimized out>) at ../../ldb_key_value/ldb_kv.c:1737
#18 0x00007ffaed8e3975 in tevent_common_invoke_timer_handler (te=te@entry=0x561d1603b770, current_time=..., removed=removed@entry=0x0) at ../../tevent_timed.c:370
#19 0x00007ffaed8e3aea in tevent_common_loop_timer_delay (ev=ev@entry=0x561d15834d90) at ../../tevent_timed.c:442
#20 0x00007ffaed8e4cd9 in epoll_event_loop_once (ev=0x561d15834d90, location=<optimized out>) at ../../tevent_epoll.c:922
#21 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15834d90, location=0x7ffaece80ccb "../../common/ldb.c:639") at ../../tevent_standard.c:110
#22 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15834d90, location=location@entry=0x7ffaece80ccb "../../common/ldb.c:639") at ../../tevent.c:772
#23 0x00007ffaece78d0b in ldb_wait (handle=0x561d15f34620, type=type@entry=LDB_WAIT_ALL) at ../../common/ldb.c:639
#24 0x00007ffae3bc9230 in ldapsrv_SearchRequest (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:664
#25 ldapsrv_do_call (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:1312
#26 0x00007ffae3bc4ce7 in ldapsrv_process_call_trigger (req=0x561d15924390, private_data=<optimized out>) at ../../source4/ldap_server/ldap_server.c:955
#27 0x00007ffaed8dee01 in tevent_common_invoke_immediate_handler (im=0x561d166001c0, removed=removed@entry=0x0) at ../../tevent_immediate.c:166
#28 0x00007ffaed8dee2e in tevent_common_loop_immediate (ev=ev@entry=0x561d15615820) at ../../tevent_immediate.c:203
#29 0x00007ffaed8e4ccd in epoll_event_loop_once (ev=0x561d15615820, location=<optimized out>) at ../../tevent_epoll.c:918
#30 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15615820, location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent_standard.c:110
#31 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15615820, location=location@entry=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent.c:772
#32 0x00007ffaed8de35b in tevent_common_loop_wait (ev=0x561d15615820, location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent.c:895
#33 0x00007ffaed8e2ec7 in std_event_loop_wait (ev=0x561d15615820, location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent_standard.c:141
#34 0x00007ffae81e275a in standard_accept_connection (ev=0x561d15615820, lp_ctx=0x561d15608dc0, sock=<optimized out>, new_conn=0x7ffafa7b3860 <stream_new_connection>, private_data=0x561d15b1e4e0, process_context=0x561d15bcd000) at ../../source4/smbd/process_standard.c:411
#35 0x00007ffaed8de9a0 in tevent_common_invoke_fd_handler (fde=fde@entry=0x561d1607ac10, flags=<optimized out>, removed=removed@entry=0x0) at ../../tevent_fd.c:138
#36 0x00007ffaed8e4ea7 in epoll_event_loop (tvalp=0x7ffe9308dc10, epoll_ev=0x561d1628f400) at ../../tevent_epoll.c:736
#37 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../tevent_epoll.c:937
#38 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15615820, location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent_standard.c:110
#39 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15615820, location=location@entry=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent.c:772
#40 0x00007ffaed8de35b in tevent_common_loop_wait (ev=0x561d15615820, location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent.c:895
#41 0x00007ffaed8e2ec7 in std_event_loop_wait (ev=0x561d15615820, location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent_standard.c:141
#42 0x00007ffae81e2c7a in standard_new_task (ev=0x561d15615820, lp_ctx=0x561d15608dc0, service_name=0x7ffae3bcca5a "ldap", new_task=0x7ffafa7b4400 <task_server_callback>, private_data=0x561d15db1a20, service_details=0x561d15614f90, from_parent_fd=22) at ../../source4/smbd/process_standard.c:534
#43 0x00007ffafa7b453c in task_server_startup (event_ctx=event_ctx@entry=0x561d15615820, lp_ctx=lp_ctx@entry=0x561d15608dc0, service_name=service_name@entry=0x7ffae3bcca5a "ldap", model_ops=model_ops@entry=0x7ffae83e4620 <standard_ops>, service_details=0x561d15614f90, from_parent_fd=from_parent_fd@entry=22) at ../../source4/smbd/service_task.c:127
#44 0x00007ffafa7b2eb6 in server_service_init (from_parent_fd=22, model_ops=0x7ffae83e4620 <standard_ops>, lp_ctx=0x561d15608dc0, event_context=0x561d15615820, name=0x561d1560fd40 "ldap") at ../../source4/smbd/service.c:67
#45 server_service_startup (event_ctx=0x561d15615820, lp_ctx=0x561d15608dc0, model=<optimized out>, server_services=<optimized out>, from_parent_fd=22) at ../../source4/smbd/service.c:104
#46 0x0000561d14985821 in binary_smbd_main (argc=<optimized out>, argv=<optimized out>, binary_name=0x561d1498704f "samba") at ../../source4/smbd/server.c:813
#47 0x00007ffaebf98271 in __libc_start_main () from /lib64/libc.so.6
#48 0x0000561d14983f1a in _start () at ../sysdeps/x86_64/start.S:120
Thanks. It appears the object in question no longer matches the search expression between the initial search and the paged response. We call this without checking the count:

    ret = ldb_module_send_entry(ac->req, result->msgs[0], NULL);
    if (ret != LDB_SUCCESS) {
        return ret;
    }
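An added C model of the defect described in the comment above; this is illustrative code written for this page, not Samba's paged_results module and not the attached patch. It assumes the paged search remembers matching DNs, re-searches each one when a page is served, and that the hardened behaviour on a zero-count re-search is to skip that entry; every "toy_" name is a stand-in, not the real ldb API.

```c
/* Added example, not Samba's code: models the unchecked count described
 * above. A paged search remembers the DNs that matched; when the next page
 * is served each DN is re-searched to re-assert the filter. If the object
 * changed in between, that re-search has count 0 and msgs is NULL, and the
 * pre-fix code read msgs[0] anyway. All "toy_" names are assumptions. */
#include <stddef.h>
#include <string.h>
#define LDB_SUCCESS 0

struct toy_msg {             /* stand-in for struct ldb_message */
    const char *dn;
    const char *objectclass;
};

struct toy_result {          /* stand-in for struct ldb_result */
    unsigned count;
    struct toy_msg **msgs;   /* NULL when count == 0 */
};

struct toy_page_ctx {        /* per-search state kept between pages */
    const char *filter_class;
    const char **dns;        /* DNs that matched the first request */
    size_t ndns;
    size_t sent;             /* entries delivered so far */
};

/* Re-search one DN with the original filter: at most one message, none if
 * the object was deleted or no longer matches. */
static void toy_research(struct toy_msg *db, size_t n, const char *dn,
                         const char *filter_class, struct toy_result *res,
                         struct toy_msg **slot)
{
    res->count = 0;
    res->msgs = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(db[i].dn, dn) == 0 &&
            strcmp(db[i].objectclass, filter_class) == 0) {
            slot[0] = &db[i];
            res->msgs = slot;
            res->count = 1;
            return;
        }
    }
}

/* Stand-in for ldb_module_send_entry(): a real server would encode the
 * message for the client; here it is only counted. */
static int toy_send_entry(struct toy_page_ctx *ac, const struct toy_msg *msg)
{
    ac->sent += (msg->dn != NULL);   /* touches msg, as an encoder would */
    return LDB_SUCCESS;
}

/* Hardened page delivery: check count before touching msgs[0]. A DN whose
 * re-search returns nothing is skipped (assumed fix behaviour); without the
 * check the loop reads through a NULL msgs, as in the backtrace above. */
static int toy_deliver_page(struct toy_msg *db, size_t n, struct toy_page_ctx *ac)
{
    for (size_t i = 0; i < ac->ndns; i++) {
        struct toy_result res;
        struct toy_msg *slot[1];
        toy_research(db, n, ac->dns[i], ac->filter_class, &res, slot);
        if (res.count == 0) {
            continue;        /* object vanished or no longer matches */
        }
        int ret = toy_send_entry(ac, res.msgs[0]);
        if (ret != LDB_SUCCESS) {
            return ret;
        }
    }
    return LDB_SUCCESS;
}

/* Constructed scenario: three users match objectclass "user" on the first
 * request; if change_bob is set, bob is re-classed before the page is
 * served. Returns the number of entries delivered. */
static size_t toy_scenario(int change_bob)
{
    struct toy_msg db[] = {{"CN=alice", "user"}, {"CN=bob", "user"}, {"CN=carol", "user"}};
    const char *dns[] = {"CN=alice", "CN=bob", "CN=carol"};
    struct toy_page_ctx ac = {"user", dns, 3, 0};
    if (change_bob) db[1].objectclass = "computer";   /* changed between pages */
    if (toy_deliver_page(db, 3, &ac) != LDB_SUCCESS) {
        return (size_t)-1;
    }
    return ac.sent;
}
```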
Created attachment 15165 [details] patch for master, without any tests This should fix it. I'm still thinking about the tests.
Will this make the home shares work correctly, without crashing?
This part:

> the shares of individual users DO work \\servername\username, but can
> allow users other than the intended user to connect to it.

> smbclient -d 3 //dc-server.domain.com/user2 -U user1 with the correct
> password succeeds and user1 can access user2's files so long as
> permissions allow it

is a separate issue?
(In reply to Zombie Ryushu from comment #8) Yes, the patch should stop the crash. Please try it and confirm!
Is it alright to submit this patch to distributors?
(In reply to Douglas Bagnall from comment #9) It might be. Samba 4 in AD DC mode does not publish Home shares. They do exist, but are not visible. I think this functionality should be the same as it is in Classic Domain mode.
(In reply to Zombie Ryushu from comment #11) Please don't distribute the patch yet. There will be a security release, and vendors and distributions get some advance notice as part of that process.
Created attachment 15166 [details] WIP patch proving the bug This patch adds a test that will crash the server. I will tidy it into a proper test next week. Also we need to add one for VLV which appears to have a similar issue.
Does this Security release patch fix this bug with 4.10.3? I saw no mention of it.
(In reply to Zombie Ryushu from comment #15) No. Please be patient, the security release process will take about a month. Our procedure is documented here: https://wiki.samba.org/index.php/Samba_Security_Process Until the release is made (at which point [EMBARGOED] will be removed from the title), please keep this confidential! Thanks, Andrew Bartlett
(In reply to Douglas Bagnall from comment #9) I agree, this seems to be a distinct thing, but perhaps winbindd(?) doesn't like the LDAP server going away? Zombie Ryushu, can you turn up the debug logs and see if you can get any useful information on the 'crash' you see there, as in a simple 'make testenv' this doesn't crash for me and doesn't show any hint of why this might have locked things up for you. We may need to deal with that as a distinct bug; even if we fix this, the LDAP server going away should not be fatal in this way. Thanks!
What would you like me to set the log level to? Keep in mind this is on a live system with access to internal user data for my network. So if there is a way I can protect that, that's good.
(In reply to Zombie Ryushu from comment #18) Incrementally up to 10 would be my answer, until it confesses. I realise that might be hard for you to tell however. It will impact performance, but you should be able to do it on a per-client basis using https://wiki.samba.org/index.php/Client_specific_logging (for the smbd part, the samba part will log into that file literally). That may address some of the confidentiality concerns. We can also mark the attachment as private to the samba team. Also, when you can crash the server and put it into sleep, can you run ./selftest/gdb_backtrace $pid on each winbindd, smbd and samba pid? That may give another clue. Finally, does this reproduce if you create a new VM with a fresh provision but the same software stack? That would be less confidential.
This may have nothing to do with anything, but it has been discovered that there is some sort of clock issue where the system clock, set to tsc, will slowly "drift" 30 minutes for every 4 hours that passes. I'm trying to get the clock source set from tsc to acpi_pm to fix this issue. I do have another provision in a VM, but that clean provision has Schema modifications imported from OpenLDAP for FreeRadius and isc-dhcpd.
The kernel parameters notsc divider=10 clocksource=acpi_pm seem to fix the clock drift issue.
I'm trying to make it crash. Not succeeding.
The actual home directory of the authenticated user still isn't being published, if you would like, I can still send you a log level 10 log. I think I finally got it, I am checking the log for confidential info.
Created attachment 15170 [details] log level 10 file.
Created attachment 15171 [details] log file 10 smbd
Any chance of a log from winbindd? I see

[2019/05/20 23:24:17.803385, 2, pid=15466, effective(0, 0), real(0, 0), class=auth] ../../source4/auth/ntlm/auth.c:478(auth_check_password_recv)
  auth_check_password_recv: winbind authentication for user [?\zombie] FAILED with error NT_STATUS_CONNECTION_REFUSED, authoritative=1

which looks quite odd.
Created attachment 15172 [details] log.winbindd level 10 winbind log I missed
(In reply to Zombie Ryushu from comment #27) Sorry to be a bother, winbindd logs to many different files, normally named eg log.wb-*. Can you look for the others?
I can find no other files. I know what you are referring to, but I do not have any per-client logs.
Created attachment 15173 [details] fix and test for paged_results
Created attachment 15174 [details] additional patch for master: testing and hardening vlv It turns out VLV is not vulnerable, as it doesn't re-assert that the object still matches the original search. We should nevertheless check there are results, just in case, but this can go into master at a leisurely pace, after the paged search fix is in.
Created attachment 15175 [details] patch for 4.10 The 4.10 patch is the same as master.
(In reply to Zombie Ryushu from comment #29) Winbind doesn't produce per-client logs. In any case I don't think we are getting anywhere on this part of the investigation, and we have a fix for the primary issue. Just one last thing, can you please confirm if you are happy for us to name you as the reporter of the issue, and any affiliation (or None) that you wish to include in the credits? Thanks!
Feel free to credit me however you want. You can call me Zombie Ryushu. That's not my real name of course, but that's fine too. I need to ask you if this will fix the home share being published as well. The Home share is accessible, but not visible when the share list is refreshed.
(In reply to Zombie Ryushu from comment #34) The security fix won't deliberately fix any issues around [homes]. Ideally we would understand if/why winbindd crashes, but we won't hold the bug up for that. If you find any more clues do pass them our way, otherwise I'll just leave some vague statement in the CVE suggesting some mechanism related to [homes] access. However, did you check the patch fixes anything for you? One last question on that: back in the original report you said "Samba Server stops responding to requests completely." Did you have a 'panic action' set then, or were you running with the 'lmdb' backend to Samba? I'm trying to connect how one of these could be related to the other, and one possibility is that nothing crashed, it was just stuck behind the lock while the panic action was running. Thanks!
Yes, I had a panic action working; that's how I got you the backtraces I have shown you. In the time since we opened this bug, my Distribution updated Samba from 4.10.2 to 4.10.3, so the bug's behavior has changed a little bit. I am using an Android Application called Ghost Commander to test the Samba server. (It's jCIFS under the hood.) I have two "Domain Controllers": one is in NT Domain mode and has an OpenLDAP backend; the other one is the AD Server, and my goal is to migrate the other one, and this incident ground everything to a screeching halt. I will need to go through and check and see what backend my AD Server is using. Still, I would like it if a patch was included to make user home directories visible once someone is authenticated. On Samba in Classic Domain mode, it works fine.
(In reply to Zombie Ryushu from comment #36) Thanks for getting back to me. I was meaning at the point you initially wrote to security@, was a panic action set, and was your backend the default tdb, or had you specifically selected lmdb with --backend-type=mdb during provision? Thanks!
I kept the default tdb. I did not change the backend type.
Looks like the same issue: https://lists.samba.org/archive/samba/2019-May/223134.html (segfault via paged_results.so).
Created attachment 15198 [details] fix and test for paged results v2 Extra testing. CI passed on master and 4.10.
(In reply to Douglas Bagnall from comment #39) Thanks Douglas, I've CC'ed the reporter there so they know this is being dealt with outside public view. Christian, this is an embargoed bug until we get the fix out via our security process: https://wiki.samba.org/index.php/Samba_Security_Process If you have any concerns or would like to discuss it further, please do it here. Thanks!
*** Bug 13971 has been marked as a duplicate of this bug. ***
Created attachment 15226 [details] WIP advisory
Created attachment 15227 [details] Updated Advisory (v01)
Created attachment 15228 [details] Updated advisory (v02) Changes in advisory from v01: * remove VLV from the title. * spell dereference without a hyphen.
Created attachment 15230 [details] patch for Samba 4.10 (v3) Added my review tag and CVE tag to patch. Confirmed identical to attachment 15198 [details] otherwise.
Created attachment 15231 [details] patch for master (v3)
Comment on attachment 15230 [details] patch for Samba 4.10 (v3) Adding ci-passed, as the patch, otherwise identical apart from the commit message, passed CI on v4-10-test.
Opening this bug to vendors under embargo. I've broken procedure (sorry), as there isn't a two-team-member positive review on attachment 15320 [details] (the patch) and attachment 15228 [details] (the advisory). I'll ensure this is addressed shortly, but as I've opened the tracking bug, leaving this embargoed would just increase everybody's confusion. The release date is currently 19 June 2019.
Samba 4.10.5 has been shipped to address this defect.
Pushed to autobuild-master.
Pushed to v4-6-test.
Removing embargo to vendors, assigning to Douglas for the hardening patch.