Bug 15271 - rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer
Summary: rep_listxattr on FreeBSD does not properly check for reads off end of returne...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.17.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-27 15:51 UTC by Andrew Walker
Modified: 2023-02-16 16:38 UTC

See Also:


Attachments
git-am fix for 4.17.next, 4.16.next. (1.86 KB, patch)
2023-01-10 21:27 UTC, Jeremy Allison
slow: review+
jra: review? (awalker)

Description Andrew Walker 2022-12-27 15:51:29 UTC
I wasn't able to obtain a corefile from the end-user, but saw the following in his smbd log:

```
2022/12/25 15:38:18.037892,  0] ../../lib/util/fault.c:184(smb_panic_log)
  PANIC (pid 17385): Signal 11: Segmentation fault in 4.15.11
[2022/12/25 15:38:18.043928,  0] ../../lib/util/fault.c:288(log_stack_trace)
  BACKTRACE: 10 stack frames:
   #0 0x8014ab8c7 <log_stack_trace+0x37> at /usr/local/lib/samba4/libsamba-util.so.0
   #1 0x8014ab9a1 <smb_panic+0x11> at /usr/local/lib/samba4/libsamba-util.so.0
   #2 0x8014ab719 <fault_setup+0xa9> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80193b6d0 <pthread_sigmask+0x540> at /lib/libthr.so.3
   #4 0x80193ac8f <pthread_setschedparam+0x82f> at /lib/libthr.so.3
   #5 0x7ffffffff8a3 <???> at ???
   #6 0x804ce91e5 <memset+0xd5> at /lib/libc.so.7
   #7 0x804d5aaae <strncpy+0x3e> at /lib/libc.so.7
   #8 0x80519fd7c <rep_listxattr+0x1fc> at /usr/local/lib/samba4/private/libreplace-samba4.so
   #9 0x801b985c4 <vfs_default_init+0x8a34> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
```

This caused me to look into the rep_listxattr implementation on FreeBSD, and I noticed there isn't handling for the case where FreeBSD returns a truncated xattr list.

In the case of a truncated xattr list, the pascal string will still reference the full length of the xattr name, but it will not be included in the returned buffer. This somewhat less than felicitously encourages consumers to accidentally read off the end of the array.

The fix is fairly trivial. Filing a bug ticket to get a number to then make a GitLab merge request.
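As an added example (not Samba's rep_listxattr and not the attached fix), the conversion the report describes, from FreeBSD's length-prefixed extattr name list to the NUL-separated list that listxattr callers expect, written so that a length byte pointing past the bytes actually returned is rejected instead of copied; the function name and the two sample lists are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Convert a FreeBSD-style list (1-byte length, then that many name
 * bytes, no NUL) of `in_len` valid bytes into NUL-terminated names in
 * `out`. Returns bytes written, or -1 with errno set when an entry's
 * length byte runs past `in_len` (a truncated list) or `out` is full. */
ssize_t freebsd_attrlist_to_nul_list(const unsigned char *in, size_t in_len,
                                     char *out, size_t out_len)
{
    size_t ipos = 0, opos = 0;

    while (ipos < in_len) {
        size_t name_len = in[ipos++];   /* pascal-style length byte */

        /* The check the report is about: on a truncated list the length
         * byte still says the full length, but the name bytes are not
         * there, so copying blindly reads off the end of `in`. */
        if (name_len > in_len - ipos) {
            errno = EINVAL;
            return -1;
        }
        if (name_len + 1 > out_len - opos) {   /* room for name + NUL */
            errno = ERANGE;
            return -1;
        }
        memcpy(out + opos, in + ipos, name_len);
        out[opos + name_len] = '\0';
        ipos += name_len;
        opos += name_len + 1;
    }
    return (ssize_t)opos;
}

/* Constructed samples: a complete list ("DOSATTRIB", "x") and the same
 * list cut short so the last length byte (4) exceeds the 2 bytes left. */
static const unsigned char sample_ok[] =
    { 9, 'D','O','S','A','T','T','R','I','B', 1, 'x' };
static const unsigned char sample_truncated[] =
    { 9, 'D','O','S','A','T','T','R','I','B', 4, 'u','s' };

/* Helpers returning checkable results instead of printing them. */
int demo_ok_converts(void) {
    char out[64];
    ssize_t n = freebsd_attrlist_to_nul_list(sample_ok, sizeof sample_ok, out, sizeof out);
    return n == 12 && memcmp(out, "DOSATTRIB\0x\0", 12) == 0;
}
int demo_truncated_rejected(void) {
    char out[64];
    ssize_t n = freebsd_attrlist_to_nul_list(sample_truncated, sizeof sample_truncated, out, sizeof out);
    return n == -1 && errno == EINVAL;
}
```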
Comment 2 Samba QA Contact 2023-01-02 14:28:11 UTC
This bug was referenced in samba master:

01cdc5e00be78a51f0766634cc7fe50de2088203
Comment 3 Jeremy Allison 2023-01-10 21:27:17 UTC
Created attachment 17723
git-am fix for 4.17.next, 4.16.next.
Comment 4 Jeremy Allison 2023-01-10 21:27:51 UTC
Comment on attachment 17723
git-am fix for 4.17.next, 4.16.next.

Cherry-picked from master.
Comment 5 Ralph Böhme 2023-01-13 18:31:14 UTC
Reassigning to Jule for inclusion in 4.16 and 4.17.
Comment 6 Jule Anger 2023-01-23 09:27:44 UTC
Pushed to autobuild-v4-{17,16}-test.
Comment 7 Samba QA Contact 2023-01-23 10:28:12 UTC
This bug was referenced in samba v4-17-test:

85331e00b6f41171c239fec0593b0c1ca133e9a6
Comment 8 Samba QA Contact 2023-01-23 11:00:39 UTC
This bug was referenced in samba v4-16-test:

eddd14cedbf6cc0a8c32f0e00e138c94aa941541
Comment 9 Jule Anger 2023-01-23 11:49:25 UTC
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2023-01-26 17:52:06 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

85331e00b6f41171c239fec0593b0c1ca133e9a6
Comment 11 Samba QA Contact 2023-02-16 16:38:45 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.9):

eddd14cedbf6cc0a8c32f0e00e138c94aa941541