Bug 13951 (CVE-2019-12436) - CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
Summary: CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
Status: RESOLVED FIXED
Alias: CVE-2019-12436
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.10.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 13971
Depends on:
Blocks: 13990
Reported: 2019-05-16 00:52 UTC by Andrew Bartlett
Modified: 2020-08-21 04:07 UTC (History)

See Also:


Attachments
backtrace (internal only) (3.98 KB, text/plain)
2019-05-16 00:52 UTC, Andrew Bartlett
no flags Details
patch for master, without any tests (2.53 KB, patch)
2019-05-16 21:46 UTC, Douglas Bagnall
no flags Details
WIP patch proving the bug (2.42 KB, patch)
2019-05-17 02:48 UTC, Douglas Bagnall
no flags Details
fix and test for paged_results (3.20 KB, patch)
2019-05-21 23:17 UTC, Douglas Bagnall
no flags Details
additional patch for master: testing and hardening vlv (4.26 KB, patch)
2019-05-21 23:21 UTC, Douglas Bagnall
no flags Details
patch for 4.10 (3.20 KB, patch)
2019-05-22 00:11 UTC, Douglas Bagnall
no flags Details
fix and test for paged results v2 (4.74 KB, patch)
2019-05-29 04:33 UTC, Aaron Haslett (dead mail address)
abartlet: review+
aaronhaslett: ci-passed+
Details
WIP advisory (1.97 KB, text/plain)
2019-06-06 15:02 UTC, Andrew Bartlett
no flags Details
Updated Advisory (v01) (2.32 KB, text/plain)
2019-06-08 08:27 UTC, Andrew Bartlett
no flags Details
Updated advisory (v02) (2.31 KB, text/plain)
2019-06-08 08:53 UTC, Douglas Bagnall
abartlet: review+
dbagnall: review+
gary: review+
kseeger: review+
Details
patch for Samba 4.10 (v3) (4.81 KB, patch)
2019-06-08 14:25 UTC, Andrew Bartlett
dbagnall: review+
gary: review+
abartlet: ci-passed+
Details
patch for master (v3) (4.81 KB, patch)
2019-06-08 14:27 UTC, Andrew Bartlett
dbagnall: review+
gary: review+
Details

Description Andrew Bartlett 2019-05-16 00:52:16 UTC
Created attachment 15159 [details]
backtrace (internal only)

From:	Zombie Ryushu

Under Samba 4.10.2 in AD DC mode, if you define the homes share, and
then connect to \\servername\homes ([homes] itself, not a user's home
directory), Samba will perform a nasty segfault. It refuses to let you
connect to any more shares.

The shares of individual users DO work (\\servername\username), but can
allow users other than the intended user to connect to them.

Example:

smbclient -d 3 //dc-server.domain.com/user1 -U user1 with the correct
password succeeds and user can access users own files.

smbclient -d 3 //dc-server.domain.com/user2 -U user1 with the correct
password succeeds and user1 can access user2's files so long as
permissions allow it.

smbclient -d 3 //dc-server.domain.com/homes -U user1 causes a crash;
the Samba server stops responding to requests completely.

One thing, when connected for a share list, only
//dc-server.domain.com/homes is in the visible share list
 Copyright Andrew Tridgell and the Samba Team 1992-2019
Comment 1 Zombie Ryushu 2019-05-16 00:55:40 UTC
This only happens in AD DC mode, not in File Server/Classic NT Domain mode.
Comment 2 Zombie Ryushu 2019-05-16 01:28:42 UTC
2019/05/15 21:23:15.023517,  0] ../../lib/util/fault.c:261(log_stack_trace)
  BACKTRACE: 42 stack frames:
   #0 /usr/lib64/libsamba-util.so.0(log_stack_trace+0x2d) [0x7f4749d4c0cd]
   #1 /usr/lib64/libsamba-util.so.0(smb_panic+0x4b) [0x7f4749d4c1eb]
   #2 /usr/lib64/libsamba-util.so.0(+0x393921c41d) [0x7f4749d4c41d]
   #3 /lib64/libpthread.so.0(+0x3cfd210c90) [0x7f473ddc0c90]
   #4 /usr/lib64/samba/ldb/paged_results.so(+0x1bbf) [0x7f472d409bbf]
   #5 /usr/lib64/samba/ldb/paged_results.so(+0x275b) [0x7f472d40a75b]
   #6 /usr/lib64/ldb/asq.so(+0x1510) [0x7f4732bc1510]
   #7 /usr/lib64/ldb/asq.so(+0x1695) [0x7f4732bc1695]
   #8 /usr/lib64/libldb.so.1(+0x399561f3b1) [0x7f473cee73b1]
   #9 /usr/lib64/samba/ldb/acl.so(+0x64eb) [0x7f47306fe4eb]
   #10 /usr/lib64/samba/ldb/aclread.so(+0x2a43) [0x7f47304f2a43]
   #11 /usr/lib64/samba/ldb/encrypted_secrets.so(+0x26f5) [0x7f472f6aa6f5]
   #12 /usr/lib64/samba/ldb/extended_dn_out.so(+0x27a2) [0x7f472f29a7a2]
   #13 /usr/lib64/ldb/libldb-key-value.so(+0x5ab3) [0x7f473218dab3]
   #14 /usr/lib64/libtevent.so.0(tevent_common_invoke_timer_handler+0xf5) [0x7f473d953975]
   #15 /usr/lib64/libtevent.so.0(tevent_common_loop_timer_delay+0x5a) [0x7f473d953aea]
   #16 /usr/lib64/libtevent.so.0(+0x3995a0ccd9) [0x7f473d954cd9]
   #17 /usr/lib64/libtevent.so.0(+0x3995a0af27) [0x7f473d952f27]
   #18 /usr/lib64/libtevent.so.0(_tevent_loop_once+0xbd) [0x7f473d94e0fd]
   #19 /usr/lib64/libldb.so.1(ldb_wait+0x9b) [0x7f473cee8d0b]
   #20 /usr/lib64/samba/service/ldap.so(ldapsrv_do_call+0x1d50) [0x7f4733c39230]
   #21 /usr/lib64/samba/service/ldap.so(+0x4ce7) [0x7f4733c34ce7]
   #22 /usr/lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x141) [0x7f473d94ee01]
   #23 /usr/lib64/libtevent.so.0(tevent_common_loop_immediate+0x1e) [0x7f473d94ee2e]
   #24 /usr/lib64/libtevent.so.0(+0x3995a0cccd) [0x7f473d954ccd]
   #25 /usr/lib64/libtevent.so.0(+0x3995a0af27) [0x7f473d952f27]
   #26 /usr/lib64/libtevent.so.0(_tevent_loop_once+0xbd) [0x7f473d94e0fd]
   #27 /usr/lib64/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f473d94e35b]
   #28 /usr/lib64/libtevent.so.0(+0x3995a0aec7) [0x7f473d952ec7]
   #29 /usr/lib64/samba/process_model/standard.so(+0x275a) [0x7f473825275a]
   #30 /usr/lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x80) [0x7f473d94e9a0]
   #31 /usr/lib64/libtevent.so.0(+0x3995a0cea7) [0x7f473d954ea7]
   #32 /usr/lib64/libtevent.so.0(+0x3995a0af27) [0x7f473d952f27]
   #33 /usr/lib64/libtevent.so.0(_tevent_loop_once+0xbd) [0x7f473d94e0fd]
   #34 /usr/lib64/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f473d94e35b]
   #35 /usr/lib64/libtevent.so.0(+0x3995a0aec7) [0x7f473d952ec7]
   #36 /usr/lib64/samba/process_model/standard.so(+0x2c7a) [0x7f4738252c7a]
   #37 /usr/lib64/samba/libservice-samba4.so(task_server_startup+0x5c) [0x7f474a82453c]
   #38 /usr/lib64/samba/libservice-samba4.so(server_service_startup+0x96) [0x7f474a822eb6]
   #39 /usr/sbin/samba(+0x5821) [0x55fc86494821]
   #40 /lib64/libc.so.6(__libc_start_main+0xf1) [0x7f473c008271]
   #41 /usr/sbin/samba(_start+0x2a) [0x55fc86492f1a]
Comment 3 Zombie Ryushu 2019-05-16 16:12:25 UTC
#0  0x00007ffaec0408aa in waitpid () from /lib64/libc.so.6
#1  0x00007ffaebfbb68b in do_system () from /lib64/libc.so.6
#2  0x00007ffaf9cdc28f in smb_panic_default (why=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:146
#3  smb_panic (why=why@entry=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:173
#4  0x00007ffaf9cdc41d in fault_report (sig=11) at ../../lib/util/fault.c:84
#5  sig_fault (sig=11) at ../../lib/util/fault.c:95
#6  <signal handler called>
#7  0x00007ffadd399bbf in paged_results (ac=ac@entry=0x561d165bd230)
    at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:278
#8  0x00007ffadd39a75b in paged_results (ac=0x561d165bd230) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:246
#9  paged_search_callback (req=<optimized out>, ares=0x561d15f983f0)
    at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:454
#10 0x00007ffae2b51510 in ?? () from /usr/lib64/ldb/asq.so
#11 0x00007ffae2b51695 in ?? () from /usr/lib64/ldb/asq.so
#12 0x00007ffaece773b1 in ?? () from /usr/lib64/libldb.so.1
#13 0x00007ffae068e4eb in acl_search_callback (req=0x561d15fd4540, ares=0x561d16107710)
    at ../../source4/dsdb/samdb/ldb_modules/acl.c:2111
#14 0x00007ffae0482a43 in aclread_callback (req=0x561d15d1cbf0, ares=0x561d16107680)
    at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:701
#15 0x00007ffadf63a6f5 in es_callback (req=<optimized out>, ares=0x561d15f98190)
    at ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1426
#16 0x00007ffadf22a7a2 in extended_callback (req=0x561d1579fe70, ares=0x561d15e5caa0, handle_dereference=0x0)
    at ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:426
#17 0x00007ffae211dab3 in ?? () from /usr/lib64/ldb/libldb-key-value.so
#18 0x00007ffaed8e3975 in tevent_common_invoke_timer_handler () from /usr/lib64/libtevent.so.0
#19 0x00007ffaed8e3aea in tevent_common_loop_timer_delay () from /usr/lib64/libtevent.so.0
#20 0x00007ffaed8e4cd9 in ?? () from /usr/lib64/libtevent.so.0
#21 0x00007ffaed8e2f27 in ?? () from /usr/lib64/libtevent.so.0
#22 0x00007ffaed8de0fd in _tevent_loop_once () from /usr/lib64/libtevent.so.0
#23 0x00007ffaece78d0b in ldb_wait () from /usr/lib64/libldb.so.1
#24 0x00007ffae3bc9230 in ldapsrv_SearchRequest (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:664
#25 ldapsrv_do_call (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:1312
#26 0x00007ffae3bc4ce7 in ldapsrv_process_call_trigger (req=0x561d15924390, private_data=<optimized out>)
    at ../../source4/ldap_server/ldap_server.c:955
#27 0x00007ffaed8dee01 in tevent_common_invoke_immediate_handler () from /usr/lib64/libtevent.so.0
#28 0x00007ffaed8dee2e in tevent_common_loop_immediate () from /usr/lib64/libtevent.so.0
#29 0x00007ffaed8e4ccd in ?? () from /usr/lib64/libtevent.so.0
#30 0x00007ffaed8e2f27 in ?? () from /usr/lib64/libtevent.so.0
#31 0x00007ffaed8de0fd in _tevent_loop_once () from /usr/lib64/libtevent.so.0
#32 0x00007ffaed8de35b in tevent_common_loop_wait () from /usr/lib64/libtevent.so.0
#33 0x00007ffaed8e2ec7 in ?? () from /usr/lib64/libtevent.so.0
#34 0x00007ffae81e275a in standard_accept_connection (ev=0x561d15615820, lp_ctx=0x561d15608dc0, sock=<optimized out>, 
    new_conn=0x7ffafa7b3860 <stream_new_connection>, private_data=0x561d15b1e4e0, process_context=0x561d15bcd000)
    at ../../source4/smbd/process_standard.c:411
#35 0x00007ffaed8de9a0 in tevent_common_invoke_fd_handler () from /usr/lib64/libtevent.so.0
#36 0x00007ffaed8e4ea7 in ?? () from /usr/lib64/libtevent.so.0
#37 0x00007ffaed8e2f27 in ?? () from /usr/lib64/libtevent.so.0
#38 0x00007ffaed8de0fd in _tevent_loop_once () from /usr/lib64/libtevent.so.0
#39 0x00007ffaed8de35b in tevent_common_loop_wait () from /usr/lib64/libtevent.so.0
#40 0x00007ffaed8e2ec7 in ?? () from /usr/lib64/libtevent.so.0
#41 0x00007ffae81e2c7a in standard_new_task (ev=0x561d15615820, lp_ctx=0x561d15608dc0, service_name=0x7ffae3bcca5a "ldap", 
    new_task=0x7ffafa7b4400 <task_server_callback>, private_data=0x561d15db1a20, service_details=0x561d15614f90, 
    from_parent_fd=22) at ../../source4/smbd/process_standard.c:534
#42 0x00007ffafa7b453c in task_server_startup (event_ctx=event_ctx@entry=0x561d15615820, lp_ctx=lp_ctx@entry=0x561d15608dc0, 
    service_name=service_name@entry=0x7ffae3bcca5a "ldap", model_ops=model_ops@entry=0x7ffae83e4620 <standard_ops>, 
    service_details=0x561d15614f90, from_parent_fd=from_parent_fd@entry=22) at ../../source4/smbd/service_task.c:127
#43 0x00007ffafa7b2eb6 in server_service_init (from_parent_fd=22, model_ops=0x7ffae83e4620 <standard_ops>, 
    lp_ctx=0x561d15608dc0, event_context=0x561d15615820, name=0x561d1560fd40 "ldap") at ../../source4/smbd/service.c:67
#44 server_service_startup (event_ctx=0x561d15615820, lp_ctx=0x561d15608dc0, model=<optimized out>, 
    server_services=<optimized out>, from_parent_fd=22) at ../../source4/smbd/service.c:104
#45 0x0000561d14985821 in binary_smbd_main (argc=<optimized out>, argv=<optimized out>, binary_name=0x561d1498704f "samba")
    at ../../source4/smbd/server.c:813
#46 0x00007ffaebf98271 in __libc_start_main () from /lib64/libc.so.6
#47 0x0000561d14983f1a in _start () at ../sysdeps/x86_64/start.S:120
Comment 4 Zombie Ryushu 2019-05-16 16:14:56 UTC
        opt_no_process_group = <optimized out>
        db_is_backup = <optimized out>
        opt = <optimized out>
        pc = <optimized out>
        static_init = {0x7ffafa7b4580 <server_service_auth_init>, 0x7ffafa7b4bc0 <server_service_echo_init>, 0x0}
        shared_init = <optimized out>
        stdin_event_flags = <optimized out>
        status = <optimized out>
        model = 0x561d14986f5b "standard"
        max_runtime = 0
        st = {st_dev = 6, st_ino = 1029, st_nlink = 1, st_mode = 8630, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 259, 
          st_size = 0, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1557954789, tv_nsec = 45811692}, st_mtim = {
            tv_sec = 1557954789, tv_nsec = 45811692}, st_ctim = {tv_sec = 1557954789, tv_nsec = 45811692}, 
          __glibc_reserved = {0, 0, 0}}
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7ffaed29c160 <poptHelpOptions>, val = 0, 
            descrip = 0x561d14986f64 "Help options:", argDescrip = 0x0}, {longName = 0x561d14986f72 "daemon", 
            shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x561d14986f79 "Become a daemon (default)", 
            argDescrip = 0x0}, {longName = 0x561d14986fa5 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, 
            val = 1001, descrip = 0x561d14986f93 "Run the daemon in foreground", argDescrip = 0x0}, {
            longName = 0x561d14986fb0 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1002, 
            descrip = 0x561d14986568 "Run interactive (not a daemon)", argDescrip = 0x0}, {longName = 0x561d14986fcb "model", 
            shortName = 77 'M', argInfo = 1, arg = 0x0, val = 1003, descrip = 0x561d14986fbc "Select process model", 
            argDescrip = 0x561d14986fd1 "MODEL"}, {longName = 0x561d14986fd7 "maximum-runtime", shortName = 0 '\000', 
            argInfo = 2, arg = 0x7ffe9308de3c, val = 0, 
            descrip = 0x561d14986588 "set maximum runtime of the server process, till autotermination", 
            argDescrip = 0x561d14986fe7 "seconds"}, {longName = 0x561d14986fef "show-build", shortName = 98 'b', argInfo = 0, 
            arg = 0x0, val = 1004, descrip = 0x561d14986ffa "show build info", argDescrip = 0x0}, {
            longName = 0x561d1498700a "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1005, 
            descrip = 0x561d149865c8 "Don't create a new process group", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 4, arg = 0x561d14b890c0 <popt_common_samba4>, val = 0, 
            descrip = 0x561d1498701b "Common Samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', 
            argInfo = 4, arg = 0x561d14b89020 <popt_common_version4>, val = 0, descrip = 0x561d14987031 "Version options:", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, 
            argDescrip = 0x0}}
        state = 0x561d15608a90
        se = <optimized out>
#46 0x00007ffaebf98271 in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#47 0x0000561d14983f1a in _start () at ../sysdeps/x86_64/start.S:120
Comment 5 Zombie Ryushu 2019-05-16 16:23:11 UTC
#0  0x00007ffaec0408aa in waitpid () from /lib64/libc.so.6
#1  0x00007ffaebfbb68b in do_system () from /lib64/libc.so.6
#2  0x00007ffaf9cdc28f in smb_panic_default (why=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:146
#3  smb_panic (why=why@entry=0x7ffaf9d2bba6 "internal error") at ../../lib/util/fault.c:173
#4  0x00007ffaf9cdc41d in fault_report (sig=11) at ../../lib/util/fault.c:84
#5  sig_fault (sig=11) at ../../lib/util/fault.c:95
#6  <signal handler called>
#7  0x00007ffadd399bbf in paged_results (ac=ac@entry=0x561d165bd230) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:278
#8  0x00007ffadd39a75b in paged_results (ac=0x561d165bd230) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:246
#9  paged_search_callback (req=<optimized out>, ares=0x561d15f983f0) at ../../source4/dsdb/samdb/ldb_modules/paged_results.c:454
#10 0x00007ffae2b51510 in asq_search_continue (ac=ac@entry=0x561d15bd32a0) at ../../modules/asq.c:339
#11 0x00007ffae2b51695 in asq_reqs_callback (req=<optimized out>, ares=0x561d15f983f0) at ../../modules/asq.c:203
#12 0x00007ffaece773b1 in ldb_lock_backend_callback (req=<optimized out>, ares=0x561d15f98360) at ../../common/ldb.c:1020
#13 0x00007ffae068e4eb in acl_search_callback (req=0x561d15fd4540, ares=0x561d16107710)
    at ../../source4/dsdb/samdb/ldb_modules/acl.c:2111
#14 0x00007ffae0482a43 in aclread_callback (req=0x561d15d1cbf0, ares=0x561d16107680)
    at ../../source4/dsdb/samdb/ldb_modules/acl_read.c:701
#15 0x00007ffadf63a6f5 in es_callback (req=<optimized out>, ares=0x561d15f98190)
    at ../../source4/dsdb/samdb/ldb_modules/encrypted_secrets.c:1426
#16 0x00007ffadf22a7a2 in extended_callback (req=0x561d1579fe70, ares=0x561d15e5caa0, handle_dereference=0x0)
    at ../../source4/dsdb/samdb/ldb_modules/extended_dn_out.c:426
#17 0x00007ffae211dab3 in ldb_kv_callback (ev=<optimized out>, te=<optimized out>, t=..., private_data=<optimized out>)
    at ../../ldb_key_value/ldb_kv.c:1737
#18 0x00007ffaed8e3975 in tevent_common_invoke_timer_handler (te=te@entry=0x561d1603b770, current_time=..., removed=removed@entry=0x0)
    at ../../tevent_timed.c:370
#19 0x00007ffaed8e3aea in tevent_common_loop_timer_delay (ev=ev@entry=0x561d15834d90) at ../../tevent_timed.c:442
#20 0x00007ffaed8e4cd9 in epoll_event_loop_once (ev=0x561d15834d90, location=<optimized out>) at ../../tevent_epoll.c:922
#21 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15834d90, location=0x7ffaece80ccb "../../common/ldb.c:639")
    at ../../tevent_standard.c:110
#22 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15834d90, location=location@entry=0x7ffaece80ccb "../../common/ldb.c:639")
    at ../../tevent.c:772
#23 0x00007ffaece78d0b in ldb_wait (handle=0x561d15f34620, type=type@entry=LDB_WAIT_ALL) at ../../common/ldb.c:639
#24 0x00007ffae3bc9230 in ldapsrv_SearchRequest (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:664
#25 ldapsrv_do_call (call=<optimized out>) at ../../source4/ldap_server/ldap_backend.c:1312
#26 0x00007ffae3bc4ce7 in ldapsrv_process_call_trigger (req=0x561d15924390, private_data=<optimized out>)
    at ../../source4/ldap_server/ldap_server.c:955
#27 0x00007ffaed8dee01 in tevent_common_invoke_immediate_handler (im=0x561d166001c0, removed=removed@entry=0x0)
    at ../../tevent_immediate.c:166
#28 0x00007ffaed8dee2e in tevent_common_loop_immediate (ev=ev@entry=0x561d15615820) at ../../tevent_immediate.c:203
#29 0x00007ffaed8e4ccd in epoll_event_loop_once (ev=0x561d15615820, location=<optimized out>) at ../../tevent_epoll.c:918
#30 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15615820, location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411")
    at ../../tevent_standard.c:110
#31 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15615820, 
    location=location@entry=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent.c:772
#32 0x00007ffaed8de35b in tevent_common_loop_wait (ev=0x561d15615820, 
    location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411") at ../../tevent.c:895
#33 0x00007ffaed8e2ec7 in std_event_loop_wait (ev=0x561d15615820, location=0x7ffae81e3760 "../../source4/smbd/process_standard.c:411")
    at ../../tevent_standard.c:141
#34 0x00007ffae81e275a in standard_accept_connection (ev=0x561d15615820, lp_ctx=0x561d15608dc0, sock=<optimized out>, 
    new_conn=0x7ffafa7b3860 <stream_new_connection>, private_data=0x561d15b1e4e0, process_context=0x561d15bcd000)
    at ../../source4/smbd/process_standard.c:411
#35 0x00007ffaed8de9a0 in tevent_common_invoke_fd_handler (fde=fde@entry=0x561d1607ac10, flags=<optimized out>, 
    removed=removed@entry=0x0) at ../../tevent_fd.c:138
#36 0x00007ffaed8e4ea7 in epoll_event_loop (tvalp=0x7ffe9308dc10, epoll_ev=0x561d1628f400) at ../../tevent_epoll.c:736
#37 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../tevent_epoll.c:937
#38 0x00007ffaed8e2f27 in std_event_loop_once (ev=0x561d15615820, location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534")
    at ../../tevent_standard.c:110
#39 0x00007ffaed8de0fd in _tevent_loop_once (ev=ev@entry=0x561d15615820, 
    location=location@entry=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent.c:772
#40 0x00007ffaed8de35b in tevent_common_loop_wait (ev=0x561d15615820, 
    location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534") at ../../tevent.c:895
#41 0x00007ffaed8e2ec7 in std_event_loop_wait (ev=0x561d15615820, location=0x7ffae81e3960 "../../source4/smbd/process_standard.c:534")
    at ../../tevent_standard.c:141
#42 0x00007ffae81e2c7a in standard_new_task (ev=0x561d15615820, lp_ctx=0x561d15608dc0, service_name=0x7ffae3bcca5a "ldap", 
    new_task=0x7ffafa7b4400 <task_server_callback>, private_data=0x561d15db1a20, service_details=0x561d15614f90, from_parent_fd=22)
    at ../../source4/smbd/process_standard.c:534
#43 0x00007ffafa7b453c in task_server_startup (event_ctx=event_ctx@entry=0x561d15615820, lp_ctx=lp_ctx@entry=0x561d15608dc0, 
    service_name=service_name@entry=0x7ffae3bcca5a "ldap", model_ops=model_ops@entry=0x7ffae83e4620 <standard_ops>, 
    service_details=0x561d15614f90, from_parent_fd=from_parent_fd@entry=22) at ../../source4/smbd/service_task.c:127
#44 0x00007ffafa7b2eb6 in server_service_init (from_parent_fd=22, model_ops=0x7ffae83e4620 <standard_ops>, lp_ctx=0x561d15608dc0, 
    event_context=0x561d15615820, name=0x561d1560fd40 "ldap") at ../../source4/smbd/service.c:67
#45 server_service_startup (event_ctx=0x561d15615820, lp_ctx=0x561d15608dc0, model=<optimized out>, server_services=<optimized out>, 
    from_parent_fd=22) at ../../source4/smbd/service.c:104
#46 0x0000561d14985821 in binary_smbd_main (argc=<optimized out>, argv=<optimized out>, binary_name=0x561d1498704f "samba")
    at ../../source4/smbd/server.c:813
#47 0x00007ffaebf98271 in __libc_start_main () from /lib64/libc.so.6
#48 0x0000561d14983f1a in _start () at ../sysdeps/x86_64/start.S:120
Comment 6 Andrew Bartlett 2019-05-16 19:01:02 UTC
Thanks.

It appears the object in question no longer matches the search expression between the initial search and the paged response.

We call this without checking the count:

		ret = ldb_module_send_entry(ac->req, result->msgs[0],
					    NULL);
		if (ret != LDB_SUCCESS) {
			return ret;
		}
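Added example (not Samba's code, and not the patch attached to this bug): a toy model of the paged-results pattern described above. The initial search records which DNs matched; each later page re-reads every recorded DN with the original filter, and an object that was modified or removed in the meantime comes back with count == 0, so msgs[0] is NULL. The count check in paged_send_page is the hardening; the unchecked pattern would hand that NULL to the send routine. All names (directory, search_dn, paged_start, paged_send_page, paged_count_stale) and the directory contents are invented for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy directory entry: a DN and a single objectClass value. */
struct entry {
    const char *dn;
    char object_class[16];
};

/* Shape of a per-DN search result: count may be 0, then msgs[0] is NULL. */
struct result {
    size_t count;
    const struct entry *msgs[1];
};

/* Constructed directory, mutable so objects can change between pages. */
static struct entry directory[] = {
    {"CN=alice,DC=example,DC=com", "user"},
    {"CN=bob,DC=example,DC=com",   "user"},
    {"CN=carol,DC=example,DC=com", "user"},
};
#define NDIR (sizeof(directory) / sizeof(directory[0]))

/* Change one object's class; models the directory changing mid-search. */
int directory_set_class(const char *dn, const char *cls)
{
    for (size_t i = 0; i < NDIR; i++) {
        if (strcmp(directory[i].dn, dn) == 0) {
            strncpy(directory[i].object_class, cls,
                    sizeof(directory[i].object_class) - 1);
            directory[i].object_class[sizeof(directory[i].object_class) - 1] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Base search for one DN with the filter (objectClass=cls): 0 or 1 results. */
static struct result search_dn(const char *dn, const char *cls)
{
    struct result r = { 0, { NULL } };
    for (size_t i = 0; i < NDIR; i++) {
        if (strcmp(directory[i].dn, dn) == 0 &&
            strcmp(directory[i].object_class, cls) == 0) {
            r.count = 1;
            r.msgs[0] = &directory[i];
        }
    }
    return r;
}

/* Per-cookie state: DNs that matched the initial search, plus a cursor. */
struct paged_state {
    const char *dns[NDIR];
    size_t ndns;
    size_t cursor;
    const char *cls;
};

/* Initial search: remember which DNs matched; entries are re-read per page. */
struct paged_state paged_start(const char *cls)
{
    struct paged_state st = { {0}, 0, 0, cls };
    for (size_t i = 0; i < NDIR; i++) {
        if (strcmp(directory[i].object_class, cls) == 0) {
            st.dns[st.ndns++] = directory[i].dn;
        }
    }
    return st;
}

/* Deliver one page of up to page_size entries into sent[]. Each stored DN
 * is re-read with the original filter; the count check is the hardening:
 * an entry that has stopped matching yields count == 0 and is skipped
 * instead of msgs[0] (NULL) being passed on. Returns entries sent, or -1. */
int paged_send_page(struct paged_state *st, size_t page_size,
                    const struct entry **sent)
{
    size_t n = 0;
    while (st->cursor < st->ndns && n < page_size) {
        struct result res = search_dn(st->dns[st->cursor++], st->cls);
        if (res.count == 0) {
            continue; /* object vanished or no longer matches: skip it */
        }
        if (res.count != 1) {
            return -1; /* a per-DN read must not return more than one object */
        }
        sent[n++] = res.msgs[0];
    }
    return (int)n;
}

/* Number of stored DNs that no longer match: each one is a NULL msgs[0]
 * that the unchecked pattern would have dereferenced. */
int paged_count_stale(const struct paged_state *st)
{
    int stale = 0;
    for (size_t i = 0; i < st->ndns; i++) {
        if (search_dn(st->dns[i], st->cls).count == 0) {
            stale++;
        }
    }
    return stale;
}
```

Usage: start a paged search for objectClass=user, fetch a page of two, change carol's objectClass before the next page, and the second page comes back empty instead of faulting; paged_count_stale reports how many entries the unchecked path would have tripped over.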
Comment 7 Douglas Bagnall 2019-05-16 21:46:09 UTC
Created attachment 15165 [details]
patch for master, without any tests

This should fix it. I'm still thinking about the tests.
Comment 8 Zombie Ryushu 2019-05-16 21:47:36 UTC
Will this make the home shares work correctly, without crashing?
Comment 9 Douglas Bagnall 2019-05-16 21:50:52 UTC
This part:

>  the shares of individual users DO work \\servername\username, but can
> allow users other than the intended user to connect to it.

> smbclient -d 3 //dc-server.domain.com/user2 -U user1 with the correct
> password succeeds and user1 can access user2's files so long as
> permissions allow it

is a separate issue?
Comment 10 Douglas Bagnall 2019-05-16 21:51:50 UTC
(In reply to Zombie Ryushu from comment #8)

Yes, the patch should stop the crash. Please try it and confirm!
Comment 11 Zombie Ryushu 2019-05-16 22:18:59 UTC
Is it alright to submit this patch to distributors?
Comment 12 Zombie Ryushu 2019-05-16 22:21:03 UTC
(In reply to Douglas Bagnall from comment #9)
It might be. Samba 4 in AD DC mode does not publish home shares. They do exist, but are not visible. I think this functionality should be the same as it is in Classic Domain mode.
Comment 13 Douglas Bagnall 2019-05-16 23:20:57 UTC
(In reply to Zombie Ryushu from comment #11)
Please don't distribute the patch yet.

There will be a security release, and vendors and distributions get some advance notice as part of that process.
Comment 14 Douglas Bagnall 2019-05-17 02:48:15 UTC
Created attachment 15166 [details]
WIP patch proving the bug

This patch adds a test that will crash the server.

I will tidy it into a proper test next week.

Also we need to add one for VLV which appears to have a similar issue.
Comment 15 Zombie Ryushu 2019-05-18 22:23:34 UTC
Does this Security release patch fix this bug with 4.10.3? I saw no mention of it.
Comment 16 Andrew Bartlett 2019-05-19 01:34:11 UTC
(In reply to Zombie Ryushu from comment #15)
No.

Please be patient, the security release process will take about a month. 

Our procedure is documented here:

https://wiki.samba.org/index.php/Samba_Security_Process

Until the release is made (at which point [EMBARGOED] will be removed from the title), please keep this confidential!

Thanks,

Andrew Bartlett
Comment 17 Andrew Bartlett 2019-05-19 23:18:33 UTC
(In reply to Douglas Bagnall from comment #9)
I agree, this seems to be a distinct thing, but perhaps winbindd(?) doesn't like the LDAP server going away?

Zombie Ryushu,

Can you turn up the debug logs and see if you can get any useful information on the 'crash' you see there, as in a simple 'make testenv' this doesn't crash for me and doesn't show any hint of why this might have locked things up for you. 

We may need to deal with that as a distinct bug, even if we fix this the LDAP server going away should not be fatal in this way.

Thanks!
Comment 18 Zombie Ryushu 2019-05-20 12:01:03 UTC
What would you like me to set the log level to? Keep in mind this is on a live system with access to internal user data for my network. So if there is a way I can protect that, that's good.
Comment 19 Andrew Bartlett 2019-05-20 23:53:24 UTC
(In reply to Zombie Ryushu from comment #18)
Incrementally up to 10 would be my answer, until it confesses.  I realise that might be hard for you to tell however.

It will impact performance, but you should be able to do it on a per-client basis using https://wiki.samba.org/index.php/Client_specific_logging (for the smbd part, the samba part will log into that file literally). 

That may address some of the confidentiality concerns.  We can also mark the attachment as private to the samba team.

Also, when you can crash the server and put it into sleep, can you run

./selftest/gdb_backtrace $pid

on each winbindd, smbd and samba pid?

That may give another clue. 

Finally, does this reproduce if you create a new VM with a fresh provision but the same software stack?  That would be less confidential.
Comment 20 Zombie Ryushu 2019-05-21 00:50:02 UTC
This may have nothing to do with anything, but it has been discovered that there is some sort of clock issue where the system clock, set to tsc, will slowly "drift" 30 minutes for every 4 hours that passes. I'm trying to get the clock source set from tsc to acpi_pm to fix this issue.

I do have another provision in a VM, but that clean provision has Schema modifications imported from OpenLDAP for FreeRadius, and isc-dhcpd.
Comment 21 Zombie Ryushu 2019-05-21 01:28:17 UTC
The notsc divider=10 clocksource=acpi_pm kernel parameters seem to fix the clock drift issue.
Comment 22 Zombie Ryushu 2019-05-21 01:56:40 UTC
I'm trying to make it crash. Not succeeding.
Comment 23 Zombie Ryushu 2019-05-21 03:40:13 UTC
The actual home directory of the authenticated user still isn't being published. If you would like, I can still send you a log level 10 log.

I think I finally got it, I am checking the log for confidential info.
Comment 24 Zombie Ryushu 2019-05-21 04:19:25 UTC
Created attachment 15170 [details]
log level 10 file.
Comment 25 Zombie Ryushu 2019-05-21 04:21:45 UTC
Created attachment 15171 [details]
log file 10 smbd
Comment 26 Andrew Bartlett 2019-05-21 04:39:17 UTC
Any chance of a log from winbindd?

I see 

[2019/05/20 23:24:17.803385,  2, pid=15466, effective(0, 0), real(0, 0), class=auth] ../../source4/auth/ntlm/auth.c:478(auth_check_password_recv)
  auth_check_password_recv: winbind authentication for user [?\zombie] FAILED with error NT_STATUS_CONNECTION_REFUSED, authoritative=1

Which looks quite odd.
Comment 27 Zombie Ryushu 2019-05-21 05:09:48 UTC
Created attachment 15172 [details]
log.winbindd level 10

winbind log I missed
Comment 28 Andrew Bartlett 2019-05-21 05:12:10 UTC
(In reply to Zombie Ryushu from comment #27)
Sorry to be a bother; winbindd logs to many different files, normally named e.g. log.wb-*. Can you look for the others?
Comment 29 Zombie Ryushu 2019-05-21 05:35:35 UTC
I can find no other files. I know what you are referring to, but I do not have any per-client logs.
Comment 30 Douglas Bagnall 2019-05-21 23:17:55 UTC
Created attachment 15173 [details]
fix and test for paged_results
Comment 31 Douglas Bagnall 2019-05-21 23:21:25 UTC
Created attachment 15174 [details]
additional patch for master: testing and hardening vlv

It turns out VLV is not vulnerable, as it doesn't re-assert that the object still matches the original search.

We should nevertheless check there are results, just in case, but this can go into master at a leisurely pace, after the paged search fix is in.
Comment 32 Douglas Bagnall 2019-05-22 00:11:03 UTC
Created attachment 15175 [details]
patch for 4.10

The 4.10 patch is the same as master.
Comment 33 Andrew Bartlett 2019-05-22 05:04:09 UTC
(In reply to Zombie Ryushu from comment #29)
Winbind doesn't produce per-client logs.

In any case I don't think we are getting anywhere on this part of the investigation, and we have a fix for the primary issue.

Just one last thing, can you please confirm if you are happy for us to name you as the reporter of the issue, and any affiliation (or None) that you wish to include in the credits?

Thanks!
Comment 34 Zombie Ryushu 2019-05-22 07:58:47 UTC
Feel free to credit me however you want. You can call me Zombie Ryushu. That's not my real name of course, but that's fine too.

I need to ask if you if this will fix the home share being published as well. The Home share is accessible, but not visible when the share list is refreshed.
Comment 35 Andrew Bartlett 2019-05-22 09:59:37 UTC
(In reply to Zombie Ryushu from comment #34)
The security fix won't deliberately fix any issues around [homes].  Ideally we would understand if/why winbindd crashes, but we won't hold the bug up for that.

If you find any more clues do pass them our way, otherwise I'll just leave some vague statement in the CVE suggesting some mechanism related to [homes] access.

However did you check the patch fixes anything for you?

One last question on that:  
Back in the original report you said "Samba Server stops responding to requests completely." Did you have a 'panic action' set then, or were you running with the 'lmdb' backend to Samba?

I'm trying to connect how one of these could be related to the other, and one possibility is that nothing crashed, it was just stuck behind the lock while the panic action was running. 

Thanks!
Comment 36 Zombie Ryushu 2019-05-22 11:15:44 UTC
Yes, I had a panic action working; that's how I got you the backtraces I have shown you.

In the time we opened this bug, my Distribution updated Samba from 4.10.2 to 4.10.3. So the bug's behavior has changed a little bit. 

I am using an Android Application called Ghost Commander to test the Samba server. (Its jCIFS under the hood.)

I have two "Domain Controllers": one is in NT Domain mode and has an OpenLDAP backend; the other one is the AD server, and my goal is to migrate the other one, and this incident ground everything to a screeching halt.

I will need to go through and check and see what backend my AD server is using. Still, I would like it if a patch was included to make user home directories visible once someone is authenticated. On Samba in Classic Domain mode, it works fine.
Comment 37 Andrew Bartlett 2019-05-23 02:31:47 UTC
(In reply to Zombie Ryushu from comment #36)
Thanks for getting back to me.

I was meaning at the point you initially wrote to security@, was a panic action set, and was your backend the default tdb, or had you specifically selected lmdb with --backend-type=mdb during provision?

Thanks!
Comment 38 Zombie Ryushu 2019-05-23 03:27:04 UTC
I kept the default tdb. I did not change the backend type.
Comment 39 Douglas Bagnall 2019-05-28 12:35:20 UTC
Looks like the same issue:

https://lists.samba.org/archive/samba/2019-May/223134.html

(segfault via paged_results.so).
Comment 40 Aaron Haslett (dead mail address) 2019-05-29 04:33:52 UTC
Created attachment 15198 [details]
fix and test for paged results v2

Extra testing.  CI passed on master and 4.10.
Comment 41 Andrew Bartlett 2019-05-29 09:42:17 UTC
(In reply to Douglas Bagnall from comment #39)
Thanks Douglas,

I've CC'ed the reporter there so they know this is being dealt with outside public view.  

Christian,

This is an embargoed bug until we get the fix out via our security process:
https://wiki.samba.org/index.php/Samba_Security_Process

If you have any concerns or would like to discuss it further, please do it here.

Thanks!
Comment 42 Andrew Bartlett 2019-06-06 10:50:10 UTC
*** Bug 13971 has been marked as a duplicate of this bug. ***
Comment 43 Andrew Bartlett 2019-06-06 15:02:31 UTC
Created attachment 15226 [details]
WIP advisory
Comment 44 Andrew Bartlett 2019-06-08 08:27:20 UTC
Created attachment 15227 [details]
Updated Advisory (v01)
Comment 45 Douglas Bagnall 2019-06-08 08:53:50 UTC
Created attachment 15228 [details]
Updated advisory (v02)

Changes in advisory from v01:

* remove VLV from the title.
* spell dereference without a hyphen.
Comment 46 Andrew Bartlett 2019-06-08 14:25:37 UTC
Created attachment 15230 [details]
patch for Samba 4.10 (v3)

Added my review tag and CVE tag to patch.  Confirmed identical to attachment 15198 [details] otherwise.
Comment 47 Andrew Bartlett 2019-06-08 14:27:50 UTC
Created attachment 15231 [details]
patch for master (v3)
Comment 48 Andrew Bartlett 2019-06-08 14:29:47 UTC
Comment on attachment 15230 [details]
patch for Samba 4.10 (v3)

Adding ci-passed as the patch, identical other than the commit message, passed CI on v4-10-test.
Comment 49 Andrew Bartlett 2019-06-08 20:26:22 UTC
Opening this bug to vendors under embargo.

I've broken procedure (sorry), as there isn't a two-team-member positive review on attachment 15320 [details] (the patch) and attachment 15228 [details] (the advisory). I'll ensure this is addressed shortly, but as I've opened the tracking bug, leaving this embargoed would just increase everybody's confusion.

The release date is currently 19 June 2019.
Comment 50 Karolin Seeger 2019-06-19 06:59:56 UTC
Samba 4.10.5 has been shipped to address this defect.
Comment 51 Karolin Seeger 2019-06-19 07:00:39 UTC
Pushed to autobuild-master.
Comment 52 Karolin Seeger 2019-06-19 08:50:19 UTC
Pushed to v4-6-test.
Comment 54 Andrew Bartlett 2019-06-19 17:25:01 UTC
Removing embargo to vendors, assigning to Douglas for the hardening patch.
Comment 55 Douglas Bagnall 2020-08-21 04:07:53 UTC
(In reply to Andrew Bartlett from comment #54)
https://gitlab.com/samba-team/samba/-/merge_requests/1523 is attachment 15174 [details].

One of the patches is obsoleted by the CVE-2020-10730 fixes.