rpcclient ncacn_ip_tcp:gdw2k19dc[packet] -Uadministrator%RedHat1234! -c 'winspool_AsyncOpenPrinter \\\\gdw2k19dc 0x02000000' The above works with samba 4.14.6 but crashes with an obvious NULL pointer dereference in 4.15.0rc1.
Can someone please post a backtrace here?
make -j20 test TESTS="samba.blackbox.rpcclient_schannel" without the fixes: #0 0x00007f4d25082e3a in __GI___wait4 (pid=30148, stat_loc=stat_loc@entry=0x7ffc61c13cc8, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:30 sc_ret = -512 sc_ret = <optimized out> #1 0x00007f4d25082ddb in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x7ffc61c13cc8, options=options@entry=0) at waitpid.c:38 No locals. #2 0x00007f4d24ff081b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:171 __result = <optimized out> _cleanup_start_doit = true _buffer = { __routine = 0x7f4d24ff08ae <cancel_handler>, __arg = 0x7ffc61c13cd0, __canceltype = 0, __prev = 0x0 } _cleanup_routine = 0x7f4d24ff08ae <cancel_handler> cancel_args = { quit = 0x7f4d251af5a0 <quit>, intr = 0x7f4d251af640 <intr>, pid = 30148 } status = -1 ret = 0 pid = 30148 sa = { __sigaction_handler = { sa_handler = 0x1, sa_sigaction = 0x1 }, sa_mask = { __val = {[0] = 65536, [1] = 94162471129292, [2] = 0, [3] = 0, [4] = 0, [5] = 0, [6] = 0, [7] = 639876651, [8] = 139969309848624, [9] = 94162447826944, [10] = 0, [11] = 94162447131530, [12] = 10522175869605451008, [13] = 140721948540656, [14] = 140721948544248, [15] = 94162447131636} }, sa_flags = 0, sa_restorer = 0x55a3e748bc50 <_DYNAMIC> } omask = { __val = {[0] = 1024, [1] = 320, [2] = 193, [3] = 94162471128976, [4] = 139969311697568, [5] = 94162471129296, [6] = 139969311697568, [7] = 139969310235001, [8] = 206158430232, [9] = 140721948540752, [10] = 94162471128992, [11] = 181, [12] = 181, [13] = 94162471128976, [14] = 139969311697568, [15] = 139969310238649} } reset = { __val = {[0] = 6, [1] = 10522175869605451008, [2] = 94162469710832, [3] = 139969333972579, [4] = 180, [5] = 180, [6] = 181, [7] = 94162471128992, [8] = 140721948540416, [9] = 139969310118288, [10] = 139972911661056, [11] = 94162471128992, [12] = 94162471129093, [13] = 94162471128992, [14] = 94162471128992, [15] = 94162471129172} } spawn_attr = { 
__flags = 12, __pgrp = 0, __sd = { __val = {[0] = 6, [1] = 10522175869605451008, [2] = 94162469710832, [3] = 139969333972579, [4] = 180, [5] = 180, [6] = 181, [7] = 94162471128992, [8] = 140721948540416, [9] = 139969310118288, [10] = 139972911661056, [11] = 94162471128992, [12] = 94162471129093, [13] = 94162471128992, [14] = 94162471128992, [15] = 94162471129172} }, __ss = { __val = {[0] = 1024, [1] = 320, [2] = 193, [3] = 94162471128976, [4] = 139969311697568, [5] = 94162471129296, [6] = 139969311697568, [7] = 139969310235001, [8] = 206158430232, [9] = 140721948540752, [10] = 94162471128992, [11] = 181, [12] = 181, [13] = 94162471128976, [14] = 139969311697568, [15] = 139969310238649} }, __sp = { sched_priority = 0 }, __policy = 0, __pad = {[0] = 0 <repeats 16 times>} } #3 0x00007f4d26322c1a in smb_panic_s3 (why=0x7ffc61c140d0 "Signal 11: Segmentation fault") at ../../source3/lib/util.c:694 lp_sub = 0x7f4d2635ca80 <s3_global_substitution> cmd = 0x55a3e8a1a290 "cd /home/asn/workspace/projects/samba/asn-fips && /home/asn/workspace/projects/samba/asn-fips/selftest/gdb_backtrace 30147 %$(MAKE_TEST_BINARY)" result = 32589 __FUNCTION__ = "smb_panic_s3" #4 0x00007f4d2623c33e in smb_panic (why=0x7ffc61c140d0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197 No locals. #5 0x00007f4d2623be16 in fault_report (sig=11) at ../../lib/util/fault.c:81 counter = 1 signal_string = "Signal 11: Segmentation fault\000\000\000\001\000\000\000\000\000\000\000\240\005G%M\177\000\000\220A\301a", '\000' <repeats 12 times>, "\240\005G%M\177\000\000\301\321\374\066\000\000\000\000hB\301a\374\177\000\000\262\244E%M\177\000\000\020\tG%M\177\000\000\300A\301a\374\177\000\000\320A\301a\374\177\000\000\061\272s&M\177\000" #6 0x00007f4d2623be2b in sig_fault (sig=11) at ../../lib/util/fault.c:92 No locals. #7 <signal handler called> No locals. 
#8 0x000055a3e741b435 in cli_rpc_pipe_open_schannel (cli=0x0, msg_ctx=0x55a3e8a18920, table=0x7f4d2601c2e0 <ndr_table_lsarpc>, transport=NCACN_IP_TCP, domain=0x55a3e8a0c1b0 "FIPSDOMAIN", presult=0x55a3e748d800 <lsarpc_commands+288>, mem_ctx=0x55a3e8a18920, pcreds=0x55a3e74928f8 <rpcclient_netlogon_creds>) at ../../source3/rpc_client/cli_pipe_schannel.c:50 frame = 0x55a3e8a0d230 dc_name = 0x7ffc61c147e4 "D" result = 0x7ffc61c147dc status = { v = 21923 } cli_creds = 0x7ffc61c14790 netlogon_creds = 0x55a3e889d5b0 creds = 0x7ffc61c14770 netlogon_flags = 32764 #9 0x000055a3e7365b56 in do_cmd (cli=0x0, creds=0x55a3e88bbc80, cmd_entry=0x55a3e748d7d0 <lsarpc_commands+240>, binding=0x55a3e889d5b0, argc=2, argv=0x55a3e88f2730) at ../../source3/rpcclient/rpcclient.c:929 auth_type = DCERPC_AUTH_TYPE_SCHANNEL auth_level = DCERPC_AUTH_LEVEL_INTEGRITY krb5_state = CRED_USE_KERBEROS_DESIRED ntresult = { v = 21923 } wresult = { w = 3901695816 } transport = NCACN_IP_TCP mem_ctx = 0x55a3e8a18210 __FUNCTION__ = "do_cmd" __func__ = "do_cmd" #10 0x000055a3e736638a in process_cmd (creds=0x55a3e88bbc80, cli=0x0, binding=0x55a3e889d5b0, cmd=0x55a3e8a405f0 "lookupsids3 S-1-1-0") at ../../source3/rpcclient/rpcclient.c:1090 set = 0x55a3e748d7d0 <lsarpc_commands+240> temp_list = 0x55a3e8a0d420 result = { v = 0 } ret = 0 argc = 2 argv = 0x55a3e88f2730 #11 0x000055a3e7366e1c in main (argc=6, argv=0x7ffc61c14cf8) at ../../source3/rpcclient/rpcclient.c:1318 cmd_result = { v = 32589 } cmd = 0x55a3e8a405f0 "lookupsids3 S-1-1-0" p = 0x0 const_argv = 0x7ffc61c14cf8 opt = -1 cmdstr = 0x55a3e88f2ab0 "lookupsids3 S-1-1-0" server = 0x7ffc61c169e0 "ncacn_ip_tcp:fipsdc[schannel]" cli = 0x0 opt_ipaddr = 0x0 cmd_set = 0x55a3e748d6d0 <rpcclient_command_list+176> server_ss = { ss_family = 2, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0 } nt_status = { v = 0 } opt_port = 0 result = 0 frame = 0x55a3e8899af0 flags = 4096 binding = 0x55a3e889d5b0 transport = NCACN_IP_TCP binding_string = 0x0 host = 
0x55a3e8a0ce00 "fipsdc" creds = 0x55a3e88bbc80 ok = true pc = 0x55a3e88f4080 long_options = {[0] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d25430400 <poptHelpOptions>, val = 0, descrip = 0x55a3e741da41 "Help options:", argDescrip = 0x0 }, [1] = { longName = 0x55a3e741da4f "command", shortName = 99 'c', argInfo = 1, arg = 0x55a3e7492910 <cmdstr>, val = 99, descrip = 0x55a3e741da58 "Execute semicolon separated cmds", argDescrip = 0x55a3e741da79 "COMMANDS" }, [2] = { longName = 0x55a3e741da82 "dest-ip", shortName = 73 'I', argInfo = 1, arg = 0x55a3e7492918 <opt_ipaddr>, val = 73, descrip = 0x55a3e741da90 "Specify destination IP address", argDescrip = 0x55a3e741daaf "IP" }, [3] = { longName = 0x55a3e741dab2 "port", shortName = 112 'p', argInfo = 2, arg = 0x55a3e7492920 <opt_port>, val = 112, descrip = 0x55a3e741dab7 "Specify port number", argDescrip = 0x55a3e741dacb "PORT" }, [4] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c220 <popt_common_samba>, val = 0, descrip = 0x55a3e741dad0 "Common Samba options:", argDescrip = 0x0 }, [5] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c5a0 <popt_common_connection>, val = 0, descrip = 0x55a3e741dae6 "Connection options:", argDescrip = 0x0 }, [6] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c760 <popt_common_credentials>, val = 0, descrip = 0x55a3e741dafa "Credential options:", argDescrip = 0x0 }, [7] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638cba0 <popt_legacy_s3>, val = 0, descrip = 0x55a3e741db0e "Deprecated legcacy options:", argDescrip = 0x0 }, [8] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c9e0 <popt_common_version>, val = 0, descrip = 0x55a3e741db2a "Version options:", argDescrip = 0x0 }, [9] = { longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0 }} __func__ = "main" __FUNCTION__ = "main" Thread 1 (Thread 
0x7f4d235ff0c0 (LWP 30147) "rpcclient"): #0 0x00007f4d25082e3a in __GI___wait4 (pid=30148, stat_loc=stat_loc@entry=0x7ffc61c13cc8, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:30 sc_ret = -512 sc_ret = <optimized out> #1 0x00007f4d25082ddb in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x7ffc61c13cc8, options=options@entry=0) at waitpid.c:38 No locals. #2 0x00007f4d24ff081b in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:171 __result = <optimized out> _cleanup_start_doit = true _buffer = { __routine = 0x7f4d24ff08ae <cancel_handler>, __arg = 0x7ffc61c13cd0, __canceltype = 0, __prev = 0x0 } _cleanup_routine = 0x7f4d24ff08ae <cancel_handler> cancel_args = { quit = 0x7f4d251af5a0 <quit>, intr = 0x7f4d251af640 <intr>, pid = 30148 } status = -1 ret = 0 pid = 30148 sa = { __sigaction_handler = { sa_handler = 0x1, sa_sigaction = 0x1 }, sa_mask = { __val = {[0] = 65536, [1] = 94162471129292, [2] = 0, [3] = 0, [4] = 0, [5] = 0, [6] = 0, [7] = 639876651, [8] = 139969309848624, [9] = 94162447826944, [10] = 0, [11] = 94162447131530, [12] = 10522175869605451008, [13] = 140721948540656, [14] = 140721948544248, [15] = 94162447131636} }, sa_flags = 0, sa_restorer = 0x55a3e748bc50 <_DYNAMIC> } omask = { __val = {[0] = 1024, [1] = 320, [2] = 193, [3] = 94162471128976, [4] = 139969311697568, [5] = 94162471129296, [6] = 139969311697568, [7] = 139969310235001, [8] = 206158430232, [9] = 140721948540752, [10] = 94162471128992, [11] = 181, [12] = 181, [13] = 94162471128976, [14] = 139969311697568, [15] = 139969310238649} } reset = { __val = {[0] = 6, [1] = 10522175869605451008, [2] = 94162469710832, [3] = 139969333972579, [4] = 180, [5] = 180, [6] = 181, [7] = 94162471128992, [8] = 140721948540416, [9] = 139969310118288, [10] = 139972911661056, [11] = 94162471128992, [12] = 94162471129093, [13] = 94162471128992, [14] = 94162471128992, [15] = 94162471129172} } spawn_attr = { __flags = 12, __pgrp = 0, __sd = { __val 
= {[0] = 6, [1] = 10522175869605451008, [2] = 94162469710832, [3] = 139969333972579, [4] = 180, [5] = 180, [6] = 181, [7] = 94162471128992, [8] = 140721948540416, [9] = 139969310118288, [10] = 139972911661056, [11] = 94162471128992, [12] = 94162471129093, [13] = 94162471128992, [14] = 94162471128992, [15] = 94162471129172} }, __ss = { __val = {[0] = 1024, [1] = 320, [2] = 193, [3] = 94162471128976, [4] = 139969311697568, [5] = 94162471129296, [6] = 139969311697568, [7] = 139969310235001, [8] = 206158430232, [9] = 140721948540752, [10] = 94162471128992, [11] = 181, [12] = 181, [13] = 94162471128976, [14] = 139969311697568, [15] = 139969310238649} }, __sp = { sched_priority = 0 }, __policy = 0, __pad = {[0] = 0 <repeats 16 times>} } #3 0x00007f4d26322c1a in smb_panic_s3 (why=0x7ffc61c140d0 "Signal 11: Segmentation fault") at ../../source3/lib/util.c:694 lp_sub = 0x7f4d2635ca80 <s3_global_substitution> cmd = 0x55a3e8a1a290 "cd /home/asn/workspace/projects/samba/asn-fips && /home/asn/workspace/projects/samba/asn-fips/selftest/gdb_backtrace 30147 %$(MAKE_TEST_BINARY)" result = 32589 __FUNCTION__ = "smb_panic_s3" #4 0x00007f4d2623c33e in smb_panic (why=0x7ffc61c140d0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197 No locals. #5 0x00007f4d2623be16 in fault_report (sig=11) at ../../lib/util/fault.c:81 counter = 1 signal_string = "Signal 11: Segmentation fault\000\000\000\001\000\000\000\000\000\000\000\240\005G%M\177\000\000\220A\301a", '\000' <repeats 12 times>, "\240\005G%M\177\000\000\301\321\374\066\000\000\000\000hB\301a\374\177\000\000\262\244E%M\177\000\000\020\tG%M\177\000\000\300A\301a\374\177\000\000\320A\301a\374\177\000\000\061\272s&M\177\000" #6 0x00007f4d2623be2b in sig_fault (sig=11) at ../../lib/util/fault.c:92 No locals. #7 <signal handler called> No locals. 
#8 0x000055a3e741b435 in cli_rpc_pipe_open_schannel (cli=0x0, msg_ctx=0x55a3e8a18920, table=0x7f4d2601c2e0 <ndr_table_lsarpc>, transport=NCACN_IP_TCP, domain=0x55a3e8a0c1b0 "FIPSDOMAIN", presult=0x55a3e748d800 <lsarpc_commands+288>, mem_ctx=0x55a3e8a18920, pcreds=0x55a3e74928f8 <rpcclient_netlogon_creds>) at ../../source3/rpc_client/cli_pipe_schannel.c:50 frame = 0x55a3e8a0d230 dc_name = 0x7ffc61c147e4 "D" result = 0x7ffc61c147dc status = { v = 21923 } cli_creds = 0x7ffc61c14790 netlogon_creds = 0x55a3e889d5b0 creds = 0x7ffc61c14770 netlogon_flags = 32764 #9 0x000055a3e7365b56 in do_cmd (cli=0x0, creds=0x55a3e88bbc80, cmd_entry=0x55a3e748d7d0 <lsarpc_commands+240>, binding=0x55a3e889d5b0, argc=2, argv=0x55a3e88f2730) at ../../source3/rpcclient/rpcclient.c:929 auth_type = DCERPC_AUTH_TYPE_SCHANNEL auth_level = DCERPC_AUTH_LEVEL_INTEGRITY krb5_state = CRED_USE_KERBEROS_DESIRED ntresult = { v = 21923 } wresult = { w = 3901695816 } transport = NCACN_IP_TCP mem_ctx = 0x55a3e8a18210 __FUNCTION__ = "do_cmd" __func__ = "do_cmd" #10 0x000055a3e736638a in process_cmd (creds=0x55a3e88bbc80, cli=0x0, binding=0x55a3e889d5b0, cmd=0x55a3e8a405f0 "lookupsids3 S-1-1-0") at ../../source3/rpcclient/rpcclient.c:1090 set = 0x55a3e748d7d0 <lsarpc_commands+240> temp_list = 0x55a3e8a0d420 result = { v = 0 } ret = 0 argc = 2 argv = 0x55a3e88f2730 #11 0x000055a3e7366e1c in main (argc=6, argv=0x7ffc61c14cf8) at ../../source3/rpcclient/rpcclient.c:1318 cmd_result = { v = 32589 } cmd = 0x55a3e8a405f0 "lookupsids3 S-1-1-0" p = 0x0 const_argv = 0x7ffc61c14cf8 opt = -1 cmdstr = 0x55a3e88f2ab0 "lookupsids3 S-1-1-0" server = 0x7ffc61c169e0 "ncacn_ip_tcp:fipsdc[schannel]" cli = 0x0 opt_ipaddr = 0x0 cmd_set = 0x55a3e748d6d0 <rpcclient_command_list+176> server_ss = { ss_family = 2, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0 } nt_status = { v = 0 } opt_port = 0 result = 0 frame = 0x55a3e8899af0 flags = 4096 binding = 0x55a3e889d5b0 transport = NCACN_IP_TCP binding_string = 0x0 host = 
0x55a3e8a0ce00 "fipsdc" creds = 0x55a3e88bbc80 ok = true pc = 0x55a3e88f4080 long_options = {[0] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d25430400 <poptHelpOptions>, val = 0, descrip = 0x55a3e741da41 "Help options:", argDescrip = 0x0 }, [1] = { longName = 0x55a3e741da4f "command", shortName = 99 'c', argInfo = 1, arg = 0x55a3e7492910 <cmdstr>, val = 99, descrip = 0x55a3e741da58 "Execute semicolon separated cmds", argDescrip = 0x55a3e741da79 "COMMANDS" }, [2] = { longName = 0x55a3e741da82 "dest-ip", shortName = 73 'I', argInfo = 1, arg = 0x55a3e7492918 <opt_ipaddr>, val = 73, descrip = 0x55a3e741da90 "Specify destination IP address", argDescrip = 0x55a3e741daaf "IP" }, [3] = { longName = 0x55a3e741dab2 "port", shortName = 112 'p', argInfo = 2, arg = 0x55a3e7492920 <opt_port>, val = 112, descrip = 0x55a3e741dab7 "Specify port number", argDescrip = 0x55a3e741dacb "PORT" }, [4] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c220 <popt_common_samba>, val = 0, descrip = 0x55a3e741dad0 "Common Samba options:", argDescrip = 0x0 }, [5] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c5a0 <popt_common_connection>, val = 0, descrip = 0x55a3e741dae6 "Connection options:", argDescrip = 0x0 }, [6] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c760 <popt_common_credentials>, val = 0, descrip = 0x55a3e741dafa "Credential options:", argDescrip = 0x0 }, [7] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638cba0 <popt_legacy_s3>, val = 0, descrip = 0x55a3e741db0e "Deprecated legcacy options:", argDescrip = 0x0 }, [8] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7f4d2638c9e0 <popt_common_version>, val = 0, descrip = 0x55a3e741db2a "Version options:", argDescrip = 0x0 }, [9] = { longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0 }} __func__ = "main" __FUNCTION__ = "main" sc_ret = -512 sc_ret = 
<optimized out>
This bug was referenced in samba master: 492fd5b00fe9d62f53b96e3a7588a7f2848a571d b3bf5bbaf81de369c8f9415d903816a2d7424ffc 016429acaf76bde53bd4ab81b48be23c2bcc28e3 33eb7a1bc9c21463dc699d6daaa6a1e19f668268 34c57ebee04bb770174fab31edd9bfe2f88a84eb bb3e0ce8fc932f5146044c548730f454a0119800 c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd 62aa769667464451cda672fc073e52a8e52ae4c1 6bf3a39b11832ad2feb655e29da84f8b5aac298e
Created attachment 17039 [details] patch for 4.15
Comment on attachment 17039 [details] patch for 4.15: LGTM, thanks!
Jule, please add to v4.15, thanks!
Pushed to autobuild-v4-15-test
This bug was referenced in samba v4-15-test: fea324d9cc4122c2fb2118d4cf4e2d7c408292e5 e72d611c78dcf5fb9776a5957dd099b3a973947d ea845570516f330720c3bbdd6efda307f0c0fef0 0801cae3df8492c9576b46b67572961e07d3241c 1b5b96d5a2453a7ffc374c3d10ef4ed890cc68ba 460cf672e65432d79512ceca2212572c470865f3 16d886511f158a56fb0ebb71df91fea127bed606 aca47d48f516b43ef20f44f85d50993ca25eb3fa b1f0aa5c22fdf65114540d4bb15ac6980f194abf
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): fea324d9cc4122c2fb2118d4cf4e2d7c408292e5 e72d611c78dcf5fb9776a5957dd099b3a973947d ea845570516f330720c3bbdd6efda307f0c0fef0 0801cae3df8492c9576b46b67572961e07d3241c 1b5b96d5a2453a7ffc374c3d10ef4ed890cc68ba 460cf672e65432d79512ceca2212572c470865f3 16d886511f158a56fb0ebb71df91fea127bed606 aca47d48f516b43ef20f44f85d50993ca25eb3fa b1f0aa5c22fdf65114540d4bb15ac6980f194abf