Bug 14050 (CVE-2019-19344) - [SECURITY] CVE-2019-19344 server crash with dns zone scavenging = yes
Summary: [SECURITY] CVE-2019-19344 server crash with dns zone scavenging = yes
Status: RESOLVED FIXED
Alias: CVE-2019-19344
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.10.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Blocks: 14220
Reported: 2019-07-25 01:34 UTC by Douglas Bagnall
Modified: 2020-02-04 10:00 UTC

Attachments
Backtrace (5.65 KB, text/plain); 2019-07-25 07:20 UTC, Christian Naumer; no flags
ASAN output (9.15 KB, text/plain); 2019-12-15 20:16 UTC, Gary Lockyer; no flags
Proposed patch, applies to master (4.96 KB, patch); 2019-12-16 19:08 UTC, Gary Lockyer; flags: abartlet: review+, gary: ci-passed+
patch for Samba 4.11 (cherry-picked from master patch) v2 (4.96 KB, patch); 2019-12-16 22:20 UTC, Andrew Bartlett; flags: abartlet: review+, gary: review+, abartlet: ci-passed+
patch for Samba 4.10 (cherry-picked from master patch) v2 (4.96 KB, patch); 2019-12-16 22:20 UTC, Andrew Bartlett; flags: abartlet: review+, gary: review+, abartlet: ci-passed+
patch for Samba 4.9 (cherry-picked from master patch) v2 (4.96 KB, patch); 2019-12-16 22:21 UTC, Andrew Bartlett; flags: abartlet: review+, gary: review+, abartlet: ci-passed+
advisory with CVE (v1) (1.89 KB, text/plain); 2019-12-19 00:57 UTC, Andrew Bartlett; flags: gary: review+, abartlet: review+
patch for master (v3) (4.97 KB, patch); 2019-12-19 01:02 UTC, Andrew Bartlett; flags: abartlet: review? (gary), abartlet: review+, gary: review+, abartlet: ci-passed+
patch for Samba 4.11 (cherry-picked from master patch) v3 (4.97 KB, patch); 2019-12-19 01:03 UTC, Andrew Bartlett; flags: abartlet: review? (gary), abartlet: review+, gary: review+, abartlet: ci-passed+
patch for Samba 4.10 (cherry-picked from master patch) v3 (4.97 KB, patch); 2019-12-19 01:04 UTC, Andrew Bartlett; flags: abartlet: review? (gary), abartlet: review+, gary: review+, abartlet: ci-passed+
patch for Samba 4.9 (cherry-picked from master patch) v3 (4.97 KB, patch); 2019-12-19 01:05 UTC, Andrew Bartlett; flags: abartlet: review? (gary), abartlet: review+, gary: review+, abartlet: ci-passed+
Updated advisory with version numbers (1.88 KB, text/plain); 2020-01-17 09:05 UTC, Karolin Seeger; no flags
Updated advisory with version numbers (1.91 KB, text/plain); 2020-01-17 09:06 UTC, Karolin Seeger; flags: abartlet: review+

Description Douglas Bagnall 2019-07-25 01:34:17 UTC
This has been reported on the Samba list by Christian Naumer https://lists.samba.org/archive/samba/2019-July/224643.html and earlier by "M B"
https://lists.samba.org/archive/samba/2019-May/222862.html.


Christian Naumer's traceback looks like this:

Jul 24 16:39:20 dc1 samba[29071]: [2019/07/24 16:39:20.935219,  0]
../../source4/lib/cmdline/popt_common.c:74(popt_s4_talloc_log_fn)
Jul 24 16:39:20 dc1 samba[29071]:  Bad talloc magic value - unknown value
Jul 24 16:39:20 dc1 samba[29071]: [2019/07/24 16:39:20.935322,  0]
../../lib/util/fault.c:128(smb_panic_default)
Jul 24 16:39:20 dc1 samba[29071]:  smb_panic_default: PANIC (pid 29071):
Bad talloc magic value - unknown value
Jul 24 16:39:20 dc1 samba[29071]: [2019/07/24 16:39:20.946999,  0]
../../lib/util/fault.c:261(log_stack_trace)
Jul 24 16:39:20 dc1 samba[29071]:  BACKTRACE: 64 stack frames:
Jul 24 16:39:20 dc1 samba[29071]:   #0
/usr/lib64/samba/libsamba-util.so.0(log_stack_trace+0x2f) [0x7fda7560532d]
Jul 24 16:39:20 dc1 samba[29071]:   #1
/usr/lib64/samba/libsamba-util.so.0(smb_panic+0xa2) [0x7fda75605492]
Jul 24 16:39:20 dc1 samba[29071]:   #2
/usr/lib64/samba/libtalloc.so.2(+0x3a91) [0x7fda74547a91]
Jul 24 16:39:20 dc1 samba[29071]:   #3
/usr/lib64/samba/libtalloc.so.2(+0x3ab8) [0x7fda74547ab8]
Jul 24 16:39:20 dc1 samba[29071]:   #4
/usr/lib64/samba/libtalloc.so.2(talloc_strdup+0xad) [0x7fda7454a7d5]
Jul 24 16:39:20 dc1 samba[29071]:   #5
/usr/lib64/samba/libldb.so.1(+0x19f5c) [0x7fda74b8cf5c]
Jul 24 16:39:20 dc1 samba[29071]:   #6
/usr/lib64/samba/ldb/objectclass_attrs.so(+0x3038) [0x7fda57f70038]
Jul 24 16:39:20 dc1 samba[29071]:   #7
/usr/lib64/samba/ldb/objectclass_attrs.so(+0x3392) [0x7fda57f70392]
Jul 24 16:39:20 dc1 samba[29071]:   #8
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #9
/usr/lib64/samba/ldb/instancetype.so(+0x15e2) [0x7fda597b95e2]
Jul 24 16:39:20 dc1 samba[29071]:   #10
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #11
/usr/lib64/samba/ldb/password_hash.so(+0x5d35) [0x7fda57339d35]
Jul 24 16:39:20 dc1 samba[29071]:   #12
/usr/lib64/samba/ldb/password_hash.so(+0x61c7) [0x7fda5733a1c7]
Jul 24 16:39:20 dc1 samba[29071]:   #13
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #14
/usr/lib64/samba/ldb/samldb.so(+0x93cd) [0x7fda5588c3cd]
Jul 24 16:39:20 dc1 samba[29071]:   #15
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #16
/usr/lib64/samba/ldb/acl.so(+0x47da) [0x7fda5b6257da]
Jul 24 16:39:20 dc1 samba[29071]:   #17
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #18
/usr/lib64/samba/ldb/descriptor.so(+0x3f6f) [0x7fda5ac03f6f]
Jul 24 16:39:20 dc1 samba[29071]:   #19
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #20
/usr/lib64/samba/ldb/tombstone_reanimate.so(+0x23f3) [0x7fda53e493f3]
Jul 24 16:39:20 dc1 samba[29071]:   #21
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #22
/usr/lib64/samba/ldb/objectclass.so(+0x3cdb) [0x7fda58176cdb]
Jul 24 16:39:20 dc1 samba[29071]:   #23
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #24
/usr/lib64/samba/ldb/audit_log.so(+0x5d43) [0x7fda5ae0ed43]
Jul 24 16:39:20 dc1 samba[29071]:   #25
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:20 dc1 samba[29071]:   #26
/usr/lib64/samba/ldb/extended_dn_in.so(+0x2755) [0x7fda5a1da755]
Jul 24 16:39:20 dc1 samba[29071]:   #27
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:20 dc1 samba[29071]:   #28
/usr/lib64/samba/ldb/encrypted_secrets.so(+0x3cfb) [0x7fda5a3e1cfb]
Jul 24 16:39:20 dc1 samba[29071]:   #29
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:20 dc1 samba[29071]:   #30
/usr/lib64/samba/ldb/operational.so(+0x3a2e) [0x7fda57b61a2e]
Jul 24 16:39:20 dc1 samba[29071]:   #31
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:20 dc1 samba[29071]:   #32
/usr/lib64/samba/ldb/extended_dn_out.so(+0x2a2d) [0x7fda59fd3a2d]
Jul 24 16:39:20 dc1 samba[29071]:   #33
/usr/lib64/samba/ldb/extended_dn_out.so(+0x354d) [0x7fda59fd454d]
Jul 24 16:39:20 dc1 samba[29071]:   #34
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:20 dc1 samba[29071]:   #35
/usr/lib64/samba/libdsdb-module-samba4.so(dsdb_next_callback+0x50)
[0x7fda6015bc8a]
Jul 24 16:39:20 dc1 samba[29071]:   #36
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:20 dc1 samba[29071]:   #37
/usr/lib64/samba/ldb/partition.so(+0x57d7) [0x7fda5754b7d7]
Jul 24 16:39:20 dc1 samba[29071]:   #38
/usr/lib64/samba/libldb-key-value-samba4.so(+0x40df) [0x7fda591a30df]
Jul 24 16:39:20 dc1 samba[29071]:   #39
/usr/lib64/samba/libldb-key-value-samba4.so(+0x5d70) [0x7fda591a4d70]
Jul 24 16:39:20 dc1 samba[29071]:   #40
/usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172)
[0x7fda73aecbbc]
Jul 24 16:39:20 dc1 samba[29071]:   #41
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6)
[0x7fda73aecd22]
Jul 24 16:39:20 dc1 samba[29071]:   #42
/usr/lib64/samba/libtevent.so.0(+0xc180) [0x7fda73aee180]
Jul 24 16:39:20 dc1 samba[29071]:   #43
/usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fda73aec167]
Jul 24 16:39:20 dc1 samba[29071]:   #44
/usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fda73ae7880]
Jul 24 16:39:20 dc1 samba[29071]:   #45
/usr/lib64/samba/libldb.so.1(ldb_wait+0x143) [0x7fda74b7d542]
Jul 24 16:39:20 dc1 samba[29071]:   #46
/usr/lib64/samba/libldb.so.1(+0xb0e4) [0x7fda74b7e0e4]
Jul 24 16:39:20 dc1 samba[29071]:   #47
/usr/lib64/samba/libldb.so.1(ldb_modify+0x82) [0x7fda74b7ee0f]
Jul 24 16:39:20 dc1 samba[29071]:   #48
/usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records_zone+0x405)
[0x7fda5d91afd0]
Jul 24 16:39:20 dc1 samba[29071]:   #49
/usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records+0x15a)
[0x7fda5d91b1b1]
Jul 24 16:39:20 dc1 samba[29071]:   #50
/usr/lib64/samba/service/kcc.so(+0x6a46) [0x7fda5dd40a46]
Jul 24 16:39:20 dc1 samba[29071]:   #51
/usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172)
[0x7fda73aecbbc]
Jul 24 16:39:20 dc1 samba[29071]:   #52
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6)
[0x7fda73aecd22]
Jul 24 16:39:20 dc1 samba[29071]:   #53
/usr/lib64/samba/libtevent.so.0(+0xc2de) [0x7fda73aee2de]
Jul 24 16:39:20 dc1 samba[29071]:   #54
/usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fda73aec167]
Jul 24 16:39:20 dc1 samba[29071]:   #55
/usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fda73ae7880]
Jul 24 16:39:20 dc1 samba[29071]:   #56
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x17)
[0x7fda73ae7a6e]
Jul 24 16:39:20 dc1 samba[29071]:   #57
/usr/lib64/samba/libtevent.so.0(+0xa117) [0x7fda73aec117]
Jul 24 16:39:20 dc1 samba[29071]:   #58
/usr/lib64/samba/libtevent.so.0(_tevent_loop_wait+0xa) [0x7fda73ae7ad6]
Jul 24 16:39:20 dc1 samba[29071]:   #59
/usr/lib64/samba/process_model/prefork.so(+0x2b12) [0x7fda60e3cb12]
Jul 24 16:39:20 dc1 samba[29071]:   #60
/usr/lib64/samba/process_model/prefork.so(+0x2e64) [0x7fda60e3ce64]
Jul 24 16:39:20 dc1 samba[29071]:   #61
/usr/lib64/samba/libservice-samba4.so(task_server_startup+0x61)
[0x7fda74fc8d6d]
Jul 24 16:39:20 dc1 samba[29071]:   #62
/usr/lib64/samba/libservice-samba4.so(server_service_startup+0x15c)
[0x7fda74fc77b3]
Jul 24 16:39:20 dc1 samba[29071]:   #63 /usr/sbin/samba(+0x5e4d)
[0x55cb8f43de4d]
Jul 24 16:39:20 dc1 samba[29030]: [2019/07/24 16:39:20.965367,  0]
../../source4/smbd/process_prefork.c:519(prefork_child_pipe_handler)
Jul 24 16:39:20 dc1 samba[29030]:  prefork_child_pipe_handler: Parent
29030, Child 29071 terminated with signal 6
Jul 24 16:39:20 dc1 samba[29030]: [2019/07/24 16:39:20.965465,  0]
../../source4/smbd/process_prefork.c:450(prefork_restart)
Jul 24 16:39:20 dc1 samba[29030]:  prefork_restart: Restarting [kcc]
pre-fork master
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.004071,  1]
../../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_collect_tombstones_part)
Jul 24 16:39:36 dc1 samba[29226]:  Doing a full scan on
DC=ForestDnsZones,DC=hq,DC=brain-biotech,DC=de and looking for deleted
objects
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.005686,  1]
../../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_collect_tombstones_part)
Jul 24 16:39:36 dc1 samba[29226]:  Doing a full scan on
DC=DomainDnsZones,DC=hq,DC=brain-biotech,DC=de and looking for deleted
objects
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.020543,  1]
../../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_collect_tombstones_part)
Jul 24 16:39:36 dc1 samba[29226]:  Doing a full scan on
DC=hq,DC=brain-biotech,DC=de and looking for deleted objects
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.048708,  1]
../../source4/dsdb/kcc/garbage_collect_tombstones.c:68(garbage_collect_tombstones_part)
Jul 24 16:39:36 dc1 samba[29226]:  Doing a full scan on
CN=Configuration,DC=hq,DC=brain-biotech,DC=de and looking for deleted
objects
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.089435,  0]
../../source4/lib/cmdline/popt_common.c:74(popt_s4_talloc_log_fn)
Jul 24 16:39:36 dc1 samba[29226]:  Bad talloc magic value - unknown value
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.089540,  0]
../../lib/util/fault.c:128(smb_panic_default)
Jul 24 16:39:36 dc1 samba[29226]:  smb_panic_default: PANIC (pid 29226):
Bad talloc magic value - unknown value
Jul 24 16:39:36 dc1 samba[29226]: [2019/07/24 16:39:36.091014,  0]
../../lib/util/fault.c:261(log_stack_trace)
Jul 24 16:39:36 dc1 samba[29226]:  BACKTRACE: 64 stack frames:
Jul 24 16:39:36 dc1 samba[29226]:   #0
/usr/lib64/samba/libsamba-util.so.0(log_stack_trace+0x2f) [0x7fda7560532d]
Jul 24 16:39:36 dc1 samba[29226]:   #1
/usr/lib64/samba/libsamba-util.so.0(smb_panic+0xa2) [0x7fda75605492]
Jul 24 16:39:36 dc1 samba[29226]:   #2
/usr/lib64/samba/libtalloc.so.2(+0x3a91) [0x7fda74547a91]
Jul 24 16:39:36 dc1 samba[29226]:   #3
/usr/lib64/samba/libtalloc.so.2(+0x3ab8) [0x7fda74547ab8]
Jul 24 16:39:36 dc1 samba[29226]:   #4
/usr/lib64/samba/libtalloc.so.2(talloc_strdup+0xad) [0x7fda7454a7d5]
Jul 24 16:39:36 dc1 samba[29226]:   #5
/usr/lib64/samba/libldb.so.1(+0x19f5c) [0x7fda74b8cf5c]
Jul 24 16:39:36 dc1 samba[29226]:   #6
/usr/lib64/samba/ldb/objectclass_attrs.so(+0x3038) [0x7fda57f70038]
Jul 24 16:39:36 dc1 samba[29226]:   #7
/usr/lib64/samba/ldb/objectclass_attrs.so(+0x3392) [0x7fda57f70392]
Jul 24 16:39:36 dc1 samba[29226]:   #8
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #9
/usr/lib64/samba/ldb/instancetype.so(+0x15e2) [0x7fda597b95e2]
Jul 24 16:39:36 dc1 samba[29226]:   #10
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #11
/usr/lib64/samba/ldb/password_hash.so(+0x5d35) [0x7fda57339d35]
Jul 24 16:39:36 dc1 samba[29226]:   #12
/usr/lib64/samba/ldb/password_hash.so(+0x61c7) [0x7fda5733a1c7]
Jul 24 16:39:36 dc1 samba[29226]:   #13
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #14
/usr/lib64/samba/ldb/samldb.so(+0x93cd) [0x7fda5588c3cd]
Jul 24 16:39:36 dc1 samba[29226]:   #15
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #16
/usr/lib64/samba/ldb/acl.so(+0x47da) [0x7fda5b6257da]
Jul 24 16:39:36 dc1 samba[29226]:   #17
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #18
/usr/lib64/samba/ldb/descriptor.so(+0x3f6f) [0x7fda5ac03f6f]
Jul 24 16:39:36 dc1 samba[29226]:   #19
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #20
/usr/lib64/samba/ldb/tombstone_reanimate.so(+0x23f3) [0x7fda53e493f3]
Jul 24 16:39:36 dc1 samba[29226]:   #21
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #22
/usr/lib64/samba/ldb/objectclass.so(+0x3cdb) [0x7fda58176cdb]
Jul 24 16:39:36 dc1 samba[29226]:   #23
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #24
/usr/lib64/samba/ldb/audit_log.so(+0x5d43) [0x7fda5ae0ed43]
Jul 24 16:39:36 dc1 samba[29226]:   #25
/usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fda74b80eb0]
Jul 24 16:39:36 dc1 samba[29226]:   #26
/usr/lib64/samba/ldb/extended_dn_in.so(+0x2755) [0x7fda5a1da755]
Jul 24 16:39:36 dc1 samba[29226]:   #27
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:36 dc1 samba[29226]:   #28
/usr/lib64/samba/ldb/encrypted_secrets.so(+0x3cfb) [0x7fda5a3e1cfb]
Jul 24 16:39:36 dc1 samba[29226]:   #29
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:36 dc1 samba[29226]:   #30
/usr/lib64/samba/ldb/operational.so(+0x3a2e) [0x7fda57b61a2e]
Jul 24 16:39:36 dc1 samba[29226]:   #31
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:36 dc1 samba[29226]:   #32
/usr/lib64/samba/ldb/extended_dn_out.so(+0x2a2d) [0x7fda59fd3a2d]
Jul 24 16:39:36 dc1 samba[29226]:   #33
/usr/lib64/samba/ldb/extended_dn_out.so(+0x354d) [0x7fda59fd454d]
Jul 24 16:39:36 dc1 samba[29226]:   #34
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:36 dc1 samba[29226]:   #35
/usr/lib64/samba/libdsdb-module-samba4.so(dsdb_next_callback+0x50)
[0x7fda6015bc8a]
Jul 24 16:39:36 dc1 samba[29226]:   #36
/usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fda74b80a25]
Jul 24 16:39:36 dc1 samba[29226]:   #37
/usr/lib64/samba/ldb/partition.so(+0x57d7) [0x7fda5754b7d7]
Jul 24 16:39:36 dc1 samba[29226]:   #38
/usr/lib64/samba/libldb-key-value-samba4.so(+0x40df) [0x7fda591a30df]
Jul 24 16:39:36 dc1 samba[29226]:   #39
/usr/lib64/samba/libldb-key-value-samba4.so(+0x5d70) [0x7fda591a4d70]
Jul 24 16:39:36 dc1 samba[29226]:   #40
/usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172)
[0x7fda73aecbbc]
Jul 24 16:39:36 dc1 samba[29226]:   #41
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6)
[0x7fda73aecd22]
Jul 24 16:39:36 dc1 samba[29226]:   #42
/usr/lib64/samba/libtevent.so.0(+0xc180) [0x7fda73aee180]
Jul 24 16:39:36 dc1 samba[29226]:   #43
/usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fda73aec167]
Jul 24 16:39:36 dc1 samba[29226]:   #44
/usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fda73ae7880]
Jul 24 16:39:36 dc1 samba[29226]:   #45
/usr/lib64/samba/libldb.so.1(ldb_wait+0x143) [0x7fda74b7d542]
Jul 24 16:39:36 dc1 samba[29226]:   #46
/usr/lib64/samba/libldb.so.1(+0xb0e4) [0x7fda74b7e0e4]
Jul 24 16:39:36 dc1 samba[29226]:   #47
/usr/lib64/samba/libldb.so.1(ldb_modify+0x82) [0x7fda74b7ee0f]
Jul 24 16:39:36 dc1 samba[29226]:   #48
/usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records_zone+0x405)
[0x7fda5d91afd0]
Jul 24 16:39:36 dc1 samba[29226]:   #49
/usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records+0x15a)
[0x7fda5d91b1b1]
Jul 24 16:39:36 dc1 samba[29226]:   #50
/usr/lib64/samba/service/kcc.so(+0x6a46) [0x7fda5dd40a46]
Jul 24 16:39:36 dc1 samba[29226]:   #51
/usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172)
[0x7fda73aecbbc]
Jul 24 16:39:36 dc1 samba[29226]:   #52
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6)
[0x7fda73aecd22]
Jul 24 16:39:36 dc1 samba[29226]:   #53
/usr/lib64/samba/libtevent.so.0(+0xc2de) [0x7fda73aee2de]
Jul 24 16:39:36 dc1 samba[29226]:   #54
/usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fda73aec167]
Jul 24 16:39:36 dc1 samba[29226]:   #55
/usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fda73ae7880]
Jul 24 16:39:36 dc1 samba[29226]:   #56
/usr/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x17)
[0x7fda73ae7a6e]
Jul 24 16:39:36 dc1 samba[29226]:   #57
/usr/lib64/samba/libtevent.so.0(+0xa117) [0x7fda73aec117]
Jul 24 16:39:36 dc1 samba[29226]:   #58
/usr/lib64/samba/libtevent.so.0(_tevent_loop_wait+0xa) [0x7fda73ae7ad6]
Jul 24 16:39:36 dc1 samba[29226]:   #59
/usr/lib64/samba/process_model/prefork.so(+0x2b12) [0x7fda60e3cb12]
Jul 24 16:39:36 dc1 samba[29226]:   #60
/usr/lib64/samba/process_model/prefork.so(+0x2fff) [0x7fda60e3cfff]
Jul 24 16:39:36 dc1 samba[29226]:   #61
/usr/lib64/samba/process_model/prefork.so(+0x32fb) [0x7fda60e3d2fb]
Jul 24 16:39:36 dc1 samba[29226]:   #62
/usr/lib64/samba/libtevent.so.0(tevent_common_invoke_fd_handler+0x82)
[0x7fda73ae805f]
Jul 24 16:39:36 dc1 samba[29226]:   #63
/usr/lib64/samba/libtevent.so.0(+0xc415) [0x7fda73aee415]
Jul 24 16:39:36 dc1 samba[29030]: [2019/07/24 16:39:36.096474,  0]
../../source4/smbd/process_prefork.c:519(prefork_child_pipe_handler)
Jul 24 16:39:36 dc1 samba[29030]:  prefork_child_pipe_handler: Parent
29030, Child 29226 terminated with signal 6
Jul 24 16:39:36 dc1 samba[29030]: [2019/07/24 16:39:36.096578,  0]
../../source4/smbd/process_prefork.c:443(prefork_restart)
Jul 24 16:39:36 dc1 samba[29030]:  prefork_restart: Restarting [kcc]
pre-fork master in (10) seconds
Jul 24 16:39:46 dc1 samba[29030]: [2019/07/24 16:39:46.096697,  0]
../../source4/smbd/process_prefork.c:450(prefork_restart)
Jul 24 16:39:46 dc1 samba[29030]:  prefork_restart: Restarting [kcc]
pre-fork master
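
For triage, the pattern in the trace above (a talloc panic in a child whose stack passes through dns_tombstone_records_zone, followed by the prefork parent restarting [kcc]) can be picked out of a log mechanically. This is an added example, not part of the original report or of Samba; the sample lines are excerpted and shortened from the trace above, and the pid 30001 entry with libexample.so is constructed.

```python
import re

# Excerpt of the trace above (first record keeps the mail wrapping) plus one
# constructed, unrelated panic (pid 30001) to show the discrimination.
SAMPLE_LOG = """\
Jul 24 16:39:20 dc1 samba[29071]:  smb_panic_default: PANIC (pid 29071):
Bad talloc magic value - unknown value
Jul 24 16:39:20 dc1 samba[29071]:   #4
/usr/lib64/samba/libtalloc.so.2(talloc_strdup+0xad) [0x7fda7454a7d5]
Jul 24 16:39:20 dc1 samba[29071]:   #48
/usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records_zone+0x405)
[0x7fda5d91afd0]
Jul 24 16:39:20 dc1 samba[29030]:  prefork_child_pipe_handler: Parent
29030, Child 29071 terminated with signal 6
Jul 24 16:39:20 dc1 samba[29030]:  prefork_restart: Restarting [kcc]
pre-fork master
Jul 24 16:39:36 dc1 samba[29226]:  smb_panic_default: PANIC (pid 29226): Bad talloc magic value - unknown value
Jul 24 16:39:36 dc1 samba[29226]:   #48 /usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records_zone+0x405) [0x7fda5d91afd0]
Jul 24 16:39:36 dc1 samba[29030]:  prefork_child_pipe_handler: Parent 29030, Child 29226 terminated with signal 6
Jul 24 16:39:36 dc1 samba[29030]:  prefork_restart: Restarting [kcc] pre-fork master in (10) seconds
Jul 24 16:40:02 dc1 samba[30001]:  smb_panic_default: PANIC (pid 30001): constructed unrelated panic
Jul 24 16:40:02 dc1 samba[30001]:   #5 /usr/lib64/samba/libexample.so(example_fn+0x10) [0x7f0000000000]
"""

PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) samba\[(\d+)\]: (.*)$")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.*)")
FRAME = re.compile(r"#\d+\s+\S+\((\w+)\+0x[0-9a-f]+\)")
CHILD = re.compile(r"Child (\d+) terminated with signal (\d+)")
RESTART = re.compile(r"Restarting \[(\w+)\]")


def join_wrapped(text):
    """Return [host, pid, message] records, folding wrapped lines into the previous one."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3)])
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return records


def find_crashes(text):
    """Group panic, stack symbols, child exit and service restart per crashed pid."""
    crashes, last_child = {}, None
    for host, pid, msg in join_wrapped(text):
        panic, frame = PANIC.search(msg), FRAME.search(msg)
        child, restart = CHILD.search(msg), RESTART.search(msg)
        if panic:
            crashes[int(panic.group(1))] = {
                "host": host, "pid": int(panic.group(1)), "panic": panic.group(2).strip(),
                "symbols": [], "signal": None, "service": None,
            }
        elif frame and pid in crashes:
            crashes[pid]["symbols"].append(frame.group(1))
        elif child and int(child.group(1)) in crashes:
            last_child = crashes[int(child.group(1))]
            last_child["signal"] = int(child.group(2))
        elif restart and last_child is not None and last_child["service"] is None:
            last_child["service"] = restart.group(1)
    for crash in crashes.values():
        # The scavenging path is identified by the dns_tombstone_records* frames.
        crash["scavenging"] = any(
            s.startswith("dns_tombstone_records") for s in crash["symbols"]
        )
    return list(crashes.values())


def scavenging_crashes_by_service(crashes):
    """Count scavenging-related crashes per restarted service; 2 or more is a crash loop."""
    counts = {}
    for crash in crashes:
        if crash["scavenging"] and crash["service"]:
            counts[crash["service"]] = counts.get(crash["service"], 0) + 1
    return counts


if __name__ == "__main__":
    for c in find_crashes(SAMPLE_LOG):
        print(c["host"], c["pid"], c["panic"], "scavenging" if c["scavenging"] else "other")
    print(scavenging_crashes_by_service(find_crashes(SAMPLE_LOG)))
```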
Comment 1 Douglas Bagnall 2019-07-25 02:52:47 UTC
Christian, are you able to reproduce this with debugging symbols enabled?

Louis, I see you mentioned you can reproduce it. Can you do it with debugging symbols?
Comment 2 Christian Naumer 2019-07-25 06:20:35 UTC
(In reply to Douglas Bagnall from comment #1)
How do I do this? I installed sernet-samba-debuginfo. And got this:

Jul 25 08:18:57 dc3 samba[54139]: [2019/07/25 08:18:57.219622,  0] ../../source4/lib/cmdline/popt_common.c:74(popt_s4_talloc_log_fn)
Jul 25 08:18:57 dc3 samba[54139]:  Bad talloc magic value - unknown value
Jul 25 08:18:57 dc3 samba[54139]: [2019/07/25 08:18:57.219893,  0] ../../lib/util/fault.c:128(smb_panic_default)
Jul 25 08:18:57 dc3 samba[54139]:  smb_panic_default: PANIC (pid 54139): Bad talloc magic value - unknown value
Jul 25 08:18:57 dc3 samba[54139]: [2019/07/25 08:18:57.222827,  0] ../../lib/util/fault.c:261(log_stack_trace)
Jul 25 08:18:57 dc3 samba[54139]:  BACKTRACE: 64 stack frames:
Jul 25 08:18:57 dc3 samba[54139]:   #0 /usr/lib64/samba/libsamba-util.so.0(log_stack_trace+0x2f) [0x7fe06b5ec32d]
Jul 25 08:18:57 dc3 samba[54139]:   #1 /usr/lib64/samba/libsamba-util.so.0(smb_panic+0xa2) [0x7fe06b5ec492]
Jul 25 08:18:57 dc3 samba[54139]:   #2 /usr/lib64/samba/libtalloc.so.2(+0x3a91) [0x7fe06a52ea91]
Jul 25 08:18:57 dc3 samba[54139]:   #3 /usr/lib64/samba/libtalloc.so.2(+0x3ab8) [0x7fe06a52eab8]
Jul 25 08:18:57 dc3 samba[54139]:   #4 /usr/lib64/samba/libtalloc.so.2(talloc_strdup+0xad) [0x7fe06a5317d5]
Jul 25 08:18:57 dc3 samba[54139]:   #5 /usr/lib64/samba/libldb.so.1(+0x19f5c) [0x7fe06ab73f5c]
Jul 25 08:18:57 dc3 samba[54139]:   #6 /usr/lib64/samba/ldb/objectclass_attrs.so(+0x3038) [0x7fe04df57038]
Jul 25 08:18:57 dc3 samba[54139]:   #7 /usr/lib64/samba/ldb/objectclass_attrs.so(+0x3392) [0x7fe04df57392]
Jul 25 08:18:57 dc3 samba[54139]:   #8 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #9 /usr/lib64/samba/ldb/instancetype.so(+0x15e2) [0x7fe04f7a05e2]
Jul 25 08:18:57 dc3 samba[54139]:   #10 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #11 /usr/lib64/samba/ldb/password_hash.so(+0x5d35) [0x7fe04d320d35]
Jul 25 08:18:57 dc3 samba[54139]:   #12 /usr/lib64/samba/ldb/password_hash.so(+0x61c7) [0x7fe04d3211c7]
Jul 25 08:18:57 dc3 samba[54139]:   #13 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #14 /usr/lib64/samba/ldb/samldb.so(+0x93cd) [0x7fe04b8733cd]
Jul 25 08:18:57 dc3 samba[54139]:   #15 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #16 /usr/lib64/samba/ldb/acl.so(+0x47da) [0x7fe05160c7da]
Jul 25 08:18:57 dc3 samba[54139]:   #17 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #18 /usr/lib64/samba/ldb/descriptor.so(+0x3f6f) [0x7fe050beaf6f]
Jul 25 08:18:57 dc3 samba[54139]:   #19 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #20 /usr/lib64/samba/ldb/tombstone_reanimate.so(+0x23f3) [0x7fe049e303f3]
Jul 25 08:18:57 dc3 samba[54139]:   #21 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #22 /usr/lib64/samba/ldb/objectclass.so(+0x3cdb) [0x7fe04e15dcdb]
Jul 25 08:18:57 dc3 samba[54139]:   #23 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #24 /usr/lib64/samba/ldb/audit_log.so(+0x5d43) [0x7fe050df5d43]
Jul 25 08:18:57 dc3 samba[54139]:   #25 /usr/lib64/samba/libldb.so.1(ldb_next_request+0x482) [0x7fe06ab67eb0]
Jul 25 08:18:57 dc3 samba[54139]:   #26 /usr/lib64/samba/ldb/extended_dn_in.so(+0x2755) [0x7fe0501c1755]
Jul 25 08:18:57 dc3 samba[54139]:   #27 /usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fe06ab67a25]
Jul 25 08:18:57 dc3 samba[54139]:   #28 /usr/lib64/samba/ldb/encrypted_secrets.so(+0x3cfb) [0x7fe0503c8cfb]
Jul 25 08:18:57 dc3 samba[54139]:   #29 /usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fe06ab67a25]
Jul 25 08:18:57 dc3 samba[54139]:   #30 /usr/lib64/samba/ldb/operational.so(+0x3a2e) [0x7fe04db48a2e]
Jul 25 08:18:57 dc3 samba[54139]:   #31 /usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fe06ab67a25]
Jul 25 08:18:57 dc3 samba[54139]:   #32 /usr/lib64/samba/ldb/extended_dn_out.so(+0x2a2d) [0x7fe04ffbaa2d]
Jul 25 08:18:57 dc3 samba[54139]:   #33 /usr/lib64/samba/ldb/extended_dn_out.so(+0x354d) [0x7fe04ffbb54d]
Jul 25 08:18:57 dc3 samba[54139]:   #34 /usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fe06ab67a25]
Jul 25 08:18:57 dc3 samba[54139]:   #35 /usr/lib64/samba/libdsdb-module-samba4.so(dsdb_next_callback+0x50) [0x7fe056142c8a]
Jul 25 08:18:57 dc3 samba[54139]:   #36 /usr/lib64/samba/libldb.so.1(ldb_module_done+0x144) [0x7fe06ab67a25]
Jul 25 08:18:57 dc3 samba[54139]:   #37 /usr/lib64/samba/ldb/partition.so(+0x57d7) [0x7fe04d5327d7]
Jul 25 08:18:57 dc3 samba[54139]:   #38 /usr/lib64/samba/libldb-key-value-samba4.so(+0x40df) [0x7fe04f18a0df]
Jul 25 08:18:57 dc3 samba[54139]:   #39 /usr/lib64/samba/libldb-key-value-samba4.so(+0x5d70) [0x7fe04f18bd70]
Jul 25 08:18:57 dc3 samba[54139]:   #40 /usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172) [0x7fe069ad3bbc]
Jul 25 08:18:57 dc3 samba[54139]:   #41 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6) [0x7fe069ad3d22]
Jul 25 08:18:57 dc3 samba[54139]:   #42 /usr/lib64/samba/libtevent.so.0(+0xc180) [0x7fe069ad5180]
Jul 25 08:18:57 dc3 samba[54139]:   #43 /usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fe069ad3167]
Jul 25 08:18:57 dc3 samba[54139]:   #44 /usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fe069ace880]
Jul 25 08:18:57 dc3 samba[54139]:   #45 /usr/lib64/samba/libldb.so.1(ldb_wait+0x143) [0x7fe06ab64542]
Jul 25 08:18:57 dc3 samba[54139]:   #46 /usr/lib64/samba/libldb.so.1(+0xb0e4) [0x7fe06ab650e4]
Jul 25 08:18:57 dc3 samba[54139]:   #47 /usr/lib64/samba/libldb.so.1(ldb_modify+0x82) [0x7fe06ab65e0f]
Jul 25 08:18:57 dc3 samba[54139]:   #48 /usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records_zone+0x405) [0x7fe053901fd0]
Jul 25 08:18:57 dc3 samba[54139]:   #49 /usr/lib64/samba/libscavenge-dns-records-samba4.so(dns_tombstone_records+0x15a) [0x7fe0539021b1]
Jul 25 08:18:57 dc3 samba[54139]:   #50 /usr/lib64/samba/service/kcc.so(+0x6a46) [0x7fe053d27a46]
Jul 25 08:18:57 dc3 samba[54139]:   #51 /usr/lib64/samba/libtevent.so.0(tevent_common_invoke_timer_handler+0x172) [0x7fe069ad3bbc]
Jul 25 08:18:57 dc3 samba[54139]:   #52 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_timer_delay+0xa6) [0x7fe069ad3d22]
Jul 25 08:18:57 dc3 samba[54139]:   #53 /usr/lib64/samba/libtevent.so.0(+0xc2de) [0x7fe069ad52de]
Jul 25 08:18:57 dc3 samba[54139]:   #54 /usr/lib64/samba/libtevent.so.0(+0xa167) [0x7fe069ad3167]
Jul 25 08:18:57 dc3 samba[54139]:   #55 /usr/lib64/samba/libtevent.so.0(_tevent_loop_once+0xa3) [0x7fe069ace880]
Jul 25 08:18:57 dc3 samba[54139]:   #56 /usr/lib64/samba/libtevent.so.0(tevent_common_loop_wait+0x17) [0x7fe069acea6e]
Jul 25 08:18:57 dc3 samba[54139]:   #57 /usr/lib64/samba/libtevent.so.0(+0xa117) [0x7fe069ad3117]
Jul 25 08:18:57 dc3 samba[54139]:   #58 /usr/lib64/samba/libtevent.so.0(_tevent_loop_wait+0xa) [0x7fe069acead6]
Jul 25 08:18:57 dc3 samba[54139]:   #59 /usr/lib64/samba/process_model/prefork.so(+0x2b12) [0x7fe056e23b12]
Jul 25 08:18:57 dc3 samba[54139]:   #60 /usr/lib64/samba/process_model/prefork.so(+0x2e64) [0x7fe056e23e64]
Jul 25 08:18:57 dc3 samba[54139]:   #61 /usr/lib64/samba/libservice-samba4.so(task_server_startup+0x61) [0x7fe06afafd6d]
Jul 25 08:18:57 dc3 samba[54139]:   #62 /usr/lib64/samba/libservice-samba4.so(server_service_startup+0x15c) [0x7fe06afae7b3]
Jul 25 08:18:57 dc3 samba[54139]:   #63 /usr/sbin/samba(+0x5e4d) [0x55da7585ce4d]
Jul 25 08:18:57 dc3 samba[54096]: [2019/07/25 08:18:57.234984,  0] ../../source4/smbd/process_prefork.c:519(prefork_child_pipe_handler)
Jul 25 08:18:57 dc3 samba[54096]:  prefork_child_pipe_handler: Parent 54096, Child 54139 terminated with signal 6
Jul 25 08:18:57 dc3 samba[54096]: [2019/07/25 08:18:57.235212,  0] ../../source4/smbd/process_prefork.c:450(prefork_restart)
Jul 25 08:18:57 dc3 samba[54096]:  prefork_restart: Restarting [kcc] pre-fork master

Anything more to do?
Comment 3 Christian Naumer 2019-07-25 07:20:41 UTC
Created attachment 15325
Backtrace
Comment 4 Christian Naumer 2019-07-25 07:22:23 UTC
(In reply to Douglas Bagnall from comment #1)
I installed the debug-info. However, I get lots of (CRC mismatch) when running gdb. So I don't know if the backtrace is useful. If more info is needed I will try to help.
Comment 5 Louis 2019-07-25 08:52:56 UTC
Hai,

I just noticed this in man smb.conf (in the 4.10.6 version):

Warning
This option should not be enabled for installations created with versions of samba before 4.9. Doing this will result in the loss of static DNS entries. This is due to a bug in previous versions of samba (BUG 12451) which marked dynamic DNS records as static and static records as dynamic.

And Christian's setup, his domain was set up with samba 4.4. He should not enable it!

@Douglas, I can't enable/test this atm, because I was testing this in my live setup and that was set up with 4.1.x.
I'm low on time atm, mail server problem here, need to recover that first. (sorry)
Comment 6 Christian Naumer 2019-07-25 09:00:28 UTC
Yes I read that. However, in the change log it says:

This support should however only be enabled on new zones or new
installations.

And I have one specific zone which was created with 4.10. But I can't test it as the server crashes before I can activate it on the Windows side.
Comment 7 Louis 2019-07-25 10:08:28 UTC
Hm, I fail to understand how this is enabled on one zone only (in Samba).
Because you're also talking about a Windows DC?

So a small recap, to make sure we understand your setup correctly.
You have a Windows DC + a Samba DC.
Which is the DC with FSMO roles? (handy to know)
And Windows version?

You have multiple Windows DC zones, and you enable scavenging on the latest zone?

As far as I know, and what I'm guessing here:
Samba does not support zone partitions (yet) while the Windows DC does.
This might be a point to check, Douglas.
Comment 8 Christian Naumer 2019-07-25 10:17:41 UTC
(In reply to Louis from comment #7)
No Windows DC involved (4 Linux DCs). I understood the release notes in that way that:

This support should however only be enabled on _new zones_ or new
installations.

From the WHATSNEW of 4.9:

Finally, there is not currently a command-line tool to enable this feature, currently it should be enabled from the DNS Manager tool from Windows. Also the feature needs to have been enabled by setting the smb.conf parameter "dns zone scavenging = yes". 

So you have to do BOTH smb.conf and DNS Manager on Windows. And there it is a per-zone option. I thought as it is a new zone I can enable it only there. If this is not the case I think it still shouldn't crash?

Hope this helps
Comment 9 Andrew Bartlett 2019-07-25 19:09:13 UTC
(In reply to Christian Naumer from comment #8)
Correct, we are interested firstly in ensuring Samba doesn't crash under any circumstances. 

Loss of DNS records incorrectly scavenged due to not reading the smb.conf manpage would be administrator error, but we shouldn't crash regardless.
Comment 10 Christian Naumer 2019-07-25 20:07:07 UTC
(In reply to Andrew Bartlett from comment #9)
Hello Andrew,
sorry if I understood the manpage wrong. I thought the feature could be activated per zone. Is this not the case?
Another question I have is, in a newly created zone the problem with static entries should not occur? And it still would happen in "old" zones even with new samba versions?

Thanks for your help.
Comment 11 Douglas Bagnall 2019-07-26 04:49:03 UTC
(In reply to Christian Naumer from comment #4)
That traceback (attachment 15325) is helpful but not quite enough.

Could you provide debug logs from the time of the crash?
Comment 12 Christian Naumer 2019-07-26 06:45:55 UTC
Created attachment 15331
level 10 debug log
Comment 13 Christian Naumer 2019-07-26 06:48:11 UTC
(In reply to Douglas Bagnall from comment #11)
debug log attached. From startup of samba to about where it crashes shortly after finishing the dns_update of its own dns entries.
Comment 14 Douglas Bagnall 2019-07-26 21:21:57 UTC
Thanks. I will look into this next week.

What I see so far is that this search:

   dn: DC=5.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=hq,DC=brain-biotech,DC=de
   scope: sub
   expr: (&(objectClass=dnsNode)(&(!(dnsTombstoned=TRUE))(dnsRecord:1.3.6.1.4.1.7165.4.5.3:=3668718)))
   attr: dnsRecord
   attr: dNSTombstoned
   attr: objectGUID
   control: <NONE>

finds this record first and about 12 more:

  dn: DC=222,DC=5.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=hq,DC=brain-biotech,DC=de
  objectGUID: a1393815-9c2f-4495-9fd7-394e84ee9896
  dNSTombstoned: FALSE
  dnsRecord:: HwAMAAXwAABSBQAAAAAOEAAAAAC49jcAHQQHcm9wX2tueAJocQ1icmFpbi1iaW90ZW
   NoAmRlAA==
  
then this attempted modify:

  dn: <GUID=a1393815-9c2f-4495-9fd7-394e84ee9896>
  
  changetype: modify
  replace: dNSTombstoned
  dNSTombstoned: TRUE
  -
  delete: dnsRecord
  dnsRecord:: HwAMAAXwAABSBQAAAAAOEAAAAAC49jcAHQQHcm9wX2tueAJocQ1icmFpbi1iaW90ZW
   NoAmRlAA==
  -
  add: dnsRecord
  dnsRecord:: CAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAPvw3AAAAAAA=
  -

leads to the crash somewhere around objectclass_attrs_modify() where it thinks a message or element or value is there when it has already been freed or something.

The fact that it is the first record in the list leads me to suspect there is nothing special about this one -- all the others would crash too.
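Added example (not part of the original comments and not Samba code): a decoder for the two dnsRecord values quoted in comment 14, showing the aging timestamp the search compared against 3668718 and the tombstone record that the modify tried to write. The field layout follows the dnsRecord format in MS-DNSP; the function names and the scavenge-candidate comparison are assumptions made for this illustration.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Blobs and threshold copied from the search and modify quoted in comment 14.
LIVE_B64 = "HwAMAAXwAABSBQAAAAAOEAAAAAC49jcAHQQHcm9wX2tueAJocQ1icmFpbi1iaW90ZWNoAmRlAA=="
TOMBSTONE_B64 = "CAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAPvw3AAAAAAA="
SEARCH_THRESHOLD = 3668718  # hours since 1601-01-01 UTC
# wDataLength, wType, version, rank, flags, serial, TTL (raw), reserved, timestamp
HEADER = struct.Struct("<HHBBHI4sII")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_dns_record(b64):
    """Decode one dnsRecord value into its header fields and raw data."""
    blob = base64.b64decode(b64)
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 24-byte header")
    dlen, rtype, version, rank, _flags, serial, ttl, _res, ts = HEADER.unpack_from(blob)
    data = blob[HEADER.size:]
    if dlen != len(data):
        raise ValueError("wDataLength %d != %d data bytes" % (dlen, len(data)))
    return {"type": rtype, "version": version, "rank": rank, "serial": serial,
            "ttl": int.from_bytes(ttl, "big"),  # TTL is the one big-endian field
            "timestamp": ts, "data": data}

def decode_name(data):
    """Decode a counted name: total length, label count, length-prefixed labels."""
    total, count, labels, pos = data[0], data[1], [], 2
    for _ in range(count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 1 != 2 + total:  # labels plus the terminating zero byte
        raise ValueError("name length field does not match its labels")
    return ".".join(labels)

def hours_to_utc(hours):
    return EPOCH_1601 + timedelta(hours=hours)

def is_scavenge_candidate(rec, threshold):
    # Assumption: timestamp 0 marks a static record that is never aged out;
    # any other record qualifies once its timestamp is at or before the threshold.
    return rec["timestamp"] != 0 and rec["timestamp"] <= threshold

def tombstone_value(rec):
    """Return the 8 data bytes of a type-0 (tombstone) record as an integer."""
    if rec["type"] != 0 or len(rec["data"]) != 8:
        raise ValueError("not an 8-byte tombstone record")
    return int.from_bytes(rec["data"], "little")
```

For the quoted values, the PTR record's timestamp decodes to 3667640, below the search threshold, and the tombstone's data bytes decode to an hour count 336 hours (14 days) after that threshold.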
Comment 15 Christian Naumer 2019-07-27 05:41:09 UTC
I will not be able to help in the next two weeks as I will be on vacation.
The zone that is modified there, 192.168.5.x, is not set up from the Windows side to scavenge. Actually there also should not be any dynamic updates to this zone. All the entries are older than 7 days. Maybe this info helps.

Just for clarification, this feature should not be activated on zones that were created with Samba version < 4.9? As with these zones I still see new entries being created as static although they are dynamic. But not all, maybe 1%.
Comment 16 Christian Naumer 2019-08-19 08:51:06 UTC
Is there more Info needed? I am now back and can do some tests.
Comment 17 Christian Naumer 2019-08-27 09:41:17 UTC
Is there any way to enable this feature on a domain that was provisioned before the feature was available? I am really interested to get this working somehow. If there is anything I can do let me know.


Regards
Comment 18 Christian Naumer 2019-11-15 12:20:50 UTC
Sorry to keep nagging about this. As we would really like to get scavenging working on our setup I would like to know how much work would it be to convert existing zones to be compatible? We have a budget where I could get some money for this.

Regards
Comment 19 Gary Lockyer 2019-12-15 20:16:47 UTC
Created attachment 15684
ASAN output
Comment 20 Gary Lockyer 2019-12-15 20:19:02 UTC
Was able to reproduce running

TESTS="dns" make test

with ASAN enabled.

Hope to start working on a fix tomorrow.
Comment 21 Andrew Bartlett 2019-12-16 03:59:36 UTC
If we were to do a security release on this it would score this on CVSS 3.1:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

The counter-opinion is that this was off by default and the error (crash) would have been evident fairly early on most installations. Therefore most sites would not have "dns zone scavenging = yes" manually set.

This doesn't mesh well with the CVSS scoring system, but there we have to consider the worst case.
Comment 22 Gary Lockyer 2019-12-16 19:08:36 UTC
Created attachment 15691
Proposed patch, applies to master
Comment 23 Andrew Bartlett 2019-12-16 22:20:05 UTC
Created attachment 15692
patch for Samba 4.11 (cherry-picked from master patch) v2
Comment 24 Andrew Bartlett 2019-12-16 22:20:52 UTC
Created attachment 15693
patch for Samba 4.10 (cherry-picked from master patch) v2
Comment 25 Andrew Bartlett 2019-12-16 22:21:29 UTC
Created attachment 15694
patch for Samba 4.9 (cherry-picked from master patch) v2
Comment 26 Andrew Bartlett 2019-12-16 22:25:22 UTC
I'll write up an advisory later today and ask Red Hat for a CVE (or for a review to say that we shouldn't do a release for this one).
Comment 27 Andrew Bartlett 2019-12-17 22:09:46 UTC
(In reply to Andrew Bartlett from comment #26)
In the end I decided that any use-after-free is a CVE, so I've asked for one.
Comment 28 Andrew Bartlett 2019-12-18 17:41:41 UTC
I'll add the CVE reference to the patches later today.
Comment 29 Andrew Bartlett 2019-12-19 00:57:59 UTC
Created attachment 15696
advisory with CVE (v1)

Attached is the initial advisory, with versions left out until it is known exactly what the release numbers will be.

Christian,

Can you please confirm you are happy to be credited as the reporter, and if so is there any affiliation you would like listed (eg your employer)?

Thanks!

Andrew Bartlett
Comment 30 Andrew Bartlett 2019-12-19 01:02:42 UTC
Created attachment 15697
patch for master (v3)

Added CVE to the patch, otherwise unchanged.
Comment 31 Andrew Bartlett 2019-12-19 01:03:32 UTC
Created attachment 15698
patch for Samba 4.11 (cherry-picked from master patch) v3
Comment 32 Andrew Bartlett 2019-12-19 01:04:03 UTC
Created attachment 15699
patch for Samba 4.10 (cherry-picked from master patch) v3
Comment 33 Andrew Bartlett 2019-12-19 01:05:14 UTC
Created attachment 15700
patch for Samba 4.9 (cherry-picked from master patch) v3
Comment 34 Christian Naumer 2019-12-19 07:46:41 UTC
(In reply to Andrew Bartlett from comment #29)
Yes you can credit me and name my employer.
Thanks for the work.
Comment 35 Karolin Seeger 2020-01-07 11:37:16 UTC
Need review for the advisory.
Comment 36 Andrew Bartlett 2020-01-11 17:58:02 UTC
Comment on attachment 15696
advisory with CVE (v1)

Just needs the right $VERSIONS filled in.
Comment 37 Karolin Seeger 2020-01-13 09:50:48 UTC
Will be delayed.
The new planned release date will be published as soon as possible.
Comment 38 Karolin Seeger 2020-01-14 08:38:54 UTC
Planned release date: Tuesday, January 21 2020
Opening bug report for vendors.
Comment 39 Karolin Seeger 2020-01-17 09:05:06 UTC
Created attachment 15739
Updated advisory with version numbers
Comment 40 Karolin Seeger 2020-01-17 09:06:21 UTC
Created attachment 15740
Updated advisory with version numbers
Comment 41 Karolin Seeger 2020-01-21 10:00:09 UTC
Samba 4.11.5, 4.10.12 and 4.9.18 have been shipped to address these defects.
Comment 42 Karolin Seeger 2020-01-21 10:09:24 UTC
Merged into v4-{11,10,9}-test.
Comment 43 Karolin Seeger 2020-01-21 10:11:45 UTC
Pushed to autobuild-master.
Comment 44 Karolin Seeger 2020-01-23 09:51:33 UTC
Pushed to master.
Closing out bug report.

Thanks!
Comment 45 Andrew Bartlett 2020-02-03 00:45:32 UTC
Removing embargo, this is public now.