Bug 15293 - with clustering enabled samba-bgqd can core dump due to use after free
Summary: with clustering enabled samba-bgqd can core dump due to use after free
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-26 10:14 UTC by Noel Power
Modified: 2023-03-09 09:21 UTC
CC List: 1 user

See Also:


Attachments
patch for v4.17 & v4.18 (same patch applies to both) (4.97 KB, patch)
2023-01-26 19:52 UTC, Noel Power
slow: review+

Description Noel Power 2023-01-26 10:14:35 UTC
Comment 2 Noel Power 2023-01-26 10:16:11 UTC
In a cluster setup, the samba-bgqd async callback
cups_pcap_load_async can access a messaging_ctdb_fde_ev associated
with an already destructed global_ctdb_ctx_destructor.

==26053== Invalid read of size 8
==26053==    at 0x71692E1: messaging_ctdb_fde_ev_destructor (messages_ctdb.c:181)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x4056BCA: tevent_req_received (tevent_req.c:301)
==26053==    by 0x405673D: tevent_req_destructor (tevent_req.c:135)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x1384EF: cups_pcap_load_async (print_cups.c:507)
==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
==26053==    by 0x122AD6: main (samba-bgqd.c:316)
==26053==  Address 0xed64d48 is 120 bytes inside a block of size 128 free'd
==26053==    at 0x4C370EB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26053==    by 0x40B25E1: _tc_free_internal (talloc.c:1222)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x71691F6: messaging_ctdb_destroy (messages_ctdb.c:141)
==26053==    by 0x7169C21: msg_ctdb_ref_destructor (messages_ctdb_ref.c:142)
==26053==    by 0x40B2309: _tc_free_internal (talloc.c:1158)
==26053==    by 0x40B3539: _tc_free_children_internal (talloc.c:1669)
==26053==    by 0x40B24C4: _tc_free_internal (talloc.c:1184)
==26053==    by 0x40B2685: _talloc_free_internal (talloc.c:1248)
==26053==    by 0x40B3963: _talloc_free (talloc.c:1792)
==26053==    by 0x4157380: messaging_reinit (messages.c:646)
==26053==    by 0x416C01E: reinit_after_fork (util.c:488)
==26053==    by 0x13844C: cups_pcap_load_async (print_cups.c:498)
==26053==    by 0x13894B: cups_cache_reload (print_cups.c:602)
==26053==    by 0x1373AE: pcap_cache_reload (pcap.c:140)
==26053==    by 0x1369D2: register_printing_bq_handlers (queue_process.c:323)
==26053==    by 0x122AD6: main (samba-bgqd.c:316)
==26053==  Block was alloc'd at
==26053==    at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==26053==    by 0x40B1989: __talloc_with_prefix (talloc.c:783)
==26053==    by 0x40B1B23: __talloc (talloc.c:825)
==26053==    by 0x40B1ECC: _talloc_named_const (talloc.c:982)
==26053==    by 0x40B49C3: _talloc_zero (talloc.c:2421)
==26053==    by 0x7168E68: messaging_ctdb_init (messages_ctdb.c:93)
==26053==    by 0x716979D: messaging_ctdb_ref (messages_ctdb_ref.c:75)
==26053==    by 0x415702A: messaging_init_internal (messages.c:563)
==26053==    by 0x41572FD: messaging_init (messages.c:622)
==26053==    by 0x4163ED3: global_messaging_context (global_contexts.c:62)
==26053==    by 0x12273B: main (samba-bgqd.c:271)
==26053==
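Added illustration (not Samba code and not the fix that was merged for this bug): the shape of the failure in the Valgrind trace above. An fd-event handle (the role of messaging_ctdb_fde_ev) keeps a back-pointer to the messaging context that owns it. When the context is torn down first (messaging_reinit after the fork in cups_pcap_load_async) and the handle's destructor runs later (from tevent_req_received), the destructor reads memory that was already freed. The defensive pattern shown is the usual one for owner/child back-pointers: the owner clears every child's back-pointer before freeing itself, and the child's destructor treats a NULL back-pointer as "owner already gone". All structure and function names below are hypothetical, and plain malloc/free stands in for talloc.

```c
/*
 * Hypothetical illustration of the destructor-order use-after-free shape
 * seen in the samba-bgqd Valgrind trace, and the owner-clears-back-pointer
 * pattern that avoids it. Not Samba code; names are invented.
 */
#include <stdlib.h>
#include <stddef.h>

struct msg_ctx;

struct fde_ev {
    struct msg_ctx *ctx;        /* owner; NULL once the owner has been destroyed */
    struct fde_ev *next;
    struct fde_ev *prev;
};

struct msg_ctx {
    struct fde_ev *fde_evs;     /* head of the list of handles that point back at us */
};

static struct msg_ctx *msg_ctx_create(void)
{
    return calloc(1, sizeof(struct msg_ctx));
}

static struct fde_ev *fde_ev_create(struct msg_ctx *ctx)
{
    struct fde_ev *fde = calloc(1, sizeof(*fde));
    if (fde == NULL) {
        return NULL;
    }
    fde->ctx = ctx;
    /* Push onto the owner's list so the owner can find this handle later. */
    fde->next = ctx->fde_evs;
    if (ctx->fde_evs != NULL) {
        ctx->fde_evs->prev = fde;
    }
    ctx->fde_evs = fde;
    return fde;
}

static void msg_ctx_destroy(struct msg_ctx *ctx)
{
    /* Break every back-pointer first: after this loop no handle can reach
     * the memory that is about to be freed. */
    while (ctx->fde_evs != NULL) {
        struct fde_ev *fde = ctx->fde_evs;
        ctx->fde_evs = fde->next;
        fde->ctx = NULL;
        fde->next = NULL;
        fde->prev = NULL;
    }
    free(ctx);
}

/* Returns 1 if the handle unlinked itself from a live owner, 0 if the
 * owner was already destroyed (the ordering that crashed samba-bgqd;
 * without the NULL check this is where the invalid read would happen). */
static int fde_ev_destroy(struct fde_ev *fde)
{
    int owner_alive = 0;
    if (fde->ctx != NULL) {
        /* DLIST_REMOVE-style unlink from the owner's list. */
        if (fde->prev != NULL) {
            fde->prev->next = fde->next;
        } else {
            fde->ctx->fde_evs = fde->next;
        }
        if (fde->next != NULL) {
            fde->next->prev = fde->prev;
        }
        owner_alive = 1;
    }
    free(fde);
    return owner_alive;
}

/* Replays the order in the trace: owner freed first, handle freed later.
 * Returns 0: the handle noticed its owner was gone and did not touch it. */
int replay_owner_freed_first(void)
{
    struct msg_ctx *ctx = msg_ctx_create();
    if (ctx == NULL) {
        return -1;
    }
    struct fde_ev *fde = fde_ev_create(ctx);
    if (fde == NULL) {
        msg_ctx_destroy(ctx);
        return -1;
    }
    msg_ctx_destroy(ctx);           /* messaging_reinit() in the trace */
    return fde_ev_destroy(fde);     /* tevent_req_received() in the trace */
}

/* Normal order: handles go away while the owner is still alive.
 * Returns 3 when both handles unlinked cleanly and the list ended empty. */
int replay_handles_freed_first(void)
{
    struct msg_ctx *ctx = msg_ctx_create();
    if (ctx == NULL) {
        return -1;
    }
    struct fde_ev *a = fde_ev_create(ctx);
    struct fde_ev *b = fde_ev_create(ctx);
    int ra = fde_ev_destroy(a);     /* a sits behind b in the list */
    int rb = fde_ev_destroy(b);
    int empty = (ctx->fde_evs == NULL);
    msg_ctx_destroy(ctx);
    return ra + rb + empty;
}
```

The two replay functions exist so the ordering can be exercised deliberately; in a talloc hierarchy the same guarantee comes from the owner's talloc destructor doing the back-pointer clearing before its children are freed.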
Comment 3 Samba QA Contact 2023-01-26 16:04:03 UTC
This bug was referenced in samba master:

2a104556e8489b9fc3e2185a1fbbec7f4c8d8fea
Comment 4 Noel Power 2023-01-26 19:52:45 UTC
Created attachment 17743
patch for v4.17 & v4.18 (same patch applies to both)
Comment 5 Noel Power 2023-01-26 19:54:21 UTC
assign to Jule for inclusion in 4.17, 4.18
Comment 6 Noel Power 2023-01-26 20:00:33 UTC
not sure if patch is needed for 4.16 but if it is, same patch will apply
Comment 7 Jule Anger 2023-01-27 08:45:09 UTC
Pushed to autobuild-v4-{18,17}-test.
Comment 8 Samba QA Contact 2023-01-27 09:46:03 UTC
This bug was referenced in samba v4-17-test:

ddf64adea1358f0effb2148a03acfa5bb66cf1ea
Comment 9 Samba QA Contact 2023-01-31 12:50:08 UTC
This bug was referenced in samba v4-18-test:

af00a0df70a591ef5890274ba700349abe9ec928
Comment 10 Jule Anger 2023-01-31 13:14:31 UTC
Closing out bug report.

Thanks!
Comment 11 Samba QA Contact 2023-02-01 17:42:58 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.0rc2):

af00a0df70a591ef5890274ba700349abe9ec928
Comment 12 Samba QA Contact 2023-03-09 09:21:56 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.6):

ddf64adea1358f0effb2148a03acfa5bb66cf1ea