Bug 15456 - slrpc_open_query() looks for sl_array_t rather than sl_cnids_t
Summary: slrpc_open_query() looks for sl_array_t rather than sl_cnids_t
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-23 17:55 UTC by Robert Morris
Modified: 2023-08-23 17:55 UTC
CC List: 0 users

See Also:


Attachments

Description Robert Morris 2023-08-23 17:55:22 UTC
This in mdssvc.c's slrpc_open_query() should probably say sl_cnids_t
rather than sl_array_t:

        cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
                                     "DALLOC_CTX", 1,
                                     "kMDQueryItemArray",
                                     "sl_array_t");
        if (cnids) {
                ok = sort_cnids(slq, cnids->ca_cnids);

If the client passes a sl_array_t (rather than nothing), sort_cnids()
may crash when it tries to dereference cnids->ca_cnids:

Program received signal SIGBUS, Bus error.
Object-specific hardware error.
0x000000fc49f2de68 in dalloc_size (d=0x7a7a7a7a7a7a7a7a)
    at ../../source3/rpc_server/mdssvc/dalloc.c:82
82              return talloc_array_length(d->dd_talloc_array);
(gdb) where
#0  0x000000fc49f2de68 in dalloc_size (d=0x7a7a7a7a7a7a7a7a)
    at ../../source3/rpc_server/mdssvc/dalloc.c:82
#1  0x000000fc49f1c569 in sort_cnids (slq=0x104b35d2cc0, d=0x7a7a7a7a7a7a7a7a)
    at ../../source3/rpc_server/mdssvc/mdssvc.c:235
#2  0x000000fc49f19e44 in slrpc_open_query (mds_ctx=0x104b35ae820, 
    query=0x104b35cdce0, reply=0x104b35cdd70)
    at ../../source3/rpc_server/mdssvc/mdssvc.c:1030
#3  0x000000fc49f188b8 in mds_dispatch (mds_ctx=0x104b35ae820, 
    request_blob=0x104b35ccd20, response_blob=0x104b35cdbc0, 
    max_fragment_size=512) at ../../source3/rpc_server/mdssvc/mdssvc.c:1880
#4  0x000000fc49f1dad8 in _mdssvc_cmd (p=0x104b359ee48, r=0x104b35ccd00)
    at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:239

The above crash was produced by a client mds cmd request that
contained this blob passed by mds_dispatch() to sl_unpack():

(gdb) x/784xb request_blob->spotlight_blob
0x3c0696b551f0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b551f8: 0x61    0x00    0x00    0x00    0x41    0x00    0x00    0x00
0x3c0696b55200: 0x01    0x00    0x00    0x02    0x01    0x00    0x00    0x00
0x3c0696b55208: 0x01    0x00    0x00    0x02    0x02    0x00    0x00    0x00
0x3c0696b55210: 0x01    0x00    0x00    0x02    0x03    0x00    0x00    0x00
0x3c0696b55218: 0x05    0x00    0x00    0x00    0x1f    0x00    0x00    0x00
0x3c0696b55220: 0x6f    0x70    0x65    0x6e    0x51    0x75    0x65    0x72
0x3c0696b55228: 0x79    0x57    0x69    0x74    0x68    0x50    0x61    0x72
0x3c0696b55230: 0x61    0x6d    0x73    0x3a    0x66    0x6f    0x72    0x43
0x3c0696b55238: 0x6f    0x6e    0x74    0x65    0x78    0x74    0x3a    0x00
0x3c0696b55240: 0x02    0x00    0x00    0x84    0x01    0x00    0x00    0x00
0x3c0696b55248: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55250: 0x02    0x00    0x00    0x84    0x01    0x00    0x00    0x00
0x3c0696b55258: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55260: 0x01    0x00    0x00    0x02    0x04    0x00    0x00    0x00
0x3c0696b55268: 0x01    0x00    0x00    0x02    0x05    0x00    0x00    0x00
0x3c0696b55270: 0x03    0x00    0x00    0x00    0x0e    0x00    0x00    0x00
0x3c0696b55278: 0x6b    0x4d    0x44    0x51    0x75    0x65    0x72    0x79
0x3c0696b55280: 0x53    0x74    0x72    0x69    0x6e    0x67    0x00    0x00
0x3c0696b55288: 0x01    0x00    0x00    0x02    0x06    0x00    0x00    0x00
0x3c0696b55290: 0x04    0x00    0x00    0x00    0x12    0x00    0x00    0x00
0x3c0696b55298: 0x21    0x40    0x23    0x24    0x25    0x5e    0x26    0x2a
0x3c0696b552a0: 0x28    0x29    0x3a    0x7b    0x7d    0x27    0x5b    0x5d
0x3c0696b552a8: 0x7c    0x5c    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b552b0: 0x01    0x00    0x00    0x02    0x07    0x00    0x00    0x00
0x3c0696b552b8: 0x03    0x00    0x00    0x00    0x0d    0x00    0x00    0x00
0x3c0696b552c0: 0x6b    0x4d    0x44    0x53    0x63    0x6f    0x70    0x65
0x3c0696b552c8: 0x41    0x72    0x72    0x61    0x79    0x00    0x00    0x00
0x3c0696b552d0: 0x01    0x00    0x00    0x02    0x08    0x00    0x00    0x00
0x3c0696b552d8: 0x01    0x00    0x00    0x02    0x09    0x00    0x00    0x00
0x3c0696b552e0: 0x02    0x00    0x00    0x00    0x03    0x00    0x00    0x00
0x3c0696b552e8: 0x78    0x79    0x7a    0x00    0x00    0x00    0x00    0x00
0x3c0696b552f0: 0x01    0x00    0x00    0x02    0x0a    0x00    0x00    0x00
0x3c0696b552f8: 0x04    0x00    0x00    0x00    0x11    0x00    0x00    0x00
0x3c0696b55300: 0x6b    0x4d    0x44    0x41    0x74    0x74    0x72    0x69
0x3c0696b55308: 0x62    0x75    0x74    0x65    0x41    0x72    0x72    0x61
0x3c0696b55310: 0x79    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55318: 0x01    0x00    0x00    0x02    0x0b    0x00    0x00    0x00
0x3c0696b55320: 0x01    0x00    0x00    0x02    0x0c    0x00    0x00    0x00
0x3c0696b55328: 0x02    0x00    0x00    0x00    0x01    0x00    0x00    0x00
0x3c0696b55330: 0x61    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55338: 0x01    0x00    0x00    0x02    0x0d    0x00    0x00    0x00
0x3c0696b55340: 0x02    0x00    0x00    0x00    0x01    0x00    0x00    0x00
0x3c0696b55348: 0x62    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55350: 0x01    0x00    0x00    0x02    0x0e    0x00    0x00    0x00
0x3c0696b55358: 0x04    0x00    0x00    0x00    0x11    0x00    0x00    0x00
0x3c0696b55360: 0x6b    0x4d    0x44    0x51    0x75    0x65    0x72    0x79
0x3c0696b55368: 0x49    0x74    0x65    0x6d    0x41    0x72    0x72    0x61
0x3c0696b55370: 0x79    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55378: 0x01    0x00    0x00    0x02    0x0f    0x00    0x00    0x00
0x3c0696b55380: 0x01    0x00    0x00    0x02    0x10    0x00    0x00    0x00
0x3c0696b55388: 0x02    0x00    0x00    0x00    0x01    0x00    0x00    0x00
0x3c0696b55390: 0x61    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55398: 0x01    0x00    0x00    0x02    0x11    0x00    0x00    0x00
0x3c0696b553a0: 0x02    0x00    0x00    0x00    0x01    0x00    0x00    0x00
0x3c0696b553a8: 0x62    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b553b0: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553b8: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553c0: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553c8: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553d0: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553d8: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553e0: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553e8: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553f0: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b553f8: 0x01    0x00    0x00    0x01    0x01    0x00    0x00    0x00
0x3c0696b55400: 0x01    0x00    0x00    0x88    0x00    0x00    0x00    0x00
0x3c0696b55408: 0x01    0x00    0x00    0x0a    0x02    0x00    0x00    0x00
0x3c0696b55410: 0x01    0x00    0x00    0x0a    0x03    0x00    0x00    0x00
0x3c0696b55418: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55420: 0x01    0x00    0x00    0x0a    0x08    0x00    0x00    0x00
0x3c0696b55428: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55430: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55438: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55440: 0x01    0x00    0x00    0x0a    0x01    0x00    0x00    0x00
0x3c0696b55448: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55450: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55458: 0x01    0x00    0x00    0x0a    0x02    0x00    0x00    0x00
0x3c0696b55460: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55468: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55470: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55478: 0x01    0x00    0x00    0x0a    0x02    0x00    0x00    0x00
0x3c0696b55480: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55488: 0x01    0x00    0x00    0x0c    0x01    0x00    0x00    0x00
0x3c0696b55490: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b55498: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554a0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554a8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554b0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554b8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554c0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554c8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554d0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554d8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554e0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554e8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554f0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x3c0696b554f8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

In more readable form; it's the second "a" and "b" that cnids ends up
pointing to:

DALLOC_CTX(#1): {
        sl_array_t(#2): {
                sl_array_t(#3): {
                        string: openQueryWithParams:forContext:
                        uint64_t: 0x0000
                        uint64_t: 0x0000
                }
                sl_array_t(#8): {
                        string: kMDQueryString
                        string: !@#$%^&*():{}'[]|\
                        string: kMDScopeArray
                        sl_array_t(#1): {
                                string: xyz
                        }
                        string: kMDAttributeArray
                        sl_array_t(#2): {
                                string: a
                                string: b
                        }
                        string: kMDQueryItemArray
                        sl_array_t(#2): {
                                string: a
                                string: b
                        }
                }
        }
}
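The failure described in the report comes down to a type-name check that asks for the wrong type: dalloc_value_for_key() hands back whatever value carries the name "sl_array_t", and slrpc_open_query() then treats it as an sl_cnids_t. The following is an added illustration written for this page, not Samba's own code: it models the tagged lookup with a plain type-name string, runs it both as reported (requesting "sl_array_t") and as the report proposes (requesting "sl_cnids_t"), and shows which inputs each variant lets through to the sl_cnids_t cast. The struct layouts, the tag field, the function names and the sample values are assumptions made for the example; the two-string item array mirrors the kMDQueryItemArray in the dump above.

```c
/*
 * Added illustration, not Samba code: a miniature of the type-tagged
 * lookup that dalloc_value_for_key() performs on an unpacked Spotlight
 * request. Struct layouts, the tag field and all names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the talloc type name that dalloc_value_for_key() checks. */
struct tagged {
        const char *type_name;
};

/* Model of sl_array_t: a tag plus a short list of element pointers. */
struct sl_array_t {
        struct tagged hdr;
        size_t count;
        const void *elems[2];
};

/* Model of sl_cnids_t: a tag plus the fields sort_cnids() reads. */
struct sl_cnids_t {
        struct tagged hdr;
        uint16_t ca_unkn1;
        uint32_t ca_context;
        struct sl_array_t *ca_cnids;    /* the CNID list sort_cnids() walks */
};

enum lookup_result {
        LOOKUP_NONE = 0,    /* nothing of the requested type: sorting skipped */
        LOOKUP_CNIDS,       /* a genuine sl_cnids_t: ca_cnids may be read */
        LOOKUP_CONFUSED     /* passed the name check, but not an sl_cnids_t */
};

/* Model of the last step of dalloc_value_for_key(): return the value
 * only if its type name is the one the caller asked for. */
static struct tagged *value_for_type(struct tagged *val, const char *want)
{
        if (val == NULL || strcmp(val->type_name, want) != 0) {
                return NULL;
        }
        return val;
}

/* slrpc_open_query() casts the looked-up value to sl_cnids_t *; that is
 * only sound if the object really carries that type. */
static enum lookup_result lookup_cnids(struct tagged *val, const char *requested)
{
        struct tagged *found = value_for_type(val, requested);

        if (found == NULL) {
                return LOOKUP_NONE;
        }
        if (strcmp(found->type_name, "sl_cnids_t") == 0) {
                return LOOKUP_CNIDS;
        }
        /* An sl_array_t would now be read through an sl_cnids_t pointer and
         * ca_cnids would be whatever bytes sit at that offset. */
        return LOOKUP_CONFUSED;
}

/* The lookup as reported: the wrong type name is requested. */
static enum lookup_result open_query_lookup_buggy(struct tagged *item_array)
{
        return lookup_cnids(item_array, "sl_array_t");
}

/* The lookup with the type name the report proposes. */
static enum lookup_result open_query_lookup_fixed(struct tagged *item_array)
{
        return lookup_cnids(item_array, "sl_cnids_t");
}

/* CNIDs that sort_cnids() would be handed on the fixed path, or 0 when the
 * value is absent, of the wrong type, or carries no list. */
static size_t cnid_count_fixed(struct tagged *item_array)
{
        struct sl_cnids_t *cnids;

        if (open_query_lookup_fixed(item_array) != LOOKUP_CNIDS) {
                return 0;
        }
        cnids = (struct sl_cnids_t *)item_array;  /* hdr is the first member */
        return cnids->ca_cnids == NULL ? 0 : cnids->ca_cnids->count;
}

/* Constructed sample values: the two-string item array from the report's
 * dump, and a well-formed sl_cnids_t wrapping a two-entry CNID list
 * (element contents do not matter to the lookup). */
static struct sl_array_t client_item_array = {
        .hdr = { "sl_array_t" }, .count = 2, .elems = { "a", "b" },
};
static struct sl_array_t cnid_list = {
        .hdr = { "sl_array_t" }, .count = 2, .elems = { "1", "2" },
};
static struct sl_cnids_t genuine_cnids = {
        .hdr = { "sl_cnids_t" }, .ca_unkn1 = 0, .ca_context = 0,
        .ca_cnids = &cnid_list,
};

int main(void)
{
        printf("buggy lookup, client array:  %d (2 = type confusion)\n",
               open_query_lookup_buggy(&client_item_array.hdr));
        printf("buggy lookup, real cnids:    %d (0 = never sorted)\n",
               open_query_lookup_buggy(&genuine_cnids.hdr));
        printf("fixed lookup, client array:  %d (0 = ignored)\n",
               open_query_lookup_fixed(&client_item_array.hdr));
        printf("fixed lookup, real cnids:    %zu CNIDs\n",
               cnid_count_fixed(&genuine_cnids.hdr));
        return 0;
}
```

In this model the requested name is the only thing standing between a client-controlled object and the sl_cnids_t cast, so the one-word change in the report is the whole fix: with "sl_cnids_t" requested, an sl_array_t is simply ignored, and a genuine sl_cnids_t (which the "sl_array_t" request would never have matched in the first place) is the only thing that reaches sort_cnids().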