Bug 14721 - vfs_shadow_copy2 causes uninitialized memory read in process_symlink_open().
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.13.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2021-05-27 05:35 UTC by Jeremy Allison
Modified: 2021-06-16 17:26 UTC

Attachments
git-am fix for master. (4.52 KB, patch)
2021-05-27 05:46 UTC, Jeremy Allison
slow: review+
git-am fix for 4.14.next. (4.84 KB, patch)
2021-05-27 22:11 UTC, Jeremy Allison
slow: review+
git-am fix for 4.13.next. (4.74 KB, patch)
2021-05-27 22:14 UTC, Jeremy Allison
slow: review+
git-am fix for 4.13.next. (4.74 KB, patch)
2021-06-16 17:26 UTC, Jeremy Allison
jra: review? (slow)

Description Jeremy Allison 2021-05-27 05:35:21 UTC
Have patch, need bugid.
Comment 1 Jeremy Allison 2021-05-27 05:38:11 UTC
==3627798== Invalid read of size 1
==3627798==    at 0x483FF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x55DE412: strdup (strdup.c:41)
==3627798==    by 0x4F4657E: smb_xstrdup (util.c:660)
==3627798==    by 0x4C62C2E: vfs_ChDir (vfs.c:988)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==    by 0x4C48A00: filename_convert_internal (filename.c:2027)
==3627798==    by 0x4C48B77: filename_convert (filename.c:2067)
==3627798==    by 0x4C32408: call_trans2qfilepathinfo (trans2.c:6173)
==3627798==    by 0x4C3C5DA: handle_trans2 (trans2.c:10143)
==3627798==  Address 0xda8bc90 is 96 bytes inside a block of size 217 free'd
==3627798==    at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FCA3C9: _tc_free_internal (talloc.c:1222)
==3627798==    by 0x4FCA481: _talloc_free_internal (talloc.c:1248)
==3627798==    by 0x4FCB825: _talloc_free (talloc.c:1792)
==3627798==    by 0xDB248DD: store_cwd_data (vfs_shadow_copy2.c:1473)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==  Block was alloc'd at
==3627798==    at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FC9365: __talloc_with_prefix (talloc.c:783)
==3627798==    by 0x4FC94FF: __talloc (talloc.c:825)
==3627798==    by 0x4FCCFDC: __talloc_strlendup (talloc.c:2454)
==3627798==    by 0x4FCD096: talloc_strdup (talloc.c:2470)
==3627798==    by 0xDB24977: store_cwd_data (vfs_shadow_copy2.c:1476)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A92D: non_widelink_open (open.c:755)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==
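The ownership problem visible in the trace in comment 1, as an added example that is not Samba code and not part of this bug report: a block allocated by the module is freed inside the chdir call and then read again by the caller of that same call. The model assumes the caller got its pointer from the module; every name in it (`module_priv`, `module_chdir`, `wrapper_chdir`, `chdir_borrowed`, `chdir_copied`) is hypothetical, and the stale read is detected by address rather than performed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a module's private state; not Samba code. */
struct module_priv {
    char *cwd;             /* owned by the module, replaced on every chdir */
    uintptr_t last_freed;  /* address released by the most recent chdir */
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    return d ? memcpy(d, s, n) : NULL;
}

/* Callee: like store_cwd_data() in the trace, frees its old string. */
int module_chdir(struct module_priv *p, const char *path)
{
    char *copy = dup_str(path);          /* copy first: path may alias cwd */
    if (copy == NULL) { errno = ENOMEM; return -1; }
    p->last_freed = (uintptr_t)p->cwd;   /* recorded before the free */
    free(p->cwd);
    p->cwd = copy;
    return 0;
}

/* Wrapper: like vfs_ChDir() in the trace, uses path again after the call.
 * Returns 1 if that use would read freed memory (read skipped), else 0. */
int wrapper_chdir(struct module_priv *p, const char *path)
{
    uintptr_t arg = (uintptr_t)path;
    if (module_chdir(p, path) != 0) return -1;
    return arg == p->last_freed;         /* dup_str(path) here is the bug */
}

/* Unsafe caller: passes the module-owned pointer straight back in. */
int chdir_borrowed(struct module_priv *p) { return wrapper_chdir(p, p->cwd); }

/* Hardened caller: hands the wrapper a private copy that it owns. */
int chdir_copied(struct module_priv *p)
{
    char *root = dup_str(p->cwd);
    if (root == NULL) { errno = ENOMEM; return -1; }
    int ret = wrapper_chdir(p, root);
    free(root);
    return ret;
}
```
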
Comment 2 Jeremy Allison 2021-05-27 05:46:58 UTC
Created attachment 16630
git-am fix for master.

In gitlab-ci right now. I'll post the MR for it once it passes.
Comment 3 Ralph Böhme 2021-05-27 05:55:50 UTC
Comment on attachment 16630
git-am fix for master.

Good catch, thanks!
Comment 4 Jeremy Allison 2021-05-27 16:33:10 UTC
MR: https://gitlab.com/samba-team/samba/-/merge_requests/1985

I'm pushing now.
Comment 5 Samba QA Contact 2021-05-27 17:26:04 UTC
This bug was referenced in samba master:

2f0cfe82907516ecf23cc385d41b8d29ed6b8c96
Comment 6 Jeremy Allison 2021-05-27 22:11:17 UTC
Created attachment 16632
git-am fix for 4.14.next.

Cherry-pick from master.
Comment 7 Jeremy Allison 2021-05-27 22:14:09 UTC
Created attachment 16633
git-am fix for 4.13.next.

Back-port from master, cherry pick failed.
Comment 8 Ralph Böhme 2021-05-28 07:15:17 UTC
Reassigning to Karolin for inclusion in 4.13 and 4.14.
Comment 9 Karolin Seeger 2021-05-28 07:59:36 UTC
(In reply to Ralph Böhme from comment #8)
Pushed to autobuild-v4-{14,13}-test.
Comment 10 Samba QA Contact 2021-05-28 08:56:04 UTC
This bug was referenced in samba v4-14-test:

e7e537d77ccfdaa526e5759ea770e034426a4f23
Comment 11 Karolin Seeger 2021-05-31 10:25:31 UTC
In v4-13-test, make fails with this patch.
Comment 12 Samba QA Contact 2021-06-01 07:25:34 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.5):

e7e537d77ccfdaa526e5759ea770e034426a4f23
Comment 13 Jeremy Allison 2021-06-01 15:52:39 UTC
Karolin, can you let me know the specific test that fails with 4.13?

Thanks!

Jeremy.
Comment 14 Jeremy Allison 2021-06-16 17:26:29 UTC
Created attachment 16661
git-am fix for 4.13.next.

Karolin, sorry for the error. Mixed up return variable types (4.13 requires errno = ENOMEM, return -1, not return NT_STATUS_NO_MEMORY).

This should now build.