Bug 15659 - Segmentation fault when deleting files in vfs_recycle
Summary: Segmentation fault when deleting files in vfs_recycle
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules
Version: 4.20.1
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-05 12:35 UTC by Markus Bach
Modified: 2024-06-25 07:38 UTC
CC: 7 users

See Also:


Attachments
gdb backtrace of segmentation fault (with debug symbols installed) (6.23 KB, text/plain)
2024-06-05 12:35 UTC, Markus Bach
no flags
possible fix (840 bytes, patch)
2024-06-14 06:34 UTC, Björn Jacke
no flags
Patches for v4-20-test (20.67 KB, text/plain)
2024-06-19 10:21 UTC, Stefan Metzmacher
vl: review+
npower: review+
metze: review? (slow)

Description Markus Bach 2024-06-05 12:35:54 UTC
Created attachment 18327 [details]
gdb backtrace of segmentation fault (with debug symbols installed)

Hi,

since upgrading to samba 4.20.1 (provided by sernet) from 4.19.6 we got reports of strange behaviour (LibreOffice reporting readonly when saving, leftover temp files...) from our users on our most used fileserver.

In the logfiles I found a lot of segmentation faults. Since the backtrace showed vfs_recycle I temporarily disabled the recycle bin on the affected shares and the problems stopped.

Attached you'll find a gdb backtrace of a core dump.
Comment 1 Markus Bach 2024-06-06 10:46:04 UTC
I forgot to mention: SAMBA is running on Debian 12 and the clients are mostly Windows Server 2019.
I have not been able to reproduce the problem on a similar setup.

In one of the shares I found some directories which had invalid characters, snippets from the config ("rid", "mkdirat read pread pwrite write renameat unlinkat connect create_file", "40000-60000") and even parts of lines from the auditlog as names.

As far as I can tell the creation time of these directories correlates with the segmentation faults. Looks to me like something points to the wrong memory address.
Comment 2 Björn Jacke 2024-06-06 12:03:09 UTC
please also provide a minimal configuration with which this issue can be reproduced.
Comment 3 Alexander Bokovoy 2024-06-13 08:03:40 UTC
This is the same issue we've got reported in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=2282238

I did some investigation after a core dump was provided and it looks like a memory overwrite or heap smashing as the structure that should be intact (coming from an smbconf parameter lookup) gets rewritten by a pointer to another smbconf data.
Comment 4 Björn Jacke 2024-06-14 06:34:21 UTC
Created attachment 18340 [details]
possible fix

can you try if this patch fixes the problem for you?
Comment 5 Stefan Metzmacher 2024-06-14 07:17:26 UTC
Most likely the problem is that the values from lp_parm_string_list()
in vfs_recycle_connect() get out of scope because we reloaded the config file.
Comment 6 Stefan Metzmacher 2024-06-14 07:23:54 UTC
Comment on attachment 18340 [details]
possible fix

This is ok, but won't fix the problem.
Comment 7 Samba QA Contact 2024-06-19 10:18:12 UTC
This bug was referenced in samba master:

2916b6096e16fb44d659b7e60d3f3a569d037279
6467c47cbe562e99e970dbb895e1068f54e6295b
691564f6ca7d206939558b8e69b5fb86a3e68650
220b0e977e2e25f2033cfd62c17d998c750992fc
cf7a6b521ac0bb903dabbd1af208d1af4fbe9a8b
b38241da3dd73386c4f41a56d95d33d4e1e3d2de
2175856fef17964cef7cf8618b39736168219eec
c229a84b449b8ba326ee0f6f702d91f101b99ee4
53b72ea4d25d4aa6cf8de1c7555456d4cc03b809
Comment 8 Stefan Metzmacher 2024-06-19 10:21:55 UTC
Created attachment 18346 [details]
Patches for v4-20-test
Comment 9 Noel Power 2024-06-19 10:35:47 UTC
Comment on attachment 18346 [details]
Patches for v4-20-test

lgtm
Comment 10 Noel Power 2024-06-19 10:36:34 UTC
assign to Jule for inclusion in 4.20
Comment 11 Jule Anger 2024-06-19 11:13:54 UTC
Pushed to autobuild-v4-20-test.
Comment 12 Samba QA Contact 2024-06-19 14:08:04 UTC
This bug was referenced in samba v4-20-test:

7d277c424fc14b5b43c63cb100705ae0fcc99994
cf22968a8a12151fcb294c164e0e3f6fc0015690
db098ff1aadb84d69ef32c981458a7b2c72e8a0a
69b9c140527c930b6632e7201a6f83a3e8f664f1
a5d5d83c4923ff860a1463a65057859bfdf61db0
4bb5f8a92aa34cf7d65fbc9518a2b8b94a98fec8
64d7108cddb64d60afaf52dd0fc74d127e6c0b94
f464a85c12968c0791714af68c7d3a044e81adc6
7d69ec93e3178105ee02aae24d056d65d2d70358
Comment 13 Samba QA Contact 2024-06-19 14:34:42 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.2):

7d277c424fc14b5b43c63cb100705ae0fcc99994
cf22968a8a12151fcb294c164e0e3f6fc0015690
db098ff1aadb84d69ef32c981458a7b2c72e8a0a
69b9c140527c930b6632e7201a6f83a3e8f664f1
a5d5d83c4923ff860a1463a65057859bfdf61db0
4bb5f8a92aa34cf7d65fbc9518a2b8b94a98fec8
64d7108cddb64d60afaf52dd0fc74d127e6c0b94
f464a85c12968c0791714af68c7d3a044e81adc6
7d69ec93e3178105ee02aae24d056d65d2d70358
Comment 14 Jule Anger 2024-06-25 07:38:20 UTC
Closing out bug report.

Thanks!