Hello, I found a remotely triggerable crash in the tdb mutex code (`tdb_mutex_unlock` / `tdb_mutex_lock`). Note that what ASAN reports is a SEGV on a WRITE to address 0xfffffffffffffff8 (i.e. a pointer value of -8, consistent with a NULL or otherwise invalid mutex pointer being dereferenced inside `__pthread_mutex_unlock_full` / `__pthread_mutex_lock_full`), not a heap or stack out-of-bounds write that ASAN instruments, so the root cause is more likely an invalid/uninitialised mutex pointer than a buffer overrun. All four traces below are reached from `smbd_smb2_request_process_negprot`, i.e. during SMB2 protocol negotiation, which happens before session setup, so the trigger does not appear to require credentials. See the ASAN reports below. The following arguments have been used for the client and server respectively: ``` # Client: smbclient -p 7777 -L //127.0.0.1 # Server: smbd -s smb.conf -F -i # smb.conf [global] workgroup = SAMBA security = user guest account = user #passdb backend = smbpasswd:../testdata/samba3/smbpasswd tdbsam:../testdata/samba3/passdb.tdb ldapsam:tdb://samba3.ldb #debug level = 5 netbios name = BEDWYR private dir = /tmp lock directory = /tmp state directory = /tmp ncalrpc dir = /tmp log file = /tmp/log.txt interfaces = 127.0.0.1 smb ports = 7777 dgram port = 7778 server min protocol = LANMAN1 [tmp] path = /tmp guest only = yes public = yes read only = no ``` Note that `private dir`, `lock directory`, `state directory` and `ncalrpc dir` all point to `/tmp`, a shared, world-writable directory. Since every trace below goes through `gencache_*` / `dbwrap` tdb access, please confirm the crash still reproduces against a fresh, empty directory: a stale or pre-existing `gencache.tdb` (or other tdb file) left in `/tmp` by an earlier run, or written there by another local user, would change the meaning of the report. The server has been built with the following flags (presumably with AddressSanitizer enabled as well, since the output below is ASAN's): ``` ./configure --nonshared-binary=smbd/smbd,client/smbclient ``` Unfortunately, the testing setup I used is quite complex, so it is hard for me to provide self-contained reproduction instructions. If the underlying issue cannot be deduced from the details provided, please reach out and I will try to assist further. ``` ================================================================= ==989425==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff7404060 bp 0x7fffffffc6f0 sp 0x7fffffffc558 T0) ==989425==The signal is caused by a WRITE memory access. 
#0 0x7ffff7404060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7 #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8 #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7 #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9 #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9 #5 0x5555594d6caf in tdb_allocate bin/default/../../lib/tdb/common/freelist.c:0:0 #6 0x5555594af87d in _tdb_storev bin/default/../../lib/tdb/common/tdb.c:667:12 #7 0x5555594ad05c in tdb_storev bin/default/../../lib/tdb/common/tdb.c:776:8 #8 0x555559e76b2d in gencache_set_data_blob bin/default/../../source3/lib/gencache.c:294:8 #9 0x5555576d7529 in remote_arch_cache_set bin/default/../../source3/lib/util.c:1188:7 #10 0x5555576d7529 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1210:7 #11 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8 #12 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18 #13 0x555558bd4ebf in smbd_smb2_io_handler bin/default/../../source3/smbd/smb2_server.c:5101:11 #14 0x555558bd4ebf in smbd_smb2_connection_handler bin/default/../../source3/smbd/smb2_server.c:5139:11 #15 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #16 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #17 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #18 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #19 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #20 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #21 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #22 0x555558b4d0c1 
in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8 #23 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3 #24 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #25 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #26 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #27 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #28 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #29 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #30 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #31 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8 #32 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2 #33 0x7ffff7393a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #34 0x7ffff7393b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3 #35 0x555556104c44 in _start ??:0:0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1) ==989425==ABORTING ================================================================= ==3570364==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff740a060 bp 0x7fffffffc930 sp 0x7fffffffc798 T0) ==3570364==The signal is caused by a WRITE memory access. 
#0 0x7ffff740a060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7 #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8 #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7 #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9 #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9 #5 0x5555594a8d14 in tdb_find_lock_hash bin/default/../../lib/tdb/common/tdb.c:168:3 #6 0x5555594a8d14 in tdb_parse_record bin/default/../../lib/tdb/common/tdb.c:329:18 #7 0x555559e797af in gencache_parse bin/default/../../source3/lib/gencache.c:431:8 #8 0x5555576d6dd4 in remote_arch_cache_get bin/default/../../source3/lib/util.c:1155:7 #9 0x5555576d6dd4 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1203:8 #10 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8 #11 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18 #12 0x555558bc0eec in smbd_smb2_process_negprot bin/default/../../source3/smbd/smb2_server.c:4662:11 #13 0x555558b412f0 in process_smb2 bin/default/../../source3/smbd/smb2_process.c:556:20 #14 0x555558b412f0 in process_smb bin/default/../../source3/smbd/smb2_process.c:593:4 #15 0x555558e8f379 in smbd_smb1_server_connection_read_handler bin/default/../../source3/smbd/smb1_process.c:2082:2 #16 0x555558b48a88 in smbd_server_connection_handler bin/default/../../source3/smbd/smb2_process.c:976:4 #17 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #18 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #19 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #20 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #21 0x55555a732d8a in _tevent_loop_once 
bin/default/../../lib/tevent/tevent.c:823:8 #22 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #23 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #24 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8 #25 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3 #26 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #27 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #28 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #29 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #30 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #31 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #32 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #33 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8 #34 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2 #35 0x7ffff7399a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #36 0x7ffff7399b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3 #37 0x555556104c44 in _start ??:0:0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1) ==3570364==ABORTING ================================================================= ==3570311==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff7404060 bp 0x7fffffffcab0 sp 0x7fffffffc918 T0) ==3570311==The signal is caused by a WRITE memory access. 
#0 0x7ffff7404060 in __pthread_mutex_unlock_full ./nptl/pthread_mutex_unlock.c:162:7 #1 0x5555595229f7 in tdb_mutex_unlock bin/default/../../lib/tdb/common/mutex.c:347:8 #2 0x5555594c56f6 in fcntl_unlock bin/default/../../lib/tdb/common/lock.c:125:7 #3 0x5555594c56f6 in tdb_brunlock bin/default/../../lib/tdb/common/lock.c:234:9 #4 0x5555594c56f6 in tdb_nest_unlock bin/default/../../lib/tdb/common/lock.c:552:9 #5 0x5555594cdad3 in tdb_unlock bin/default/../../lib/tdb/common/lock.c:579:9 #6 0x5555594cdad3 in tdb_chainunlock bin/default/../../lib/tdb/common/lock.c:891:9 #7 0x555559e76b59 in gencache_set_data_blob bin/default/../../source3/lib/gencache.c:296:2 #8 0x5555576d7529 in remote_arch_cache_set bin/default/../../source3/lib/util.c:1188:7 #9 0x5555576d7529 in remote_arch_cache_update bin/default/../../source3/lib/util.c:1210:7 #10 0x555558be4ce4 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:321:8 #11 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18 #12 0x555558bd4ebf in smbd_smb2_io_handler bin/default/../../source3/smbd/smb2_server.c:5101:11 #13 0x555558bd4ebf in smbd_smb2_connection_handler bin/default/../../source3/smbd/smb2_server.c:5139:11 #14 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #15 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #16 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #17 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #18 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #19 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #20 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #21 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8 #22 
0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3 #23 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #24 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #25 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #26 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #27 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #28 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #29 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #30 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8 #31 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2 #32 0x7ffff7393a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #33 0x7ffff7393b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3 #34 0x555556104c44 in _start ??:0:0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94060) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1) ==3570311==ABORTING ================================================================= ==632356==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x7ffff740833d bp 0x55555b6affe0 sp 0x7fffffffbf30 T0) ==632356==The signal is caused by a WRITE memory access. 
#0 0x7ffff740833d in __pthread_mutex_lock_full ./nptl/pthread_mutex_lock.c:358:7 #1 0x55555951f771 in chain_mutex_lock bin/default/../../lib/tdb/common/mutex.c:182:9 #2 0x55555951f771 in tdb_mutex_lock bin/default/../../lib/tdb/common/mutex.c:234:8 #3 0x5555594c04c7 in fcntl_lock bin/default/../../lib/tdb/common/lock.c:44:7 #4 0x5555594c04c7 in tdb_brlock bin/default/../../lib/tdb/common/lock.c:200:9 #5 0x5555594c31c5 in tdb_nest_lock bin/default/../../lib/tdb/common/lock.c:390:6 #6 0x5555594c440c in tdb_lock_list bin/default/../../lib/tdb/common/lock.c:482:8 #7 0x5555594cc640 in tdb_lock bin/default/../../lib/tdb/common/lock.c:500:8 #8 0x5555594cc640 in tdb_chainlock bin/default/../../lib/tdb/common/lock.c:856:12 #9 0x5555583dfa43 in db_tdb_fetch_locked bin/default/../../lib/dbwrap/dbwrap_tdb.c:165:6 #10 0x5555583c2387 in dbwrap_fetch_locked_internal bin/default/../../lib/dbwrap/dbwrap.c:277:8 #11 0x5555583c2387 in dbwrap_fetch_locked bin/default/../../lib/dbwrap/dbwrap.c:291:9 #12 0x555556ebcf45 in dbwrap_watched_fetch_locked bin/default/../../source3/lib/dbwrap/dbwrap_watch.c:275:16 #13 0x5555583c2473 in dbwrap_fetch_locked_internal bin/default/../../lib/dbwrap/dbwrap.c:277:8 #14 0x5555583c2473 in dbwrap_fetch_locked bin/default/../../lib/dbwrap/dbwrap.c:291:9 #15 0x555558c9c0e0 in smbXsrv_client_global_fetch_locked bin/default/../../source3/smbd/smbXsrv_client.c:141:8 #16 0x555558c8afaa in smb2srv_client_mc_negprot_next bin/default/../../source3/smbd/smbXsrv_client.c:562:18 #17 0x555558c8a9f2 in smb2srv_client_mc_negprot_send bin/default/../../source3/smbd/smbXsrv_client.c:536:2 #18 0x555558bf0316 in smbd_smb2_request_process_negprot bin/default/../../source3/smbd/smb2_negprot.c:857:11 #19 0x555558badbf6 in smbd_smb2_request_dispatch bin/default/../../source3/smbd/smb2_server.c:3440:18 #20 0x555558bc0eec in smbd_smb2_process_negprot bin/default/../../source3/smbd/smb2_server.c:4662:11 #21 0x555558b412f0 in process_smb2 
bin/default/../../source3/smbd/smb2_process.c:556:20 #22 0x555558b412f0 in process_smb bin/default/../../source3/smbd/smb2_process.c:593:4 #23 0x555558e8f379 in smbd_smb1_server_connection_read_handler bin/default/../../source3/smbd/smb1_process.c:2082:2 #24 0x555558b48a88 in smbd_server_connection_handler bin/default/../../source3/smbd/smb2_process.c:976:4 #25 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #26 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #27 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #28 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #29 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #30 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #31 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #32 0x555558b4d0c1 in smbd_process bin/default/../../source3/smbd/smb2_process.c:2050:8 #33 0x5555595e45ea in smbd_accept_connection bin/default/../../source3/smbd/server.c:982:3 #34 0x55555a739180 in tevent_common_invoke_fd_handler bin/default/../../lib/tevent/tevent_fd.c:158:2 #35 0x55555a765561 in epoll_event_loop bin/default/../../lib/tevent/tevent_epoll.c:730:11 #36 0x55555a765561 in epoll_event_loop_once bin/default/../../lib/tevent/tevent_epoll.c:946:9 #37 0x55555a75804a in std_event_loop_once bin/default/../../lib/tevent/tevent_standard.c:110:8 #38 0x55555a732d8a in _tevent_loop_once bin/default/../../lib/tevent/tevent.c:823:8 #39 0x55555a733f9d in tevent_common_loop_wait bin/default/../../lib/tevent/tevent.c:952:9 #40 0x55555a7581da in std_event_loop_wait bin/default/../../lib/tevent/tevent_standard.c:141:8 #41 0x5555595d9e5f in smbd_parent_loop bin/default/../../source3/smbd/server.c:1377:8 #42 0x5555595d39eb in main bin/default/../../source3/smbd/server.c:2139:2 
#43 0x7ffff7399a8f in __libc_start_call_main ./csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #44 0x7ffff7399b48 in __libc_start_main ./csu/../csu/libc-start.c:360:3 #45 0x555556104c44 in _start ??:0:0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x9233d) (BuildId: d320ce4e63925d698610ed423fc4b1f0e8ed51f1) ==632356==ABORTING ```