Bug 15271 - rep_listxattr on FreeBSD does not properly check for reads off end of returned buffer
Summary: rep_listxattr on FreeBSD does not properly check for reads off end of returne...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.17.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-27 15:51 UTC by Andrew Walker
Modified: 2023-01-26 17:52 UTC (History)
2 users (show)

See Also:


Attachments
git-am fix for 4.17.next, 4.16.next. (1.86 KB, patch)
2023-01-10 21:27 UTC, Jeremy Allison
slow: review+
jra: review? (awalker)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Walker 2022-12-27 15:51:29 UTC
I wasn't able to obtain corefile from end-user, but saw in his smbd log following:

```
2022/12/25 15:38:18.037892,  0] ../../lib/util/fault.c:184(smb_panic_log)
  PANIC (pid 17385): Signal 11: Segmentation fault in 4.15.11
[2022/12/25 15:38:18.043928,  0] ../../lib/util/fault.c:288(log_stack_trace)
  BACKTRACE: 10 stack frames:
   #0 0x8014ab8c7 <log_stack_trace+0x37> at /usr/local/lib/samba4/libsamba-util.so.0
   #1 0x8014ab9a1 <smb_panic+0x11> at /usr/local/lib/samba4/libsamba-util.so.0
   #2 0x8014ab719 <fault_setup+0xa9> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80193b6d0 <pthread_sigmask+0x540> at /lib/libthr.so.3
   #4 0x80193ac8f <pthread_setschedparam+0x82f> at /lib/libthr.so.3
   #5 0x7ffffffff8a3 <???> at ???
   #6 0x804ce91e5 <memset+0xd5> at /lib/libc.so.7
   #7 0x804d5aaae <strncpy+0x3e> at /lib/libc.so.7
   #8 0x80519fd7c <rep_listxattr+0x1fc> at /usr/local/lib/samba4/private/libreplace-samba4.so
   #9 0x801b985c4 <vfs_default_init+0x8a34> at /usr/local/lib/samba4/private/libsmbd-base-samba4.so
```

Which caused me to look into rep_listxattr implementation on FreeBSD and I noticed there isn't handling for case where FreeBSD returns a truncated xattr list.

In case of truncated xattr list, the pascal string will still reference the full length of the xattr name, but it will not be included in the returned buffer. This somewhat less than felicitously encourages consumers to accidentally read off the end of the array.

Fix is fairly trivial. Filing bug ticket to get number to then make gitlab merge request.
Comment 2 Samba QA Contact 2023-01-02 14:28:11 UTC
This bug was referenced in samba master:

01cdc5e00be78a51f0766634cc7fe50de2088203
Comment 3 Jeremy Allison 2023-01-10 21:27:17 UTC
Created attachment 17723 [details]
git-am fix for 4.17.next, 4.16.next.
Comment 4 Jeremy Allison 2023-01-10 21:27:51 UTC
Comment on attachment 17723 [details]
git-am fix for 4.17.next, 4.16.next.

Cherry-picked from master.
Comment 5 Ralph Böhme 2023-01-13 18:31:14 UTC
Reassigning to Jule for inclusion in 4.16 and 4.17.
Comment 6 Jule Anger 2023-01-23 09:27:44 UTC
Pushed to autobuild-v4-{17,16}-test.
Comment 7 Samba QA Contact 2023-01-23 10:28:12 UTC
This bug was referenced in samba v4-17-test:

85331e00b6f41171c239fec0593b0c1ca133e9a6
Comment 8 Samba QA Contact 2023-01-23 11:00:39 UTC
This bug was referenced in samba v4-16-test:

eddd14cedbf6cc0a8c32f0e00e138c94aa941541
Comment 9 Jule Anger 2023-01-23 11:49:25 UTC
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2023-01-26 17:52:06 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

85331e00b6f41171c239fec0593b0c1ca133e9a6