Bug 15593 - Use after free in talloc that can be triggered by remote
Summary: Use after free in talloc that can be triggered by remote
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.19.4
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-29 10:20 UTC by Nils Bars
Modified: 2024-02-29 10:26 UTC (History)
Description Nils Bars 2024-02-29 10:20:22 UTC
Hello, 

I found a use-after-free bug in Samba. See the ASAN report below. The following arguments have been used for the client and server respectively:

```
# Client:
smbclient -p 7777 -L //127.0.0.1

# Server:
smbd -s smb.conf -F -i

# smb.conf
[global]
   workgroup = SAMBA
   security = user
   guest account = user
   #passdb backend = smbpasswd:../testdata/samba3/smbpasswd tdbsam:../testdata/samba3/passdb.tdb ldapsam:tdb://samba3.ldb
   #debug level = 5
   netbios name = BEDWYR
   private dir = /tmp
   lock directory = /tmp
   state directory = /tmp
   ncalrpc dir = /tmp
   log file = /tmp/log.txt
   interfaces = 127.0.0.1
   smb ports = 7777
   dgram port = 7778
   server min protocol = LANMAN1

[tmp]
   path = /tmp
   guest only = yes
   public = yes
   read only = no
```

The server has been built with the following flags:
```
./configure --nonshared-binary=smbd/smbd,client/smbclient
```

Unfortunately, the testing setup I used is quite complex, so it is hard for me to provide instructions for reproducing this bug independently. If you cannot deduce the underlying issue from the provided details, please reach out, and I will try to assist you further.


```
=================================================================
==3213739==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000006240 at pc 0x555557427b2a bp 0x7ffff1fc78e0 sp 0x7ffff1fc78d8
READ of size 8 at 0x50d000006240 thread T1
    #0 0x555557427b29 in pthreadpool_tevent_job_signal bin/default/../../lib/pthreadpool/pthreadpool_tevent.c:372:14
    #1 0x555557424be6 in pthreadpool_server bin/default/../../lib/pthreadpool/pthreadpool.c:657:10
    #2 0x55555612bdb0 in asan_thread_start(void*) _asan_rtl_:42
    #3 0x7ffff74056b9 in start_thread ./nptl/pthread_create.c:444:8
    #4 0x7ffff749411f in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81:0

0x50d000006240 is located 128 bytes inside of 144-byte region [0x50d0000061c0,0x50d000006250)
freed by thread T0 here:
    #0 0x5555561f04e8 in ___interceptor_free.part.0 _asan_rtl_:3
    #1 0x55555a171ab2 in _tc_free_internal bin/default/../../lib/talloc/talloc.c:1222:2

previously allocated by thread T0 here:
    #0 0x5555561f1787 in ___interceptor_malloc _asan_rtl_:3
    #1 0x55555a16f3b6 in __talloc_with_prefix bin/default/../../lib/talloc/talloc.c:783:9

Thread T1 created by T0 here:
    #0 0x5555561e8ac6 in __interceptor_pthread_create _asan_rtl_:3
    #1 0x555557420d2a in pthreadpool_create_thread bin/default/../../lib/pthreadpool/pthreadpool.c:711:8
    #2 0x55555742013d in pthreadpool_add_job bin/default/../../lib/pthreadpool/pthreadpool.c:792:8

SUMMARY: AddressSanitizer: heap-use-after-free (bin/default/source3/smbd/smbd+0x1ed3b29)
Shadow bytes around the buggy address:
  0x50d000005f80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x50d000006000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000006080: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x50d000006100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000006180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x50d000006200: fd fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa
  0x50d000006280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50d000006300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50d000006380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50d000006400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50d000006480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3213739==ABORTING
```

Best,
Nils
Comment 1 Nils Bars 2024-02-29 10:26:25 UTC
The code has been retrieved via:
```
git clone https://github.com/samba-team/samba.git src
git checkout samba-4.19.4
```