Bug 15283 - vfs_virusfilter segfault on access, directory edgecase (accessing NULL value)
Summary: vfs_virusfilter segfault on access, directory edgecase (accessing NULL value)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.17.4
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-12 00:14 UTC by p.assmann
Modified: 2023-01-26 17:52 UTC (History)
1 user (show)

See Also:

Attachments
GDB Backtrace (5.76 KB, text/x-log)
2023-01-12 00:14 UTC, p.assmann 		no flags Details
Patch for 4.17 (5.55 KB, patch)
2023-01-13 08:48 UTC, Volker Lendecke 		jra: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description p.assmann 2023-01-12 00:14:13 UTC 
Created attachment 17725 [details]
GDB Backtrace

vfs_virusfilter does not work at all in latest version, segfaults due to NULL access.

(from Jeremy Allison)
The error is occurring due to this code in openat_pathref_dirfsp_nosymlink().

1055         if (dirfsp != conn->cwd_fsp) {
1056                 dirfsp->fsp_name = NULL;
1057                 SMB_ASSERT(fsp_get_pathref_fd(dirfsp) != -1);
1058                 fd_close(dirfsp);
1059                 file_free(NULL, dirfsp);
1060                 dirfsp = NULL;
1061         }

Note line 1056 which sets dirfsp->fsp_name = NULL.

Then inside virusfilter_vfs_close() we have:

1412 static int virusfilter_vfs_close(
1413         struct vfs_handle_struct *handle,
1414         files_struct *fsp)
1415 {
1416         /*
1417          * The name of this variable is for consistency. If API changes to
1418          * match _open change to cwd_fname as in virusfilter_vfs_open.
1419          */
1420         const char *cwd_fname = handle->conn->connectpath;
1421
1422         struct virusfilter_config *config = NULL;
1423         char *fname = fsp->fsp_name->base_name;
1424         int close_result = -1;
1425         int close_errno = 0;
1426         virusfilter_result scan_result;
1427         int scan_errno = 0;
1428
1429         SMB_VFS_HANDLE_GET_DATA(handle, config,
1430                                 struct virusfilter_config, return -1);

Note line 1423:  char *fname = fsp->fsp_name->base_name;

As we've just set fsp_name == NULL in the caller, we crash
here.

Jeremy proposed the following patch to fix this:

-------------------------------------------------
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 124b4091c1b..8df7d98b9e0 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -1420,7 +1420,7 @@ static int virusfilter_vfs_close(
         const char *cwd_fname = handle->conn->connectpath;
 
         struct virusfilter_config *config = NULL;
-       char *fname = fsp->fsp_name->base_name;
+       char *fname = NULL;
         int close_result = -1;
         int close_errno = 0;
         virusfilter_result scan_result;
@@ -1439,6 +1439,13 @@ static int virusfilter_vfs_close(
                 close_errno = errno;
         }
 
+       if (fsp->fsp_flags.is_directory) {
+               DBG_INFO("Not scanned: Directory: %s/\n", cwd_fname);
+               return close_result;
+       }
+
+       fname = fsp->fsp_name->base_name;
+
         /*
          * Return immediately if close_result == -1, and close_errno == EBADF.
          * If close failed, file likely doesn't exist, do not try to scan.
@@ -1453,11 +1460,6 @@ static int virusfilter_vfs_close(
                 goto virusfilter_vfs_close_fail;
         }
 
-       if (fsp->fsp_flags.is_directory) {
-               DBG_INFO("Not scanned: Directory: %s/\n", cwd_fname);
-               return close_result;
-       }
-
         if (fsp_is_alternate_stream(fsp)) {
                 if (config->scan_on_open && fsp->fsp_flags.modified) {
                         if (config->cache) {
-------------------------------------------------

After  manually  applying the patch, I confirm that vfs_virusfilter is working again, scanning and removing an eicar testfile works
Comment 1 Samba QA Contact 2023-01-13 08:34:04 UTC 
This bug was referenced in samba master:

c844bff3eca336547c6cedfeeb03adda4eed57c6
3d3d01cda8d3a6d0d18d1b808aa9414e71d56062
Comment 2 Volker Lendecke 2023-01-13 08:48:47 UTC 
Created attachment 17735 [details]
Patch for 4.17
Comment 3 Jeremy Allison 2023-01-13 18:24:39 UTC 
Re-assigning to Jule for inclusion in 4.17.next.
Comment 4 Jule Anger 2023-01-16 09:40:30 UTC 
Pushed to autobuild-v4-17-test.
Comment 5 Samba QA Contact 2023-01-16 10:50:35 UTC 
This bug was referenced in samba v4-17-test:

669da62d636d8e2dada61e096b33b91dde6c9eeb
34a9084044814868a2a8d7deca9b3c8df1767abd
Comment 6 Jule Anger 2023-01-16 11:59:24 UTC 
Closing out bug report.

Thanks!
Comment 7 Samba QA Contact 2023-01-26 17:52:55 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

669da62d636d8e2dada61e096b33b91dde6c9eeb
34a9084044814868a2a8d7deca9b3c8df1767abd