Bug 15594 - OOB write in `tdb_mutex_unlock` that can be triggered by remote
Summary: OOB write in `tdb_mutex_unlock` that can be triggered by remote
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.19.4
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-29 10:30 UTC by Nils Bars
Modified: 2024-02-29 10:30 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nils Bars 2024-02-29 10:30:59 UTC
Hello, 

I found an out-of-bounds write in `tdb_mutex_unlock` that is triggerable by a remote client. See the ASAN reports below. The following arguments have been used for the client and server respectively:

```
# Client:
smbclient -p 7777 -L //127.0.0.1

# Server:
smbd -s smb.conf -F -i

# smb.conf
[global]
   workgroup = SAMBA
   security = user
   guest account = user
   #passdb backend = smbpasswd:../testdata/samba3/smbpasswd tdbsam:../testdata/samba3/passdb.tdb ldapsam:tdb://samba3.ldb
   #debug level = 5
   netbios name = BEDWYR
   private dir = /tmp
   lock directory = /tmp
   state directory = /tmp
   ncalrpc dir = /tmp
   log file = /tmp/log.txt
   interfaces = 127.0.0.1
   smb ports = 7777
   dgram port = 7778
   server min protocol = LANMAN1

[tmp]
	path = /tmp
	guest only = yes
	public = yes
	read only = no

```

The server has been build with the following flags:
```
./configure --nonshared-binary=smbd/smbd,client/smbclient
```

Unfortunately, the used testing setup is quite complex; thus, it's hard for me to provide instructions on reproducing this bug independently. If you cannot deduce the underlying issue from the provided details, please reach out, and I will try to assist you further.


```
=================================================================
==989425==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff7404060 bp 0x7fffffffc6f0 sp 0x7fffffffc558 T0)
==989425==The signal is caused by a WRITE memory access.
    #0 0x7ffff7404060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7
    #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8
    #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7
    #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9
    #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9
    #5 0x5555594d6caf in tdb_allocate bin/default/../../lib/tdb/common/freelist.c:0:0
    #6 0x5555594af87d in _tdb_storev bin/default/../../lib/tdb/common/tdb.c:667:12
    #7 0x5555594ad05c in tdb_storev bin/default/../../lib/tdb/common/tdb.c:776:8
    #8 0x555559e76b2d in gencache_set_data_blob bin/default/../../source3/lib/gencache.c:294:8
    #9 0x5555576d7529 in remote_arch_cache_set bin/default/../../source3/lib/util.c:1188:7
    #10 0x5555576d7529 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1210:7
    #11 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8
    #12 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18
    #13 0x555558bd4ebf in smbd_smb2_io_handler bin/default/../../source3/smbd/smb2_server.c:5101:11
    #14 0x555558bd4ebf in smbd_smb2_connection_handler bin/default/../../source3/smbd/smb2_server.c:5139:11
    #15 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #16 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #17 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #18 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #19 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #20 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #21 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #22 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8
    #23 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3
    #24 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #25 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #26 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #27 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #28 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #29 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #30 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #31 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8
    #32 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2
    #33 0x7ffff7393a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #34 0x7ffff7393b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
    #35 0x555556104c44 in _start ??:0:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
==989425==ABORTING



=================================================================
==3570364==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff740a060 bp 0x7fffffffc930 sp 0x7fffffffc798 T0)
==3570364==The signal is caused by a WRITE memory access.
    #0 0x7ffff740a060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7
    #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8
    #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7
    #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9
    #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9
    #5 0x5555594a8d14 in tdb_find_lock_hash bin/default/../../lib/tdb/common/tdb.c:168:3
    #6 0x5555594a8d14 in tdb_parse_record bin/default/../../lib/tdb/common/tdb.c:329:18
    #7 0x555559e797af in gencache_parse bin/default/../../source3/lib/gencache.c:431:8
    #8 0x5555576d6dd4 in remote_arch_cache_get bin/default/../../source3/lib/util.c:1155:7
    #9 0x5555576d6dd4 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1203:8
    #10 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8
    #11 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18
    #12 0x555558bc0eec in smbd_smb2_process_negprot bin/default/../../source3/smbd/smb2_server.c:4662:11
    #13 0x555558b412f0 in process_smb2 bin/default/../../source3/smbd/smb2_process.c:556:20
    #14 0x555558b412f0 in process_smb bin/default/../../source3/smbd/smb2_process.c:593:4
    #15 0x555558e8f379 in smbd_smb1_server_connection_read_handler bin/default/../../source3/smbd/smb1_process.c:2082:2
    #16 0x555558b48a88 in smbd_server_connection_handler bin/default/../../source3/smbd/smb2_process.c:976:4
    #17 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #18 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #19 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #20 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #21 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #22 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #23 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #24 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8
    #25 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3
    #26 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #27 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #28 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #29 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #30 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #31 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #32 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #33 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8
    #34 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2
    #35 0x7ffff7399a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #36 0x7ffff7399b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
    #37 0x555556104c44 in _start ??:0:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
==3570364==ABORTING



=================================================================
==3570311==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff7404060 bp 0x7fffffffcab0 sp 0x7fffffffc918 T0)
==3570311==The signal is caused by a WRITE memory access.
    #0 0x7ffff7404060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7
    #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8
    #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7
    #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9
    #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9
    #5 0x5555594cdad3 in tdb_unlock bin/default/../../lib/tdb/common/lock.c:579:9
    #6 0x5555594cdad3 in tdb_chainunlock bin/default/../../lib/tdb/common/lock.c:891:9
    #7 0x555559e76b59 in gencache_set_data_blob bin/default/../../source3/lib/gencache.c:296:2
    #8 0x5555576d7529 in remote_arch_cache_set bin/default/../../source3/lib/util.c:1188:7
    #9 0x5555576d7529 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1210:7
    #10 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8
    #11 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18
    #12 0x555558bd4ebf in smbd_smb2_io_handler bin/default/../../source3/smbd/smb2_server.c:5101:11
    #13 0x555558bd4ebf in smbd_smb2_connection_handler bin/default/../../source3/smbd/smb2_server.c:5139:11
    #14 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #15 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #16 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #17 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #18 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #19 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #20 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #21 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8
    #22 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3
    #23 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #24 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #25 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #26 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #27 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #28 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #29 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #30 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8
    #31 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2
    #32 0x7ffff7393a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #33 0x7ffff7393b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
    #34 0x555556104c44 in _start ??:0:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
==3570311==ABORTING



=================================================================
==632356==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff740833d bp 0x55555b6affe0 sp 0x7fffffffbf30 T0)
==632356==The signal is caused by a WRITE memory access.
    #0 0x7ffff740833d in __pthread_mutex_lock_full ./nptl/pthread_mutex_lock.c:358:7
    #1 0x55555951f771 in chain_mutex_lock bin/default/../../lib/tdb/common/mutex.c:182:9
    #2 0x55555951f771 in tdb_mutex_lock bin/default/../../lib/tdb/common/mutex.c:234:8
    #3 0x5555594c04c7 in fcntl_lock bin/default/../../lib/tdb/common/lock.c:44:7
    #4 0x5555594c04c7 in tdb_brlock bin/default/../../lib/tdb/common/lock.c:200:9
    #5 0x5555594c31c5 in tdb_nest_lock bin/default/../../lib/tdb/common/lock.c:390:6
    #6 0x5555594c440c in tdb_lock_list bin/default/../../lib/tdb/common/lock.c:482:8
    #7 0x5555594cc640 in tdb_lock bin/default/../../lib/tdb/common/lock.c:500:8
    #8 0x5555594cc640 in tdb_chainlock bin/default/../../lib/tdb/common/lock.c:856:12
    #9 0x5555583dfa43 in db_tdb_fetch_locked bin/default/../../lib/dbwrap/dbwrap_tdb.c:165:6
    #10 0x5555583c2387 in dbwrap_fetch_locked_internal bin/default/../../lib/dbwrap/dbwrap.c:277:8
    #11 0x5555583c2387 in dbwrap_fetch_locked bin/default/../../lib/dbwrap/dbwrap.c:291:9
    #12 0x555556ebcf45 in dbwrap_watched_fetch_locked bin/default/../../source3/lib/dbwrap/dbwrap_watch.c:275:16
    #13 0x5555583c2473 in dbwrap_fetch_locked_internal bin/default/../../lib/dbwrap/dbwrap.c:277:8
    #14 0x5555583c2473 in dbwrap_fetch_locked bin/default/../../lib/dbwrap/dbwrap.c:291:9
    #15 0x555558c9c0e0 in smbXsrv_client_global_fetch_locked bin/default/../../source3/smbd/smbXsrv_client.c:141:8
    #16 0x555558c8afaa in smb2srv_client_mc_negprot_next bin/default/../../source3/smbd/smbXsrv_client.c:562:18
    #17 0x555558c8a9f2 in smb2srv_client_mc_negprot_send bin/default/../../source3/smbd/smbXsrv_client.c:536:2
    #18 0x555558bf0316 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:857:11
    #19 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18
    #20 0x555558bc0eec in smbd_smb2_process_negprot bin/default/../../source3/smbd/smb2_server.c:4662:11
    #21 0x555558b412f0 in process_smb2 bin/default/../../source3/smbd/smb2_process.c:556:20
    #22 0x555558b412f0 in process_smb bin/default/../../source3/smbd/smb2_process.c:593:4
    #23 0x555558e8f379 in smbd_smb1_server_connection_read_handler bin/default/../../source3/smbd/smb1_process.c:2082:2
    #24 0x555558b48a88 in smbd_server_connection_handler bin/default/../../source3/smbd/smb2_process.c:976:4
    #25 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #26 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #27 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #28 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #29 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #30 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #31 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #32 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8
    #33 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3
    #34 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2
    #35 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11
    #36 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9
    #37 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8
    #38 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8
    #39 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9
    #40 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8
    #41 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8
    #42 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2
    #43 0x7ffff7399a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #44 0x7ffff7399b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3
    #45 0x555556104c44 in _start ??:0:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x9233d) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1)
==632356==ABORTING
```