Bug 14888 - crash in recycle_unlink_internal()
Summary: crash in recycle_unlink_internal()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.15.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-29 13:21 UTC by Andrew Walker
Modified: 2021-11-19 09:07 UTC (History)
2 users (show)

See Also:


Attachments
git-am fix for 4.15.next. (1.94 KB, patch)
2021-11-01 17:59 UTC, Jeremy Allison
jra: review? (awalker)
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Walker 2021-10-29 13:21:39 UTC
Relevant area - samba 4.12:
        /* extract filename and path */
        base = strrchr(smb_fname->base_name, '/');
        if (base == NULL) {
                base = smb_fname->base_name;
                path_name = SMB_STRDUP("/");
                ALLOC_CHECK(path_name, done);
        }
        else {
                path_name = SMB_STRDUP(smb_fname->base_name);
                ALLOC_CHECK(path_name, done);
                path_name[base - smb_fname->base_name] = '\0';
                base++;
        }

Samba 4.15:
        /* extract filename and path */
        base = strrchr(full_fname->base_name, '/');
        if (base == NULL) {
                base = full_fname->base_name;
                path_name = SMB_STRDUP("/");
                ALLOC_CHECK(path_name, done);
        }
        else {
                path_name = SMB_STRDUP(full_fname->base_name);
                ALLOC_CHECK(path_name, done);
                path_name[base - smb_fname->base_name] = '\0';
                base++;
        }


So between versions we switched from 
```
        base = strrchr(smb_fname->base_name, '/');
```

to

```
        base = strrchr(full_fname->base_name, '/');
```
which is return from full_path_from_dirfsp_atname(talloc_tos(), dirfsp, smb_fname);

Hence crash now (potentially) in:
```
 path_name[base - smb_fname->base_name] = '\0';

```

the stacktrace:
```
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f0273914537 in __GI_abort () at abort.c:79
#2  0x00007f0273bb97e0 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007f0273bac711 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704
#4  0x00007f0273e9ccaa in smb_panic (why=why@entry=0x7ffcf4120ed0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197
#5  0x00007f0273e9cd31 in fault_report (sig=11) at ../../lib/util/fault.c:81
#6  sig_fault (sig=11) at ../../lib/util/fault.c:92
#7  <signal handler called>
#8  0x00007f02718eeace in recycle_unlink_internal (flags=0, smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180af0) at ../../source3/modules/vfs_recycle.c:583
#9  recycle_unlinkat (handle=0x561c2b180af0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_recycle.c:741
#10 0x00007f027163f521 in streams_xattr_unlink_internal (flags=0, smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180d70) at ../../source3/modules/vfs_streams_xattr.c:504
#11 streams_xattr_unlinkat (handle=0x561c2b180d70, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_streams_xattr.c:546
#12 0x00007f027160ecb5 in catia_unlinkat (handle=0x561c2b1839e0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a8ad0, flags=0) at ../../source3/modules/vfs_catia.c:694
#13 0x00007f0274078d20 in close_remove_share_mode (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90) at ../../source3/smbd/close.c:479
#14 close_normal_file (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90, req=0x561c2b197360) at ../../source3/smbd/close.c:804
#15 close_file (req=req@entry=0x561c2b197360, fsp=fsp@entry=0x561c2b19bb90, close_type=close_type@entry=NORMAL_CLOSE) at ../../source3/smbd/close.c:1509
#16 0x00007f02740b213b in smbd_smb2_close (req=req@entry=0x561c2b18cd80, fsp=fsp@entry=0x561c2b19bb90, in_flags=in_flags@entry=0, out_flags=0x561c2b0969b2, out_creation_ts=0x561c2b0969b8, out_last_access_ts=0x561c2b0969c8, out_last_write_ts=0x561c2b0969d8, 
    out_change_ts=0x561c2b0969e8, out_allocation_size=0x561c2b0969f8, out_end_of_file=0x561c2b096a00, out_file_attributes=0x561c2b096a08) at ../../source3/smbd/smb2_close.c:277
#17 0x00007f02740b28f2 in smbd_smb2_close_send (in_flags=<optimized out>, in_fsp=<optimized out>, smb2req=0x561c2b18cd80, ev=0x561c2b0acad0, mem_ctx=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:393
#18 smbd_smb2_request_process_close (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:72
#19 0x00007f02740a6cb0 in smbd_smb2_request_dispatch (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3400
#20 0x00007f02740a7d8d in smbd_smb2_request_dispatch_immediate (ctx=ctx@entry=0x561c2b0acad0, im=<optimized out>, im@entry=0x561c2b1a7c70, private_data=private_data@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3809
#21 0x00007f0273c2d952 in tevent_common_invoke_immediate_handler (im=0x561c2b1a7c70, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190
#22 0x00007f0273c2d97a in tevent_common_loop_immediate (ev=ev@entry=0x561c2b0acad0) at ../../lib/tevent/tevent_immediate.c:236
#23 0x00007f0273c3371c in epoll_event_loop_once (ev=0x561c2b0acad0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:918
#24 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:110
#25 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:790
#26 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:913
#27 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:141
#28 0x00007f0274094b50 in smbd_process (ev_ctx=ev_ctx@entry=0x561c2b0acad0, msg_ctx=msg_ctx@entry=0x561c2b091de0, dce_ctx=dce_ctx@entry=0x561c2b0a8590, sock_fd=sock_fd@entry=51, interactive=interactive@entry=false) at ../../source3/smbd/process.c:4246
#29 0x0000561c29f22885 in smbd_accept_connection (ev=0x561c2b0acad0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1021
#30 0x00007f0273c2d3e1 in tevent_common_invoke_fd_handler (fde=fde@entry=0x561c2b0d15e0, flags=1, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:142
#31 0x00007f0273c33947 in epoll_event_loop (tvalp=0x7ffcf4122640, epoll_ev=0x561c2b0b3aa0) at ../../lib/tevent/tevent_epoll.c:736
#32 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:937
#33 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:110
#34 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:790
#35 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:913
#36 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:141
#37 0x0000561c29f1db5f in smbd_parent_loop (parent=0x561c2b0b7060, ev_ctx=0x561c2b0acad0) at ../../source3/smbd/server.c:1365
#38 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2190

```
Comment 2 Jeremy Allison 2021-10-29 20:24:51 UTC
Ah, thanks Andrew ! That (smb_fname -> full_fname) was the change I was missing :-). Thanks !
Comment 3 Samba QA Contact 2021-10-30 04:35:04 UTC
This bug was referenced in samba master:

be3a47e22ad6be204f4a7d6070f82f990c17e6fb
Comment 4 Jeremy Allison 2021-11-01 17:59:40 UTC
Created attachment 16904 [details]
git-am fix for 4.15.next.

Cherry-pick from master.
Comment 5 Ralph Böhme 2021-11-18 18:41:15 UTC
Reassigning to Jule for inclusion in 4.15.
Comment 6 Jule Anger 2021-11-19 06:44:34 UTC
Pushed to autobuild-v4-15-test.
Comment 7 Samba QA Contact 2021-11-19 08:12:05 UTC
This bug was referenced in samba v4-15-test:

4d68d797f187358e6b328550999ddff5bf755df0
Comment 8 Jule Anger 2021-11-19 09:07:36 UTC
Closing out bug report.

Thanks!