Bug 14425 - idmap_ad crash when using incorrect schema mode
Summary: idmap_ad crash when using incorrect schema mode
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.12.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-30 11:14 UTC by Andrew Walker
Modified: 2020-07-17 09:35 UTC

See Also:


Attachments
Patch for 4.11 and 4.12 cherry-picked from master (1.15 KB, patch)
2020-07-03 09:10 UTC, Ralph Böhme
metze: review+

Description Andrew Walker 2020-06-30 11:14:52 UTC
Setting idmap_ad schema mode to "SFU" when the Domain lacks SFU extensions can cause a crash.

WIP fix is here: https://gitlab.com/samba-team/devel/samba/-/commits/anodos325-idmap-ad-rfc2307-fallback

Basic idea is that we should fall back to rfc2307 schema mode if get_posix_schema_names() fails to look up one of the schema names, and log an error message.

Backtrace as follows:

(gdb) bt
#0  0x00000008115c3a7a in thr_kill () from /lib/libc.so.7
#1  0x00000008115c3a44 in __raise (s=6) at /truenas-releng/freenas/_BE/os/lib/libc/gen/raise.c:52
#2  0x00000008115c39b9 in abort () at /truenas-releng/freenas/_BE/os/lib/libc/stdlib/abort.c:65
#3  0x000000080634a49c in dump_core () at ../../source3/lib/dumpcore.c:338
#4  0x000000080633ab9b in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:847
#5  0x0000000802d86f47 in smb_panic (why=0x191fc <error: Cannot access memory at address 0x191fc>) at ../../lib/util/fault.c:174
#6  0x0000000802d8732e in fault_report (sig=11) at ../../lib/util/fault.c:88
#7  0x0000000802d86f29 in sig_fault (sig=102908) at ../../lib/util/fault.c:99
#8  0x0000000810ed2cf0 in handle_signal (actp=0x7fffffffbc00, sig=11, info=0x7fffffffbff0, ucp=0x7fffffffbc80) at /truenas-releng/freenas/_BE/os/lib/libthr/thread/thr_sig.c:246
#9  0x0000000810ed22bf in thr_sighandler (sig=11, info=0x7fffffffbff0, _ucp=0x7fffffffbc80) at /truenas-releng/freenas/_BE/os/lib/libthr/thread/thr_sig.c:189
#10 <signal handler called>
#11 strlen (str=0x0) at /truenas-releng/freenas/_BE/os/lib/libc/string/strlen.c:100
#12 0x000000081400eebc in tldap_search_send (mem_ctx=<optimized out>, ev=0x813c56e20, ld=0x813c4da60, base=<optimized out>, scope=<optimized out>, 
    filter=0x4 <error: Cannot access memory at address 0x4>, attrs=0x7fffffffcc50, num_attrs=4, attrsonly=0, sctrls=0x0, num_sctrls=0, cctrls=<optimized out>, num_cctrls=<optimized out>, timelimit=0, 
    sizelimit=0, deref=0) at ../../source3/lib/tldap.c:1791
#13 0x000000081400f680 in tldap_search_all_send (mem_ctx=0x813c216c0, ev=0x813c56e20, ld=0x813c4da60, base=0x813c4d8e0 "DC=ixsupport,DC=internal", scope=2, 
    filter=0x813c5bc60 "(&(|(sAMAccountType=805306368)(sAMAccountType=805306369)(sAMAccountType=805306370)(sAMAccountType=268435456)(sAMAccountType=536870912))(|(objectSid=\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\99\\8B=\\ED\\1BS\\0"..., attrs=0x7fffffffcc50, num_attrs=4, attrsonly=<optimized out>, sctrls=<optimized out>, num_sctrls=<optimized out>, cctrls=<optimized out>, 
    num_cctrls=<optimized out>, timelimit=<optimized out>, sizelimit=<optimized out>, deref=<optimized out>) at ../../source3/lib/tldap.c:1898
#14 tldap_search (ld=<optimized out>, base=0x813c4d8e0 "DC=ixsupport,DC=internal", scope=2, filter=<optimized out>, attrs=0x7fffffffcc50, num_attrs=4, attrsonly=0, sctrls=0x0, num_sctrls=0, cctrls=0x0, 
    num_cctrls=0, timelimit=0, sizelimit=0, deref=0, mem_ctx=0x813c21840, pmsgs=0x7fffffffcb38) at ../../source3/lib/tldap.c:1991
#15 0x00000008140171fe in idmap_ad_sids_to_unixids (dom=<optimized out>, ids=<optimized out>) at ../../source3/winbindd/idmap_ad.c:830
#16 0x0000000814015242 in idmap_ad_sids_to_unixids_retry (dom=0x813c4faa0, ids=0x813c47f90) at ../../source3/winbindd/idmap_ad.c:952
#17 0x000000000108805f in _wbint_Sids2UnixIDs (p=<optimized out>, r=<optimized out>) at ../../source3/winbindd/winbindd_dual_srv.c:209
#18 0x00000000010ce052 in api_wbint_Sids2UnixIDs (p=0x7fffffffce40) at librpc/gen_ndr/srv_winbind.c:391
#19 0x00000000010872ea in winbindd_dual_ndrcmd (domain=<optimized out>, state=0x7fffffffe8e8) at ../../source3/winbindd/winbindd_dual_ndr.c:369
#20 0x0000000001086855 in child_process_request (child=<optimized out>, state=0x7fffffffe8e8) at ../../source3/winbindd/winbindd_dual.c:748
#21 child_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=0x7fffffffe8e0) at ../../source3/winbindd/winbindd_dual.c:1655
#22 0x00000008036167ed in tevent_common_invoke_fd_handler (fde=0x813c4f3a0, flags=<optimized out>, removed=0x0) at ../../lib/tevent/tevent_fd.c:138
#23 0x00000008036195e4 in poll_event_loop_poll (ev=0x813c56060, tvalp=<optimized out>) at ../../lib/tevent/tevent_poll.c:569
#24 poll_event_loop_once (ev=0x813c56060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:626
#25 0x0000000803615a11 in _tevent_loop_once (ev=0x813c56060, location=0x10f1b92 "../../source3/winbindd/winbindd_dual.c:1870") at ../../lib/tevent/tevent.c:772
#26 0x000000000108357b in fork_domain_child (child=0x13364d8 <static_idmap_child>) at ../../source3/winbindd/winbindd_dual.c:1870
#27 wb_child_request_waited (subreq=<optimized out>) at ../../source3/winbindd/winbindd_dual.c:241
#28 0x0000000803616c57 in tevent_common_invoke_immediate_handler (im=0x813c4cfe0, removed=0x0) at ../../lib/tevent/tevent_immediate.c:166
#29 0x0000000803616cb4 in tevent_common_loop_immediate (ev=<optimized out>) at ../../lib/tevent/tevent_immediate.c:203
#30 0x0000000803618eca in poll_event_loop_once (ev=0x813c56060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:617
#31 0x0000000803615a11 in _tevent_loop_once (ev=0x813c56060, location=0x10dcb20 "../../source3/winbindd/winbindd.c:1912") at ../../lib/tevent/tevent.c:772
#32 0x000000000105382b in main (argc=<optimized out>, argv=<optimized out>) at ../../source3/winbindd/winbindd.c:1912


struct idmap_ad_schema_names had NULL for uid, gid, gecos, etc.
(gdb) frame 15
#15 0x00000008140171fe in idmap_ad_sids_to_unixids (dom=<optimized out>, ids=<optimized out>) at ../../source3/winbindd/idmap_ad.c:830
830		rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
(gdb) p *ctx.schema
$4 = {name = 0x813cf4000 "msSFU30Name", uid = 0x0, gid = 0x0, gecos = 0x0, dir = 0x0, shell = 0x0}
(gdb) p ctx.schema
$5 = (struct idmap_ad_schema_names *) 0x813cf3e20

But things went south here:
(gdb) frame 12
#12 0x000000081400eebc in tldap_search_send (mem_ctx=<optimized out>, 
ev=0x813c56e20, ld=0x813c4da60, base=<optimized out>, scope=<optimized out>, 
    filter=0x4 <error: Cannot access memory at address 0x4>, attrs=0x7fffffffcc50, num_attrs=4, attrsonly=0, sctrls=0x0, num_sctrls=0, cctrls=<optimized out>, num_cctrls=<optimized out>, timelimit=0, 
    sizelimit=0, deref=0) at ../../source3/lib/tldap.c:1791
warning: Source file is more recent than executable.
1791			if (!asn1_write_OctetString(state->out, attrs[i], strlen(attrs[i]))) goto encoding_error;
(gdb) p attrs[0]
$6 = 0x81401ac7e "sAMAccountType"
(gdb) p attrs[1]
$7 = 0x81401ac8d "objectSid"
(gdb) p attrs[2]
$8 = 0x0
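The fallback the report sketches, written out as an added example (this is not Samba code and not the attached patch). It models the schema lookup with a small constructed table: the rfc2307 attribute names are the standard ones, while the msSFU30* names other than "msSFU30Name" are assumed for illustration. `get_schema_with_fallback` retries with rfc2307 when any name in the configured mode cannot be resolved, and `build_search_attrs` refuses to hand a NULL entry to the search layer, which is the check missing in front of the `strlen(attrs[i])` at tldap.c:1791.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same fields as struct idmap_ad_schema_names in the gdb dump above;
 * added example, not Samba's definition. */
struct schema_names {
	const char *name;
	const char *uid;
	const char *gid;
	const char *gecos;
	const char *dir;
	const char *shell;
};

enum schema_mode { SCHEMA_NONE = -1, SCHEMA_RFC2307 = 0, SCHEMA_SFU = 1 };

/* Candidate names per mode. The msSFU30* names apart from "msSFU30Name"
 * are assumed for this example. */
static const char *const rfc2307_attrs[6] = {
	"uid", "uidNumber", "gidNumber", "gecos", "unixHomeDirectory", "loginShell"
};
static const char *const sfu_attrs[6] = {
	"msSFU30Name", "msSFU30UidNumber", "msSFU30GidNumber",
	"msSFU30Gecos", "msSFU30HomeDirectory", "msSFU30LoginShell"
};

/* Constructed stand-in for resolving an attribute in the domain schema.
 * rfc2307 attributes always resolve; msSFU30* only if the SFU extensions
 * are installed. NULL models a failed lookup. */
static const char *schema_lookup(bool domain_has_sfu, const char *attr)
{
	for (size_t i = 0; i < 6; i++) {
		if (strcmp(attr, rfc2307_attrs[i]) == 0) return attr;
		if (domain_has_sfu && strcmp(attr, sfu_attrs[i]) == 0) return attr;
	}
	return NULL;
}

/* Fill every field for one mode; true only if all six resolved. */
static bool resolve_mode(bool domain_has_sfu, enum schema_mode mode,
			 struct schema_names *out)
{
	const char *const *tbl = (mode == SCHEMA_SFU) ? sfu_attrs : rfc2307_attrs;
	const char **fields[6] = {
		&out->name, &out->uid, &out->gid, &out->gecos, &out->dir, &out->shell
	};
	bool ok = true;
	for (size_t i = 0; i < 6; i++) {
		*fields[i] = schema_lookup(domain_has_sfu, tbl[i]);
		if (*fields[i] == NULL) ok = false;
	}
	return ok;
}

/* Try the configured mode; if any name is missing, log and fall back to
 * rfc2307. Returns the mode in use, or SCHEMA_NONE if rfc2307 fails too. */
enum schema_mode get_schema_with_fallback(bool domain_has_sfu,
					  enum schema_mode requested,
					  struct schema_names *out)
{
	if (resolve_mode(domain_has_sfu, requested, out)) return requested;
	if (requested != SCHEMA_RFC2307) {
		fprintf(stderr, "schema mode %d: attributes missing from domain "
			"schema, falling back to rfc2307\n", (int)requested);
		if (resolve_mode(domain_has_sfu, SCHEMA_RFC2307, out))
			return SCHEMA_RFC2307;
	}
	return SCHEMA_NONE;
}

/* Attribute list for the SID-to-unixid search (num_attrs=4 in frame #12).
 * A NULL here is what strlen() dereferenced in frame #11, so reject it.
 * Returns the attribute count, or -1. */
int build_search_attrs(const struct schema_names *s, const char *attrs[4])
{
	attrs[0] = "sAMAccountType";
	attrs[1] = "objectSid";
	attrs[2] = s->uid;
	attrs[3] = s->gid;
	for (int i = 0; i < 4; i++) {
		if (attrs[i] == NULL) {
			fprintf(stderr, "search attribute %d is NULL, not searching\n", i);
			return -1;
		}
	}
	return 4;
}

int main(void)
{
	struct schema_names s;
	const char *attrs[4];
	/* Domain without SFU extensions, "schema mode = sfu" configured. */
	enum schema_mode m = get_schema_with_fallback(false, SCHEMA_SFU, &s);
	printf("mode in use: %s\n", m == SCHEMA_RFC2307 ? "rfc2307" : "sfu");
	printf("attrs built: %d\n", build_search_attrs(&s, attrs));
	/* The state the crashing winbindd child had: uid/gid NULL. */
	struct schema_names broken = { "msSFU30Name", NULL, NULL, NULL, NULL, NULL };
	printf("attrs from broken schema: %d\n", build_search_attrs(&broken, attrs));
	return 0;
}
```

With SFU requested on a domain that lacks the extensions, the resolver logs once and the search proceeds with uidNumber/gidNumber; the pre-fix state (uid and gid NULL) is rejected before any encoding happens instead of faulting in strlen().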
Comment 1 Ralph Böhme 2020-06-30 15:29:56 UTC
Oh, good catch, thanks! Proposed change looks reasonable.
Comment 2 Ralph Böhme 2020-07-03 09:10:12 UTC
Created attachment 16110
Patch for 4.11 and 4.12 cherry-picked from master
Comment 3 Karolin Seeger 2020-07-09 07:49:31 UTC
(In reply to Ralph Böhme from comment #2)
Pushed to autobuild-v4-{12,11}-test.
Comment 4 Karolin Seeger 2020-07-17 09:35:25 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.

Thanks!