Bug 15441 - samba-tool ntacl get segfault if aio_pthread appended
Summary: samba-tool ntacl get segfault if aio_pthread appended
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.18.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-02 01:38 UTC by Jones Syue
Modified: 2023-09-07 09:02 UTC

See Also:


Attachments
Patch for v4-19-test (3.24 KB, patch)
2023-08-03 01:31 UTC, Jones Syue
metze: review+
slow: review+
Patch for v4-18-test & v4-17-test backported from master (3.29 KB, patch)
2023-08-03 08:05 UTC, Jones Syue
metze: review-
slow: review+
Patch for v4-18-test & v4-17-test v2 (4.37 KB, patch)
2023-08-03 13:19 UTC, Jones Syue
metze: review+
jonessyue: review? (slow)

Description Jones Syue 2023-08-02 01:38:51 UTC
If configured as AD DC and aio_pthread appended into 'vfs objects'[1],
running these commands gets a segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
While running local commands, it looks like it would not go through
smbXsrv_client_create, so 'client' is null and a segfault might happen.
We should not dereference 'client->server_multi_channel_enabled'
if 'client' is null.

Patch will follow.

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2 
[global]
        dns forwarder = 127.0.0.53
        netbios name = U22-JONES-88X1
        realm = U22-JONES-88X1.X88X1.JONES
        server role = active directory domain controller
        workgroup = X88X1
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
        read only = No
[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
#0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
#1  0x00007fffe0497b79 in smb_vfs_call_openat (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/smbd/vfs.c:1746
#2  0x00007fffe047f406 in non_widelink_open (dirfsp=0x8c3070, fsp=0x1af3550, smb_fname=0x10fe0c0, flags=196608, mode=0, link_depth=0) at ../../source3/smbd/open.c:810
#3  0x00007fffe047f90e in fd_openat (dirfsp=0x8c3070, smb_fname=0x10fe0c0, fsp=0x1af3550, flags=65536, mode=0) at ../../source3/smbd/open.c:954
#4  0x00007fffe04070ff in openat_pathref_fsp (dirfsp=0x8c3070, smb_fname=0x10fe0c0) at ../../source3/smbd/files.c:510
#5  0x00007fffe093cee3 in get_nt_acl_conn (mem_ctx=0x8c1550, fname=0x7ffff69517e0 ".", conn=0x742ed0, security_info_wanted=15, sd=0x7fffffffca50)
    at ../../source3/smbd/pysmbd.c:320
#6  0x00007fffe093e5e0 in py_smbd_get_nt_acl (self=0x7fffe3f13470, args=0x7fffd991fc80, kwargs=0x7fffda0cc550) at ../../source3/smbd/pysmbd.c:877
#7  0x00007ffff79107bf in _PyMethodDef_RawFastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#8  0x00007ffff7910a25 in _PyCFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#9  0x00007ffff78eab02 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#10 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#11 0x00007ffff7910485 in _PyFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#12 0x00007ffff78ea798 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#13 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#14 0x00007ffff7910307 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#15 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#16 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#17 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#18 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#19 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#20 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#21 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#22 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#23 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#24 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#25 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#26 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#27 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#28 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#29 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#30 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#31 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#32 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#33 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#34 0x00007ffff79f6dbe in PyEval_EvalCodeEx () from /usr/local/lib/libpython3.7m.so.1.0
#35 0x00007ffff79f6deb in PyEval_EvalCode () from /usr/local/lib/libpython3.7m.so.1.0
#36 0x00007ffff7a2ac8e in PyRun_FileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
#37 0x00007ffff7a2ae06 in PyRun_SimpleFileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
#38 0x00007ffff7a4e595 in ?? () from /usr/local/lib/libpython3.7m.so.1.0
#39 0x00007ffff7a4e81d in _Py_UnixMain () from /usr/local/lib/libpython3.7m.so.1.0
#40 0x00007ffff6995810 in __libc_start_main () from /lib/libc.so.6
#41 0x0000000000400729 in _start ()
(gdb) f
#0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)
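The failure mode in the report (a pointer chain that is fully populated for an accepted smbd connection but has a NULL `client` on the local samba-tool / net path) can be reproduced and guarded in a few lines. The following is an added example, not code from the bug report or from Samba: the structs are reduced stand-ins that reuse the Samba field names only so the chain reads like the gdb frame, and `multi_channel_enabled_checked()` is an illustrative guard, not the upstream commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Reduced stand-ins for the Samba structures named in the trace (constructed
 * for this example; the real definitions are far larger). */
struct smbXsrv_client {
	bool server_multi_channel_enabled;
};

struct smbd_server_connection {
	/* Only set once smbXsrv_client_create() has run for an accepted
	 * connection; NULL for local tools such as samba-tool and net. */
	struct smbXsrv_client *client;
};

struct connection_struct {
	struct smbd_server_connection *sconn;
};

struct files_struct {
	struct connection_struct *conn;
};

/* The pattern from vfs_aio_pthread.c:467 as reported: it assumes a client
 * object always exists, which is false on the local-command path. Calling
 * this with client == NULL is the SIGSEGV in the gdb output above. */
bool multi_channel_enabled_unchecked(const struct files_struct *fsp)
{
	return fsp->conn->sconn->client->server_multi_channel_enabled;
}

/* Guarded variant (illustrative, not the upstream patch): a missing client
 * means there is no SMB session at all, so "multi-channel enabled" is false. */
bool multi_channel_enabled_checked(const struct files_struct *fsp)
{
	const struct smbXsrv_client *client;

	if (fsp == NULL || fsp->conn == NULL || fsp->conn->sconn == NULL) {
		return false;
	}
	client = fsp->conn->sconn->client;
	if (client == NULL) {
		return false;
	}
	return client->server_multi_channel_enabled;
}

/* Build the two call paths from the report: an accepted smbd connection whose
 * client exists, and a local-tool path that never created one. */
bool simulate(bool via_accepted_connection, bool multi_channel)
{
	struct smbXsrv_client client = {
		.server_multi_channel_enabled = multi_channel,
	};
	struct smbd_server_connection sconn = {
		.client = via_accepted_connection ? &client : NULL,
	};
	struct connection_struct conn = { .sconn = &sconn };
	struct files_struct fsp = { .conn = &conn };

	return multi_channel_enabled_checked(&fsp);
}

int main(void)
{
	printf("accepted connection, multi-channel on:  %d\n", simulate(true, true));
	printf("accepted connection, multi-channel off: %d\n", simulate(true, false));
	printf("local samba-tool path (client == NULL): %d\n", simulate(false, true));
	/* multi_channel_enabled_unchecked() on the third case would dereference
	 * NULL; multi_channel_enabled_checked() returns 0 instead. */
	return 0;
}
```

The guard checks every link of the chain rather than only `client`, because any code path that reaches a VFS openat hook without a full server connection (local tools, test harnesses) may leave an earlier pointer unset as well.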
Comment 2 Samba QA Contact 2023-08-02 12:11:29 UTC
This bug was referenced in samba master:

8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2
Comment 3 Jones Syue 2023-08-03 01:31:20 UTC
Created attachment 18019 [details]
Patch for v4-19-test

Patch for 4.19 cherry-picked from master.
Comment 4 Ralph Böhme 2023-08-03 07:34:14 UTC
Do we also need the patch in 4.18 and 4.17? Does it apply cleanly or do we need separate patches?
Comment 5 Jones Syue 2023-08-03 08:05:19 UTC
Created attachment 18020 [details]
Patch for v4-18-test & v4-17-test backported from master

Since this patch for 4.18 & 4.18 is not a clean cherry-pick from master,
the commit log is changed to:

(backported from commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2)
[jonessyue@qnap.com: 4.18/4.17 does not have 3694f2ce sconn->pool checks]
Comment 6 Ralph Böhme 2023-08-03 08:17:40 UTC
Reassigning to Jule for inclusion in 4.17, 4.18 and 4.19.

Thanks for contributing!
Comment 7 Jule Anger 2023-08-03 08:35:18 UTC
Pushed to autobuild-v4-{19,18,17}-test.
Comment 8 Samba QA Contact 2023-08-03 09:46:03 UTC
This bug was referenced in samba v4-19-test:

e7f91e1d22b60069af9081dedd1b244273322ea3
Comment 9 Stefan Metzmacher 2023-08-03 11:08:38 UTC
Comment on attachment 18020 [details]
Patch for v4-18-test & v4-17-test backported from master

I think this is incomplete, the backport needs to contain 3694f2ce6205a647eb5dab2115785fb45decaf0b
Comment 10 Jones Syue 2023-08-03 13:19:21 UTC
Created attachment 18023 [details]
Patch for v4-18-test & v4-17-test v2

(In reply to Stefan Metzmacher from comment #9)

Ohh, my bad, I forgot to pick 3694f2ce.
This v2 patch for 4.18 & 4.17 is cleanly cherry-picked from master,
including 2 commits to make it more complete:
3694f2ce6205a647eb5dab2115785fb45decaf0b
8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2

And the 3694f2ce commit log is appended with a tag to make it clear:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441
Comment 11 Samba QA Contact 2023-08-08 07:21:20 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc2):

e7f91e1d22b60069af9081dedd1b244273322ea3
Comment 12 Jule Anger 2023-08-08 11:40:44 UTC
Pushed to autobuild-v4-{18,17}-test.
Comment 13 Samba QA Contact 2023-08-08 12:57:12 UTC
This bug was referenced in samba v4-18-test:

cf7a0c9d754c0f5e0888fc9023e9a863e2f366a3
bace04c3c5c3bd3b345e2e5bf06f522745be2024
Comment 14 Samba QA Contact 2023-08-08 13:40:12 UTC
This bug was referenced in samba v4-17-test:

3a6964d02650ea123e36b639baaad89ffd4c79e3
f99fec49e25a1e54667286415c1a016c2116f42c
Comment 15 Jule Anger 2023-08-08 14:08:11 UTC
Closing out bug report.

Thanks!
Comment 16 Samba QA Contact 2023-08-16 16:57:01 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

cf7a0c9d754c0f5e0888fc9023e9a863e2f366a3
bace04c3c5c3bd3b345e2e5bf06f522745be2024
Comment 17 Samba QA Contact 2023-09-07 09:02:55 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):

3a6964d02650ea123e36b639baaad89ffd4c79e3
f99fec49e25a1e54667286415c1a016c2116f42c