Bug 14721 - vfs_shadow_copy2 causes uninitialized memory read in process_symlink_open().
Summary: vfs_shadow_copy2 causes uninitialized memory read in process_symlink_open().
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.13.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-27 05:35 UTC by Jeremy Allison
Modified: 2021-07-28 12:37 UTC (History)
1 user (show)

See Also:

Attachments
git-am fix for master. (4.52 KB, patch)
2021-05-27 05:46 UTC, Jeremy Allison 		slow: review+
Details
git-am fix for 4.14.next. (4.84 KB, patch)
2021-05-27 22:11 UTC, Jeremy Allison 		slow: review+
Details
git-am fix for 4.13.next. (4.74 KB, patch)
2021-05-27 22:14 UTC, Jeremy Allison 		slow: review+
Details
git-am fix for 4.13.next. (4.74 KB, patch)
2021-06-16 17:26 UTC, Jeremy Allison 		jra: review? (slow)
 Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2021-05-27 05:35:21 UTC 
Have patch, need bugid.
Comment 1 Jeremy Allison 2021-05-27 05:38:11 UTC 
==3627798== Invalid read of size 1
==3627798==    at 0x483FF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x55DE412: strdup (strdup.c:41)
==3627798==    by 0x4F4657E: smb_xstrdup (util.c:660)
==3627798==    by 0x4C62C2E: vfs_ChDir (vfs.c:988)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==    by 0x4C48A00: filename_convert_internal (filename.c:2027)
==3627798==    by 0x4C48B77: filename_convert (filename.c:2067)
==3627798==    by 0x4C32408: call_trans2qfilepathinfo (trans2.c:6173)
==3627798==    by 0x4C3C5DA: handle_trans2 (trans2.c:10143)
==3627798==  Address 0xda8bc90 is 96 bytes inside a block of size 217 free'd
==3627798==    at 0x483DA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FCA3C9: _tc_free_internal (talloc.c:1222)
==3627798==    by 0x4FCA481: _talloc_free_internal (talloc.c:1248)
==3627798==    by 0x4FCB825: _talloc_free (talloc.c:1792)
==3627798==    by 0xDB248DD: store_cwd_data (vfs_shadow_copy2.c:1473)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A51C: process_symlink_open (open.c:656)
==3627798==    by 0x4C4ADE7: non_widelink_open (open.c:862)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==  Block was alloc'd at
==3627798==    at 0x483C7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3627798==    by 0x4FC9365: __talloc_with_prefix (talloc.c:783)
==3627798==    by 0x4FC94FF: __talloc (talloc.c:825)
==3627798==    by 0x4FCCFDC: __talloc_strlendup (talloc.c:2454)
==3627798==    by 0x4FCD096: talloc_strdup (talloc.c:2470)
==3627798==    by 0xDB24977: store_cwd_data (vfs_shadow_copy2.c:1476)
==3627798==    by 0xDB24BEF: shadow_copy2_chdir (vfs_shadow_copy2.c:1542)
==3627798==    by 0x4C662A4: smb_vfs_call_chdir (vfs.c:2257)
==3627798==    by 0x4C62B48: vfs_ChDir (vfs.c:940)
==3627798==    by 0x4C4A92D: non_widelink_open (open.c:755)
==3627798==    by 0x4C4AFB7: fd_openat (open.c:918)
==3627798==    by 0x4BBE895: openat_pathref_fsp (files.c:506)
==3627798==
Comment 2 Jeremy Allison 2021-05-27 05:46:58 UTC 
Created attachment 16630 [details]
git-am fix for master.

In gitlab-ci right now. I'll post the MR for it once it passes.
Comment 3 Ralph Böhme 2021-05-27 05:55:50 UTC 
Comment on attachment 16630 [details]
git-am fix for master.

Good catch, thanks!
Comment 4 Jeremy Allison 2021-05-27 16:33:10 UTC 
MR: https://gitlab.com/samba-team/samba/-/merge_requests/1985

I'm pushing now.
Comment 5 Samba QA Contact 2021-05-27 17:26:04 UTC 
This bug was referenced in samba master:

2f0cfe82907516ecf23cc385d41b8d29ed6b8c96
Comment 6 Jeremy Allison 2021-05-27 22:11:17 UTC 
Created attachment 16632 [details]
git-am fix for 4.14.next.

Cherry-pick from master.
Comment 7 Jeremy Allison 2021-05-27 22:14:09 UTC 
Created attachment 16633 [details]
git-am fix for 4.13.next.

Back-port from master, cherry pick failed.
Comment 8 Ralph Böhme 2021-05-28 07:15:17 UTC 
Reassigning to Karolin for inclusion in 4.13 and 4.14.
Comment 9 Karolin Seeger 2021-05-28 07:59:36 UTC 
(In reply to Ralph Böhme from comment #8)
Pushed to autobuild-v4-{14,13}-test.
Comment 10 Samba QA Contact 2021-05-28 08:56:04 UTC 
This bug was referenced in samba v4-14-test:

e7e537d77ccfdaa526e5759ea770e034426a4f23
Comment 11 Karolin Seeger 2021-05-31 10:25:31 UTC 
In v4-13-test, make fails with this patch.
Comment 12 Samba QA Contact 2021-06-01 07:25:34 UTC 
This bug was referenced in samba v4-14-stable (Release samba-4.14.5):

e7e537d77ccfdaa526e5759ea770e034426a4f23
Comment 13 Jeremy Allison 2021-06-01 15:52:39 UTC 
Karolin can you let me know the specific test that fails with 4.13 ?

Thanks !

Jeremy.
Comment 14 Jeremy Allison 2021-06-16 17:26:29 UTC 
Created attachment 16661 [details]
git-am fix for 4.13.next.

Karolin, sorry for the error. Mixed up return variable types (4.13 requires, errno = ENOMEM, return -1 not return NT_STATUS_NO_MEMORY).

This should now build.
Comment 15 Samba QA Contact 2021-07-12 11:04:12 UTC 
This bug was referenced in samba v4-13-test:

b01c4526fef64ac7458459111d0715434ca3f2a2
Comment 16 Samba QA Contact 2021-07-14 08:15:31 UTC 
This bug was referenced in samba v4-13-stable (Release samba-4.13.10):

b01c4526fef64ac7458459111d0715434ca3f2a2