Bug 15078 - samba-tool domain join segfault when joining a samba ad domain
Summary: samba-tool domain join segfault when joining a samba ad domain
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.16.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-05-25 09:13 UTC by Michael Tokarev
Modified: 2022-09-28 15:40 UTC (History)
3 users (show)

See Also:

4.16 patch (3.80 KB, patch)
2022-08-05 03:40 UTC, Douglas Bagnall
asn: review+
4.15 backport patch (3.80 KB, patch)
2022-08-05 03:43 UTC, Douglas Bagnall
asn: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Tokarev 2022-05-25 09:13:28 UTC
There's a segfault possible in samba-tool domain join|leave due to incorrect usage of "p" attribute of PyArg_ParseTupleAndKeywords() function.

$ samba-tool domain join $DOMAIN MEMBER -U $USERNAME
BACKTRACE: 36 stack frames:
 #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x30) [0x7ffff70510f0]
 #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x9) [0x7ffff7051339]
 #2 /lib/x86_64-linux-gnu/libsamba-util.so.0(+0xf3d1) [0x7ffff70513d1]
 #3 /lib/x86_64-linux-gnu/libpthread.so.0(+0x14140) [0x7ffff7fad140]
 #4 /usr/lib/python3/dist-packages/samba/net_s3.cpython-39-x86_64-linux-gnu.so(+0x7558) [0x7ffff221c558]
 #5 /usr/bin/python3() [0x53f350]
 #6 /usr/bin/python3(_PyObject_MakeTpCall+0x39b) [0x51d89b]
 #7 /usr/bin/python3(_PyEval_EvalFrameDefault+0x5f7f) [0x517a0f]
 #8 /usr/bin/python3() [0x5106ed]
 #9 /usr/bin/python3(_PyFunction_Vectorcall+0x361) [0x528d21]
 #10 /usr/bin/python3() [0x53bcfb]
 #11 /usr/bin/python3(PyObject_Call+0xc1) [0x53c361]
 #12 /usr/bin/python3(_PyEval_EvalFrameDefault+0x23fb) [0x513e8b]
 #13 /usr/bin/python3() [0x5106ed]
 #14 /usr/bin/python3(_PyFunction_Vectorcall+0x361) [0x528d21]
 #15 /usr/bin/python3() [0x53be7e]
 #16 /usr/bin/python3(_PyEval_EvalFrameDefault+0x23fb) [0x513e8b]
 #17 /usr/bin/python3() [0x5106ed]
 #18 /usr/bin/python3(_PyFunction_Vectorcall+0x361) [0x528d21]
 #19 /usr/bin/python3() [0x53be7e]
 #20 /usr/bin/python3(_PyEval_EvalFrameDefault+0x23fb) [0x513e8b]
 #21 /usr/bin/python3() [0x5106ed]
 #22 /usr/bin/python3(_PyFunction_Vectorcall+0x361) [0x528d21]
 #23 /usr/bin/python3() [0x53be7e]
 #24 /usr/bin/python3(_PyEval_EvalFrameDefault+0x23fb) [0x513e8b]
 #25 /usr/bin/python3() [0x5106ed]
 #26 /usr/bin/python3(_PyEval_EvalCodeWithName+0x47) [0x510497]
 #27 /usr/bin/python3(PyEval_EvalCode+0x23) [0x5f5be3]
 #28 /usr/bin/python3() [0x619de7]
 #29 /usr/bin/python3() [0x615610]
 #30 /usr/bin/python3() [0x619d79]
 #31 /usr/bin/python3(PyRun_SimpleFileExFlags+0x196) [0x619816]
 #32 /usr/bin/python3(Py_RunMain+0x2b3) [0x60d4e3]
 #33 /usr/bin/python3(Py_BytesMain+0x29) [0x5ea6e9]
 #34 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xea) [0x7ffff7c5dd0a]
 #35 /usr/bin/python3(_start+0x2a) [0x5ea5ea]

(it doesn't even ask for a password for the $USERNAME).  This happens in py_net_join_member() and depends on the stack layout (so it is dependent on the compiler used and on the endianness of the code).

In my testcase (x86-64 arch, gcc-9, debian stable "bullseye" environment), compiler puts struct libnet_JoinCtx *r variable right on the next address after uint8_t no_dns_updates variable.  And this variable (no_dns_updates) is used as an argument for PyArg_ParseTupleAndKeywords(), in place of "p" parameter, - which, according to the python documentation, expects parameter of type int.  So after PyArg_ParseTupleAndKeywords() return, r variable becomes NULL, and next we immediately see a segfault because when trying to access various members of the structure pointed to by r.

The same issue happens with other similar usages of this "p" argument in this file - there are 4 of them, but unfortunately, in other places the result isn't an immediate crash but garbage in other variables which may or may not be okay, again, depending on the memory layout.

Even this very place actually does not crash on debian testing "bookworm" system with gcc-12 and a different python version, - but again, this is not because the bug does not exist but because it garbles other data in some other way.

This is fixed by the upstream commit 976326fa2b6423ac5866af682605cf7584e4991a
Comment 1 Andrew Bartlett 2022-05-25 11:40:21 UTC
Reopening for a backport to 4.16 and 4.15
Comment 2 Douglas Bagnall 2022-08-05 03:40:51 UTC
Created attachment 17461 [details]
4.16 patch
Comment 3 Douglas Bagnall 2022-08-05 03:43:12 UTC
Created attachment 17462 [details]
4.15 backport patch

The 4.15 patch is a little bit tricky, because one of the variables wasn't there. Please review carefully.
Comment 4 Andreas Schneider 2022-08-05 07:00:21 UTC
Jule, can you please apply the patches to the corresponding branches? Thanks!
Comment 5 Jule Anger 2022-08-08 09:31:45 UTC
Pushed to autobuild-v4-{16,15}-test.
Comment 6 Samba QA Contact 2022-08-08 10:33:03 UTC
This bug was referenced in samba v4-16-test:

Comment 7 Samba QA Contact 2022-08-15 09:19:03 UTC
This bug was referenced in samba v4-15-test:

Comment 8 Jule Anger 2022-08-15 09:37:35 UTC
Closing out bug report.

Comment 9 Samba QA Contact 2022-09-07 19:01:53 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.5):

Comment 10 Samba QA Contact 2022-09-28 15:40:43 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.10):