Bug 14900 - Regression: Samba 4.15.2 on macOS segfaults intermittently during strcpy in tdbsam_getsampwnam
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.15.2
Hardware: All Mac OS X
Importance: P5 regression
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-11 07:11 UTC by Akihiro Suda
Modified: 2022-03-15 13:26 UTC

See Also:


Attachments
samba.rb (Usage: `brew install --build-from-source ./samba.rb && brew test ./samba.rb`) (5.53 KB, text/x-ruby-script)
2021-11-11 07:11 UTC, Akihiro Suda
possible patch for testing (1.47 KB, text/plain)
2022-02-03 12:22 UTC, Volker Lendecke
Patch cherry-picked from master (1.58 KB, patch)
2022-02-14 12:13 UTC, Volker Lendecke
jra: review+

Description Akihiro Suda 2021-11-11 07:11:43 UTC
Created attachment 16989
samba.rb (Usage: `brew install --build-from-source ./samba.rb && brew test ./samba.rb`)

Samba 4.15.2 on macOS segfaults intermittently during `strcpy` in `tdbsam_getsampwnam`.

Samba 4.15.1 does not hit this issue. This seems to be a regression in 4.15.2.

> ===============================================================
> INTERNAL ERROR: Signal 11: Segmentation fault: 11 in pid 45847 (4.15.2)
> If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> ===============================================================
> PANIC (pid 45847): Signal 11: Segmentation fault: 11 in 4.15.2
> BACKTRACE: 34 stack frames:
>  #0 0   libsamba-util.0.0.1.dylib           0x000000010f4521ef log_stack_trace + 52
>  #1 1   libsamba-util.0.0.1.dylib           0x000000010f4522be smb_panic + 14
>  #2 2   libsamba-util.0.0.1.dylib           0x000000010f4524e0 BlockSignals + 0
>  #3 3   libsamba-util.0.0.1.dylib           0x000000010f452058 smb_panic_log + 0
>  #4 4   libsystem_platform.dylib            0x00007ff808c66e2d _sigtramp + 29
>  #5 5   ???                                 0x0000000000000001 0x0 + 1
>  #6 6   libsystem_platform.dylib            0x00007ff808c65008 _platform_strlcpy + 28
>  #7 7   libsystem_c.dylib                   0x00007ff808b22cd8 __strlcpy_chk + 30
>  #8 8   libsamba-passdb.0.28.0.dylib        0x000000010fdea642 tdbsam_getsampwnam + 81
>  #9 9   libsamba-passdb.0.28.0.dylib        0x000000010fde907a pdb_default_id_to_sid + 97
>  #10 10  libsamba-passdb.0.28.0.dylib        0x000000010fde6ab2 pdb_id_to_sid + 36
>  #11 11  libsamba-passdb.0.28.0.dylib        0x000000010fde20dd xid_to_sid + 326
>  #12 12  libsamba-passdb.0.28.0.dylib        0x000000010fde22c1 uid_to_sid + 43
>  #13 13  libsmbd-base-samba4.dylib           0x000000010f7e8363 posix_fget_nt_acl + 563
>  #14 14  libsmbd-base-samba4.dylib           0x000000010f7d2114 smbd_check_access_rights_fsp + 184
>  #15 15  libsmbd-base-samba4.dylib           0x000000010f7d8146 open_file_ntcreate + 2831
>  #16 16  libsmbd-base-samba4.dylib           0x000000010f7d5a5a create_file_unixpath + 3519
>  #17 17  libsmbd-base-samba4.dylib           0x000000010f7d4ace create_file_default + 580
>  #18 18  libsmbd-base-samba4.dylib           0x000000010f80efe0 smbd_smb2_request_process_create + 5461
>  #19 19  libsmbd-base-samba4.dylib           0x000000010f804d35 smbd_smb2_request_dispatch + 3339
>  #20 20  libsmbd-base-samba4.dylib           0x000000010f8083d9 smbd_smb2_connection_handler + 1387
>  #21 21  libtevent.0.11.0.dylib              0x000000010f573d9d tevent_common_invoke_fd_handler + 153
>  #22 22  libtevent.0.11.0.dylib              0x000000010f5764a4 poll_event_loop_once + 1615
>  #23 23  libtevent.0.11.0.dylib              0x000000010f57308b _tevent_loop_once + 204
>  #24 24  libtevent.0.11.0.dylib              0x000000010f5732ab tevent_common_loop_wait + 39
>  #25 25  libsmbd-base-samba4.dylib           0x000000010f7f45a8 smbd_process + 1923
>  #26 26  samba-dot-org-smbd                  0x000000010f27a4fd smbd_accept_connection + 541
>  #27 27  libtevent.0.11.0.dylib              0x000000010f573d9d tevent_common_invoke_fd_handler + 153
>  #28 28  libtevent.0.11.0.dylib              0x000000010f5764a4 poll_event_loop_once + 1615
>  #29 29  libtevent.0.11.0.dylib              0x000000010f57308b _tevent_loop_once + 204
>  #30 30  libtevent.0.11.0.dylib              0x000000010f5732ab tevent_common_loop_wait + 39
>  #31 31  samba-dot-org-smbd                  0x000000010f278c3d smbd_parent_loop + 76
>  #32 32  samba-dot-org-smbd                  0x000000010f2776d5 main + 4855
>  #33 33  dyld                                0x000000011c2e94fe start + 462
> dumping core in /private/tmp/samba-test-20211110-45828-liw7zf/samba/state/cores/smbd

Test instructions:
1. Download the attachment file `samba.rb`. This file contains the full set of configure flags and the test script.
2. Run `brew install --build-from-source ./samba.rb`
3. Run `brew test ./samba.rb` several times. On my local environment (macOS 12 Intel), 5 of 30 experiments segfaulted.

This issue was originally found in https://github.com/Homebrew/homebrew-core/pull/89142 .
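Because the crash is intermittent (5 of 30 runs in the report), it helps to run the test in a loop and count failures rather than eyeballing single runs. The harness below is an added example, not part of the bug report or of Samba: `count_failures` is a hypothetical helper that runs a command N times and counts runs that exit non-zero or print the smb_panic marker shown in the backtrace above. Running it against `brew test ./samba.rb` assumes Homebrew and the attached formula are present.

```shell
#!/bin/sh
# Added example (not from the bug report): repro harness that runs a flaky
# test command N times and counts the runs that failed, either by a
# non-zero exit status or by printing the smb_panic marker quoted above.
# Usage: count_failures '<command>' <runs>
# The command is run via 'sh -c' with ITERATION set to the run number
# (1..N), so deterministic test commands can key off it.
count_failures() {
    cmd="$1"
    runs="$2"
    fails=0
    i=0
    while [ "$i" -lt "$runs" ]; do
        i=$((i + 1))
        # Capture stdout and stderr together; the if/else keeps a failing
        # run from aborting a caller that has 'set -e' enabled.
        if out=$(ITERATION="$i" sh -c "$cmd" 2>&1); then
            rc=0
        else
            rc=$?
        fi
        # A run that exits 0 but logged a panic still counts as a failure.
        case "$out" in
            *"INTERNAL ERROR: Signal 11"*|*"PANIC (pid"*) rc=1 ;;
        esac
        [ "$rc" -ne 0 ] && fails=$((fails + 1))
    done
    echo "$fails"
}

# Stand-alone use against the reporter's procedure (needs Homebrew and the
# attached samba.rb; 30 runs matches the 5-of-30 figure in the report):
#   count_failures 'brew test ./samba.rb' 30
```

Printing only the failure count keeps the per-run output out of the way; drop the `2>&1` capture if you want to see each panic backtrace as it happens.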
Comment 1 Jeremy Allison 2021-11-11 07:29:24 UTC
Is it possible to get real line numbers from the core dump on this platform ? That would help enormously in tracking this down.
Comment 2 Akihiro Suda 2022-02-03 10:49:56 UTC
This still seems to be an issue (Samba 4.15.5).

I can't find the core, although the log says "dumping core in /private/tmp/samba-test-20211110-45828-liw7zf/samba/state/cores/smbd".

Tried `ulimit -c unlimited`, but still no success.
Comment 3 Volker Lendecke 2022-02-03 12:22:24 UTC
Created attachment 17147
possible patch for testing

Can you try the attached (completely untested!) patch?
Comment 4 Akihiro Suda 2022-02-06 10:02:08 UTC
(In reply to Volker Lendecke from comment #3)

Thank you Volker, that patch seems to work. 
Tested 30 times locally.
Comment 5 Samba QA Contact 2022-02-11 21:54:04 UTC
This bug was referenced in samba master:

929ccd3d1afb864ea715fa4d3d8af8f997e5d2aa
Comment 6 Volker Lendecke 2022-02-14 12:13:11 UTC
Created attachment 17165
Patch cherry-picked from master
Comment 7 Jeremy Allison 2022-02-14 18:34:26 UTC
Comment on attachment 17165
Patch cherry-picked from master

Applied cleanly to 4.16.rcNext, 4.15.next.
Comment 8 Jeremy Allison 2022-02-14 18:34:49 UTC
Re-assigning to Jule for inclusion in 4.16.rcNext, 4.15.next.
Comment 9 Samba QA Contact 2022-02-14 22:19:04 UTC
This bug was referenced in samba v4-16-test:

1bbb3677ae5b95ea12bf9037b3a74725452382dc
Comment 10 Jule Anger 2022-02-15 07:55:14 UTC
Also pushed to autobuild-v4-15-test.
Comment 11 Samba QA Contact 2022-02-15 07:55:37 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc3):

1bbb3677ae5b95ea12bf9037b3a74725452382dc
Comment 12 Samba QA Contact 2022-02-15 08:58:04 UTC
This bug was referenced in samba v4-15-test:

3bb0efcdded566e9788479e2b903adbf22af49fb
Comment 13 Jule Anger 2022-02-15 09:01:31 UTC
Closing out bug report.

Thanks!
Comment 14 Samba QA Contact 2022-03-15 13:26:28 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

3bb0efcdded566e9788479e2b903adbf22af49fb