Bug 14888 - crash in recycle_unlink_internal()
Summary: crash in recycle_unlink_internal()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.15.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2021-10-29 13:21 UTC by Andrew Walker
Modified: 2021-12-08 14:57 UTC (History)
Attachments
git-am fix for 4.15.next. (1.94 KB, patch)
2021-11-01 17:59 UTC, Jeremy Allison
jra: review? (awalker)
slow: review+
Description Andrew Walker 2021-10-29 13:21:39 UTC
Relevant area - samba 4.12:
```
/* extract filename and path */
base = strrchr(smb_fname->base_name, '/');
if (base == NULL) {
        base = smb_fname->base_name;
        path_name = SMB_STRDUP("/");
        ALLOC_CHECK(path_name, done);
}
else {
        path_name = SMB_STRDUP(smb_fname->base_name);
        ALLOC_CHECK(path_name, done);
        path_name[base - smb_fname->base_name] = '\0';
        base++;
}
```

Samba 4.15:
```
/* extract filename and path */
base = strrchr(full_fname->base_name, '/');
if (base == NULL) {
        base = full_fname->base_name;
        path_name = SMB_STRDUP("/");
        ALLOC_CHECK(path_name, done);
}
else {
        path_name = SMB_STRDUP(full_fname->base_name);
        ALLOC_CHECK(path_name, done);
        path_name[base - smb_fname->base_name] = '\0';
        base++;
}
```

So between versions we switched from
```
base = strrchr(smb_fname->base_name, '/');
```

to

```
base = strrchr(full_fname->base_name, '/');
```
which is returned from full_path_from_dirfsp_atname(talloc_tos(), dirfsp, smb_fname);

Hence crash now (potentially) in:
```
path_name[base - smb_fname->base_name] = '\0';
```

the stacktrace:
```
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f0273914537 in __GI_abort () at abort.c:79
#2  0x00007f0273bb97e0 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007f0273bac711 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:704
#4  0x00007f0273e9ccaa in smb_panic (why=why@entry=0x7ffcf4120ed0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197
#5  0x00007f0273e9cd31 in fault_report (sig=11) at ../../lib/util/fault.c:81
#6  sig_fault (sig=11) at ../../lib/util/fault.c:92
#7  <signal handler called>
#8  0x00007f02718eeace in recycle_unlink_internal (flags=0, smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180af0) at ../../source3/modules/vfs_recycle.c:583
#9  recycle_unlinkat (handle=0x561c2b180af0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_recycle.c:741
#10 0x00007f027163f521 in streams_xattr_unlink_internal (flags=0, smb_fname=0x561c2b1a1770, dirfsp=0x561c2b19bda0, handle=0x561c2b180d70) at ../../source3/modules/vfs_streams_xattr.c:504
#11 streams_xattr_unlinkat (handle=0x561c2b180d70, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a1770, flags=0) at ../../source3/modules/vfs_streams_xattr.c:546
#12 0x00007f027160ecb5 in catia_unlinkat (handle=0x561c2b1839e0, dirfsp=0x561c2b19bda0, smb_fname=0x561c2b1a8ad0, flags=0) at ../../source3/modules/vfs_catia.c:694
#13 0x00007f0274078d20 in close_remove_share_mode (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90) at ../../source3/smbd/close.c:479
#14 close_normal_file (close_type=NORMAL_CLOSE, fsp=0x561c2b19bb90, req=0x561c2b197360) at ../../source3/smbd/close.c:804
#15 close_file (req=req@entry=0x561c2b197360, fsp=fsp@entry=0x561c2b19bb90, close_type=close_type@entry=NORMAL_CLOSE) at ../../source3/smbd/close.c:1509
#16 0x00007f02740b213b in smbd_smb2_close (req=req@entry=0x561c2b18cd80, fsp=fsp@entry=0x561c2b19bb90, in_flags=in_flags@entry=0, out_flags=0x561c2b0969b2, out_creation_ts=0x561c2b0969b8, out_last_access_ts=0x561c2b0969c8, out_last_write_ts=0x561c2b0969d8, 
    out_change_ts=0x561c2b0969e8, out_allocation_size=0x561c2b0969f8, out_end_of_file=0x561c2b096a00, out_file_attributes=0x561c2b096a08) at ../../source3/smbd/smb2_close.c:277
#17 0x00007f02740b28f2 in smbd_smb2_close_send (in_flags=<optimized out>, in_fsp=<optimized out>, smb2req=0x561c2b18cd80, ev=0x561c2b0acad0, mem_ctx=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:393
#18 smbd_smb2_request_process_close (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_close.c:72
#19 0x00007f02740a6cb0 in smbd_smb2_request_dispatch (req=req@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3400
#20 0x00007f02740a7d8d in smbd_smb2_request_dispatch_immediate (ctx=ctx@entry=0x561c2b0acad0, im=<optimized out>, im@entry=0x561c2b1a7c70, private_data=private_data@entry=0x561c2b18cd80) at ../../source3/smbd/smb2_server.c:3809
#21 0x00007f0273c2d952 in tevent_common_invoke_immediate_handler (im=0x561c2b1a7c70, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190
#22 0x00007f0273c2d97a in tevent_common_loop_immediate (ev=ev@entry=0x561c2b0acad0) at ../../lib/tevent/tevent_immediate.c:236
#23 0x00007f0273c3371c in epoll_event_loop_once (ev=0x561c2b0acad0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:918
#24 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:110
#25 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:790
#26 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent.c:913
#27 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x7f02741b3718 "../../source3/smbd/process.c:4246") at ../../lib/tevent/tevent_standard.c:141
#28 0x00007f0274094b50 in smbd_process (ev_ctx=ev_ctx@entry=0x561c2b0acad0, msg_ctx=msg_ctx@entry=0x561c2b091de0, dce_ctx=dce_ctx@entry=0x561c2b0a8590, sock_fd=sock_fd@entry=51, interactive=interactive@entry=false) at ../../source3/smbd/process.c:4246
#29 0x0000561c29f22885 in smbd_accept_connection (ev=0x561c2b0acad0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1021
#30 0x00007f0273c2d3e1 in tevent_common_invoke_fd_handler (fde=fde@entry=0x561c2b0d15e0, flags=1, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:142
#31 0x00007f0273c33947 in epoll_event_loop (tvalp=0x7ffcf4122640, epoll_ev=0x561c2b0b3aa0) at ../../lib/tevent/tevent_epoll.c:736
#32 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:937
#33 0x00007f0273c31a87 in std_event_loop_once (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:110
#34 0x00007f0273c2c824 in _tevent_loop_once (ev=ev@entry=0x561c2b0acad0, location=location@entry=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:790
#35 0x00007f0273c2cb0b in tevent_common_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent.c:913
#36 0x00007f0273c31a27 in std_event_loop_wait (ev=0x561c2b0acad0, location=0x561c29f286e0 "../../source3/smbd/server.c:1365") at ../../lib/tevent/tevent_standard.c:141
#37 0x0000561c29f1db5f in smbd_parent_loop (parent=0x561c2b0b7060, ev_ctx=0x561c2b0acad0) at ../../source3/smbd/server.c:1365
#38 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2190
```
Comment 2 Jeremy Allison 2021-10-29 20:24:51 UTC
Ah, thanks Andrew! That (smb_fname -> full_fname) was the change I was missing :-). Thanks!
Comment 3 Samba QA Contact 2021-10-30 04:35:04 UTC
This bug was referenced in samba master:

be3a47e22ad6be204f4a7d6070f82f990c17e6fb
Comment 4 Jeremy Allison 2021-11-01 17:59:40 UTC
Created attachment 16904 [details]
git-am fix for 4.15.next.

Cherry-pick from master.
Comment 5 Ralph Böhme 2021-11-18 18:41:15 UTC
Reassigning to Jule for inclusion in 4.15.
Comment 6 Jule Anger 2021-11-19 06:44:34 UTC
Pushed to autobuild-v4-15-test.
Comment 7 Samba QA Contact 2021-11-19 08:12:05 UTC
This bug was referenced in samba v4-15-test:

4d68d797f187358e6b328550999ddff5bf755df0
Comment 8 Jule Anger 2021-11-19 09:07:36 UTC
Closing out bug report.

Thanks!
Comment 9 Samba QA Contact 2021-12-08 14:57:09 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):

4d68d797f187358e6b328550999ddff5bf755df0