15533 – winbindd crashes when listing trusted domains that contain an NT domain without DNS name

Bug 15533 - winbindd crashes when listing trusted domains that contain an NT domain without DNS name

Summary: winbindd crashes when listing trusted domains that contain an NT domain witho...

Status:	ASSIGNED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Ralph Böhme
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-12-08 14:20 UTC by Ralph Böhme
Modified:	2024-01-22 07:25 UTC (History)
CC List:	1 user (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/3441

Attachments
Patch for 4.19 cherry-picked from master (42.94 KB, patch) 2024-01-22 07:24 UTC, Ralph Böhme	slow: review? (metze)	Details
Patch for 4.18 backported from master (48.14 KB, patch) 2024-01-22 07:25 UTC, Ralph Böhme	slow: review? (metze)	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2023-12-08 14:20:45 UTC

Commit e07f8901ec95aab8c36965000de185d99e642644 removed the required handling for empty DNS domain names.
                                                                                                                                                                                                          
As for NT domains the dns_name will be NULL, causing the talloc_steal() to also return NULL, which causes _wbint_ListTrustedDomains return NT_STATUS_NO_MEMORY with an only partially initialized struct netr_DomainTrust: as out->array[n].sid is not yet initialized correctly, when NDR-pushing the result, the ndr_push() can crash.

To reproduce I used the following hack on master:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5ca2ee37a32..09962c8b8738 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -775,7 +775,7 @@ sub provision_ad_member
        template homedir = /home/%D/%G/%U
        auth event notification = true
        password server = $dcvars->{SERVER}
-       winbind scan trusted domains = no
+       winbind scan trusted domains = yes
        winbind offline logon = $option_offline_logon
 
        allow dcerpc auth level connect:lsarpc = yes
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index d7a665abbc6d..4922a0e61d24 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1493,6 +1493,11 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                        continue;
                }
 
+               if (strequal("SAMBA2003", trust->netbios_name)) {
+                       DBG_ERR("XXXXXXX HACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
+                       trust->dns_name = NULL;
+               }
+
                /* add to the trusted domain cache */

Then:

$ make -j testenv SELFTEST_TESTENV=ad_member SCREEN=1

This results in an an reliable error to list trusted domains, so wbinfo -m doesn't list them, and sometimes it crashes when eg the domain sid pointer is garbage:

    2023-12-08T14:07:42.759416+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: trusted_domains: XXXXXXX HACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
    2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
    2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]

Have patches, need bugnumber.

Comment 1 Samba QA Contact 2024-01-20 14:24:13 UTC

This bug was referenced in samba master:

340753a2554ce9a842a6c90d684fb0510def81a1
15c07723765c6863a0ada9dfbaaa204604500907
449a968d3d18633e05db7d00ab76c7a52b04a54c
9b2920fd367d26cfbf6f6f442a5c01fae4734abd
95bb2acbf066049f92c16836a2cdaea3aae829cc
60ac5b03ef15de73744e0f86507849fb4b55d96f
9d933abd9e578de74bd4c5a8bcfcf6924262a8e2
d0cdc81aa99031b0c067c7f8cf2ec0dc99d57da5
5420af6942307e045be1317edc323ee3ff9f379b
9725aa932e24622566baf208586d1fe03885da9f
645a725603ca03f27c1347b1e2ed9fea94a6319d
3a95e135472a495a90637e5dc0f9e3c8de052ff9
53ca19851dbfc3cab7345424c029a7c90745e24a
000bbede59e4ca78427fa57b56fa251d4d779adb
201edcb5c6138488959e54e7df88007d010f1cfb

Comment 2 Ralph Böhme 2024-01-22 07:24:17 UTC

Created attachment 18231 [details]
Patch for 4.19 cherry-picked from master

Comment 3 Ralph Böhme 2024-01-22 07:25:03 UTC

Created attachment 18232 [details]
Patch for 4.18 backported from master