Bug 15118 - Crash in rpcd_classic - NULL pointer dereference in mangle_is_mangled()
Summary: Crash in rpcd_classic - NULL pointer dereference in mangle_is_mangled()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.16.2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-08 11:55 UTC by Pavel Filipenský
Modified: 2022-07-18 11:19 UTC
CC List: 6 users

See Also:


Attachments
Potential patch (1.69 KB, patch)
2022-07-08 12:16 UTC, Volker Lendecke
no flags
patch for v4-16 (2.03 KB, patch)
2022-07-13 12:47 UTC, Pavel Filipenský
vl: review+

Description Pavel Filipenský 2022-07-08 11:55:24 UTC
mangle_fns is NULL and accessing it causes this panic in mangle_is_mangled():

    Program received signal SIGSEGV, Segmentation fault.
    0x00007f3c0dbdf57e in mangle_is_mangled (s=0x55b02fad9ec0 "pointA", p=0x55b02fad0bc0) at ../../source3/smbd/mangle.c:86
    86              return mangle_fns->is_mangled(s, p);
    (gdb) bt
    #0  0x00007f3c0dbdf57e in mangle_is_mangled (s=0x55b02fad9ec0 "pointA", p=0x55b02fad0bc0) at ../../source3/smbd/mangle.c:86
    #1  0x00007f3c0db7b7fe in unix_convert (mem_ctx=<optimized out>, conn=<optimized out>, orig_path=<optimized out>, twrp=<optimized out>, smb_fname_out=0x7ffe9f0df3b0, ucf_flags=<optimized out>) at ../../source3/smbd/filename.c:1307
    #2  0x00007f3c0dbaada2 in dfs_path_lookup (ctx=ctx@entry=0x55b02faceaa0, conn=conn@entry=0x55b02fa9b6d0, dfspath=dfspath@entry=0x55b02fa9f060 "\\\\localhost\\samba-share\\pointA", pdp=pdp@entry=0x55b02facc710,
        ucf_flags=ucf_flags@entry=0, _twrp=_twrp@entry=0x0, consumedcntp=0x7ffe9f0df4f4, ppreflist=0x55b02faaede0, preferral_count=0x55b02faaedd8) at ../../source3/smbd/msdfs.c:714
    #3  0x00007f3c0dbab871 in get_referred_path (ctx=ctx@entry=0x55b02faceaa0, session_info=session_info@entry=0x55b02fac0a80, dfs_path=0x55b02fa9f060 "\\\\localhost\\samba-share\\pointA", remote_address=remote_address@entry=0x55b02fa9ec00,
        local_address=local_address@entry=0x55b02fad0710, allow_broken_path=allow_broken_path@entry=true, jucn=0x55b02faaedc0, consumedcntp=0x7ffe9f0df4f4, self_referralp=0x7ffe9f0df4f3) at ../../source3/smbd/msdfs.c:1174
    #4  0x000055b02e41c4a4 in _dfs_GetInfo (p=p@entry=0x55b02fad3b48, r=r@entry=0x55b02fac15d0) at ../../source3/rpc_server/dfs/srv_dfs_nt.c:415
    #5  0x000055b02e41cbca in netdfs__op_dispatch_internal (dce_call=0x55b02fad7000, mem_ctx=<optimized out>, r=0x55b02fac15d0, dispatch=S3COMPAT_RPC_DISPATCH_EXTERNAL) at ./librpc/gen_ndr/ndr_dfs_scompat.c:136
    #6  0x00007f3c0e0e5ff0 in dcesrv_request (call=0x55b02fad7000) at ../../librpc/rpc/dcesrv_core.c:1957


Reproducible by:

    $ make -j8 testenv SELFTEST_TESTENV=fileserver:local SCREEN=1
    $ ln -s 'msdfs:\\\\localhost\\dropbox' st/fileserver/share/msdfsshare/pointA
    $ bin/rpcclient $SERVER_IP -U% -c 'dfsgetinfo \\\\localhost\\msdfs-share localhost pointA'


Patch will follow.
Comment 1 Andreas Schneider 2022-07-08 11:59:35 UTC
According to a user on the Samba mailing list, this also happens in rpcd_spoolss:

  Stack trace of thread 128214:
#0  0x00007ff4f4560a9f raise (libc.so.6)
#1  0x00007ff4f4533e05 abort (libc.so.6)
#2  0x00007ff4f93265e9 dump_core (libsmbconf-sernet-samba.so)
#3  0x00007ff4f933371f smb_panic_s3 (libsmbconf-sernet-samba.so)
#4  0x00007ff4f8c4f658 smb_panic (libsamba-util-sernet-samba.so)
#5  0x00007ff4f8c4f6e0 sig_fault (libsamba-util-sernet-samba.so)
#6  0x00007ff4f48e9ce0 __restore_rt (libpthread.so.0)
#7  0x00007ff4f789e7a9 mangle_is_mangled (libsmbd-base-sernet-samba.so)
#8  0x00007ff4f7832403 unix_convert (libsmbd-base-sernet-samba.so)
#9  0x0000559d1517bdd1 driver_unix_convert (rpcd_spoolss)
#10 0x0000559d1517cd6c move_driver_file_to_download_area (rpcd_spoolss)
#11 0x0000559d1517f02a move_driver_to_download_area (rpcd_spoolss)
#12 0x0000559d151a6f46 _spoolss_AddPrinterDriverEx (rpcd_spoolss)
#13 0x0000559d151ad5cd spoolss__op_dispatch_internal (rpcd_spoolss)
#14 0x0000559d151adf16 spoolss__op_dispatch (rpcd_spoolss)
#15 0x00007ff4f90d3971 dcesrv_loop_next_packet (libdcerpc-server-core-sernet-samba.so)
#16 0x00007ff4f90d3ff3 dcesrv_read_fragment_done (libdcerpc-server-core-sernet-samba.so)
#17 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#18 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#19 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#20 0x00007ff4f613f9c0 dcerpc_read_ncacn_packet_done (libdcerpc-binding-sernet-samba.so)
#21 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#22 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#23 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#24 0x00007ff4f8eb98b7 tstream_readv_pdu_ask_for_next_vector (libsamba-sockets-sernet-samba.so)
#25 0x00007ff4f8eb9a0c tstream_readv_pdu_readv_done (libsamba-sockets-sernet-samba.so)
#26 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#27 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#28 0x00007ff4fa1f1baf _tevent_req_done (libtevent-sernet-samba.so)
#29 0x00007ff4f8eb894d tstream_readv_done (libsamba-sockets-sernet-samba.so)
#30 0x00007ff4fa1f1aeb _tevent_req_notify_callback (libtevent-sernet-samba.so)
#31 0x00007ff4fa1f1b93 tevent_req_finish (libtevent-sernet-samba.so)
#32 0x00007ff4fa1f1c3e tevent_req_trigger (libtevent-sernet-samba.so)
#33 0x00007ff4fa1f1383 tevent_common_invoke_immediate_handler (libtevent-sernet-samba.so)
#34 0x00007ff4fa1f13a7 tevent_common_loop_immediate (libtevent-sernet-samba.so)
#35 0x00007ff4fa1f7294 epoll_event_loop_once (libtevent-sernet-samba.so)
#36 0x00007ff4fa1f518f std_event_loop_once (libtevent-sernet-samba.so)
#37 0x00007ff4fa1f0486 _tevent_loop_once (libtevent-sernet-samba.so)
#38 0x00007ff4f8837ff0 rpc_worker_main (libRPC-WORKER-sernet-samba.so)
#39 0x0000559d1518e3ec main (rpcd_spoolss)
#40 0x00007ff4f454ccf3 __libc_start_main (libc.so.6)
#41 0x0000559d15172bbe _start (rpcd_spoolss)
Comment 2 Volker Lendecke 2022-07-08 12:16:47 UTC
Created attachment 17412
Potential patch

Does this help?
Comment 3 Pavel Filipenský 2022-07-08 12:23:15 UTC
Yep. That works. I am evaluating if we need more:

mangle_reset_cache();
reset_stat_cache();
flush_dfree_cache();

Any comments?
Comment 4 Volker Lendecke 2022-07-12 07:49:50 UTC
(In reply to Pavel Filipenský from comment #3)
> Yep. That works. I am evaluating if we need more:
> 
> mangle_reset_cache();
> reset_stat_cache();
> flush_dfree_cache();
> 
> Any comments?

No, I don't think those are required. mangle_reset_cache() is a bad function name for initializing those pointers, but that's what it is.
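The failure mode the report and comment 4 describe, as an added C example that is not Samba code: a backend function-pointer table (mangle_fns) that stays NULL until an initialiser has run (mangle_reset_cache() in Samba, whose name hides that role), an accessor with the shape of the pre-fix mangle_is_mangled() that dereferences the table unconditionally, and a guarded variant that reports the uninitialised state instead of faulting. The struct layout, the result codes, the hash2 stand-in that treats a '~' in the base name as the 8.3 mangling marker, and worker_lookup() are assumptions for illustration, not Samba's implementation.

```c
/*
 * Added illustration, not Samba source: a function-pointer table that is
 * NULL until an initialiser with a misleading name has run.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result codes for the guarded accessor (assumption for this example). */
enum {
	MANGLE_UNINITIALISED = -1,	/* table never installed: the bug's state */
	MANGLE_NOT_MANGLED = 0,
	MANGLE_MANGLED = 1
};

struct mangle_fns {
	bool (*is_mangled)(const char *name);
};

/*
 * Stand-in backend (assumption): treat a '~' in the base name as the
 * 8.3 mangling marker. Samba's real hash2 backend is stricter.
 */
static bool hash2_is_mangled(const char *name)
{
	const char *dot = strchr(name, '.');
	size_t base_len = dot != NULL ? (size_t)(dot - name) : strlen(name);

	return memchr(name, '~', base_len) != NULL;
}

static const struct mangle_fns hash2_fns = {
	.is_mangled = hash2_is_mangled,
};

/* The global behind the crash: stays NULL until mangle_reset_cache() runs. */
static const struct mangle_fns *mangle_fns = NULL;

/* Despite the name, this is what installs the table (comment 4). */
void mangle_reset_cache(void)
{
	mangle_fns = &hash2_fns;
}

/* Cheap start-up self-check: has the initialiser been called in this process? */
bool mangle_fns_installed(void)
{
	return mangle_fns != NULL;
}

/*
 * Shape of the pre-fix accessor: no NULL check, so a process that skipped
 * the initialiser faults here, like frame #0 of the reported trace.
 * Kept for comparison only; never call it before mangle_reset_cache().
 */
bool mangle_is_mangled_unguarded(const char *name)
{
	return mangle_fns->is_mangled(name);
}

/* Guarded variant: reports the missing table instead of dereferencing it. */
int mangle_is_mangled_checked(const char *name)
{
	if (mangle_fns == NULL) {
		return MANGLE_UNINITIALISED;
	}
	return mangle_fns->is_mangled(name) ? MANGLE_MANGLED : MANGLE_NOT_MANGLED;
}

/*
 * Simulates one RPC worker process (assumption for the example): fresh
 * global state, optional initialisation, then a path lookup of the kind
 * _dfs_GetInfo() or _spoolss_AddPrinterDriverEx() triggers via unix_convert().
 */
int worker_lookup(const char *path, bool call_initialiser)
{
	mangle_fns = NULL;
	if (call_initialiser) {
		mangle_reset_cache();
	}
	return mangle_is_mangled_checked(path);
}
```

A worker that forgets the initialiser gets MANGLE_UNINITIALISED back from the guarded accessor instead of a SIGSEGV; the fix discussed in this thread approaches the same problem from the other side, by making sure the initialiser runs in the RPC worker before the first lookup. Both together (initialise at start-up, and refuse rather than dereference when that did not happen) are what a reviewer would want for a table that is otherwise only populated by a function whose name does not say so.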
Comment 5 Christian Naumer 2022-07-12 07:50:24 UTC
I am the user who reported the crash in rpcd_spoolss. We are using the Sernet packages on Rocky Linux. So I cannot test the patch.
Comment 6 Samba QA Contact 2022-07-12 13:34:03 UTC
This bug was referenced in samba master:

11d3d2aeac599ebbedd5332c5520465970319448
Comment 7 Pavel Filipenský 2022-07-13 12:47:42 UTC
Created attachment 17417
patch for v4-16
Comment 8 Jule Anger 2022-07-18 07:46:29 UTC
Pushed to autobuild-v4-16-test.
Comment 9 Samba QA Contact 2022-07-18 09:41:28 UTC
This bug was referenced in samba v4-16-test:

c5569b4f7a5a93da1fdeaba50a3ac6771200de62
Comment 10 Jule Anger 2022-07-18 11:03:13 UTC
Closing out bug report.

Thanks!
Comment 11 Samba QA Contact 2022-07-18 11:19:30 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.3):

c5569b4f7a5a93da1fdeaba50a3ac6771200de62