Bug 14627 - Invalid memory read access in posix_sys_acl_blob_get_fd()
Summary: Invalid memory read access in posix_sys_acl_blob_get_fd()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-01 19:07 UTC by Andreas Schneider
Modified: 2021-02-05 09:00 UTC
CC List: 2 users

See Also:


Attachments
patch for 4.14, 4.13 and 4.12 (1.20 KB, patch)
2021-02-02 07:10 UTC, Andreas Schneider
jra: review+

Description Andreas Schneider 2021-02-01 19:07:34 UTC
Invalid memory read access in posix_sys_acl_blob_get_fd()

==16922==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe354fb360 at pc 0x7fd712e41f41 bp 0x7ffe354fac50 sp 0x7ffe354fa400
READ of size 17 at 0x7ffe354fb360 thread T0                                                   
    #0 0x7fd712e41f40  (/usr/lib64/libasan.so.6+0x3ff40)                                    
    #1 0x7fd70a6eb24e in cp_smb_filename ../../source3/lib/filename_util.c:234            
    #2 0x7fd70a6eb55c in synthetic_smb_fname ../../source3/lib/filename_util.c:73
    #3 0x7fd502b2ab99 in xattr_tdb_get_file_id ../../source3/modules/vfs_xattr_tdb.c:41
    #4 0x7fd502b2c3bf in xattr_tdb_getxattr ../../source3/modules/vfs_xattr_tdb.c:84        
    #5 0x7fd70a5a7485 in smb_vfs_call_getxattr ../../source3/smbd/vfs.c:2802                
    #6 0x7fd70b713e3e in fake_acls_sys_acl_get_file ../../source3/modules/vfs_fake_acls.c:277
    #7 0x7fd70a5a6ffb in smb_vfs_call_sys_acl_get_file ../../source3/smbd/vfs.c:2747
    #8 0x7fd70a5c1a41 in posix_sys_acl_blob_get_fd ../../source3/smbd/posix_acls.c:4681
    #9 0x7fd70a5a7243 in smb_vfs_call_sys_acl_blob_get_fd ../../source3/smbd/vfs.c:2776
    #10 0x7fd70a7b63b7 in fset_nt_acl_common ../../source3/modules/vfs_acl_common.c:1139
    #11 0x7fd708c576ba in acl_xattr_fset_nt_acl ../../source3/modules/vfs_acl_xattr.c:380 
    #12 0x7fd70a5a6e6f in smb_vfs_call_fset_nt_acl ../../source3/smbd/vfs.c:2723
    #13 0x7fd70ac02ab6 in set_nt_acl_conn ../../source3/smbd/pysmbd.c:284       
    #14 0x7fd70ac02ab6 in py_smbd_set_nt_acl ../../source3/smbd/pysmbd.c:803

Address 0x7ffe354fb360 is located in stack of thread T0 at offset 640 in frame
    #0 0x7fd70a5c179b in posix_sys_acl_blob_get_fd ../../source3/smbd/posix_acls.c:4649

  This frame has 4 object(s):
    [48, 80) 'acl_wrapper' (line 4652)
    [112, 280) 'sbuf' (line 4650)
    [352, 568) 'fname' (line 4654)
    [640, 4736) 'buf' (line 4659) <== Memory access at offset 640 is inside this variable
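The defect class in the sanitizer report above, as an added illustration that is not Samba's code and not the patch attached to this bug: a stack buffer declared in an inner block, a struct that borrows a pointer into it, and a consumer that reads through that pointer after the block has closed. The struct and the two functions are hypothetical stand-ins for struct smb_filename, synthetic_smb_fname() and cp_smb_filename(); the `/proc/self/fd/<n>` path shape and the fd value are assumptions chosen for the example, not taken from the report.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical stand-in for Samba's struct smb_filename: only the
 * field the trace reads. Not Samba code. */
struct fname_ex {
	const char *base_name;
};

/* Stand-in for synthetic_smb_fname(): wraps a borrowed base_name
 * pointer without copying it, so the pointee must outlive the struct. */
static void synth_fname(struct fname_ex *f, const char *base_name)
{
	f->base_name = base_name;
}

/* Stand-in for cp_smb_filename(): the strlen() + 1 byte read is the
 * kind of access the sanitizer reported as "READ of size 17". */
static char *copy_fname(const struct fname_ex *in)
{
	size_t len = strlen(in->base_name) + 1;
	char *out = malloc(len);

	if (out == NULL) {
		return NULL;
	}
	memcpy(out, in->base_name, len);
	return out;
}

/* Bug pattern: buf is declared in an inner block, its address escapes
 * through fname.base_name, and fname is consumed after the block has
 * closed. Under -fsanitize=address this reports stack-use-after-scope. */
static char *blob_get_fd_buggy(int fd)
{
	struct fname_ex fname = { .base_name = NULL };

	{
		char buf[PATH_MAX];

		/* assumed path shape, not taken from the report */
		snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd);
		synth_fname(&fname, buf);
	} /* buf's lifetime ends here; fname.base_name now dangles */

	return copy_fname(&fname);
}

/* One repair: buf lives in the function's outermost scope, so it is
 * valid for every use of fname inside the function. */
static char *blob_get_fd_fixed(int fd)
{
	char buf[PATH_MAX];
	struct fname_ex fname = { .base_name = NULL };

	snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd);
	synth_fname(&fname, buf);

	return copy_fname(&fname);
}

/* Check helper: does the repaired path produce the expected string? */
static int fixed_equals(int fd, const char *expected)
{
	char *s = blob_get_fd_fixed(fd);
	int ok = (s != NULL && strcmp(s, expected) == 0);

	free(s);
	return ok;
}

int main(void)
{
	char *s = blob_get_fd_fixed(12);

	printf("fixed: %s (%zu bytes read)\n", s, strlen(s) + 1);
	free(s);

	/* Build with: cc -g -fsanitize=address example.c
	 * The next call is the one AddressSanitizer reports. */
	s = blob_get_fd_buggy(12);
	free(s);
	return 0;
}
```

Compiled with -fsanitize=address (recent GCC and Clang enable use-after-scope detection by default), the buggy call produces a report of the same shape as the one above, including the frame listing that names the dead stack object the read landed in. Without the sanitizer the read usually returns stale but plausible bytes, which is why this class of bug tends to survive plain testing.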
Comment 1 Samba QA Contact 2021-02-01 22:56:03 UTC
This bug was referenced in samba master:

0a93f5367bc55ee14f13da5bdb812333c9d9e9f3
Comment 2 Andreas Schneider 2021-02-02 07:10:43 UTC
Created attachment 16420 [details]
patch for 4.14, 4.13 and 4.12
Comment 3 Jeremy Allison 2021-02-02 20:30:36 UTC
Comment on attachment 16420 [details]
patch for 4.14, 4.13 and 4.12

LGTM. Karolin, FYI this only applies to 4.14.rcNext, not any prior versions.
Comment 4 Jeremy Allison 2021-02-02 20:31:04 UTC
Re-assigning to Karolin for inclusion in 4.14.rcNext.
Comment 5 Karolin Seeger 2021-02-03 09:57:00 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-14-test.
Comment 6 Samba QA Contact 2021-02-03 22:33:11 UTC
This bug was referenced in samba v4-14-test:

eac2d1504b72d766762f2991c0acd1355835a2cd
Comment 7 Samba QA Contact 2021-02-04 08:27:15 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.0rc2):

eac2d1504b72d766762f2991c0acd1355835a2cd
Comment 8 Karolin Seeger 2021-02-05 09:00:12 UTC
Closing out bug report.

Thanks!